Re: Running multiple sshd instances on one server



On Wed, 19 Mar 2008 06:01:14 -0700 (PDT), ss11223@xxxxxxxxx wrote:
I am running a system that has a NAT firewall on it with two IP
addresses, one on the outside internet, and one on an internal
network. This is a Debian stable system.

I want to have different login criteria for the internal network
(passwords allowed) and the external network (key based only) and
different allowed user lists for each. I conjecture that the only way
to do this is to run two instances of sshd with different config
files. Is there anything in ssh that would prevent me from doing
this? Has anyone tried this and have any pointers or gotchas to look
out for?

I've run two separate sshd daemons. The instructions below,
which I've posted a few times before, pertain to RedHat-style
systems (RHEL, Fedora, CentOS, and so on). You'll have to
translate them for your debian system.

=====
I suggest the following procedure, which will give you two distinct
ssh daemons, each with its own policies. These instructions pertain
to RedHat-style systems; your file paths might vary.

Let's assume you already have ssh set up to listen on one NIC
with the policies you want. Then, without too much detail:

1. cp -p /etc/ssh/ssh_config /etc/ssh/otherssh_config
Modify the new file as necessary for the policy you want.

2. cp -p /etc/ssh/sshd_config /etc/ssh/othersshd_config
Modify the new file as necessary. Most importantly, look
at ListenAddress and Port.

3. cp -p /etc/rc.d/init.d/sshd /etc/rc.d/init.d/othersshd
Modify the new file to point to otherssh<whatever> wherever
the old file pointed to ssh<whatever>. This includes
executables, config files, pid files and key files, for
example.

4. cd /usr/sbin/
ln -s sshd othersshd
No changes to the executable

5. cd /etc/pam.d/
ln -s sshd othersshd
No changes to the PAM module, usually

Then when all the changes are done:
6. chkconfig --add othersshd
chkconfig --list | grep othersshd
Should be on in levels 2345
service othersshd start
This should create a new set of keys.

One drawback to this scheme: if you ever update ssh, it might change
the config files or sshd init file, but it won't touch the
otherssh files.
=====

--
Dale Dellutri <ddelQQQlutr@xxxxxxxxxxxx> (lose the Q's)
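The configuration split that the procedure above sets up, as an added example (a shell script written for this page, not the poster's own files): it writes the two sshd_config files, one per interface, and then lints them for the mistakes that silently undo the split. The addresses, user names and PidFile paths are constructed placeholders. Two choices differ from the post's scheme and are assumptions of this example: both daemons share the existing host key instead of generating a second set, and the external config turns off ChallengeResponseAuthentication as well as PasswordAuthentication, because with UsePAM the keyboard-interactive method can still prompt for a password when only the latter is set to no.

```shell
#!/bin/sh
# Added example: generate and sanity-check two sshd_config files for one host,
# one per NIC, following the two-daemon layout from the post.
# Addresses, user names and paths are constructed placeholders.

# gen_sshd_configs DIR INT_ADDR EXT_ADDR
# Writes DIR/sshd_config.internal and DIR/sshd_config.external.
gen_sshd_configs() {
  dir=$1; int_addr=$2; ext_addr=$3
  mkdir -p "$dir"

  # Internal NIC: password logins allowed, broader user list.
  cat > "$dir/sshd_config.internal" <<EOF
# internal-facing sshd (constructed example)
ListenAddress $int_addr
Port 22
PidFile /var/run/sshd-internal.pid
HostKey /etc/ssh/ssh_host_rsa_key
UsePAM yes
PasswordAuthentication yes
ChallengeResponseAuthentication yes
PubkeyAuthentication yes
AllowUsers alice bob ops
EOF

  # External NIC: public keys only. PasswordAuthentication no is not enough
  # on its own with UsePAM: keyboard-interactive (ChallengeResponse) can still
  # prompt for a password, so it is disabled too.
  cat > "$dir/sshd_config.external" <<EOF
# external-facing sshd (constructed example)
ListenAddress $ext_addr
Port 22
PidFile /var/run/sshd-external.pid
HostKey /etc/ssh/ssh_host_rsa_key
UsePAM yes
PasswordAuthentication no
ChallengeResponseAuthentication no
PubkeyAuthentication yes
PermitRootLogin no
AllowUsers alice
EOF
}

# sshd_opt FILE KEYWORD: value of the first matching directive.
# sshd_config keywords are case-insensitive, so the lookup is too.
sshd_opt() {
  awk -v k="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" \
      'tolower($1) == k { print $2; exit }' "$1"
}

# check_configs INT_FILE EXT_FILE
# Returns 0 when the external side is key-only and the two daemons cannot
# collide on a pid file or a socket; prints the reason and returns 1 otherwise.
check_configs() {
  int=$1; ext=$2
  [ "$(sshd_opt "$ext" PasswordAuthentication)" = no ] \
    || { echo "external: passwords allowed"; return 1; }
  [ "$(sshd_opt "$ext" ChallengeResponseAuthentication)" = no ] \
    || { echo "external: keyboard-interactive (PAM password) still allowed"; return 1; }
  [ "$(sshd_opt "$ext" PubkeyAuthentication)" = yes ] \
    || { echo "external: pubkey disabled, nobody could log in"; return 1; }
  [ "$(sshd_opt "$int" PidFile)" != "$(sshd_opt "$ext" PidFile)" ] \
    || { echo "same PidFile: stopping one daemon would kill the other"; return 1; }
  [ "$(sshd_opt "$int" ListenAddress):$(sshd_opt "$int" Port)" != \
    "$(sshd_opt "$ext" ListenAddress):$(sshd_opt "$ext" Port)" ] \
    || { echo "both daemons bind the same address:port"; return 1; }
  return 0
}

# Usage: write both files under a scratch directory, lint them, and if sshd
# and the host key are present, let sshd itself parse the external config.
# On a real Debian box the files would go to /etc/ssh/ and a copy of
# /etc/init.d/ssh would start the second daemon with
#   /usr/sbin/sshd -f /etc/ssh/othersshd_config
main() {
  d=${TMPDIR:-/tmp}/sshd-split.$$
  gen_sshd_configs "$d" 192.168.1.1 203.0.113.10
  check_configs "$d/sshd_config.internal" "$d/sshd_config.external" \
    && echo "policy split OK: $d"
  if command -v sshd >/dev/null 2>&1 && [ -r /etc/ssh/ssh_host_rsa_key ]; then
    sshd -t -f "$d/sshd_config.external" && echo "sshd -t: external config parses"
  fi
}

main
```

Run `check_configs` again after every edit to either file; the check that most often fails in practice is the ChallengeResponseAuthentication one, since the stock config ships with it enabled and it is not mentioned when people say "key-only".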