I'm running a system that has two NICs: one connects to the internet, the other connects to the LAN. I need to SSH in from machines on the internet, and also from other machines on the LAN. Of course, I want different policies for these two connections.
The simplest way is to run two SSH daemons, one for each interface. Here's how I set it up on a Red Hat-style Linux system, such as RHEL, Fedora, CentOS, and Scientific Linux. The file paths and start-up procedures will be different for other distros.
THE FOLLOWING IS OFFERED WITHOUT WARRANTY OF ANY KIND. THIS IS WHAT I DID, BUT YOU MAY NEED TO DO SOMETHING DIFFERENT. YOU ARE RESPONSIBLE FOR ALL CHANGES TO YOUR SYSTEM. IF IT BREAKS, YOU GET TO FIX IT.
I started with a single SSH daemon set up to listen only on the LAN NIC. Then:
# cd /etc/ssh
# cp -p ssh_config otherssh_config
# cp -p sshd_config othersshd_config
# cd /etc/rc.d/init.d
# cp -p sshd othersshd
# cd /usr/sbin/
# ln -s sshd othersshd
# cd /etc/pam.d/
# ln -s sshd othersshd
# chkconfig --add othersshd
# chkconfig --list | grep othersshd
# service othersshd start
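An added example (not from the original post) of the step the commands above leave implicit: deriving othersshd_config from the LAN daemon's sshd_config. The two daemons cannot share ListenAddress or PidFile, and the internet-facing one should get the stricter policy, so those directives are rewritten in the copy. It assumes a plain "Keyword value" config with no Match blocks, and the address 203.0.113.5 and the pid path are placeholders.

```sh
#!/bin/sh
# Added example, not the original author's script. Assumes the LAN daemon's
# config uses one "Keyword value" directive per line and has no Match blocks.
set -eu

# set_directive FILE KEYWORD VALUE: replace the first active or "#Keyword"
# (commented-out default) line with "KEYWORD VALUE", drop any later copies,
# or append the directive if it is not present at all.
set_directive() {
    file=$1; key=$2; val=$3
    tmp="$file.tmp"
    awk -v k="$key" -v v="$val" '
        BEGIN { lk = tolower(k); found = 0 }
        {
            line = $0
            sub(/^[ \t]*#?/, "", line)        # strip indent and a leading "#"
            split(line, f, /[ \t=]+/)
            if (tolower(f[1]) == lk) {        # sshd_config keywords are case-insensitive
                if (!found) print k, v
                found = 1
                next
            }
            print
        }
        END { if (!found) print k, v }
    ' "$file" > "$tmp" && mv "$tmp" "$file"
}

# derive_external_config LAN_CONFIG OUT_CONFIG EXT_ADDR
# Copies the LAN daemon's config and rewrites what must differ for the
# second, internet-facing daemon.
derive_external_config() {
    lan=$1; out=$2; addr=$3
    cp -p "$lan" "$out"
    # These two must differ or the daemons will not coexist:
    set_directive "$out" ListenAddress "$addr"            # bind only the internet NIC
    set_directive "$out" PidFile /var/run/othersshd.pid   # placeholder path; must not collide with sshd's
    # Stricter policy for the daemon reachable from the internet:
    set_directive "$out" PermitRootLogin no
    set_directive "$out" PasswordAuthentication no        # key-based logins only
    set_directive "$out" ChallengeResponseAuthentication no
    set_directive "$out" MaxAuthTries 3
}
```

Before "service othersshd start", validate the result with "sshd -t -f /etc/ssh/othersshd_config" so a typo does not leave the external interface without a daemon.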
There is a drawback to this scheme: if "yum update" changes any of the ssh config or init files, I have to manually make similar changes to the files I've copied and modified.
I've been asked why I needed to make a new init file and a new soft link to the executable. There are three reasons. First, some of the subroutines in the init script depend on the executable name being the same as the service name. Second, when I do a "ps" or something else that shows statistics by process, I'd be able to tell which ssh daemon is which. Third, having a new name gives a consistent naming scheme to all components of the new (Red Hat-style) service.