[DaleDellutri.com logo.]
DaleDellutri.com
My home on the web

Site Index

Running Two SSH Daemons (Systemd)

These are the instructions for running two SSH daemons in a Systemd server distro, Redhat-style (RHEL, CentOS, and Scientific Linux). Click here if you need the instructions for a SysV Init distro.

THE FOLLOWING IS OFFERED WITHOUT WARRANTY OF ANY KIND. THIS IS WHAT I DID, BUT YOU MAY NEED TO DO SOMETHING DIFFERENT. YOU ARE RESPONSIBLE FOR ALL CHANGES TO YOUR SYSTEM. IF IT BREAKS, YOU GET TO FIX IT.

(Redhat provides an example for "Creating a second instance of the sshd service" in the RHEL System Administrator's Guide but I believe that the example is incomplete.)

You may need to horizontally scroll the code boxes shown below.

I started with a single SSH daemon set up to listen only on the lan NIC. Then:

  1. I copied the sshd_config file, and modified the new file as necessary for the policy I wanted. Wherever the old file mentioned ssh<whatever>, I changed it to otherssh<whatever>. I also changed Port, ListenAddress, and other variables. I made sure that the original file only listened on the lan NIC. 
    # cd /etc/ssh
# cp -a sshd_config othersshd_config
  2. Since I modified the Port in the othersshd_config file, I had to make sure that selinux would recognize that the new port was for sshd. 
    # semanage port -a -t ssh_port_t -p tcp XXXXX
  3. I created a new othersshd.service, othersshd-keygen.service, and othersshd.socket files and made necessary changes (for example, in othersshd.service, I added "-f /etc/ssh/othersshd_config" to the sshd command). 
    # cd /etc/systemd/system
# cp -a /usr/lib/systemd/system/sshd.service othersshd.service
# cp -a /usr/lib/systemd/system/sshd-keygen.service othersshd-keygen.service
# cp -a /usr/lib/systemd/system/sshd.socket othersshd.socket
  4. I created a /usr/sbin/othersshd-keygen with all key file names changed from ssh* to otherssh*. Do not change KEYGEN=/usr/bin/ssh-keygen. 
    # cd /usr/sbin
# cp -a sshd-keygen othersshd-keygen
  5. Make sure that it is executable and has the correct selinux context. Then create the new keys. 
    # othersshd-keygen
  6. I created various soft links. 
    # cd /usr/sbin/
# ln -s sshd othersshd
# cd /etc/pam.d
# ln -s sshd othersshd
  7. I was using firewalld, so I needed to create /etc/firewalld/services/otherssh.xml and change short and port. 
    # cd /etc/firewalld
# cp -a /usr/lib/firewalld/services/ssh.xml otherssh.xml
  8. I changed /etc/hosts.allow, adding "othersshd : ALL" at the bottom.
  9. Finally, I could start the new sshd. 
    # systemctl enable othersshd.service
# systemctl start othersshd.service

There is a drawback to this scheme: if a system software update changes any of the ssh config or init files, I have to manually make similar changes to the files I've copied and modified.

[DaleDellutri.com favicon] Web site comments, criticisms and complaints: E-mail: Dale Dellutri .
Copyright 2020 Dale A. Dellutri
Last modified: Saturday, 09-May-2020 16:16:22 EDT