Ubuntu – Running multiple copies of openssh-server (sshd) on Ubuntu

Tags: ssh, ubuntu

I may be attacking this problem the wrong way, if so let me know.

I have a server which is available through SSH from both the public internet and the local LAN. I would like to have two very different security policies for each, by running two copies of sshd with two different sshd_config files each on a different port.

Some of the things I'd like to change are to allow password or public-key authentication on the LAN, but public-key only from the internet. All (real) users could log in from the LAN side, but only certain authorized users would be individually whitelisted to log in through the internet.

As far as I can tell this requires having two different SSH daemons running on different ports with different sshd_configs. I am fine with the different ports part, I can easily forward port 22 to any port I want through my firewall.

So my question is what is the best way to actually START the second sshd under Ubuntu 10.04 LTS. Is there a recommended way to do something like this? Surely I am not the first person with this sort of need.

I have a bit of experience with upstart, and I can manually hack the second sshd into /etc/init/ssh.conf, I suppose, but I'm not sure if that will get overwritten by the package. However I do it, it's important to ensure both sshd processes always get restarted after any automatic or manual upgrade of the openssh-server package.

Thanks in advance.

Best Answer

Start your separate SSH daemons however your operating system traditionally starts SSH daemons:

If Ubuntu is using upstart to launch sshd these days, create a new upstart job that looks like the standard one, only pointing the daemon at your custom config file.

If it's using init.d & rc#.d scripts copy them and modify them as needed.

This avoids any package updates stomping on your customizations, and gives you fine-grained control over starting/stopping/restarting the specific SSH daemon you want to target. It also means that an admin stepping into your universe will be able to recognize what's going on and how to start/stop/restart these daemons, because it's done in the operating system's usual way rather than by hackery.
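The procedure the answer describes, as an added worked example that is not part of the original answer: a small POSIX shell script that stages a second sshd_config with the Internet-facing policy (different port, separate PidFile, public-key only, explicit AllowUsers whitelist) and a separate upstart job modelled on the stock Ubuntu 10.04 /etc/init/ssh.conf, pointing sshd at that config with `-f`. The job name `ssh-internet`, port 2222, the user names `alice` and `bob`, the pid file path and the staging directory are all assumptions; the stock `ssh` job and /etc/ssh/sshd_config stay untouched and keep serving the LAN on port 22.

```sh
#!/bin/sh
# Added example (not the page's or Ubuntu's own code): stage a second sshd
# configuration and a second upstart job for it. Files are written under
# OUT_DIR (a temp directory by default); copy them into /etc/ssh and
# /etc/init as root afterwards. Port, users and paths are placeholders.
set -eu

OUT_DIR=${OUT_DIR:-$(mktemp -d)}

# Where the config will live once installed; the upstart job references
# this path, not the staging copy.
INSTALLED_CONFIG=/etc/ssh/sshd_config_internet

# Internet-facing policy. The second instance MUST use its own Port and its
# own PidFile, otherwise it collides with the stock daemon (which writes
# /var/run/sshd.pid). Host keys are shared with the first instance on purpose
# so clients see the same fingerprint on both ports.
write_internet_sshd_config() {
    cat > "$1" <<'EOF'
# sshd_config for the Internet-facing daemon (second sshd instance)
Port 2222
PidFile /var/run/sshd-internet.pid
Protocol 2
HostKey /etc/ssh/ssh_host_rsa_key
HostKey /etc/ssh/ssh_host_dsa_key
PermitRootLogin no
PubkeyAuthentication yes
PasswordAuthentication no
ChallengeResponseAuthentication no
UsePAM yes
AllowUsers alice bob
Subsystem sftp /usr/lib/openssh/sftp-server
EOF
}

# Upstart job modelled on the stock /etc/init/ssh.conf from Ubuntu 10.04.
# It is a separate job file, so openssh-server upgrades leave it alone and
# it can be managed on its own: start/stop/restart/status ssh-internet.
write_upstart_job() {
    out=$1
    config=$2
    cat > "$out" <<EOF
# ssh-internet - second OpenSSH server instance (Internet-facing policy)
#
# Copy of the stock ssh job, pointed at $config.

description     "OpenSSH server (Internet-facing instance)"

start on filesystem
stop on runlevel [!2345]

respawn
respawn limit 10 5
umask 022

pre-start script
    test -x /usr/sbin/sshd || { stop; exit 0; }
    test -e /etc/ssh/sshd_not_to_be_run && { stop; exit 0; }
    test -c /dev/null || { stop; exit 0; }

    mkdir -p -m0755 /var/run/sshd
    # Added check: refuse to start on a broken config instead of respawning.
    /usr/sbin/sshd -t -f $config
end script

exec /usr/sbin/sshd -D -f $config
EOF
}

# Stage both files into one directory; returns the directory path.
generate_all() {
    dir=$1
    mkdir -p "$dir"
    write_internet_sshd_config "$dir/sshd_config_internet"
    write_upstart_job "$dir/ssh-internet.conf" "$INSTALLED_CONFIG"
    printf '%s\n' "$dir"
}

generate_all "$OUT_DIR" >/dev/null
echo "staged files in $OUT_DIR:"
ls -l "$OUT_DIR"
```

To install: `sudo cp "$OUT_DIR/sshd_config_internet" /etc/ssh/ && sudo cp "$OUT_DIR/ssh-internet.conf" /etc/init/`, check the config with `sudo sshd -t -f /etc/ssh/sshd_config_internet`, then `sudo start ssh-internet` and confirm with `status ssh-internet` and `ss -ltnp` (or `netstat -ltnp`) that one sshd listens on 22 and another on 2222; the firewall then forwards the public port to 2222. One caveat on the questioner's upgrade requirement: the openssh-server postinst restarts only the stock `ssh` job, so after a package upgrade the second instance keeps running the old binary until you run `sudo restart ssh-internet` yourself.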