# Running 2 sshd???

## Sunnz

I am wondering if it is possible to run 2 instances of sshd, each using different sshd_config settings?

What I want to do is allow wheel group users to log in via key only, while everyone else may use a password.

I tried to make a copy of sshd_config in /etc/ssh/ with the settings I wanted, then copied sshd in /etc/init.d/ and changed the new one to point to the new sshd_config. Of course, in the new sshd_config I have set the pid file to sshd2.pid so it is different.

But yea, it doesn't quite work out.

So, what should I do to allow wheel group users to log in via key only?

----------

## joehack

Each sshd has to run on a separate port. SSH originally runs on port 22.

Jochen

----------

## hegga

If the two ssh daemons are running on separate ports, it might give us a clue if you posted your config files.

----------

## Sunnz

OK, I have just tried running them on different ports, namely port 22 and port 23.

I changed it via sshd_config for sshd and sshd2_config for sshd2; would that work?

All I have changed in sshd2 is to change all instances of sshd_config to sshd2_config.

However, when I try sshd2 start, it doesn't create an sshd2.pid file in /var/run/; it only works for sshd, with an sshd.pid file in /var/run/.

Do I really need to run 2 instances of sshd to do what I wanted to do? Like, is there any other way to do this?

----------

## kg

What doesn't work?  Running the 2 sshds or just allowing login via key?

Edit: D'oh!  What great timing.

----------

## kg

If you just try to start sshd2, do you get any error messages?

What does it say?  Does it say "Starting sshd2"?

----------

## Sunnz

There are no errors when I start sshd2; but if I try to stop it, it gives [!!] with no error messages. If I THEN start sshd2 again, it says that sshd2 is already running.

That's why I am looking at /var/run/: only sshd.pid is created, all of the time.

EDIT: Even if I stop sshd, so that sshd.pid is removed, and THEN try to start sshd2 again, it still says that sshd2 has already been started.

However, if sshd2 was NEVER started, as in if I have rebooted the system, it will start, but it can't be stopped or something.

----------

## kg

Can you post your /etc/init.d/sshd2 file?

----------

## Sunnz

```
#!/sbin/runscript
# Copyright 1999-2006 Gentoo Foundation
# Distributed under the terms of the GNU General Public License v2
# $Header: /var/cvsroot/gentoo-x86/net-misc/openssh/files/sshd.rc6,v 1.19 2006/02/28 00:09:52 vapier Exp $

opts="reload"

depend() {
        use logger dns
        need net
}

SSHD_CONFDIR=${SSHD_CONFDIR:-/etc/ssh}

checkconfig() {
        if [[ ! -d /var/empty ]] ; then
                mkdir -p /var/empty || return 1
        fi
        if [[ ! -e ${SSHD_CONFDIR}/sshd2_config ]] ; then
                eerror "You need an ${SSHD_CONFDIR}/sshd2_config file to run sshd"
                eerror "There is a sample file in  /usr/share/doc/openssh"
                return 1
        fi
        gen_keys || return 1
        /usr/sbin/sshd -t ${myopts} || return 1
}

gen_keys() {
        if [[ ! -e ${SSHD_CONFDIR}/ssh_host_key ]] ; then
                einfo "Generating Hostkey..."
                /usr/bin/ssh-keygen -t rsa1 -b 1024 -f ${SSHD_CONFDIR}/ssh_host_key -N '' || return 1
        fi
        if [[ ! -e ${SSHD_CONFDIR}/ssh_host_dsa_key ]] ; then
                einfo "Generating DSA-Hostkey..."
                /usr/bin/ssh-keygen -d -f ${SSHD_CONFDIR}/ssh_host_dsa_key -N '' || return 1
        fi
        if [[ ! -e ${SSHD_CONFDIR}/ssh_host_rsa_key ]] ; then
                einfo "Generating RSA-Hostkey..."
                /usr/bin/ssh-keygen -t rsa -f ${SSHD_CONFDIR}/ssh_host_rsa_key -N '' || return 1
        fi
        return 0
}

start() {
        local myopts=""
        # -o PidFile is only added when the service is NOT called sshd2
        [[ ${SVCNAME} != "sshd2" ]] && myopts="${myopts} -o PidFile=/var/run/${SVCNAME}.pid"
        # -f is only added when SSHD_CONFDIR is NOT the default /etc/ssh
        [[ ${SSHD_CONFDIR} != "/etc/ssh" ]] && myopts="${myopts} -f ${SSHD_CONFDIR}/sshd2_config"
        checkconfig || return 1
        ebegin "Starting ${SVCNAME}"
        /usr/sbin/sshd ${myopts} ${SSHD_OPTS}
        eend $?
}

stop() {
        ebegin "Stopping ${SVCNAME}"
        start-stop-daemon --stop --quiet --pidfile /var/run/${SVCNAME}.pid
        eend $?
}

reload() {
        ebegin "Reloading ${SVCNAME}"
        start-stop-daemon --stop --quiet --pidfile /var/run/${SVCNAME}.pid \
                --signal HUP
        eend $?
}
```

----------

## kg

Ok, does sshd2 actually start sshd listening on port 23 (or whatever alternate port you want to use)?

I want to know if it is reading your alternate config file sshd2_config.

Just to be complete, you can copy /etc/conf.d/sshd to /etc/conf.d/sshd2 (but I don't think that will have an impact on this issue). Although you can try adding

```
SSHD_OPTS="-o PidFile=/var/run/sshd2.pid"
```

Just to see if it will create the pidfile.

The issue with it not stopping is definitely related to it writing sshd.pid in /var/run instead of sshd2.pid.

When you start sshd2 and see the file /var/run/sshd.pid, look in /var/lib/init.d/started. Is there a symlink for sshd2 in there? (I expect there will be.)

If you have problems stopping/restarting sshd2, you can:

kill the process manually

make sure /var/run/sshd.pid is gone

remove the symlink to sshd2 from /var/lib/init.d/started  

You should now be able to start it from /etc/init.d/sshd2 again.

I am currently at a loss as to why it doesn't name it /var/run/sshd2.pid....

----------

## zeek

 *Sunnz wrote:*   

> But yea, it doesn't quite work out.

 

You need to point sshd at your sshd2 config file everywhere using the -f <path> option.

```
/usr/sbin/sshd -f /etc/ssh/sshd_external_config
```

edit: I can see you have some code in there to try to do that but I think it may be buggy. 

I've been doing this for a long time - Internet logins are key only and local LAN logins also support a password. The firewall DNATs port 22 to port 23 on the ssh login server.

----------

## hegga

I was able to reproduce the problem on my laptop, and I think I've found the problem.

When I changed these two lines in /etc/init.d/sshd2 everything worked perfectly:

```
#[[ ${SVCNAME} != "sshd2" ]] && myopts="${myopts} -o PidFile=/var/run/${SVCNAME}.pid"
myopts="${myopts} -o PidFile=/var/run/${SVCNAME}.pid"
#[[ ${SSHD_CONFDIR} != "/etc/ssh" ]] && myopts="${myopts} -f ${SSHD_CONFDIR}/sshd2_config"
myopts="${myopts} -f ${SSHD_CONFDIR}/sshd2_config"
```

I found out that ${myopts} and ${SSHD_CONFDIR} were empty when sshd was launched.

Does this work for you?

----------

## Sunnz

 *hegga wrote:*   

> I was able to reproduce the problem on my laptop, and I think I've found the problem.
> 
> When I changed these two lines in /etc/init.d/sshd2 everything worked perfectly:
> ...

 

BINGO!!!! It has worked, perfectly!!! Thanks so much!!!!

That's kind of weird though, do you know what [[ ]] means???

BTW, every time I start sshd2, it says "* Re-caching dependency info (mtimes differ)..." Are there any problems?

 *zeek wrote:*   

> You need to point sshd at your sshd2 config file everywhere using the -f <path> option.
> 
> Code:
> 
> /usr/sbin/sshd -f /etc/ssh/sshd_external_config
> ...

 

So how did you do so? Did you copy sshd initscript and edit it?

----------

## hegga

 *Sunnz wrote:*   

>  *hegga wrote:*   I was able to reproduce the problem on my laptop, and I think I've found the problem.
> 
> When I changed these two lines in /etc/init.d/sshd2 everything worked perfectly:
> ...

 

[[ ${SVCNAME} != "sshd2" ]] && myopts="${myopts} -o PidFile=/var/run/${SVCNAME}.pid" means that if SVCNAME is something other than sshd2, it will add -o PidFile to the myopts variable. If you set this back to ssh, the pid file will be set in myopts as you want it to be.

[[ ${SSHD_CONFDIR} != "/etc/ssh" ]] && myopts="${myopts} -f ${SSHD_CONFDIR}/sshd2_config" works like the above line; this line was probably made because they want you to use another dir for your second configuration. And I think I might advise you to have two ssh config dirs; that can clear things up a bit.

I think this will work as you want it to:

copy /etc/init.d/sshd to /etc/init.d/sshd2

copy /etc/conf.d/sshd to /etc/conf.d/sshd2

copy /etc/ssh (except the host keys) to /etc/ssh2

then change the line SSHD_CONFDIR=${SSHD_CONFDIR:-/etc/ssh} in /etc/init.d/sshd2, and it should work just fine.

----------
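To make the behaviour hegga describes reproducible without Gentoo's runscript, here is the option-building logic of the posted start() lifted out into plain POSIX shell. This is an added example, not code from the thread. SVCNAME stands for the name runscript derives from the init script's file name, and SSHD_CONFDIR defaults to /etc/ssh as in the script. The stock Gentoo sshd.rc6 compares SVCNAME against "sshd" and passes ${SSHD_CONFDIR}/sshd_config; a blanket sshd-to-sshd2 rename turns those into the tests seen in the posted script, which is why a service actually named sshd2 in /etc/ssh ends up with no options at all:

```shell
#!/bin/sh
# Added example, not code from the thread: the option-building logic of the
# posted /etc/init.d/sshd2 start(), lifted out of Gentoo's runscript so it can
# be run in any POSIX shell. SVCNAME is the name runscript derives from the
# init script's file name; SSHD_CONFDIR defaults to /etc/ssh as in the script.

# posted_opts SVCNAME CONFDIR
# The two tests exactly as they appear in the posted script.
posted_opts() {
    svc=$1; confdir=$2; opts=""
    [ "$svc" != "sshd2" ] && opts="$opts -o PidFile=/var/run/$svc.pid"
    [ "$confdir" != "/etc/ssh" ] && opts="$opts -f $confdir/sshd2_config"
    printf '%s' "${opts# }"
}

# stock_opts SVCNAME CONFDIR
# The same tests as shipped in Gentoo's sshd.rc6: the pid file is only renamed
# when the script runs under a name other than "sshd" (e.g. via a symlink), and
# -f is only passed when SSHD_CONFDIR was moved away from /etc/ssh, where it
# then reads sshd_config rather than sshd2_config. A global sshd->sshd2 rename
# turns these into the posted tests and inverts their meaning for sshd2.
stock_opts() {
    svc=$1; confdir=$2; opts=""
    [ "$svc" != "sshd" ] && opts="$opts -o PidFile=/var/run/$svc.pid"
    [ "$confdir" != "/etc/ssh" ] && opts="$opts -f $confdir/sshd_config"
    printf '%s' "${opts# }"
}

# fixed_opts SVCNAME CONFDIR
# hegga's fix: drop both conditions and always pass both options.
fixed_opts() {
    printf '%s' "-o PidFile=/var/run/$1.pid -f $2/sshd2_config"
}

# What sshd actually receives in each case; the thread's failing case first.
for svc in sshd2 sshd; do
    printf 'posted  %-5s /etc/ssh  -> [%s]\n' "$svc" "$(posted_opts "$svc" /etc/ssh)"
done
printf 'stock   sshd2 /etc/ssh2 -> [%s]\n' "$(stock_opts sshd2 /etc/ssh2)"
printf 'fixed   sshd2 /etc/ssh  -> [%s]\n' "$(fixed_opts sshd2 /etc/ssh)"
```

The empty result for the sshd2/etc-ssh case is the whole bug: sshd was started with no -o PidFile and no -f, so it read /etc/ssh/sshd_config, listened on the same port as the first instance, and wrote /var/run/sshd.pid, which is why the stop target could never find it. Whichever variant is used, confirm the pid file name after starting with something like `cat /var/run/sshd2.pid` and check that the process listed there has the expected -f argument.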

## Sunnz

Ohh I see, that really clears up things! Thanks man!

BTW, I have got a possibly better solution.

Instead of editing a copy of sshd, I have made a symlink /etc/init.d/sshd2 that points to sshd.

Then I have this in /etc/conf.d/sshd2:

```
SSHD_OPTS="-o PidFile=/var/run/${SVCNAME}.pid -f /etc/conf.d/${SVCNAME}_config"
```

And of course, I have moved /etc/ssh/sshd2_config to /etc/conf.d/.

It does exactly the same thing though.

----------

## hegga

 *Sunnz wrote:*   

> Ohh I see, that really clears up things! Thanks man!
> 
> BTW, I have got a possibly better solution.
> 
> Instead of editing a copy of sshd, I have made a symlink /etc/init.d/sshd2 that points to sshd.
> ...

 

That sounds like the best solution.

----------
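The goal stated at the top of the thread, key-only logins for wheel members while everyone else may still use a password, does not actually need a second daemon on a current OpenSSH: the Match keyword (OpenSSH 4.4 and newer) applies a block of directives only to users matching a group, user name or source address. The thread never says which OpenSSH version was in use, so that is an assumption. The following is an added example, not code from the thread or from any of its posters; it writes such a config, checks the one layout mistake that silently breaks Match blocks, and, where sshd is installed, asks sshd itself (sshd -T -C, OpenSSH 5.1 and newer) what it would do for a given user:

```shell
#!/bin/sh
# Added example, not code from the thread. It assumes OpenSSH 4.4 or newer
# (the Match keyword) and, for effective_password_auth, 5.1 or newer
# (sshd -T -C); the thread never says which OpenSSH version was in use.

# write_wheel_keyonly_config DIR
# Writes DIR/sshd_config: everyone may use a password, except that members
# of group wheel are limited to public-key authentication. Prints the path.
write_wheel_keyonly_config() {
    dir=$1
    cat > "$dir/sshd_config" <<'EOF'
Port 22
PermitRootLogin no
PubkeyAuthentication yes
PasswordAuthentication yes

# A Match block stays in effect until the next Match line or the end of the
# file, so every global directive must come before it, not after.
Match Group wheel
    PasswordAuthentication no
    KbdInteractiveAuthentication no
EOF
    printf '%s\n' "$dir/sshd_config"
}

# match_block_is_last FILE
# Returns 0 when FILE has exactly one Match line and nothing but indented or
# comment lines after it. A flush-left directive below a Match line would
# silently become part of that block instead of applying globally.
match_block_is_last() {
    awk '
        /^Match[ \t]/                 { seen++; next }
        seen && NF && $0 !~ /^[ \t#]/ { bad = 1 }
        END { if (seen == 1 && !bad) exit 0; exit 1 }
    ' "$1"
}

# effective_password_auth CONFIG USER
# Asks sshd (run as root, so it can read the host keys) what it would do for
# USER connecting from 127.0.0.1. Prints yes or no, or "unknown" when sshd is
# not installed on the machine running this script.
effective_password_auth() {
    command -v sshd >/dev/null 2>&1 || { echo unknown; return 0; }
    sshd -T -f "$1" -C "user=$2,host=localhost,addr=127.0.0.1" 2>/dev/null \
        | awk '$1 == "passwordauthentication" { print $2 }'
}

# Usage: write the file somewhere scratch, lint its layout, then ask sshd.
tmp=$(mktemp -d)
cfg=$(write_wheel_keyonly_config "$tmp")
match_block_is_last "$cfg" && echo "layout ok: Match block is last"
echo "password auth for root: $(effective_password_auth "$cfg" root)"
rm -rf "$tmp"
```

Before reloading, `sshd -t -f /path/to/sshd_config` catches syntax errors, and `sshd -T -C user=alice,host=h,addr=1.2.3.4` shows the settings a specific login would get, which is the check worth running for one wheel member and one non-member. If the OpenSSH in use predates Match, the thread's two-daemon layout is the fallback; in that case the instance that still accepts passwords is a second, weaker door on another port, so it should be reachable only from the trusted network, as zeek's DNAT-only-from-the-firewall arrangement does, rather than from everywhere port 22 is.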

