Dual Instance of SSH - CentOS and RHEL

This guide covers configuring two instances of sshd on a single server and binding each to a separate NIC/interface/Ethernet port. This is usually needed in DEV and PROD environments where you want additional security, separation of bandwidth, and limited access for DEV and PROD users.

For this guide, let's assume 2 instances of sshd running on 2 interfaces of a single server.

SSH config on interfaces:

  1. sshd      = for DEV users  = eth0 :
  2. sshd-prod = for PROD users = eth1 :

We will use the same default port for the 2nd SSH instance but bind it to the production interface (eth1), then create a copy of the daemon and its scripts renamed to "sshd-prod".

Make a copy of the sshd_config file (to be used by the second daemon):

# cp -a /etc/ssh/sshd_config /etc/ssh/sshd_prod_config

Edit the "/etc/ssh/sshd_prod_config" file, binding sshd-prod to the eth1 interface IP and pointing it to a different process ID file location:

PidFile /var/run/sshd-prod.pid

Make a symlink to the sshd binary and make a copy of the sshd init script:

# ln -s /usr/sbin/sshd /usr/sbin/sshd-prod
# cp /etc/rc.d/init.d/sshd /etc/rc.d/init.d/sshd-prod

Find the lines below in the "/etc/rc.d/init.d/sshd-prod" file and change them as follows:

# config: /etc/ssh/sshd_prod_config
# pidfile: /var/run/sshd-prod.pid
[ -f /etc/sysconfig/sshd-prod ] && . /etc/sysconfig/sshd-prod

Create the "/etc/sysconfig/sshd-prod" file with the following contents:

OPTIONS="-f /etc/ssh/sshd_prod_config"

Create a separate PAM configuration file for the new sshd-prod service:

# cp /etc/pam.d/sshd /etc/pam.d/sshd-prod

If SELinux is enabled, set the security context for the sshd-prod service:

# semanage fcontext -a -e /etc/init.d/sshd /etc/init.d/sshd-prod
# semanage fcontext -a -e /usr/sbin/sshd /usr/sbin/sshd-prod
# semanage fcontext -a -e /etc/ssh/sshd_config /etc/ssh/sshd_prod_config
# restorecon -v /etc/init.d/sshd-prod /usr/sbin/sshd-prod /etc/ssh/sshd_prod_config

Allow the required ports in iptables.

Restart the sshd service, start the newly created sshd-prod service, and use chkconfig to start sshd-prod on reboot:

# service sshd restart
# service sshd-prod start
# chkconfig --add sshd-prod

If you have "hosts.allow" configured, you will need to update it with sshd-prod and the IP.

For example, for access through the production interface, the entry in hosts.allow would be as follows:

sshd-prod :
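The two daemons only coexist if the second config differs from the first in PidFile (the init script uses the pid file to stop and restart, so a shared one means stopping the wrong daemon) and in what it listens on (a config without ListenAddress binds every interface, which on Linux blocks a second listener on the same port even for one specific address). The following check is an added example and not part of the original guide; it assumes nothing beyond the two config paths you pass in, and the addresses in demo_dual_sshd are constructed sample values.

```shell
#!/bin/sh
# Added example, not part of the original guide: sanity-check two sshd
# config files before starting the second daemon. Only the files passed in
# are read; the sample configs in demo_dual_sshd are constructed.

# Print the first effective value of a keyword in an sshd_config-style file.
# sshd uses the first occurrence of most keywords, and keywords are
# case-insensitive, so the comparison is lower-cased.
sshd_directive() {
    awk -v key="$2" '
        /^[[:space:]]*#/ || NF == 0 { next }
        tolower($1) == tolower(key) { print $2; exit }
    ' "$1"
}

# Print every ListenAddress value (sshd accumulates these rather than
# taking only the first one).
sshd_listen_addrs() {
    awk '
        /^[[:space:]]*#/ || NF == 0 { next }
        tolower($1) == "listenaddress" { print $2 }
    ' "$1" | sort -u
}

# check_dual_sshd DEV_CONFIG PROD_CONFIG
# Returns 0 when the two daemons can coexist: distinct PidFile values and
# no address:port claimed by both configs.
check_dual_sshd() {
    dev_cfg=$1
    prod_cfg=$2

    dev_pid=$(sshd_directive "$dev_cfg" PidFile)
    prod_pid=$(sshd_directive "$prod_cfg" PidFile)
    # Compiled-in default when the keyword is absent.
    [ -n "$dev_pid" ] || dev_pid=/var/run/sshd.pid
    [ -n "$prod_pid" ] || prod_pid=/var/run/sshd.pid
    if [ "$dev_pid" = "$prod_pid" ]; then
        echo "FAIL: both configs use PidFile $dev_pid" >&2
        return 1
    fi

    dev_port=$(sshd_directive "$dev_cfg" Port)
    prod_port=$(sshd_directive "$prod_cfg" Port)
    [ -n "$dev_port" ] || dev_port=22
    [ -n "$prod_port" ] || prod_port=22
    # Different ports can never collide, whatever the addresses.
    [ "$dev_port" = "$prod_port" ] || return 0

    dev_addrs=$(sshd_listen_addrs "$dev_cfg")
    prod_addrs=$(sshd_listen_addrs "$prod_cfg")
    # No ListenAddress means "bind every address", which on Linux blocks a
    # second listener on the same port even for a specific address.
    if [ -z "$dev_addrs" ] || [ -z "$prod_addrs" ]; then
        echo "FAIL: a config without ListenAddress binds all interfaces on port $dev_port" >&2
        return 1
    fi
    for a in $dev_addrs; do
        for b in $prod_addrs; do
            if [ "$a" = "$b" ]; then
                echo "FAIL: $a:$dev_port is claimed by both configs" >&2
                return 1
            fi
        done
    done
    return 0
}

# Constructed sample pair (RFC 5737 documentation addresses) mirroring the
# guide: both on port 22, each bound to its own interface address, separate
# pid files. Returns check_dual_sshd's status.
demo_dual_sshd() {
    dir=$(mktemp -d) || return 1
    printf 'ListenAddress 192.0.2.10\nPidFile /var/run/sshd.pid\n' > "$dir/sshd_config"
    printf 'ListenAddress 192.0.2.11\nPidFile /var/run/sshd-prod.pid\n' > "$dir/sshd_prod_config"
    check_dual_sshd "$dir/sshd_config" "$dir/sshd_prod_config"
    rc=$?
    rm -rf "$dir"
    return $rc
}
```

Run it as `check_dual_sshd /etc/ssh/sshd_config /etc/ssh/sshd_prod_config` after editing both files; it only compares the two configs, so pair it with `sshd -t -f /etc/ssh/sshd_prod_config`, which makes sshd itself parse the file and report syntax errors without starting.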
