Dual Instance of SSH - CentOS and RHEL

This guide is for configuring dual instances of ssh on a single server and bind them to seprate NIC's/Interfaces/Ethernet ports. Usually this is required in DEV and Prod environments wherein you need additional security and separation of bandwidth and keep DEV and Prod users access limited.

For this guide let’s assume 2 Instances of sshd running on 2 Interfaces of a single server.

SSH config on interfaces:

  1. sshd = For DEV Users                    = eth0 : 172.16.66.200
  2. sshd-prod = For PROD users       = eth1 : 172.16.66.201

We would use the same default port for 2nd SSH instance but bind that to the production interface (eth1) and then create and rename that to “sshd-prod”.

Make a copy of the sshd_config file (to be used by the second daemon)

# cp -a /etc/ssh/sshd_config /etc/ssh/sshd_prod_config 

Edit the "/etc/ssh/sshd_prod_config" file binding sshd_prod to eth1 Interface IP and to a different Process ID file location

ListenAddress 172.16.66.201 
PidFile /var/run/sshd-prod.pid 

Make a symlink to the sshd binary and make a copy of the sshd init script

# ln -s /usr/sbin/sshd /usr/sbin/sshd-prod 
# cp /etc/rc.d/init.d/sshd /etc/rc.d/init.d/sshd-prod 

Find the lines below in the "/etc/rc.d/init.d/sshd-prod" file and make the changes accordingly.

# config: /etc/ssh/sshd_prod_config
# pidfile: /var/run/sshd-prod.pid
[ -f /etc/sysconfig/sshd-prod ] && . /etc/sysconfig/sshd-prod
prog="sshd-prod"
SSHD=/usr/sbin/sshd-prod
PID_FILE=/var/run/sshd-prod.pid

Create the "/etc/sysconfig/sshd-prod" file with the following contents:

OPTIONS="-f /etc/ssh/sshd_config-prod"

Create a separate PAM configuration file for the new sshd-prod service.

# cp /etc/pam.d/sshd /etc/pam.d/sshd-prod

If SElinux is enabled, set the security context for the sshd-second service

# semanage fcontext -a -e /etc/init.d/sshd /etc/init.d/sshd-prod
# semanage fcontext -a -e /usr/sbin/sshd /usr/sbin/sshd-prod
# semanage fcontext -a -e /etc/ssh/sshd_config /etc/ssh/sshd_prod_config
# restorecon -v /etc/init.d/sshd-prod /usr/sbin/sshd-prod /etc/ssh/sshd_prod_config

Allow the required ports on iptables

Restart the sshd service and the newly created sshd-prod service, and use chkconfig to start the sshd-prod service on reboot.

# service sshd restart
# service sshd-prod start
# chkconfig --add sshd-prod

If you have got "hosts.allow" configured, you will need to update it with sshd-prod and the IP.

Ex. 10.0.10.10 through production interface. That would be as follows in hosts.allow

sshd-prod : 10.0.10.10

Linux Related Articles . . .