Dual Instance of SSH - CentOS and RHEL

This guide covers configuring two instances of sshd on a single server and binding them to separate NICs/interfaces/Ethernet ports. This is usually required in DEV and PROD environments where you need additional security, separation of bandwidth, and limited access for DEV and PROD users.

For this guide let’s assume 2 Instances of sshd running on 2 Interfaces of a single server.

SSH config on interfaces:

  1. sshd = For DEV Users                    = eth0 :
  2. sshd-prod = For PROD users       = eth1 :

We will use the same default port for the second SSH instance but bind it to the production interface (eth1), and name the new service “sshd-prod”.

Make a copy of the sshd_config file (to be used by the second daemon)

# cp -a /etc/ssh/sshd_config /etc/ssh/sshd_prod_config 

Edit the "/etc/ssh/sshd_prod_config" file, binding sshd-prod to the eth1 interface IP and setting a different process ID file location

PidFile /var/run/sshd-prod.pid 

Make a symlink to the sshd binary and make a copy of the sshd init script

# ln -s /usr/sbin/sshd /usr/sbin/sshd-prod 
# cp /etc/rc.d/init.d/sshd /etc/rc.d/init.d/sshd-prod 

Find the lines below in the "/etc/rc.d/init.d/sshd-prod" file and make the changes accordingly.

# config: /etc/ssh/sshd_prod_config
# pidfile: /var/run/sshd-prod.pid
[ -f /etc/sysconfig/sshd-prod ] && . /etc/sysconfig/sshd-prod

Create the "/etc/sysconfig/sshd-prod" file with the following contents:

OPTIONS="-f /etc/ssh/sshd_prod_config"

Create a separate PAM configuration file for the new sshd-prod service.

# cp /etc/pam.d/sshd /etc/pam.d/sshd-prod

If SELinux is enabled, set the security context for the sshd-prod service

# semanage fcontext -a -e /etc/init.d/sshd /etc/init.d/sshd-prod
# semanage fcontext -a -e /usr/sbin/sshd /usr/sbin/sshd-prod
# semanage fcontext -a -e /etc/ssh/sshd_config /etc/ssh/sshd_prod_config
# restorecon -v /etc/init.d/sshd-prod /usr/sbin/sshd-prod /etc/ssh/sshd_prod_config

Allow the required ports on iptables

Restart the sshd service and the newly created sshd-prod service, and use chkconfig to start the sshd-prod service on reboot.

# service sshd restart
# service sshd-prod start
# chkconfig --add sshd-prod

If you have "hosts.allow" configured, you will need to update it with sshd-prod and the IP.

For example, to allow access through the production interface, the entry in hosts.allow would be as follows:

sshd-prod :
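
An added example (not part of the original guide): a shell check that the two config files pin sshd to different addresses and PID files, since an instance with no ListenAddress listens on every interface and defeats the separation. The function names, sample file names and documentation-range IPs are constructed for illustration; it assumes whitespace-separated keywords and does not follow Include directives.

```shell
#!/bin/sh
# Print the value(s) of a keyword from an sshd config file.
# Keywords are case-insensitive; commented-out lines never match.
sshd_values() {  # $1 = config file, $2 = keyword
    awk -v k="$2" 'tolower($1) == tolower(k) { print $2 }' "$1"
}

# Fail if the file leaves sshd listening on every interface.
check_listen() {  # $1 = config file
    addrs=$(sshd_values "$1" ListenAddress)
    if [ -z "$addrs" ]; then
        echo "$1: no ListenAddress, sshd will bind every interface"; return 1
    fi
    for a in $addrs; do
        case "$a" in
            0.0.0.0|0.0.0.0:*|::|\[::\]*)
                echo "$1: wildcard ListenAddress $a"; return 1 ;;
        esac
    done
    return 0
}

# Fail if the two instances overlap on an address or share a PID file.
check_pair() {  # $1 = DEV config, $2 = PROD config
    rc=0
    check_listen "$1" || rc=1
    check_listen "$2" || rc=1
    for a in $(sshd_values "$1" ListenAddress); do
        if sshd_values "$2" ListenAddress | grep -qxF -- "$a"; then
            echo "both instances listen on $a"; rc=1
        fi
    done
    p1=$(sshd_values "$1" PidFile); p2=$(sshd_values "$2" PidFile)
    # Assumption: an unset PidFile falls back to /var/run/sshd.pid.
    [ "${p1:-/var/run/sshd.pid}" != "${p2:-/var/run/sshd.pid}" ] ||
        { echo "PidFile is shared"; rc=1; }
    return $rc
}

# Constructed sample configs (documentation-range IPs, not from the guide).
make_samples() {  # $1 = directory
    printf 'ListenAddress 192.0.2.10\n' > "$1/dev_ok"
    printf 'ListenAddress 198.51.100.10\nPidFile /var/run/sshd-prod.pid\n' > "$1/prod_ok"
    printf '#ListenAddress 0.0.0.0\n' > "$1/dev_default"
}
demo=$(mktemp -d) && make_samples "$demo"
check_pair "$demo/dev_ok" "$demo/prod_ok" && echo "separated"
check_pair "$demo/dev_default" "$demo/prod_ok" || echo "not separated"
rm -rf "$demo"
```

On a real host, run check_pair against /etc/ssh/sshd_config and /etc/ssh/sshd_prod_config before restarting either service.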
