Tuesday, January 06, 2009
Setup sshd to run a second instance
In order to lock down the servers like I prefer to, yet still allow FreeNX/NX to work, I have to setup a second copy of the sshd daemon. The FreeNX/NX client requires that you have sshd running with password access (not just public key), but we prefer to only allow public-key access to our servers.
I did the following on CentOS 5, it should also work for Fedora or Red Hat Enterprise Linux (RHEL). But proceed at your own risk.
1) Create a hard link to the sshd program. This allows us to distinguish it in the process list. It also makes sure that our cloned copy stays up to date as the sshd program is patched.
# ln /usr/sbin/sshd /usr/sbin/sshd_nx
2) Copy /etc/init.d/sshd to a new name
This is the startup / shutdown script for the base sshd daemon. Make a copy of this script:
# cp -p /etc/init.d/sshd /etc/init.d/sshd_nx
# vi /etc/init.d/sshd_nx
Change the following lines:
# processname: sshd_nx
# config: /etc/ssh/sshd_nx_config
# pidfile: /var/run/sshd_nx.pid
prog="sshd_nx"
SSHD=/usr/sbin/sshd_nx
PID_FILE=/var/run/sshd_nx.pid
OPTIONS="-f /etc/ssh/sshd_nx_config -o PidFile=${PID_FILE} ${OPTIONS}"
[ "$RETVAL" = 0 ] && touch /var/lock/subsys/sshd_nx
[ "$RETVAL" = 0 ] && rm -f /var/lock/subsys/sshd_nx
if [ -f /var/lock/subsys/sshd_nx ] ; then
Note: The OPTIONS= line is probably new and will have to be added right after the PID_FILE= line in the file. There are also multiple lines that reference /var/lock/subsys/sshd, you will need to change all of them.
3) Copy the old sshd configuration file.
# cp -p /etc/ssh/sshd_config /etc/ssh/sshd_nx_config
4) Edit the new sshd configuration file and make sure that it uses a different port number.
Port 28822
5) Clone the PAM configuration file.
# cp -p /etc/pam.d/sshd /etc/pam.d/sshd_nx
6) Set the new service to startup automatically.
# chkconfig --add sshd_nx
...
Test it out
# service sshd_nx start
# ssh -p 28222 username@localhost
Check for errors in the log file:
# tail -n 25 /var/log/secure
...
At this point, I would go back and change the secondary configuration to only listen on the localhost ports:
ListenAddress 127.0.0.1
ListenAddress ::1
...
References:
How to Add a New "sshd_adm" Service on Red Hat Advanced Server 2.1
How to install NX server and client under Ubuntu/Kubuntu Linux (revised)
I did the following on CentOS 5, it should also work for Fedora or Red Hat Enterprise Linux (RHEL). But proceed at your own risk.
1) Create a hard link to the sshd program. This allows us to distinguish it in the process list. It also makes sure that our cloned copy stays up to date as the sshd program is patched.
# ln /usr/sbin/sshd /usr/sbin/sshd_nx
2) Copy /etc/init.d/sshd to a new name
This is the startup / shutdown script for the base sshd daemon. Make a copy of this script:
# cp -p /etc/init.d/sshd /etc/init.d/sshd_nx
# vi /etc/init.d/sshd_nx
Change the following lines:
# processname: sshd_nx
# config: /etc/ssh/sshd_nx_config
# pidfile: /var/run/sshd_nx.pid
prog="sshd_nx"
SSHD=/usr/sbin/sshd_nx
PID_FILE=/var/run/sshd_nx.pid
OPTIONS="-f /etc/ssh/sshd_nx_config -o PidFile=${PID_FILE} ${OPTIONS}"
[ "$RETVAL" = 0 ] && touch /var/lock/subsys/sshd_nx
[ "$RETVAL" = 0 ] && rm -f /var/lock/subsys/sshd_nx
if [ -f /var/lock/subsys/sshd_nx ] ; then
Note: The OPTIONS= line is probably new and will have to be added right after the PID_FILE= line in the file. There are also multiple lines that reference /var/lock/subsys/sshd, you will need to change all of them.
3) Copy the old sshd configuration file.
# cp -p /etc/ssh/sshd_config /etc/ssh/sshd_nx_config
4) Edit the new sshd configuration file and make sure that it uses a different port number.
Port 28822
5) Clone the PAM configuration file.
# cp -p /etc/pam.d/sshd /etc/pam.d/sshd_nx
6) Set the new service to startup automatically.
# chkconfig --add sshd_nx
...
Test it out
# service sshd_nx start
# ssh -p 28222 username@localhost
Check for errors in the log file:
# tail -n 25 /var/log/secure
...
At this point, I would go back and change the secondary configuration to only listen on the localhost ports:
ListenAddress 127.0.0.1
ListenAddress ::1
...
References:
How to Add a New "sshd_adm" Service on Red Hat Advanced Server 2.1
How to install NX server and client under Ubuntu/Kubuntu Linux (revised)
Sections:
Recent posts:
Samba3: Upgrading to v3.2 on CentOS 5
LVM Maximum number of Physical Extents
Xen - Issues with Windows DomU client clocks
Update #1 to Current frustrations with Thunderbird...
Current frustrations with Thunderbird
Monthly archives:
2003/04
2003/05
2003/06
2003/07
2003/08
2003/09
2003/10
2003/11
2003/12
2004/01
2004/02
2004/03
2004/04
2004/05
2004/06
2004/07
2004/08
2004/09
2004/10
2004/11
2004/12
2005/01
2005/02
2005/03
2005/04
2005/05
2005/06
2005/07
2005/08
2005/09
2005/10
2005/11
2005/12
2006/01
2006/02
2006/03
2006/04
2006/05
2006/06
2006/07
2006/08
2006/09
2006/10
2006/11
2006/12
2007/01
2007/02
2007/03
2007/04
2007/05
2007/06
2007/07
2007/08
2007/12
2008/01
2008/03
2008/04
2008/05
2008/06
2008/07
2008/08
2008/09
2008/10
2008/11
2008/12
2009/01
2009/02
2009/03
2009/04
2009/05
2009/06
2009/07
2009/08
2009/09
2009/10
2009/11
2009/12
2010/06
Copyright 2003-2010, Thomas G. Harold, All Rights Reserved
