Hi all,
I'm wondering whether it is feasible or not to run two distinct sshd daemons with different config options!
I have a CentOS 4.4 gateway with 2 Ethernet interfaces. One is connected to the Internet and the other to the LAN.
Basically, what I would like to do is having a sshd that listens to the LAN interface with password enabled auth. and a sshd bound to the Internet interface with forced key auth. (no password auth. allowed).
I'm not sure that such a thing is possible using a single sshd_config file. What do you think would be the best way to do this? Is there someone here that already made a similar setup?
Thanks for any help / ideas.
Regards, Gilles.
It's possible. Try http://www.snailbook.com/faq/auth-source.auto.html
Cheers,
Mike
Gilles CHAUVIN wrote:
Hi all,
I'm wondering whether it is feasible or not to run two distinct sshd daemons with different config options!
We have done that using a chroot on different ports and it is extremely easy, but that might not be useful to you.
Gabriel
Gilles CHAUVIN wrote:
Hi all,
I'm wondering whether it is feasible or not to run two distinct sshd
You could also run it via xinetd
and in each xinetd entry "sshd-1 sshd-2" specify the config files to use with the -f option
for instance

    service ssh
    {
        # give each entry its own id (sshd-1, sshd-2) and bind it to the
        # address of the interface that instance should serve
        id             = sshd-1
        bind           = 0.0.0.0
        port           = 22
        socket_type    = stream
        protocol       = tcp
        user           = root
        # the binary goes in server, its options in server_args
        server         = /usr/sbin/sshd
        server_args    = -i -f <configfile>
        log_on_failure = ATTEMPT HOST
        wait           = no
        instances      = 5
        cps            = 2 30
    }
hth
On 10/31/06, Gilles CHAUVIN gcnweb@gmail.com wrote:
Hi all,
I'm wondering whether it is feasible or not to run two distinct sshd daemons with different config options!
You need 2 different sshd_config files for this. 2 ways to achieve this
a) in /etc/rc.d/rc.local
use sshd with the -f parameter, which means you pass another config file to it
b) creating another sshd daemon
i) copy /etc/init.d/sshd to /etc/init.d/sshd1
Change the settings where sshd appears to sshd1 or something else. For example see below; I have not pasted the whole file, just a few portions. I have changed a few settings like sshd to sshd1, adding the options file. You need to change all sshd to sshd1
    #!/bin/bash
    #
    # Init file for OpenSSH server daemon
    #
    # chkconfig: 2345 55 25
    # description: OpenSSH server daemon
    #
    # processname: sshd
    # config: /etc/ssh/ssh_host_key
    # config: /etc/ssh/ssh_host_key.pub
    # config: /etc/ssh/ssh_random_seed
    # config: /etc/ssh/sshd_config
    # pidfile: /var/run/sshd1.pid

    # source function library
    . /etc/rc.d/init.d/functions

    # pull in sysconfig settings
    [ -f /etc/sysconfig/sshd1 ] && . /etc/sysconfig/sshd1

    RETVAL=0
    prog="sshd1"

    # Some functions to make the below more readable
    KEYGEN=/usr/bin/ssh-keygen
    SSHD=/usr/sbin/sshd1
    RSA1_KEY=/etc/ssh/ssh_host_key
    RSA_KEY=/etc/ssh/ssh_host_rsa_key
    DSA_KEY=/etc/ssh/ssh_host_dsa_key
    PID_FILE=/var/run/sshd1.pid
    # second instance reads its own config file
    OPTIONS="-f /etc/ssh/sshd_config1"

    do_rsa1_keygen() {
        if [ ! -s $RSA1_KEY ]; then
            echo -n $"Generating SSH1 RSA host key: "
            if $KEYGEN -q -t rsa1 -f $RSA1_KEY -C '' -N '' >&/dev/null; then
                chmod 600 $RSA1_KEY
                chmod 644 $RSA1_KEY.pub
                if [ -x /sbin/restorecon ]; then
                    /sbin/restorecon $RSA1_KEY.pub
                fi
                success $"RSA1 key generation"
                echo
            else
                failure $"RSA1 key generation"
                echo
                exit 1
            fi
        fi
    }
ii) cp /usr/sbin/sshd /usr/sbin/sshd1
iii) cp /etc/pam.d/sshd /etc/pam.d/sshd1
iv) In the sshd_config1 file change the pid to sshd1, otherwise you will face problems
start sshd1
check the connections
netstat -atpn | grep ssh
you should see 2 ssh connections
If there is any problem add the port on which your second sshd daemon is running to the /etc/services file.
Regards
Ankush Grover
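A worked version of the two-config approach from the replies above, as an added example (not code from the thread): it writes the LAN and Internet-facing sshd_config files that the -f option in an init script or xinetd entry would point at, and checks that only the LAN file allows password logins. The interface addresses, ports and output directory are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread: generate the two sshd_config files for a
# LAN instance (passwords allowed) and an Internet-facing instance (keys only).
# The addresses, ports and output directory below are assumptions.
LAN_IP="${LAN_IP:-192.168.1.1}"        # assumed LAN interface address
WAN_IP="${WAN_IP:-203.0.113.10}"       # assumed Internet-facing address
OUT_DIR="${OUT_DIR:-/tmp/sshd-split}"  # assumed output directory

# write_sshd_config NAME LISTEN_IP PORT PASSWORD_AUTH
# Writes $OUT_DIR/sshd_config.NAME with its own PidFile so two daemons coexist.
write_sshd_config() {
    name=$1; ip=$2; port=$3; pw=$4
    mkdir -p "$OUT_DIR"
    cat > "$OUT_DIR/sshd_config.$name" <<EOF
# sshd_config.$name (generated example)
Port $port
ListenAddress $ip:$port
PidFile /var/run/sshd-$name.pid
HostKey /etc/ssh/ssh_host_rsa_key
PubkeyAuthentication yes
PasswordAuthentication $pw
# With UsePAM, keyboard-interactive can still prompt for a password,
# so it must be switched off together with PasswordAuthentication.
ChallengeResponseAuthentication $pw
UsePAM yes
PermitRootLogin no
EOF
}

# password_auth FILE -> prints the effective PasswordAuthentication value
# (sshd honours the first occurrence of a keyword, so stop at the first match)
password_auth() {
    awk 'tolower($1) == "passwordauthentication" { print $2; exit }' "$1"
}

# check_split_auth -> 0 only if LAN allows passwords and WAN refuses them
check_split_auth() {
    [ "$(password_auth "$OUT_DIR/sshd_config.lan")" = "yes" ] &&
    [ "$(password_auth "$OUT_DIR/sshd_config.wan")" = "no" ]
}

write_sshd_config lan "$LAN_IP" 22 yes
write_sshd_config wan "$WAN_IP" 22 no
check_split_auth && echo "split auth policy OK"

# Syntax-check each file before pointing an init script or xinetd at it with -f
if command -v sshd >/dev/null 2>&1; then
    for f in "$OUT_DIR"/sshd_config.*; do sshd -t -f "$f" && echo "$f: syntax OK"; done
fi
```

Run it as root if you want the `sshd -t` syntax check to load the host keys; the policy check itself needs no privileges.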