LinuxQuestions.org
Old 02-05-2010, 08:13 AM   #1
mattcauthon
LQ Newbie
 
Registered: Feb 2010
Location: Atlanta, GA
Distribution: Fedora Core 11
Posts: 2

Rep: Reputation: 0
Multiple SSH Daemons - FC11


Hey Guys,

Big fan.., love your work

Background:
For VNC over an ssh tunnel, I started allowing port 22 through my router to my home FC11 machine so I could vnc from work. I started noticing that people were probing for brute force access to ssh while looking through /var/log/secure. So I thought: why not set up a separate sshd daemon at a high-numbered port, and only forward outside traffic to that higher-port sshd, for which I would make a stricter sshd_config file. I turned off forwarding of 22, and made a rule for 44112. I found this article at fixunix.com to set up dual sshd and did the following.
http://fixunix.com/ssh/364505-runnin...ne-server.html

Code:
cp -p /etc/ssh/ssh_config /etc/ssh/external_ssh_config

cp -p /etc/ssh/sshd_config /etc/ssh/external_sshd_config
 then modified for different port and more strict logins.

cp -p /etc/rc.d/init.d/sshd /etc/rc.d/init.d/external_sshd
 then modified for all pointers to point to "external_sshd" - even pid file.

ln -s /usr/sbin/sshd /usr/sbin/external_sshd

ln -s /etc/pam.d/sshd /etc/pam.d/external_sshd

add OPTIONS="-f /etc/ssh/external_sshd_config" to /etc/sysconfig/external_sshd

chkconfig --add external_sshd

service external_sshd start

doing a
Quote:
ps -e | grep sshd
shows:

Code:
 1827 ?        00:00:01 sshd
23534 ?        00:00:00 external_sshd
However, when I try to connect to ssh from another (internal or external) computer just to test, as soon as I type in the password it says "connection closed".

doing

Quote:
tail -n 25 /var/log/secure
shows:
Code:
Feb  4 11:39:59 orion external_sshd[23536]: Accepted password for mevel from 192.168.1.3 port 64907 ssh2     
Feb  4 11:39:59 orion external_sshd[23536]: pam_selinux(external_sshd:session): conversation failed          
Feb  4 11:39:59 orion external_sshd[23536]: pam_selinux(external_sshd:session): No response to query: Would you like to enter a security context? [N]                                                                                                                 
Feb  4 11:39:59 orion external_sshd[23536]: pam_selinux(external_sshd:session): Unable to get valid context for devel              
Feb  4 11:39:59 orion external_sshd[23536]: pam_unix(external_sshd:session): session opened for user devel by (uid=0)              
Feb  4 11:39:59 orion external_sshd[23536]: error: PAM: pam_open_session(): Authentication failure                                 
Feb  4 11:39:59 orion external_sshd[23536]: error: ssh_selinux_setup_pty: security_compute_relabel: Invalid argument               
Feb  4 11:41:58 orion userhelper[23545]: pam_timestamp(system-config-selinux:session): updated timestamp file `/var/run/sudo/root/4'                                                                                                                                  
Feb  4 11:41:58 orion userhelper[23548]: running '/usr/share/system-config-selinux/system-config-selinux.py ' with root privileges on behalf of 'root'                                                                                                                
Feb  4 11:51:41 orion external_sshd[23570]: Accepted password for mevel from 192.168.1.3 port 64911 ssh2                           
Feb  4 11:51:41 orion external_sshd[23570]: pam_selinux(external_sshd:session): Open Session                                       
Feb  4 11:51:41 orion external_sshd[23570]: pam_selinux(external_sshd:session): conversation failed
Feb  4 11:51:41 orion external_sshd[23570]: pam_selinux(external_sshd:session): No response to query: Would you like to enter a security context? [N]
Feb  4 11:51:41 orion external_sshd[23570]: pam_selinux(external_sshd:session): Unable to get valid context for devel
Feb  4 11:51:41 orion external_sshd[23570]: pam_unix(external_sshd:session): session opened for user devel by (uid=0)
Feb  4 11:51:41 orion external_sshd[23570]: error: PAM: pam_open_session(): Authentication failure
Feb  4 11:51:41 orion external_sshd[23570]: error: ssh_selinux_setup_pty: security_compute_relabel: Invalid argument

It looks like pam_selinux yakks about the security context thing.
I don't understand though what the significance of security context is - or how to go about resolving this type of problem, so I thought I'd ask for help from the friendlies. Keep in mind that ssh-ing to the normal daemon on port 22 still works fine.

Am I going about this the wrong way? Is there a better solution to this situation?

Thanks in advance

Last edited by mattcauthon; 02-05-2010 at 08:29 AM. Reason: cleaning/clarifying
 
Old 02-05-2010, 08:17 AM   #2
mattcauthon
LQ Newbie
 
Registered: Feb 2010
Location: Atlanta, GA
Distribution: Fedora Core 11
Posts: 2

Original Poster
Rep: Reputation: 0
/etc/rc.d/init.d/sshd :

Code:
#!/bin/bash                           
#                                     
# sshd          Start up the OpenSSH server daemon
#                                                 
# chkconfig: 2345 55 25                           
# description: SSH is a protocol for secure remote shell access. \
#              This service starts up the OpenSSH server daemon.  
#                                                                 
# processname: sshd                                               
# config: /etc/ssh/ssh_host_key                                   
# config: /etc/ssh/ssh_host_key.pub                               
# config: /etc/ssh/ssh_random_seed                                
# config: /etc/ssh/sshd_config                                    
# pidfile: /var/run/sshd.pid                                      

### BEGIN INIT INFO
# Provides: sshd   
# Required-Start: $local_fs $network $syslog
# Required-Stop: $local_fs $syslog          
# Should-Start: $syslog                     
# Should-Stop: $network $syslog             
# Default-Start: 2 3 4 5                    
# Default-Stop: 0 1 6                       
# Short-Description: Start up the OpenSSH server daemon
# Description:       SSH is a protocol for secure remote shell access.
#                    This service starts up the OpenSSH server daemon.
### END INIT INFO                                                     

# source function library
. /etc/rc.d/init.d/functions

# pull in sysconfig settings
[ -f /etc/sysconfig/sshd ] && . /etc/sysconfig/sshd

RETVAL=0
prog="sshd"
lockfile=/var/lock/subsys/$prog

# Some functions to make the below more readable
KEYGEN=/usr/bin/ssh-keygen                      
SSHD=/usr/sbin/sshd                             
RSA1_KEY=/etc/ssh/ssh_host_key                  
RSA_KEY=/etc/ssh/ssh_host_rsa_key               
DSA_KEY=/etc/ssh/ssh_host_dsa_key               
PID_FILE=/var/run/sshd.pid                      

runlevel=$(set -- $(runlevel); eval "echo \$$#" )

do_rsa1_keygen() {
        if [ ! -s $RSA1_KEY ]; then
                echo -n $"Generating SSH1 RSA host key: "
                if $KEYGEN -q -t rsa1 -f $RSA1_KEY -C '' -N '' >&/dev/null; then
                        chmod 600 $RSA1_KEY                                     
                        chmod 644 $RSA1_KEY.pub                                 
                        if [ -x /sbin/restorecon ]; then                        
                            /sbin/restorecon $RSA1_KEY.pub                      
                        fi                                                      
                        success $"RSA1 key generation"                          
                        echo                                                    
                else                                                            
                        failure $"RSA1 key generation"                          
                        echo                                                    
                        exit 1                                                  
                fi                                                              
        fi                                                                      
}                                                                               

do_rsa_keygen() {
        if [ ! -s $RSA_KEY ]; then
                echo -n $"Generating SSH2 RSA host key: "
                if $KEYGEN -q -t rsa -f $RSA_KEY -C '' -N '' >&/dev/null; then
                        chmod 600 $RSA_KEY                                    
                        chmod 644 $RSA_KEY.pub                                
                        if [ -x /sbin/restorecon ]; then                      
                            /sbin/restorecon $RSA_KEY.pub                     
                        fi                                                    
                        success $"RSA key generation"                         
                        echo                                                  
                else                                                          
                        failure $"RSA key generation"                         
                        echo                                                  
                        exit 1                                                
                fi                                                            
        fi                                                                    
}                                                                             

do_dsa_keygen() {
        if [ ! -s $DSA_KEY ]; then
                echo -n $"Generating SSH2 DSA host key: "
                if $KEYGEN -q -t dsa -f $DSA_KEY -C '' -N '' >&/dev/null; then
                        chmod 600 $DSA_KEY                                    
                        chmod 644 $DSA_KEY.pub                                
                        if [ -x /sbin/restorecon ]; then                      
                            /sbin/restorecon $DSA_KEY.pub                     
                        fi                                                    
                        success $"DSA key generation"                         
                        echo                                                  
                else                                                          
                        failure $"DSA key generation"                         
                        echo                                                  
                        exit 1                                                
                fi                                                            
        fi                                                                    
}                                                                             

do_restart_sanity_check()
{                        
        $SSHD -t         
        RETVAL=$?        
        if [ ! "$RETVAL" = 0 ]; then
                failure $"Configuration file or keys are invalid"
                echo                                             
        fi                                                       
}                                                                

start()
{      
        [ -x $SSHD ] || exit 5
        [ -f /etc/ssh/sshd_config ] || exit 6
        # Create keys if necessary           
        if [ "x${AUTOCREATE_SERVER_KEYS}" != xNO ]; then
                do_rsa1_keygen                          
                do_rsa_keygen                           
                do_dsa_keygen                           
        fi                                              

        echo -n $"Starting $prog: "
        $SSHD $OPTIONS && success || failure
        RETVAL=$?                           
        [ "$RETVAL" = 0 ] && touch $lockfile
        echo                                
        return $RETVAL                      
}                                           

stop()
{     
        echo -n $"Stopping $prog: "
        if [ -n "`pidfileofproc $SSHD`" ] ; then
            killproc $SSHD                      
        else                                    
            failure $"Stopping $prog"           
        fi                                      
        RETVAL=$?                               
        # if we are in halt or reboot runlevel kill all running sessions
        # so the TCP connections are closed cleanly                     
        if [ "x$runlevel" = x0 -o "x$runlevel" = x6 ] ; then            
            trap '' TERM                                                
            killall $prog 2>/dev/null                                   
            trap TERM                                                   
        fi                                                              
        [ "$RETVAL" = 0 ] && rm -f $lockfile                            
        echo                                                            
}                                                                       

reload()
{       
        echo -n $"Reloading $prog: "
        if [ -n "`pidfileofproc $SSHD`" ] ; then
            killproc $SSHD -HUP                 
        else                                    
            failure $"Reloading $prog"          
        fi                                      
        RETVAL=$?                               
        echo                                    
}                                               

restart() {
        stop
        start
}            

force_reload() {
        restart 
}

rh_status() {
        status -p $PID_FILE openssh-daemon
}

rh_status_q() {
        rh_status >/dev/null 2>&1
}

case "$1" in
        start)
                rh_status_q && exit 0
                start
                ;;
        stop)
                rh_status_q || exit 0
                stop
                ;;
        restart)
                restart
                ;;
        reload)
                rh_status_q || exit 7
                reload
                ;;
        force-reload)
                force_reload
                ;;
        condrestart|try-restart)
                rh_status_q || exit 0
                if [ -f $lockfile ] ; then
                        do_restart_sanity_check
                        if [ "$RETVAL" = 0 ] ; then
                                stop
                                # avoid race
                                sleep 3
                                start
                        else
                                RETVAL=6
                        fi
                fi
                ;;
        status)
                rh_status
                RETVAL=$?
                ;;
        *)
                echo $"Usage: $0 {start|stop|restart|reload|force-reload|condrestart|try-restart|status}"
                RETVAL=2
esac
exit $RETVAL

/etc/rc.d/init.d/external_sshd :

Code:
#!/bin/bash                                                                                              
#                                                                                                        
# external_sshd         Start up the OpenSSH server daemon                                               
#                                                                                                        
# chkconfig: 2345 55 25                                                                                  
# description: SSH is a protocol for secure remote shell access. \                                       
#              This service starts up the OpenSSH server daemon.                                         
#                                                                                                        
# processname: external_sshd                                                                             
# config: /etc/ssh/ssh_host_key                                                                          
# config: /etc/ssh/ssh_host_key.pub                                                                      
# config: /etc/ssh/ssh_random_seed                                                                       
# config: /etc/ssh/external_sshd_config                                                                  
# pidfile: /var/run/external_sshd.pid                                                                    

### BEGIN INIT INFO
# Provides: external_sshd
# Required-Start: $local_fs $network $syslog
# Required-Stop: $local_fs $syslog          
# Should-Start: $syslog                     
# Should-Stop: $network $syslog             
# Default-Start: 2 3 4 5                    
# Default-Stop: 0 1 6                       
# Short-Description: Start up the OpenSSH server daemon
# Description:       SSH is a protocol for secure remote shell access.
#                    This service starts up the OpenSSH server daemon.
### END INIT INFO                                                     

# source function library
. /etc/rc.d/init.d/functions

# pull in sysconfig settings
[ -f /etc/sysconfig/external_sshd ] && . /etc/sysconfig/external_sshd

RETVAL=0
prog="external_sshd"
lockfile=/var/lock/subsys/$prog

# Some functions to make the below more readable
KEYGEN=/usr/bin/ssh-keygen                      
SSHD=/usr/sbin/external_sshd                    
RSA1_KEY=/etc/ssh/ssh_host_key                  
RSA_KEY=/etc/ssh/ssh_host_rsa_key               
DSA_KEY=/etc/ssh/ssh_host_dsa_key               
PID_FILE=/var/run/external_sshd.pid             

runlevel=$(set -- $(runlevel); eval "echo \$$#" )

do_rsa1_keygen() {
        if [ ! -s $RSA1_KEY ]; then
                echo -n $"Generating SSH1 RSA host key: "
                if $KEYGEN -q -t rsa1 -f $RSA1_KEY -C '' -N '' >&/dev/null; then
                        chmod 600 $RSA1_KEY                                     
                        chmod 644 $RSA1_KEY.pub                                 
                        if [ -x /sbin/restorecon ]; then                        
                            /sbin/restorecon $RSA1_KEY.pub                      
                        fi                                                      
                        success $"RSA1 key generation"                          
                        echo                                                    
                else                                                            
                        failure $"RSA1 key generation"                          
                        echo                                                    
                        exit 1                                                  
                fi                                                              
        fi                                                                      
}                                                                               

do_rsa_keygen() {
        if [ ! -s $RSA_KEY ]; then
                echo -n $"Generating SSH2 RSA host key: "
                if $KEYGEN -q -t rsa -f $RSA_KEY -C '' -N '' >&/dev/null; then
                        chmod 600 $RSA_KEY                                    
                        chmod 644 $RSA_KEY.pub                                
                        if [ -x /sbin/restorecon ]; then                      
                            /sbin/restorecon $RSA_KEY.pub                     
                        fi                                                    
                        success $"RSA key generation"                         
                        echo                                                  
                else                                                          
                        failure $"RSA key generation"                         
                        echo                                                  
                        exit 1                                                
                fi                                                            
        fi                                                                    
}                                                                             

do_dsa_keygen() {
        if [ ! -s $DSA_KEY ]; then
                echo -n $"Generating SSH2 DSA host key: "
                if $KEYGEN -q -t dsa -f $DSA_KEY -C '' -N '' >&/dev/null; then
                        chmod 600 $DSA_KEY                                    
                        chmod 644 $DSA_KEY.pub                                
                        if [ -x /sbin/restorecon ]; then                      
                            /sbin/restorecon $DSA_KEY.pub                     
                        fi                                                    
                        success $"DSA key generation"                         
                        echo                                                  
                else                                                          
                        failure $"DSA key generation"                         
                        echo                                                  
                        exit 1                                                
                fi                                                            
        fi                                                                    
}                                                                             

do_restart_sanity_check()
{                        
        $SSHD -t $OPTIONS   # pass -f from sysconfig so the external config is the one checked
        RETVAL=$?        
        if [ ! "$RETVAL" = 0 ]; then
                failure $"Configuration file or keys are invalid"
                echo                                             
        fi                                                       
}                                                                

start()
{      
        [ -x $SSHD ] || exit 5
        [ -f /etc/ssh/external_sshd_config ] || exit 6
        # Create keys if necessary                    
        if [ "x${AUTOCREATE_SERVER_KEYS}" != xNO ]; then
                do_rsa1_keygen                          
                do_rsa_keygen                           
                do_dsa_keygen                           
        fi                                              

        echo -n $"Starting $prog: "
        $SSHD $OPTIONS && success || failure
        RETVAL=$?                           
        [ "$RETVAL" = 0 ] && touch $lockfile
        echo                                
        return $RETVAL                      
}                                           

stop()
{     
        echo -n $"Stopping $prog: "
        if [ -n "`pidfileofproc $SSHD`" ] ; then
            killproc $SSHD                      
        else                                    
            failure $"Stopping $prog"           
        fi                                      
        RETVAL=$?                               
        # if we are in halt or reboot runlevel kill all running sessions
        # so the TCP connections are closed cleanly                     
        if [ "x$runlevel" = x0 -o "x$runlevel" = x6 ] ; then            
            trap '' TERM                                                
            killall $prog 2>/dev/null                                   
            trap TERM                                                   
        fi                                                              
        [ "$RETVAL" = 0 ] && rm -f $lockfile                            
        echo                                                            
}                                                                       

reload()
{       
        echo -n $"Reloading $prog: "
        if [ -n "`pidfileofproc $SSHD`" ] ; then
            killproc $SSHD -HUP                 
        else                                    
            failure $"Reloading $prog"          
        fi                                      
        RETVAL=$?                               
        echo                                    
}                                               

restart() {
        stop
        start
}            

force_reload() {
        restart 
}

rh_status() {
        status -p $PID_FILE openssh-daemon
}

rh_status_q() {
        rh_status >/dev/null 2>&1
}

case "$1" in
        start)
                rh_status_q && exit 0
                start
                ;;
        stop)
                rh_status_q || exit 0
                stop
                ;;
        restart)
                restart
                ;;
        reload)
                rh_status_q || exit 7
                reload
                ;;
        force-reload)
                force_reload
                ;;
        condrestart|try-restart)
                rh_status_q || exit 0
                if [ -f $lockfile ] ; then
                        do_restart_sanity_check
                        if [ "$RETVAL" = 0 ] ; then
                                stop
                                # avoid race
                                sleep 3
                                start
                        else
                                RETVAL=6
                        fi
                fi
                ;;
        status)
                rh_status
                RETVAL=$?
                ;;
        *)
                echo $"Usage: $0 {start|stop|restart|reload|force-reload|condrestart|try-restart|status}"
                RETVAL=2
esac
exit $RETVAL
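The part mattcauthon only summarizes ("modified for different port and more strict logins") is what the exposed instance depends on, so here is an added example, not the poster's code, that generates the external config from the stock file and writes the sysconfig OPTIONS line that "$SSHD $OPTIONS" in the init script consumes. Two details matter for the init scripts above: sshd_config takes the first value it sees for a keyword, so overrides have to come before the stock lines rather than be appended after them; and the external_sshd script checks /var/run/external_sshd.pid, a file that only exists if the config sets PidFile, because sshd otherwise writes /var/run/sshd.pid and the second instance would overwrite the stock daemon's pid file. The port 44112 and the pid path come from the thread; the user name devel, the particular hardening directives and the output paths are this example's own assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): generate the stricter config for the
# second, internet-facing sshd instance and the sysconfig line its init script
# reads. Assumptions: port 44112 and the pid path follow the thread; the
# hardening directives, the user list and the output paths are this example's.
set -eu

# Keywords the external instance overrides. sshd_config uses the FIRST value
# it sees for a keyword, so the overrides go at the top and the base file's
# active copies are dropped (commented lines are kept for reference).
OVERRIDE_NAMES="port pidfile permitrootlogin pubkeyauthentication \
passwordauthentication challengeresponseauthentication maxauthtries \
logingracetime loglevel allowusers"

# make_external_config BASE OUT PORT PIDFILE USERS
make_external_config() {
    base=$1 out=$2 port=$3 pidfile=$4 users=$5
    {
        echo "# --- external instance overrides (generated) ---"
        echo "Port $port"
        echo "PidFile $pidfile"             # must not collide with /var/run/sshd.pid
        echo "PermitRootLogin no"
        echo "PubkeyAuthentication yes"
        echo "PasswordAuthentication no"    # keys only on the exposed port
        echo "ChallengeResponseAuthentication no"
        echo "MaxAuthTries 3"
        echo "LoginGraceTime 30"
        echo "LogLevel VERBOSE"             # key fingerprints end up in /var/log/secure
        echo "AllowUsers $users"
        echo "# --- $base with the overridden keywords removed ---"
        awk -v names="$OVERRIDE_NAMES" '
            BEGIN { n = split(names, a, " "); for (i = 1; i <= n; i++) drop[a[i]] = 1 }
            (tolower($1) in drop) { next }
            { print }
        ' "$base"
    } > "$out"
}

# make_sysconfig OUT CONFIG: the init script sources OUT and runs "$SSHD $OPTIONS"
make_sysconfig() {
    printf 'OPTIONS="-f %s"\n' "$2" > "$1"
}

# directive_value FILE KEYWORD: the value sshd would use (first active match,
# stopping at the first Match block); keyword comparison is case-insensitive
directive_value() {
    k=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
    awk -v k="$k" '
        tolower($1) == "match" { exit }
        tolower($1) == k       { print $2; exit }
    ' "$1"
}

# Demo against a constructed stock file in a scratch directory
if [ "${1:-}" = "--demo" ]; then
    d=$(mktemp -d)
    printf '%s\n' '#Port 22' 'Port 22' 'PermitRootLogin yes' \
        'PasswordAuthentication yes' 'UsePAM yes' > "$d/sshd_config"   # constructed
    make_external_config "$d/sshd_config" "$d/external_sshd_config" \
        44112 /var/run/external_sshd.pid devel
    make_sysconfig "$d/external_sshd" "$d/external_sshd_config"
    cat "$d/external_sshd_config" "$d/external_sshd"
    echo "effective Port: $(directive_value "$d/external_sshd_config" Port)"
    rm -rf "$d"
fi
```

Run it with --demo to see the two generated files. On the real host, validate with sshd -t -f /etc/ssh/external_sshd_config before service external_sshd start: a bare $SSHD -t only checks whichever config it is handed, which is the stock one unless -f is on its command line.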
 
Old 02-05-2010, 12:01 PM   #3
anomie
Senior Member
 
Registered: Nov 2004
Location: Texas
Distribution: RHEL, Debian, FreeBSD
Posts: 3,755
Blog Entries: 5

Rep: Reputation: Disabled
Either shut off selinux or do (yes, this is excessive):
# restorecon -R /
 
Old 05-31-2010, 05:36 AM   #4
Per.Petersson
LQ Newbie
 
Registered: Feb 2006
Location: Sweden
Distribution: Fedora Core 4
Posts: 1

Rep: Reputation: 0
Hi,

This is part of my script setting up a second sshd for secure file transfer for a limited group of users.

Code:
# clone the init script, binary and config; the first and third copies are rewritten below
cp /etc/init.d/sshd /etc/init.d/sshd_FT
cp /usr/sbin/sshd /usr/sbin/sshd_FT
cp /etc/ssh/sshd_config /etc/ssh/sshd_FT_config
mkdir -p /var/empty/sshd_FT/etc

# init script: rename every sshd reference, then add the -f option right after PID_FILE
sed -e "s#sshd#sshd_FT#g" \
    -e "s?PID_FILE=/var/run/sshd_FT.pid?PID_FILE=/var/run/sshd_FT.pid\nOPTIONS=\"-f /etc/ssh/sshd_FT_config\"?g" \
    /etc/init.d/sshd > /etc/init.d/sshd_FT

# config: own port, PAM off, only the FTusers group may log in;
# PidFile is uncommented so it matches the PID_FILE the init script checks
sed -e "s#sshd#sshd_FT#g" \
    -e "s?#Port 22?Port 2221?g" \
    -e "s?UsePAM yes?UsePAM no?g" \
    -e "s?# Authentication:?# Authentication:\nAllowGroups FTusers?g" \
    -e "s?^#PidFile ?PidFile ?" \
    /etc/ssh/sshd_config > /etc/ssh/sshd_FT_config

# give the clones the SELinux context of the originals
chcon --reference=/etc/init.d/sshd /etc/init.d/sshd_FT
chcon --reference=/usr/sbin/sshd /usr/sbin/sshd_FT
chcon --reference=/etc/ssh/sshd_config /etc/ssh/sshd_FT_config

service sshd_FT start
chkconfig sshd_FT on

/bin/echo "FTusers:x:2221:FTusers" >> /etc/group


I then add the users to my group in /etc/group.


The thing that makes it possible to still run selinux is these lines:

chcon --reference=/etc/init.d/sshd /etc/init.d/sshd_FT
chcon --reference=/usr/sbin/sshd /usr/sbin/sshd_FT
chcon --reference=/etc/ssh/sshd_config /etc/ssh/sshd_FT_config



/ Per
 
Old 06-16-2010, 08:22 AM   #5
brightimage
LQ Newbie
 
Registered: Jun 2010
Distribution: RHEL5
Posts: 2

Rep: Reputation: 1
Fixed it for me too.

Great answer Per.

Fixed my problem too - the chcon was the solution I needed.

BTW - Instead of copying sshd, I created a symbolic link to it, so when I ran the chcon command I needed to add a -h option to get it to work on a link instead of the target.
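Per's chcon lines and brightimage's -h remark, carried through as an added example (not code from either poster). cp creates the clones with the default label for new files in the destination directory, not the original's label; a copy of the init script that is not initrc_exec_t does not take sshd into its confined sshd_t domain, which is consistent with the pam_selinux and security_compute_relabel errors in the first post. The script below copies each original's context onto its clone, records an fcontext rule so a later restorecon or full relabel does not undo the chcon, registers the non-standard port as ssh_port_t, and verifies the result. File names are Per's, the port is mattcauthon's 44112, and the semanage and stat usage is ordinary Fedora/RHEL targeted-policy administration rather than anything from the thread. Note also that Per's config sets UsePAM no, which sidesteps pam_selinux but also switches off every other PAM account and session check for that instance; brightimage's report that chcon alone fixed the problem suggests PAM can stay on once the labels are right.

```shell
#!/bin/sh
# Added example (not from the thread): give the cloned sshd files the labels
# of their originals, make that stick across relabels, register the listening
# port, and verify. File names follow Per's post, the port is mattcauthon's;
# the helpers run anywhere, the --apply path needs root on a SELinux host.
set -eu

# context_type 'user:role:type:level' -> 'type'
context_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# same_type CTX_A CTX_B: succeed when both contexts carry the same type
same_type() {
    [ "$(context_type "$1")" = "$(context_type "$2")" ]
}

# label_like REF CLONE: copy REF's context onto CLONE. -h labels a symlink
# itself instead of its target (brightimage's note); harmless on a plain file.
label_like() {
    chcon -h --reference="$1" "$2"
}

# persist_label REF CLONE: chcon is undone by the next restorecon or relabel,
# so record an fcontext rule giving CLONE the type of REF, then apply it.
persist_label() {
    type=$(context_type "$(stat -c %C "$1")")
    semanage fcontext -a -t "$type" "$2" 2>/dev/null \
        || semanage fcontext -m -t "$type" "$2"
    restorecon -v "$2"
}

# allow_ssh_port PORT: by default sshd_t may only bind ports labelled ssh_port_t
allow_ssh_port() {
    semanage port -a -t ssh_port_t -p tcp "$1" 2>/dev/null \
        || semanage port -m -t ssh_port_t -p tcp "$1"
}

# verify_pair REF CLONE: 0 when the on-disk types match, 1 otherwise
verify_pair() {
    ref=$(stat -c %C "$1"); clone=$(stat -c %C "$2")
    if same_type "$ref" "$clone"; then
        echo "ok       $2 ($(context_type "$clone"))"
    else
        echo "MISMATCH $2 is $clone, $1 is $ref"
        return 1
    fi
}

if [ "${1:-}" = "--apply" ] && command -v getenforce >/dev/null 2>&1; then
    for pair in "/usr/sbin/sshd /usr/sbin/sshd_FT" \
                "/etc/init.d/sshd /etc/init.d/sshd_FT" \
                "/etc/ssh/sshd_config /etc/ssh/sshd_FT_config"; do
        set -- $pair
        label_like "$1" "$2"
        persist_label "$1" "$2"
        verify_pair "$1" "$2"
    done
    allow_ssh_port 44112
    # the clone must run confined as sshd_t; an unconfined sshd is what leaves
    # pam_selinux unable to compute a session context
    ps -eZ | grep '[s]shd_FT' || echo "sshd_FT not running yet"
fi
```

After service sshd_FT start, the ps -eZ line should show the daemon in sshd_t; if it shows unconfined_t or initrc_t, the init script's label is still wrong and the pam_selinux errors from the first post will persist regardless of the config.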
 
  

