different authentication on different ports - how can I achieve this???
 

Hi,

I'm trying to work out how I can configure sshd (on Redhat linux) so that I can have different authentication on different ports. For example I'm trying to achieve the following:
* Port X - use PubkeyAuthentication (no ChallengeResponseAuthentication) - this port is open via the firewall (external access)
* Port Y - use only ChallengeResponseAuthentication - use only internally (i.e. port is blocked at firewall)

Q1 - Is there a way to achieve this within one sshd process / one configuration file? If so how would the config look?

Q2 - If not how could I achieve this? Run two separate sshd's? If yes can you give me a couple of pointers re how to do this please? (I'm on redhat linux) Also on this topic I'm wondering how the "service" command would fit in. Currently I can use "service sshd restart" to restart my existing sshd process. If I were to be running two I'm wondering what would need to be done so I could use the "service" command on each of them separately?

Thanks in advance
Greg

You can run as many sshd's as you want, each with their own configuration.

man sshd

will tell you how to specify a config file. You can have multiple config files. You will also find a -p option, or you can specify the listen address in sshd_config. Startup the second service with the first if you want by modifying the sshd startup script, or make a copy called sshd2 or something like that. Make the appropriate changes, and make the symlinks in the rc.d directories just like you see for sshd.

thanks - I see how you can specify the host file

any pointers re how to arrange so that both instances can be managed as a linux service, i.e. using "service sshd<num>"?

Just copy /etc/init.d/sshd to /etc/init.d/sshd2 and you'll be able to user service. Service is just a script in /sbin that essentially does this for you:

/etc/init.d/sshd cmd

where cmd is start, stop, restart, etc.

thanks - and I guess the fact it's in that directory implies it will be autostarted after a reboot?

PS I assume I'll have to modify the new sshd2 file to replace "sshd" with "sshd2"?

The auto-starting will occur IF you have the proper symbolic or hard links. See how sshd is current handled in each of the various /etc/init.d/rc.*/ directories. You will see S##sshd and K##sshd links; These are for Start and Kill. They are just links to the sshd script in /etc/init.d/rc.d. The ## are numbers, which indicate the relative order that the scripts startup. Just use the same numbers that are there for the *sshd script.

Yes, replace anything inside the sshd2 script that is specific to sshd. There shouldn't be much to it, as it should be parametrized from its own file name.

[delete - oops they are sym links]

any ideas whether I would need to duplicate the following?

(a) /var/empty/sshd2/etc directory?
(b) /var/lock/subsys/sshd2 ?

(a) is for chroot; just duplicate
(b) is lock file; just lets the startup scripts know it is already started. Change the "sshd" value in the end of the start() function to "sshd2".

first past attempt but some probs
 

getting closer, seem to be able to "service httpd_local start" ok, however I have issues with stopping and status. Note the "FAILED" and the "sshd_local dead but subsys locked". I'm wondering if I've got a bug in the stop script? Extract below & full file attached.

Note: As well as duplicating some directories for this script, I also copied the actual /usr/sbin/sshd to /usr/sbin/sshd_local as I was guessing (when I had one issue) perhaps this is what was required to allow the script to discover which process to stop, i.e. it seems to use $SSHD when doing the killproc no?


Console output
Full File

There is no need to make a copy of sshd itself - you can run a program as many times as you want by the same name. If other scripts or whatnot use the name of a process, just make a symlink or hard link to the program:

ln sshd sshd_local

I don't immediately see what is causing the /etc/init.d/rc.d/sshd_local script to complain. But first things first. Are able to start, stop, and use sshd_local from the command line, using the same command line arguments that the script would provide? Getting it to work manually first is important. Then, focus on fixing the script.

RedHat/Fedora start/stop scripts are not terribly accurate or robust in terms of the PASS/FAILED status.

no supported authentication mechanism
 

Hi MrC,

Good idea re trying directly first. I am actually getting a 'no authentication mechanism' error when using the new sshd_local. The only thing I have done in the config file different is:
a) change the port number
b) set ChallengeResponseAuthentication yes (as I wasn't planning to use the public certificate approach for this internal sshd)
c) comment out the following as I'm not using certificates
# PubkeyAuthentication yes
# AuthorizedKeysFile .ssh/authorized_keys

Q1 - Is there some step I need to take perhaps to initiate the new sshd_local such as create host certificates or anything? I'm not sure why where I enter my username/password current authentication isn't working. When I've made the same changes previously to my primary sshd configuration this always seemed to work re swapping from certificate based authentication to password based authentication.

Q2 - Any way to add more logging around why exactly authentication is not working.


sshd_config_local (not working)
sshd_config (working)

thanks again
Greg

A1) You should be able to share the certificates. I recall your /etc/init.d/sshd_local script used the same locatation as the originals. So no need to customize those.

A2) Launch sshd_locale with -D and with -d for debugging, add up to 2 more d's for more verbose debugging. Pay special attention to the paths, etc. to be sure they are what you expect. And start, on another terminal, ssh with one or more -v options for verbosity there too. You should be able to see sufficient diags. to determine what is going on.

You'll have to look at your login.conf file to see what requirements exist when using ChallengeResponseAuthentication. This may be the same as keyboard interactive, and may be implemented by PAM. Therefore, the file /etc/pam.d/sshd would control logins for your exising sshd; you may have to link /etc/pam.d/sshd to /etc/pam.d/sshd_local also.

Thanks MrC

It seems (based on initial tests) to be working! I created the link "ln sshd sshd_local". I did a find across "httpd" and I think it's duplicated now:

Hopefully I won't have to post again on this thread. Thanks heaps for all the help MrC

Regards
Greg