Sunday, November 15, 2009

Running Multiple SSD Daemons in Ubuntu

Introduction

There are times when running multiple sshd daemons makes sense. One of those times is when you have a server that has both a public/external interface and an private/internal interface. A LTSP server is a perfect example of this.

LTSP servers typically have an internal network that the thin clients are on and an external network that connects to the Internet. Often, the internal users are not using strong passphrases and allowing direct ssh connection from the Internet would put you system at risk.

The solution is to split up the sshd configuration by interface so you can use more secure settings for the public interface.

In this setup I also create a sshd daemon for localhost (127.0.0.1) as it is used for NOMACHINE's  nxServer and client.

Setup

Create custom files:
cp /etc/ssh/sshd_config /etc/ssh/sshd_config_internal
cp /etc/ssh/sshd_config /etc/ssh/sshd_config_localhost
cp /etc/init.d/ssh cp /etc/init.d/ssh_internal
cp /etc/init.d/ssh cp /etc/init.d/ssh_localhost
cp /etc/default/ssh /etc/default/ssh_internal
cp /etc/default/ssh /etc/default/ssh_localhost
cp /etc/ssh/ssh_host_rsa_key /etc/ssh/ssh_host_internal_rsa_key
cp /etc/ssh/ssh_host_rsa_key /etc/ssh/ssh_host_localhost_rsa_key
cp /etc/ssh/ssh_host_dsa_key /etc/ssh/ssh_host_internal_dsa_key
cp /etc/ssh/ssh_host_dsa_key /etc/ssh/ssh_host_localhost_dsa_key

Minimal Config File Changes
These minimum changes are required to simply make the three daemons configuration different enough to run.  Later you can make modifications to increase the security of the public interface.
Edit /etc/ssh/sshd_config
  1. Edit ListenAddress to make it the ip address of the public interface
  2. Add PidFile /var/run/sshd.pid
Edit /etc/ssh/sshd_config_internal
  1. Edit ListenAddress to make it the ip address of the private interface
  2. Add PidFile /var/run/sshd_internal.pid
  3. Edit HostKey /etc/ssh/ssh_host_internal_rsa_key
  4. Edit HostKey /etc/ssh/ssh_host_internal_dsa_key
Edit /etc/ssh/sshd_config_localhost
  1. Edit ListenAddress to make it 127.0.0.1
  2. Add PidFile /var/run/sshd_localhost.pid
  3. Edit HostKey /etc/ssh/ssh_host_localhost_rsa_key
  4. Edit HostKey /etc/ssh/ssh_host_localhost_dsa_key
Init Script Changes
Here, it is easier to modify one of the scripts first and then do a search and replace to create the second script but I will show all the changes:

Edit /etc/init.d/ssh_internal

sed -i 's/usr.sbin.sshd/usr\/sbin\/sshd_internal/g' ssh_internal_temp
sed -i 's/var.run.sshd/var\/run\/sshd_internal/g' ssh_internal_temp
sed -i 's/"sshd"/"sshd_internal"/g' ssh_internal_temp
sed -i 's/etc.default.ssh/etc\/default\/ssh_internal/g' ssh_internal_temp
sed -i 's/Provides:\t\tsshd/Provides:\t\tsshd_internal/g' ssh_internal_temp

Edit /etc/init.d/ssh_localhost

sed -i 's/usr.sbin.sshd/usr\/sbin\/sshd_localhost/g' ssh_localhost_temp
sed -i 's/var.run.sshd/var\/run\/sshd_localhost/g' ssh_localhost_temp
sed -i 's/"sshd"/"sshd_localhost"/g' ssh_localhost_temp
sed -i 's/etc.default.ssh/etc\/default\/ssh_localhost/g' ssh_localhost_temp
sed -i 's/Provides:\t\tsshd/Provides:\t\tsshd_localhost/g' ssh_localhost_temp

Note that there are no capital Vs in the above.  It is a backslash \ followed by a forwardslash / as in "\/"

Create links to sshd

ln -s /usr/sbin/sshd /usr/sbin/sshd_internal
ln -s /usr/sbin/sshd /usr/sbin/sshd_localhost

Set the new init scripts to start automatically
update-rc.d sshd_internal defaults
update-rc.d sshd_localhost defaults