# Setup a 2nd sshd instance for testing remote configurations



## leebrown66 (Sep 21, 2018)

Suppose you have a remote machine that you can `ssh` into.  You want to make some changes to the config, but making a mistake could lock you out of the box.  This is a technique for setting up a 2nd sshd instance and also how to configure it as a service.

*Standalone*
On the server enter `/usr/sbin/sshd -D -p 2222 -f your_new_config`
On the client enter `ssh -p 2222 your.server.name`

If you need to debug you can get messages:
On the server replace `-D` with `-d`; you can use up to three `-d` flags for increasing levels of verbosity.
On the client add `-v`, again up to three for more verbose output.

Once you are confident with the new configuration, simply replace /etc/ssh/sshd_config and restart sshd with `service sshd restart`.

*As a Service*
CAVEAT: This service expects the host keys to already be present.  That's normally taken care of when the regular sshd service starts for the first time.

Place your new config into /etc/ssh/sshd_alternate_config.
Ensure the following is in the new config file:

```
PidFile /var/run/sshd_alternate.pid
```
Place sshd_alternate in /etc/rc.d and make sure it's executable.
In /etc/rc.conf add the following lines:

```
sshd_alternate_enable="YES"
sshd_alternate_flags="-p 2222 -f /etc/ssh/sshd_alternate_config"
```
Start up the new instance `service sshd_alternate start`
Test the configuration from a 2nd console on your workstation:
`ssh -p 2222 your.server.name`

You can get debug with:
`ssh -v -p 2222 your.server.name` from the workstation.  Add more `-v` as needed.
On the server end, stop the service with `service sshd_alternate stop`, then run it in the foreground with `sshd -d -p 2222 -f /etc/ssh/sshd_alternate_config`.

If you decide to replace /etc/ssh/sshd_config with /etc/ssh/sshd_alternate_config, make sure you comment out the line

```
PidFile /var/run/sshd_alternate.pid
```

sshd_alternate

```
#!/bin/sh

# PROVIDE: sshd_alternate
# REQUIRE: LOGIN FILESYSTEMS
# KEYWORD: shutdown

. /etc/rc.subr

name="sshd_alternate"
desc="Secure Shell Daemon (Alternate)"
rcvar="sshd_alternate_enable"
command="/usr/sbin/sshd"
start_precmd="sshd_alternate_precmd"
reload_precmd="sshd_alternate_configtest"
restart_precmd="sshd_alternate_configtest"
configtest_cmd="sshd_alternate_configtest"
# Must match the PidFile set in /etc/ssh/sshd_alternate_config.
pidfile="/var/run/${name}.pid"
extra_commands="configtest reload"

# rc.subr appends sshd_alternate_flags from /etc/rc.conf to ${command},
# so the same "-p 2222 -f ..." flags are used here for the -t check.
sshd_alternate_configtest()
{
    echo "Performing sanity check on ${name} configuration."
    eval ${command} ${sshd_alternate_flags} -t
}

# Refuse to start if the alternate config does not pass sshd -t.
sshd_alternate_precmd()
{
    run_rc_command configtest
}

load_rc_config $name
run_rc_command "$1"
```
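Two helper functions around the procedure above, added here as an example and not part of the original post: `sshd_alt_check` confirms that an alternate config can run beside the main daemon (its own PidFile, and a port that differs, reading `-p` from the `sshd_alternate_flags` string since it overrides `Port` in the file), and `sshd_alt_promote` writes the tested config to the main path with the `PidFile` line commented out, as the post requires before replacing /etc/ssh/sshd_config. File paths are arguments so the helpers can be tried on scratch copies; the main daemon is assumed to take its port from its own config (default 22), and nothing here restarts sshd.

```shell
#!/bin/sh
# Added example, not from the original post. Helpers for checking an
# alternate sshd_config before starting a second instance, and for
# promoting it to the main config path afterwards.

# Value of a keyword; the first occurrence wins, as it does for sshd.
sshd_conf_get() {
    awk -v key="$2" 'tolower($1) == tolower(key) { print $2; exit }' "$1"
}

# Port the alternate instance will actually use: -p in the flags
# string ($2) if present, otherwise Port from its config ($1), else 22.
sshd_alt_port() {
    port=$(printf '%s\n' "$2" | sed -n 's/.*-p *\([0-9][0-9]*\).*/\1/p')
    [ -n "$port" ] || port=$(sshd_conf_get "$1" Port)
    echo "${port:-22}"
}

# $1 main config, $2 alternate config, $3 sshd_alternate_flags.
# Exit status 0 when the two instances can coexist; reason on stdout.
sshd_alt_check() {
    main_pid=$(sshd_conf_get "$1" PidFile)
    main_port=$(sshd_conf_get "$1" Port)
    alt_pid=$(sshd_conf_get "$2" PidFile)
    alt_port=$(sshd_alt_port "$2" "$3")
    if [ -z "$alt_pid" ] || [ "$alt_pid" = "${main_pid:-/var/run/sshd.pid}" ]; then
        echo "alternate config needs its own PidFile"
        return 1
    fi
    if [ "$alt_port" = "${main_port:-22}" ]; then
        echo "alternate instance would use port $alt_port, same as main sshd"
        return 1
    fi
    echo "ok: alternate on port $alt_port, pidfile $alt_pid"
}

# $1 tested alternate config, $2 destination (normally /etc/ssh/sshd_config).
# Comments out PidFile so the promoted config falls back to the default
# pid file that the stock sshd rc script watches.
sshd_alt_promote() {
    sed 's/^[[:space:]]*\([Pp]id[Ff]ile[[:space:]].*\)$/# \1/' "$1" > "$2"
}
```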


----------



## John Watson (Sep 27, 2018)

I prefer a cronjob that checks my ssh and firewall for issues every five minutes. If the cronjob finds any issues it will load a barebones "safe" config.


----------

