# Running two sshd instances - pid file not created for 2nd instance



## freethread (Nov 2, 2012)

Actually I'm far from home and changed SSH access to my home server:


Changed default SSH port
Removed login as root
Created public/private RSA keys and changed login mode (no interactive console login, keys only)

It works as expected, but when I back home I want to access it from local LAN with interactive console, as root at default port (22). To do that I thought to create another SSHd service and called it *sshd_local*, thats what I've done:


Duplicated /etc/ssh/sshd_config in /etc/ssh/sshd_local_config
Duplicated /etc/rc.d/sshd in /etc/rc.d/sshd_local
Added *sshd_local_enable="YES"* in /etc/rc.conf
Created the shell script /usr/sbin/sshd_local that starts sshd with custom parameters

The configuration file /etc/ssh/sshd_local_config is the default one, except I enabled root access.

The /etc/rc.d/sshd_local file is modified as follow

```
[B]/etc/rc.d/sshd[/B]                     | [B]/etc/rc.d/sshd_local[/B]
-----------------------------------+-----------------------------------
# PROVIDE: sshd                    | [color="DarkOrange"]# PROVIDE: sshd_local[/color]
# REQUIRE: LOGIN cleanvar          | # REQUIRE: LOGIN cleanvar
# KEYWORD: shutdown                | # KEYWORD: shutdown
                                   |
. /etc/rc.subr                     | . /etc/rc.subr
                                   |
name="sshd"                        | [color="darkorange"]name="sshd_local"[/color]
rcvar=`set_rcvar`                  | rcvar=`set_rcvar`
command="/usr/sbin/${name}"        | command="/usr/sbin/${name}"
keygen_cmd="sshd_keygen"           | keygen_cmd="sshd_keygen"
start_precmd="sshd_precmd"         | start_precmd="sshd_precmd"
pidfile="/var/run/${name}.pid"     | pidfile="/var/run/${name}.pid"
extra_commands="keygen reload"     | extra_commands="keygen reload"
```

The content of /usr/sbin/sshd_local

```
#! /bin/sh
/usr/sbin/sshd -f /etc/ssh/sshd_local_config $*
```

I started the new service with the command
`# service sshd_local start`
and it starts, but no pid file was created in /var/run/, so executing
`# service sshd_local status`
says the service is down (not started) but it's present in process list and it works, i.e. I can access locally as root. Also the remote sshd sevice works.

What is wrong with my configuration? Thanks in advance for your replies.


----------



## iddqd (Nov 4, 2012)

Just configure it to listen on multiple ports. Something like

```
ListenAddress *:1234
ListenAddress 192.168.1.1:22
```
in sshd_config. Where 192.168.1.1 is your internal IP address. Consult `man sshd_config` for more information.


----------



## bbzz (Nov 4, 2012)

Make *ssh* listen only on 127.0.0.1. Then use *pf* to redirect to it however you like.

As for root access only on specific ports, I think you can specify in _AllowUsers_ option or even /etc/pam.d/sshd.

What's the reason for direct root access anyway?


----------



## break19 (Nov 4, 2012)

Now that someone else has given you ideas on how to do what you want, let me tell you why your way did not work:


```
# PROVIDE: sshd_local
...
name="sshd_local"
...
command="/usr/sbin/${name}"
```

Now.. expand the $name variable..
that makes command ='/usr/sbin/sshd_local'  which... does not exist.

Now, you should be able to see your mistake, and how to correct it.. hint: hardcode 'command=/usr/sbin/sshd' into the rc file. 

Chuck


----------



## freethread (Nov 4, 2012)

mmmh, I'm not sure if I understood all your advices, however I made something in the while.

The day after the new configuration, the system e-mail "Security run output" show me this:

```
alpha login failures:
Nov  2 15:11:19 alpha sshd[44842]: error: Bind to port 22 on :: failed: Address already in use.
Nov  2 15:11:19 alpha sshd[44842]: error: Bind to port 22 on 0.0.0.0 failed: Address already in use.
```

I do not know if it refers to local sshd (on standard port) or the other one, however I modified the remote (WAN) sshd as follows:


```
#Port 22
Port 12345
#AddressFamily any
#ListenAddress 0.0.0.0
#ListenAddress ::
AddressFamily inet
ListenAddress 192.168.50.1
```

the lines

```
#ListenAddress 0.0.0.0
#ListenAddress ::
```
was originally commented, I explicitly specified binding protocol and address, however the new e-mails still advise me the same message.

Asking the system (logged as root) all the sshd processes it states:

```
# ps -a -x | grep 'sshd'
 1348  ??  Is      0:00.03 /usr/sbin/sshd -f /etc/ssh/sshd_local_config
 1355  ??  Is      0:00.01 /usr/sbin/sshd
 9374  ??  Ss      0:01.39 sshd: root@pts/0 (sshd)
 9464   0  R+      0:00.00 grep sshd
```

The last line is the grep itself, the line before the last one is my local LAN remote login (I'm logged in as root from another machine but in the same LAN).

------------------------------------------------------------------

*@iddqd*
You are saying I can bind multiple ports and addresses with the same sshd instance? Ok, it should be of some intrest, but the login mode will be the same for both local and remote.

Actually for remote (WAN) remote access I created an user with public RSA key in file $HOME/.ssh/authorized_keys2. I can only access with that user if I have private key.
For local (LAN) remote access I have no restrictions.

*@bbzz*
I have not much time to play with pf and pam and more I do not have pf enabled and never read about pam (= I'm total newbie about that), however I will think about them and try to play with them on a VM.

Why I want local (LAN) remote access using root? That LAN segment is protected from the rest of the LAN and from Internet and I'm the only one user that access that server (and know how to play with a non Windows machine).

*@break19*
I created /usr/sbin/sshd_local before reboot machine with the new configuration and as of ps output shows, it's running. What I don't see is the pid file

```
pidfile="/var/run/${name}.pid"
```
it should be expanded as

```
pidfile="/var/run/sshd_local.pid"
```

------------------------------------------------------------------

Actually the two instances works but /var/run/sshd_local.pid is not created, I'll leave it that way by now.

Many thanks for your replies, I don't know when I will return on this, this is my last day at home and it's better I will not try to make changes remotely or I will loose connection if I make a mistake.


----------



## bbzz (Nov 4, 2012)

Yeah but, can you not login as a normal user and escalate to root? What's the point of having to login directly as root?

Seems the whole issue revolves around having another *ssh* instance (a nonsense) only to allow a root login (close to a nonsense). 

Otherwise, just do what I said, listen on loopback and redirect to it using your firewall. What firewall are you using?


----------



## freethread (Nov 4, 2012)

bbzz said:
			
		

> Yeah but, can you not login as a normal user and escalate to root? What's the point of having to login directly as root?
> 
> Seems the whole issue revolves around having another *ssh* instance (a nonsense) only to allow a root login (close to a nonsense).



Well, the main difference is a RSA keys, single user WAN access vs. any user name/password LAN access. I can remove the root access, but differences still remain. I have scripts running on another machine that access the server with scp (PuTTY pscp and plink) as root, they are on the same LAN segment. If I remove root access I have to escalate to root in some way inside that scripts. In october I was far from home and that scripts was stopped because of the WAN configuration (RSA keys + single user access), now I restarted them with this new SSH configuration (WAN + LAN). I cannot run them as non root.



			
				bbzz said:
			
		

> Otherwise, just do what I said, listen on loopback and redirect to it using your firewall. What firewall are you using?



I use a very simple router/firewall (Netgear) on the segment with the WAN SSH port open (and others but not port 22). The router/firewall cannot permit port redirections, if I open port 22 it redirects on port 22 at the desired host or host range.

But...
this configuration (WAN + LAN) works. The only thing that doesn't works is the pid file of the sshd_local daemon that is not created. Also, there is an inaccuracy in my last post: with this modification

```
AddressFamily inet
ListenAddress 192.168.50.1
```
on the WAN sshd, there are no more warnings about loopback bindings in system e-mail "Security run output".


----------



## BlueCoder (Jul 8, 2015)

I'm considering doing the same thing on my firewall. On the internet connection I want public key only. On the local LAN I want to be able to login with a password. I change stuff, setup new installations and install VM's often on the local network so I don't have public keys installed yet. Having password access makes it easier to copy/install the new public key onto the machine.


----------



## junovitch@ (Jul 9, 2015)

BlueCoder said:


> I'm considering doing the same thing on my firewall. On the internet connection I want public key only. On the local LAN I want to be able to login with a password. I change stuff, setup new installations and install VM's often on the local network so I don't have public keys installed yet. Having password access makes it easier to copy/install the new public key onto the machine.



Using a Match block in your sshd_config(5) may be more effective to solve this problem.  See `man sshd_config | less -p Match`.


----------



## freethread (Jul 9, 2015)

I no more have this configuration, thanks for this advice anyway. I had a very fast look at the man page, but understood nothing. I will read it with more attention.


----------

