How to configure multiple instances of sshd in RHEL 5 or 6?
Environment
- Red Hat Enterprise Linux (RHEL) 5
- Red Hat Enterprise Linux 6
- openssh-server
Issue
How to configure multiple instances of sshd in Red Hat Enterprise Linux 5 or 6? Is that supported?
Resolution
This resolution applies to Red Hat Enterprise Linux 5 and 6 only. To run multiple instances of sshd on RHEL 7, see the separate solution that describes the same procedure for RHEL 7.
Disclaimer: writing an init script for the second instance is outside the scope of this solution; what is given below is only an example.
Running multiple instances of sshd on RHEL 5/6 is supported. Follow the steps below to configure a second instance of the sshd daemon.
1. Make a copy of the sshd_config file, to be used by the second daemon:
~~~
# cp /etc/ssh/sshd_config /etc/ssh/sshd_config-second
~~~
2. Edit the /etc/ssh/sshd_config-second file to assign a different port number and PID file. Make sure this port is not in use by any other service.
~~~
Port 5222
PidFile /var/run/sshd-second.pid
~~~
3. Make a symlink to the sshd binary (see RHBZ #826720):
~~~
# ln -s /usr/sbin/sshd /usr/sbin/sshd-second
~~~
4. Make a copy of the sshd init script:
~~~
# cp /etc/rc.d/init.d/sshd /etc/rc.d/init.d/sshd-second
~~~
5. Find the lines below in the /etc/rc.d/init.d/sshd-second file and change them accordingly:
~~~
# config: /etc/ssh/sshd_config-second
# pidfile: /var/run/sshd-second.pid
[ -f /etc/sysconfig/sshd-second ] && . /etc/sysconfig/sshd-second
prog="sshd-second"
SSHD=/usr/sbin/sshd-second
PID_FILE=/var/run/sshd-second.pid
[ -f /etc/ssh/sshd_config-second ] || exit 6
~~~
6. Create the /etc/sysconfig/sshd-second file with the following contents:
~~~
OPTIONS="-f /etc/ssh/sshd_config-second"
~~~
7. Create a separate PAM configuration file for the new sshd-second service:
~~~
# cp /etc/pam.d/sshd /etc/pam.d/sshd-second
~~~
8. If SELinux is enabled on a RHEL 6 system, set the security context for the sshd-second service:
~~~
# semanage fcontext -a -e /etc/init.d/sshd /etc/init.d/sshd-second
# semanage fcontext -a -e /usr/sbin/sshd /usr/sbin/sshd-second
# semanage fcontext -a -e /etc/ssh/sshd_config /etc/ssh/sshd_config-second
# restorecon -v /etc/init.d/sshd-second /usr/sbin/sshd-second /etc/ssh/sshd_config-second
~~~
8a. If SELinux is enabled on a RHEL 5 system, use the chcon command instead of semanage to change the context:
~~~
# chcon --reference=/etc/init.d/sshd /etc/init.d/sshd-second
# chcon --reference=/usr/sbin/sshd /usr/sbin/sshd-second
# chcon --reference=/etc/ssh/sshd_config /etc/ssh/sshd_config-second
~~~
8b. If you need to use semanage on a RHEL 5 system, you can use the following commands to set the context:
~~~
# semanage fcontext -a -t initrc_exec_t /etc/init.d/sshd-second
# semanage fcontext -a -t sshd_exec_t /usr/sbin/sshd-second
# semanage fcontext -a -t etc_t /etc/ssh/sshd_config-second
# restorecon -v /etc/init.d/sshd-second /usr/sbin/sshd-second /etc/ssh/sshd_config-second
~~~
9. If the iptables firewall is enabled, insert a rule in the INPUT chain to open the port for the sshd-second service. In this example, the rule should be inserted at slot 9, before the reject-with icmp-host-prohibited line. (The system-config-firewall GUI tool can make this step easier on RHEL 6.)
~~~
# iptables -L --line-numbers
Chain INPUT (policy ACCEPT)
num  target     prot opt source               destination
...
8    ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:ssh
9    REJECT     all  --  anywhere             anywhere            reject-with icmp-host-prohibited
...
# iptables -I INPUT 9 -m state --state NEW -m tcp -p tcp --dport 5222 -j ACCEPT
~~~
10. Restart the sshd service, start the newly created sshd-second service, and use chkconfig to start the sshd-second service on reboot:
~~~
# service sshd restart
# service sshd-second start
# chkconfig --add sshd-second
~~~
11. On the client, specify the port number with the -p option to connect to the sshd-second daemon:
~~~
# ssh user1@ipaddress -p 5222
~~~
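The staging script below is an added example; it is not part of the Red Hat solution or of openssh-server. It assumes POSIX sh with awk and sed, writes into a scratch directory (the hypothetical $STAGE) rather than /etc, and works on constructed sample files: a cut-down sshd_config and an iptables -L INPUT --line-numbers listing shaped like the one in step 9. It derives the second config as step 2 describes, writes the sysconfig file from step 6, checks that the two instances do not share a port or PID file, and computes the firewall slot from the REJECT line for step 9.

```shell
#!/bin/sh
# Added example; not part of the Red Hat solution. Stages the files from
# steps 2, 6 and 9 in a scratch directory and checks them before anything is
# copied into /etc. Paths under $STAGE are hypothetical; the sample
# sshd_config and iptables listing below are constructed, not captured.
set -e

# Constructed stand-in for the stock /etc/ssh/sshd_config (relevant lines only).
write_sample_config() {
    cat > "$1" <<'EOF'
#Port 22
#PidFile /var/run/sshd.pid
Protocol 2
SyslogFacility AUTHPRIV
PasswordAuthentication yes
UsePAM yes
EOF
}

# Constructed stand-in for `iptables -L INPUT --line-numbers` output.
write_sample_iptables() {
    cat > "$1" <<'EOF'
Chain INPUT (policy ACCEPT)
num  target     prot opt source               destination
8    ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:ssh
9    REJECT     all  --  anywhere             anywhere            reject-with icmp-host-prohibited
EOF
}

# Effective Port and PidFile of a config: the last uncommented directive wins,
# otherwise sshd's defaults apply (22 and /var/run/sshd.pid).
effective_port() {
    awk 'tolower($1) == "port" { p = $2 } END { print (p == "" ? "22" : p) }' "$1"
}
effective_pidfile() {
    awk 'tolower($1) == "pidfile" { p = $2 } END { print (p == "" ? "/var/run/sshd.pid" : p) }' "$1"
}

# Step 2 as a script: copy the first config, drop any Port/PidFile lines
# (commented or not) and append the second instance's values.
make_second_config() {
    src=$1 dst=$2 port=$3 pidfile=$4
    sed -e '/^[[:space:]]*#\{0,1\}[[:space:]]*[Pp]ort[[:space:]]/d' \
        -e '/^[[:space:]]*#\{0,1\}[[:space:]]*[Pp]id[Ff]ile[[:space:]]/d' "$src" > "$dst"
    printf 'Port %s\nPidFile %s\n' "$port" "$pidfile" >> "$dst"
}

# Step 6: the sysconfig file that tells the init script which config to load.
write_sysconfig() {
    printf 'OPTIONS="-f %s"\n' "$2" > "$1"
}

# Two instances must not share a listening port or a PID file; succeeds only
# when both differ.
check_no_conflict() {
    [ "$(effective_port "$1")" != "$(effective_port "$2")" ] &&
    [ "$(effective_pidfile "$1")" != "$(effective_pidfile "$2")" ]
}

# Step 9: the slot is the line number of the catch-all REJECT rule, so the
# new ACCEPT rule is inserted ahead of it.
reject_slot() {
    awk '$2 == "REJECT" && /icmp-host-prohibited/ { print $1; exit }' "$1"
}
firewall_rule() {
    printf 'iptables -I INPUT %s -m state --state NEW -m tcp -p tcp --dport %s -j ACCEPT\n' "$2" "$1"
}

main() {
    STAGE=${STAGE:-$(mktemp -d)}
    write_sample_config "$STAGE/sshd_config"
    make_second_config "$STAGE/sshd_config" "$STAGE/sshd_config-second" 5222 /var/run/sshd-second.pid
    write_sysconfig "$STAGE/sysconfig-sshd-second" /etc/ssh/sshd_config-second
    write_sample_iptables "$STAGE/iptables.txt"
    if check_no_conflict "$STAGE/sshd_config" "$STAGE/sshd_config-second"; then
        echo "staged in $STAGE: port $(effective_port "$STAGE/sshd_config-second"), pidfile $(effective_pidfile "$STAGE/sshd_config-second")"
        echo "firewall: $(firewall_rule 5222 "$(reject_slot "$STAGE/iptables.txt")")"
    else
        echo "second instance conflicts with the first; not staging" >&2
        return 1
    fi
}
main
```

Run it with no arguments to stage into a fresh mktemp directory, review the generated files, and then copy them to the paths given in the steps above. The conflict check only compares the two configs with each other; whether port 5222 is actually free on the host still has to be confirmed against the services running there, as step 2 requires.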
This solution is part of Red Hat’s fast-track publication program, providing a huge library of solutions that Red Hat engineers have created while supporting our customers. To give you the knowledge you need the instant it becomes available, these articles may be presented in a raw and unedited form.