How to configure multiple instances of sshd in RHEL 7 or 8?

Environment

  • Red Hat Enterprise Linux 7
  • Red Hat Enterprise Linux 8
  • openssh-server

Issue

How to configure multiple instances of sshd in Red Hat Enterprise Linux 7 or 8? Is that supported?

Resolution

This resolution applies to Red Hat Enterprise Linux 7 or 8. To run multiple instances of sshd on RHEL 5 or RHEL 6, see "How to configure multiple instances of sshd in RHEL 5 or 6?", which describes the same procedure for those RHEL versions.

Running multiple instances of sshd on RHEL 7 or 8 is supported. Follow the steps below to configure a second instance of sshd:

  1. Make a copy of the sshd_config file (to be used by the second daemon).

    # cp /etc/ssh/sshd{,-second}_config
    #
    
  2. Edit sshd-second_config to assign a different port number, using the Port keyword. See sshd_config(5) for documentation on this keyword. Make sure the port is not in use by any other service.

    Port 22220
    
  3. Make a copy of the systemd unit file for the sshd service.

    # cp /usr/lib/systemd/system/sshd.service  /etc/systemd/system/sshd-second.service   
    #
    
  4. Alter /etc/systemd/system/sshd-second.service in the following way:

    • Modify Description

      Description=OpenSSH server second instance daemon
      
    • Add the -f /etc/ssh/sshd-second_config option to sshd, so that the alternative configuration file is used

      ExecStart=/usr/sbin/sshd -D -f /etc/ssh/sshd-second_config $OPTIONS
      

      Note: The ExecStart line may differ, depending on the RHEL sub-release. Keep the rest of the line as is.

  5. If using SELinux, add the port for the second instance of sshd to the SSH ports; otherwise the second instance of sshd will not be allowed to bind to the port:

    # yum -y install policycoreutils-python
    # semanage port -a -t ssh_port_t -p tcp 22220
    #
    
  6. Run a reload so that systemd can pick up the changes:

    # systemctl daemon-reload
    #
    
  7. Start sshd-second.service and enable the service, so that it starts automatically upon boot:

    # systemctl enable sshd-second.service --now
    Created symlink from /etc/systemd/system/multi-user.target.wants/sshd-second.service to /etc/systemd/system/sshd-second.service.
    # 
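
The file edits from steps 1, 2 and 4, as an added shell example that is not part of the original article. The function names are assumptions and the sample file contents are constructed; both functions write only to the destination you name, so the result can be reviewed before it is copied into /etc.

```shell
#!/bin/bash
# Added example (not from the article): function names are assumptions.

# Copy an sshd_config so that it listens only on PORT. Active Port lines are
# dropped (sshd listens on every one it reads); commented ones are kept.
make_second_config() {  # usage: make_second_config SRC DST PORT
    case $3 in ''|*[!0-9]*) echo "invalid port: $3" >&2; return 2 ;; esac
    [ "$3" -ge 1 ] && [ "$3" -le 65535 ] || { echo "invalid port: $3" >&2; return 2; }
    awk -v port="$3" 'BEGIN { print "Port " port }
                      tolower($1) != "port" { print }' "$1" > "$2"
}

# Copy sshd.service so that sshd reads CONF. Only Description and the text
# right after "sshd -D" change; the rest of ExecStart is kept as is.
# Returns 1 when ExecStart has no "sshd -D" to anchor on.
make_second_unit() {  # usage: make_second_unit SRC DST CONF
    sed -E \
        -e 's#^Description=.*#Description=OpenSSH server second instance daemon#' \
        -e "s#^(ExecStart=[^[:space:]]*sshd -D)([[:space:]].*)?\$#\1 -f $3\2#" \
        "$1" > "$2"
    grep -Fq " -f $3" "$2" || {
        echo "ExecStart not recognised in $1; edit $2 by hand" >&2; return 1; }
}

demo() {  # constructed sample inputs, written to a scratch directory
    d=$(mktemp -d) || return
    printf '%s\n' '#Port 22' 'Port 22' 'PermitRootLogin no' > "$d/sshd_config"
    printf '%s\n' '[Unit]' 'Description=OpenSSH server daemon' '[Service]' \
        'ExecStart=/usr/sbin/sshd -D $OPTIONS $CRYPTO_POLICY' > "$d/sshd.service"
    make_second_config "$d/sshd_config" "$d/sshd-second_config" 22220 &&
    make_second_unit "$d/sshd.service" "$d/sshd-second.service" \
        /etc/ssh/sshd-second_config &&
    cat "$d/sshd-second_config" "$d/sshd-second.service"
    rm -rf "$d"
}
demo
```

Leaving an active Port 22 line in the copied file would make the second daemon try to bind port 22 as well, which is why the copy is rewritten instead of appended to.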
    

Diagnostic Steps

Use systemctl to check whether the second sshd instance has started:

# systemctl status sshd-second.service
sshd-second.service - OpenSSH server second instance daemon
   Loaded: loaded (/etc/systemd/system/sshd-second.service; enabled)
   Active: active (running) since Mon 2014-08-18 12:58:25 CEST; 1s ago
 Main PID: 4799 (sshd)
   CGroup: /system.slice/sshd-second.service
           `-4799 /usr/sbin/sshd -D -f /etc/ssh/sshd-second_config

Aug 18 12:58:25 server systemd[1]: Starting OpenSSH server second instance daemon...
Aug 18 12:58:25 server systemd[1]: Started OpenSSH server second instance daemon.
Aug 18 12:58:25 server sshd[4799]: Server listening on 0.0.0.0 port 22220.
Aug 18 12:58:25 server sshd[4799]: Server listening on :: port 22220.
# 

Users can log in from a client using the -p option of ssh:

$ ssh -p 22220 user@server

If a firewall is in use, make sure it is configured to allow connections to the second instance of sshd.
