How to run multiple sshd instances on a Raspberry Pi
Why you may need this
There are several use cases; the most common is running two SSH servers with different configurations on different ports: one for the local network that is less restrictive (all users allowed, password authentication, and so on), and a second, locked-down one for reaching your Pi from the internet via port forwarding on your router. The security of this setup rests on the router forwarding only the restricted port: unless you set ListenAddress, both daemons bind to every interface, so the permissive instance stays unreachable from outside only because port 22 is never forwarded.
How to build
To do this we create a second systemd service, modelled on the standard ssh service but running as a separate process with its own configuration file and its own PID file.
Make a copy of sshd_config
```sh
$ cd /etc/ssh
$ sudo cp sshd_config sshd-outside_config
```
Use the editor of your choice (I use Nano) and make the desired changes to the new configuration file. The lines that matter sit between the #-------- markers: a different Port, a different PidFile, and the authentication restrictions. The HostKey lines are deliberately left alone so both instances present the same host identity; clients connecting on either port see the same fingerprint.
```
# Package generated configuration file
# See the sshd_config(5) manpage for details

# What ports, IPs and protocols we listen for
#--------
# OUR NEW INSTANCE OF SSHD MUST LISTEN ON A PORT DIFFERENT FROM THE DEFAULT (22).
# Port is cumulative in sshd_config, so do not leave a second "Port 22" line here.
Port NNNN
#--------
# Use these options to restrict which interfaces/protocols sshd will bind to
#ListenAddress ::
#ListenAddress 0.0.0.0
# (Protocol, KeyRegenerationInterval, ServerKeyBits, RSAAuthentication and
# RhostsRSAAuthentication are SSH-1 era options; OpenSSH 7.4 and later ignore
# them with a "Deprecated option" warning, and 7.5 does the same for
# UsePrivilegeSeparation. They are harmless but can be removed.)
Protocol 2
# HostKeys for protocol version 2
HostKey /etc/ssh/ssh_host_rsa_key
HostKey /etc/ssh/ssh_host_dsa_key
HostKey /etc/ssh/ssh_host_ecdsa_key
HostKey /etc/ssh/ssh_host_ed25519_key
#Privilege Separation is turned on for security
UsePrivilegeSeparation yes
#--------
# OUR NEW INSTANCE MUST(!!!) HAVE A DIFFERENT PID FILE.
# The same path goes into PIDFile= in the systemd unit.
PidFile /var/run/sshd-outside.pid
#--------

# Lifetime and size of ephemeral version 1 server key
KeyRegenerationInterval 3600
ServerKeyBits 1024

# Logging
SyslogFacility AUTH
LogLevel INFO

# Authentication:
#--------
# These settings refuse root login and enable key-based authentication
LoginGraceTime 120
PermitRootLogin no
StrictModes yes
RSAAuthentication yes
PubkeyAuthentication yes
#--------
#AuthorizedKeysFile	%h/.ssh/authorized_keys

# Don't read the user's ~/.rhosts and ~/.shosts files
IgnoreRhosts yes
# For this to work you will also need host keys in /etc/ssh_known_hosts
RhostsRSAAuthentication no
# similar for protocol version 2
HostbasedAuthentication no
# Uncomment if you don't trust ~/.ssh/known_hosts for RhostsRSAAuthentication
#IgnoreUserKnownHosts yes

# To enable empty passwords, change to yes (NOT RECOMMENDED)
PermitEmptyPasswords no

# Change to yes to enable challenge-response passwords (beware issues with
# some PAM modules and threads)
ChallengeResponseAuthentication no

# Change to no to disable tunnelled clear text passwords
#--------
# This refuses password authentication; only keys are accepted on this port
PasswordAuthentication no
#--------

# Kerberos options
#KerberosAuthentication no
#KerberosGetAFSToken no
#KerberosOrLocalPasswd yes
#KerberosTicketCleanup yes

# GSSAPI options
#GSSAPIAuthentication no
#GSSAPICleanupCredentials yes

X11Forwarding yes
X11DisplayOffset 10
PrintMotd no
PrintLastLog yes
TCPKeepAlive yes
#UseLogin no

#MaxStartups 10:30:60
#Banner /etc/issue.net

# Allow client to pass locale environment variables
AcceptEnv LANG LC_*

Subsystem sftp /usr/lib/openssh/sftp-server

# Set this to 'yes' to enable PAM authentication, account processing,
# and session processing. If this is enabled, PAM authentication will
# be allowed through the ChallengeResponseAuthentication and
# PasswordAuthentication. Depending on your PAM configuration,
# PAM authentication via ChallengeResponseAuthentication may bypass
# the setting of "PermitRootLogin without-password".
# If you just want the PAM account and session checks to run without
# PAM authentication, then enable this but set PasswordAuthentication
# and ChallengeResponseAuthentication to 'no'.
UsePAM yes
```
Make a copy of ssh.service
ssh.service is the standard SSH server unit. We create a copy of it with a few modifications so the second sshd runs as a separate service. The post keeps the copy next to the original in /lib/systemd/system; locally created units conventionally live in /etc/systemd/system instead, and either location works for the steps below.
```sh
$ cd /lib/systemd/system
$ sudo cp ssh.service ssh-outside.service
```
Now edit ssh-outside.service so the new instance uses its own config and PID file. Three lines change: PIDFile, the -f flag in ExecStart, and Alias. The PIDFile path must be exactly the PidFile path set in sshd-outside_config.
```
[Unit]
Description=OpenBSD Secure Shell server (outside instance)
After=network.target auditd.service
ConditionPathExists=!/etc/ssh/sshd_not_to_be_run

[Service]
EnvironmentFile=-/etc/default/ssh
PIDFile=/var/run/sshd-outside.pid
ExecStart=/usr/sbin/sshd -D -f /etc/ssh/sshd-outside_config $SSHD_OPTS
ExecReload=/bin/kill -HUP $MAINPID
KillMode=process
Restart=on-failure

[Install]
WantedBy=multi-user.target
Alias=sshd-outside.service
```
Save all your work.
Install the service and reboot
```sh
$ sudo systemctl enable ssh-outside.service
Created symlink from /etc/systemd/system/sshd-outside.service to /lib/systemd/system/ssh-outside.service.
Created symlink from /etc/systemd/system/multi-user.target.wants/ssh-outside.service to /lib/systemd/system/ssh-outside.service.
$ sudo reboot
```
A reboot is not strictly required: `sudo systemctl daemon-reload` followed by `sudo systemctl start ssh-outside.service` brings the second instance up immediately, and the stock instance on port 22 keeps running throughout.
Test
After the reboot you should be able to connect both to the default port 22 (with a password) and to the port NNNN specified in your config file (only with keys properly set up). Check this article if you have trouble configuring SSH keys. Verify the key-only behaviour explicitly: a connection to port NNNN with `-o PubkeyAuthentication=no` must be refused with "Permission denied (publickey)" rather than a password prompt.
```sh
$ ssh user@raspberrypi -p NNNN
```
If you cannot connect on the alternative port, connect on port 22 and troubleshoot from there. Start with `sudo sshd -t -f /etc/ssh/sshd-outside_config`, which reports syntax errors and unreadable host keys without starting anything, then check the status of the new service (and `sudo journalctl -u ssh-outside.service` for its log):
```sh
$ sudo systemctl status ssh-outside.service
```
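The whole procedure above as one script, an added example that is not from the original post: it derives sshd-outside_config from the stock sshd_config instead of hand-editing a copy, writes the unit to /etc/systemd/system, validates the config with `sshd -t` before systemd touches it, and confirms the listener. The port 2222 (the post's NNNN), the PID file /run/sshd-outside.pid (/var/run is a symlink to /run on current Debian) and the helper names are assumptions of this example.

```shell
#!/bin/sh
# Added example, not code from the original post. Assumes Debian/Raspbian paths
# (/etc/ssh, /usr/sbin/sshd, /etc/default/ssh), a hypothetical port 2222 where
# the post says NNNN, and the PID file /run/sshd-outside.pid.
set -eu

OUTSIDE_PORT="${OUTSIDE_PORT:-2222}"
OUTSIDE_PIDFILE="${OUTSIDE_PIDFILE:-/run/sshd-outside.pid}"
OUTSIDE_CONFIG=/etc/ssh/sshd-outside_config
OUTSIDE_UNIT=/etc/systemd/system/ssh-outside.service

# Directives the internet-facing instance pins. Port and PidFile are mandatory
# for any second instance; the rest is the hardening the post applies, plus
# X11Forwarding off since nothing from the internet should drive a display.
outside_overrides() {
    printf '%s\n' \
        "Port $OUTSIDE_PORT" \
        "PidFile $OUTSIDE_PIDFILE" \
        "PermitRootLogin no" \
        "PubkeyAuthentication yes" \
        "PasswordAuthentication no" \
        "ChallengeResponseAuthentication no" \
        "PermitEmptyPasswords no" \
        "X11Forwarding no"
}

# render_outside_config: read a base sshd_config on stdin, write the derived
# config on stdout. Every line that sets a pinned keyword, commented out or
# not, is dropped and the override is emitted at the top instead. Emitting
# first matters because sshd honours the first occurrence of a keyword;
# dropping matters because Port is cumulative, so a leftover "Port 22" would
# make the hardened instance listen on 22 as well.
render_outside_config() {
    OVERRIDES="$(outside_overrides)" awk '
        BEGIN {
            n = split(ENVIRON["OVERRIDES"], ov, "\n")
            for (i = 1; i <= n; i++) {
                if (ov[i] == "") continue
                split(ov[i], kv, " ")
                pinned[tolower(kv[1])] = 1
                print ov[i]
            }
            print "# ---- base configuration follows; pinned keywords above were removed ----"
        }
        {
            line = $0
            sub(/^[ \t]*#?[ \t]*/, "", line)      # ignore indentation and a leading "#"
            split(line, kv, /[ \t=]+/)
            if (tolower(kv[1]) in pinned) next
            print
        }'
}

# install_outside_sshd: the post's procedure end to end. Run as root.
install_outside_sshd() {
    render_outside_config < /etc/ssh/sshd_config > "$OUTSIDE_CONFIG"
    # Validate before systemd ever sees the file: -t checks syntax and host
    # keys, -f selects our file instead of the default sshd_config.
    /usr/sbin/sshd -t -f "$OUTSIDE_CONFIG"

    # PIDFile here must equal the PidFile directive inside the config.
    cat > "$OUTSIDE_UNIT" <<EOF
[Unit]
Description=OpenBSD Secure Shell server (internet-facing instance)
After=network.target auditd.service
ConditionPathExists=!/etc/ssh/sshd_not_to_be_run

[Service]
EnvironmentFile=-/etc/default/ssh
PIDFile=$OUTSIDE_PIDFILE
ExecStart=/usr/sbin/sshd -D -f $OUTSIDE_CONFIG \$SSHD_OPTS
ExecReload=/bin/kill -HUP \$MAINPID
KillMode=process
Restart=on-failure

[Install]
WantedBy=multi-user.target
EOF
    systemctl daemon-reload
    systemctl enable ssh-outside.service
    systemctl start ssh-outside.service

    # Both daemons should now be listening: stock sshd on 22, ours on the new port.
    ss -tln | awk -v p=":$OUTSIDE_PORT" '$4 ~ p"$" { found = 1 } END { exit !found }'
    echo "ssh-outside is listening on port $OUTSIDE_PORT"
}

case "${1:-}" in
    install) install_outside_sshd ;;
    render)  render_outside_config ;;   # e.g. ./sshd-outside.sh render < /etc/ssh/sshd_config
    *)       ;;
esac
```

Run `sudo ./sshd-outside.sh install` on the Pi, or `./sshd-outside.sh render < /etc/ssh/sshd_config` anywhere to inspect the derived config first. The render step drops matching lines inside any existing Match block too, which is what you want for an instance whose whole point is that no block can re-enable passwords.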
If everything works, set up port forwarding on your router for port NNNN only, leaving 22 unforwarded, and you can reach your Raspberry Pi from the outside world in a much more secure manner: key-only authentication and no root login on the exposed port.