Tuesday, January 06, 2009

Set up sshd to run a second instance

In order to lock down the servers the way I prefer, yet still allow FreeNX/NX to work, I have to set up a second copy of the sshd daemon. The FreeNX/NX client requires that sshd be running with password authentication enabled (not just public key), but we prefer to allow only public-key access to our servers.

I did the following on CentOS 5; it should also work for Fedora or Red Hat Enterprise Linux (RHEL), but proceed at your own risk.

1) Create a hard link to the sshd program. This lets us distinguish the second instance in the process list, and it keeps our cloned copy up to date as the sshd program is patched.

# ln /usr/sbin/sshd /usr/sbin/sshd_nx

2) Copy /etc/init.d/sshd to a new name

This is the startup / shutdown script for the base sshd daemon. Make a copy of this script:

# cp -p /etc/init.d/sshd /etc/init.d/sshd_nx
# vi /etc/init.d/sshd_nx

Change the following lines:

# processname: sshd_nx
# config: /etc/ssh/sshd_nx_config
# pidfile: /var/run/sshd_nx.pid
prog="sshd_nx"
SSHD=/usr/sbin/sshd_nx
PID_FILE=/var/run/sshd_nx.pid
OPTIONS="-f /etc/ssh/sshd_nx_config -o PidFile=${PID_FILE} ${OPTIONS}"
[ "$RETVAL" = 0 ] && touch /var/lock/subsys/sshd_nx
[ "$RETVAL" = 0 ] && rm -f /var/lock/subsys/sshd_nx
if [ -f /var/lock/subsys/sshd_nx ] ; then

Note: The OPTIONS= line is probably new and will have to be added right after the PID_FILE= line in the file. There are also multiple lines that reference /var/lock/subsys/sshd; you will need to change all of them.

3) Copy the old sshd configuration file.

# cp -p /etc/ssh/sshd_config /etc/ssh/sshd_nx_config

4) Edit the new sshd configuration file and make sure that it uses a different port number.

Port 28822

5) Clone the PAM configuration file.

# cp -p /etc/pam.d/sshd /etc/pam.d/sshd_nx

6) Set the new service to start automatically at boot.

# chkconfig --add sshd_nx

...

Test it out

# service sshd_nx start
# ssh -p 28222 username@localhost

Check for errors in the log file:

# tail -n 25 /var/log/secure

...

At this point, I would go back and change the secondary configuration to listen only on the localhost addresses:

ListenAddress 127.0.0.1
ListenAddress ::1
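As an added example that is not part of the original post, here is a small POSIX shell script that derives the secondary config (steps 3 and 4 plus the localhost-only ListenAddress change) from the existing sshd_config and then checks that the two daemons cannot collide on a port, that the secondary binds loopback only, and that the primary still refuses password logins. The function names, the scratch-file usage and the port 28822 from step 4 are assumptions of this example; the paths are parameters so it can be rehearsed on copies before touching /etc/ssh.

```sh
#!/bin/sh
# Added example, not from the original post: derive the secondary
# sshd_nx_config from an existing sshd_config, then check the
# invariants the two-daemon setup depends on. Paths are parameters,
# so it can be rehearsed on scratch copies before touching /etc/ssh.
# Keyword matching is case-sensitive and ignores Match blocks.

# ports FILE: print every active Port value, or sshd's default 22
ports() { awk '$1=="Port"{print $2; n++} END{if(!n) print 22}' "$1"; }

# make_nx_config SRC DST PORT
# Copy SRC to DST minus any active Port/ListenAddress/
# PasswordAuthentication/PidFile lines, then append the secondary
# instance's own port, loopback-only listeners and password login.
make_nx_config() {
    [ -r "$1" ] || { echo "cannot read $1"; return 1; }
    grep -Ev '^[[:space:]]*(Port|ListenAddress|PasswordAuthentication|PidFile)[[:space:]]' \
        "$1" > "$2" || true   # grep exits 1 when nothing survives, which is fine
    printf '\n# secondary sshd_nx instance\nPort %s\nListenAddress 127.0.0.1\n' "$3" >> "$2"
    printf 'ListenAddress ::1\nPasswordAuthentication yes\nPidFile /var/run/sshd_nx.pid\n' >> "$2"
}

# check_nx_config PRIMARY SECONDARY
# Returns 0 if the ports differ, the secondary binds loopback only, and
# the primary still refuses passwords; otherwise prints why and returns 1.
check_nx_config() {
    for p in $(ports "$1"); do
        for s in $(ports "$2"); do
            [ "$p" = "$s" ] && { echo "port $p used by both instances"; return 1; }
        done
    done
    # total ListenAddress lines, and how many of them are not loopback
    n=$(awk '$1=="ListenAddress"{t++; if($2!="127.0.0.1" && $2!="::1") b++}
             END{print t+0, b+0}' "$2")
    [ "${n%% *}" -gt 0 ] || { echo "secondary has no ListenAddress: would bind all interfaces"; return 1; }
    [ "${n##* }" -eq 0 ] || { echo "secondary listens on a non-loopback address"; return 1; }
    # sshd uses the first value it finds for a keyword
    awk '$1=="PasswordAuthentication" && !s {v=$2; s=1} END{exit v!="no"}' "$1" \
        || { echo "primary still accepts password authentication"; return 1; }
    return 0
}

# Usage: sh sshd_nx_clone.sh /etc/ssh/sshd_config /etc/ssh/sshd_nx_config 28822
if [ $# -eq 3 ]; then
    make_nx_config "$1" "$2" "$3" && check_nx_config "$1" "$2" && echo "ok: $2"
fi
```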

...

References:

How to Add a New "sshd_adm" Service on Red Hat Advanced Server 2.1

How to install NX server and client under Ubuntu/Kubuntu Linux (revised)

...

Follow-on notes:

This setup is specifically for cases where you do not want to allow password access to the server from outside. The way that the NXClient authenticates is basically:

1) NXClient uses an SSH key pair to authenticate with the server (public-key authentication).

2) It then logs into the server using the supplied username/password via SSH.

So by setting things up this way, we keep public-key authentication as the only way to log in to the server from outside, while the NX server daemon is still able to cross-connect to the localhost-only SSH daemon with a password.

3 comments:

Markus Heidinger said...

I am wondering whether one will still be able to log on using NX from outside once you have changed the config of your secondary sshd so that it listens only on local addresses ...
Could you please advise how this would work?
Thanks, Markus

Anonymous said...

You can use the Match keyword to achieve the same thing.

I have added

Match Address 127.0.0.1
PasswordAuthentication yes

to the *end* of sshd_config

Here is an extract from auth.log:

Jun 9 10:49:41 ip-10-xxx-9-130 sshd[23130]: Accepted publickey for nx from xxx.x.xxx.xx port xxx ssh2
Jun 9 10:49:41 ip-10-xxx-9-130 sshd[23130]: pam_unix(sshd:session): session opened for user nx by (uid=0)
Jun 9 10:49:43 ip-10-xxx-9-130 sshd[23369]: Accepted password for ubuntu from 127.0.0.1 port 37402 ssh2
Jun 9 10:49:43 ip-10-xxx-9-130 sshd[23369]: pam_unix(sshd:session): session opened for user ubuntu by (uid=0)

Thomas said...

Thanks for the information about the "Match" keyword. It looks to have been added in OpenSSH v5. CentOS 5 and RHEL 5 are still using OpenSSH v4 by default (patched with back-ported security fixes by Red Hat) and do not have the "Match" keyword.

For example, one of our RHEL 5.6 boxes has:
openssh.x86_64 4.3p2-72.el5

I'm guessing that RHEL6 / Scientific Linux 6 / CentOS6 will ship with OpenSSH v5, which will make this technique required only for the older RHEL5 / CentOS5 boxes.