Setup a 2nd sshd instance for testing remote configurations

Suppose you have a remote machine that you can ssh into. You want to make some changes to the sshd config, but a mistake could lock you out of the box. This is a technique for testing the new config with a 2nd sshd instance on a different port, and also how to configure that instance as a service.

Standalone
On the server enter /usr/sbin/sshd -D -p 2222 -f your_new_config
On the client enter ssh -p 2222 your.server.name

If you need to debug you can get messages:
On the server, replace -D with -d; you can use up to three -d flags for increasing levels of verbosity. Note that with -d sshd stays in the foreground, services a single connection and then exits, so restart it for each test.
On the client, add -v; again, up to three for more verbose output.

Once you are confident with the new configuration, simply replace /etc/ssh/sshd_config and restart sshd with service sshd restart.

As a Service
CAVEAT: This service expects the host keys to already be present. That's normally taken care of when the regular sshd service starts for the first time.

Place your new config into /etc/ssh/sshd_alternate_config.
Ensure the following is in the new config file, so the alternate instance does not write the main sshd's pid file (/var/run/sshd.pid) and the rc script can track the right process:
Code:
PidFile /var/run/sshd_alternate.pid
Place the sshd_alternate script (below) in /etc/rc.d and make sure it's executable.
In /etc/rc.conf add the following lines:
Code:
sshd_alternate_enable="YES"
sshd_alternate_flags="-p 2222 -f /etc/ssh/sshd_alternate_config"
Start up the new instance with service sshd_alternate start
Test the configuration from a 2nd console on your workstation, keeping your existing session open:
ssh -p 2222 your.server.name

You can get debug output with:
ssh -v -p 2222 your.server.name from the workstation. Add more -v as needed.
On the server end, stop the service with service sshd_alternate stop, then run it in the foreground with sshd -d -p 2222 -f /etc/ssh/sshd_alternate_config.

If you decide to replace /etc/ssh/sshd_config with /etc/ssh/sshd_alternate_config, make sure you comment out the line
Code:
PidFile /var/run/sshd_alternate.pid
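The two PidFile steps (adding the line for the alternate instance, commenting it out again before the file replaces sshd_config) are easy to get backwards. As an added example, not from the original post, here is a small sh script that checks an alternate config for the required PidFile line, runs sshd's own -t config test on it, and writes a promoted copy with the PidFile line commented out. It assumes sshd at /usr/sbin/sshd and the pid file path used above; the script name and output path are placeholders.

```shell
#!/bin/sh
# Added example (not from the original post): sanity-check an alternate sshd
# config before promoting it to /etc/ssh/sshd_config.
# Assumptions: sshd lives at /usr/sbin/sshd and the alternate instance's pid
# file is /var/run/sshd_alternate.pid, as in the rc.conf lines above.

SSHD="${SSHD:-/usr/sbin/sshd}"
ALT_PIDFILE="/var/run/sshd_alternate.pid"

# Exit 0 if the config has an uncommented "PidFile" line pointing at the
# alternate pid file. Without it the second instance writes the default
# /var/run/sshd.pid and the rc framework can no longer tell the two apart.
# Commented lines start with "#" so their first field never equals "pidfile".
alt_pidfile_ok() {
    awk -v want="$ALT_PIDFILE" '
        tolower($1) == "pidfile" && $2 == want { found = 1 }
        END { if (found) exit 0; exit 1 }
    ' "$1"
}

# sshd's own config test (-t) on the file. Like the rc script, this needs the
# host keys to be present already.
config_syntax_ok() {
    "$SSHD" -t -f "$1"
}

# Write a copy of the alternate config with its PidFile line commented out,
# which is the one change needed before the file can replace sshd_config.
# Only a line starting with the PidFile keyword is touched; everything else is
# copied through unchanged.
promote_config() {
    sed -E 's|^([[:space:]]*)([Pp][Ii][Dd][Ff][Ii][Ll][Ee][[:space:]])|\1#\2|' "$1" > "$2"
}

# Usage (placeholder script name and output path):
#   sh promote_sshd_config.sh /etc/ssh/sshd_alternate_config /tmp/sshd_config.new
if [ "$#" -eq 2 ]; then
    alt_pidfile_ok "$1" || { echo "$1: missing 'PidFile $ALT_PIDFILE'" >&2; exit 1; }
    config_syntax_ok "$1" || { echo "$1: sshd -t failed" >&2; exit 1; }
    promote_config "$1" "$2"
    echo "wrote $2 with PidFile commented out; diff it against /etc/ssh/sshd_config before installing"
fi
```

The script deliberately writes to a separate output file rather than over /etc/ssh/sshd_config, so you can diff the result against the live config and install it only after the alternate instance has been tested from a second session.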

sshd_alternate
Bash:
#!/bin/sh

# PROVIDE: sshd_alternate
# REQUIRE: LOGIN FILESYSTEMS
# KEYWORD: shutdown

. /etc/rc.subr

name="sshd_alternate"
desc="Secure Shell Daemon (Alternate)"
rcvar="sshd_alternate_enable"
command="/usr/sbin/sshd"
# Run the config test before every start, restart and reload, so a broken
# alternate config is reported instead of silently leaving no listener.
start_precmd="sshd_alternate_precmd"
reload_precmd="sshd_alternate_configtest"
restart_precmd="sshd_alternate_configtest"
configtest_cmd="sshd_alternate_configtest"
# Must match the PidFile directive in /etc/ssh/sshd_alternate_config.
pidfile="/var/run/${name}.pid"
extra_commands="configtest reload"

# sshd -t parses the config (with the same flags rc.conf passes) and exits
# non-zero on error, without starting a listener.
sshd_alternate_configtest()
{
    echo "Performing sanity check on ${name} configuration."
    eval ${command} ${sshd_alternate_flags} -t
}

sshd_alternate_precmd()
{
    run_rc_command configtest
}

load_rc_config $name
run_rc_command "$1"
 
I prefer a cronjob that checks my ssh and firewall for issues every five minutes. If the cronjob finds any issues it will load a barebones "safe" config.
 