How is it possible to run two instances of sshd?

Hello Everyone,

I would like to run two instances of the SSH daemon on my Omnia.
They would have to run with different configs, and bind to different IPs and ports (e.g. 0.0.0.0:22: no password auth, only pubkeys, only one certain user allowed; MGMT_IP:4444: root login allowed, password auth allowed).
How would this setup be possible with the OpenSSH running on the Omnia?
I had this setup earlier on other OpenWRT routers running dropbear, and there it was really easy to set up, even with LUCI.

Any help would be welcome!
Thank you!
János

There is this config /etc/config/sshd you can play with (after changing it, reload the daemon). As there are other services (data collect reporting, honey/minipots, etc.), Dropbear is not installed by default. You can install it for sure, together with the luci-app module (via LuCI or in a shell using opkg). You can also run an LXC container with some Linux and have a separate sshd there if you prefer Linux style over OpenWrt :slight_smile:

There is also this documentation: https://www.turris.cz/doc/en/howto/ssh and https://www.turris.cz/doc/en/howto/ssh_honeypot

You don’t really need to run separate ports (does not really add security and increases maintenance).

For password auth from the internal LAN, something like this in your sshd.conf should be enough (depending on your LAN range):

PasswordAuthentication no

Match address 192.168.1.0/24
PasswordAuthentication yes

The first is a global denial of passwords, the second is a whitelist for the LAN only (modify your LAN range).
After this, restart sshd.


Thanks for your reply!
With the multiple sshd instances I intend to manage the base OS of Omnia, not some container running on it.
For this reason, I think that the container-based solutions are not suitable.

Hmm, thanks for the information. I did not know that it is possible to do something like this:

Match address 192.168.1.0/24
PasswordAuthentication yes

Does the match subsection affect only the statement immediately following it, or multiple statements, like

Match address 192.168.1.0/24
PasswordAuthentication yes
AllowedUsers username

Or is there a closing pair for the Match section?
Furthermore, how does that interbreed with the uci config file syntax?
Does the following work?

option Match address 192.168.1.0/24
option PasswordAuthentication yes
option AllowedUsers username

It should match multiple statements and there is no closing section; that is why you should put it at the end of the config.
Try to experiment with it. :slight_smile:
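To make the scoping rules from the two replies above concrete (global keywords first, a Match line opening a block that runs to the next Match line or to the end of the file, no closing keyword, first matching block winning), here is a small stand-alone evaluator written for this thread. It is an added example, not OpenSSH code and not part of the Turris package; it models only the Address criterion and "Match all", and the sshd_config fragment inside it is constructed from the configuration proposed in the thread.

```python
"""Toy evaluator for sshd_config Match blocks (constructed example, not OpenSSH code).

Rules modelled, as documented in sshd_config(5):
  * Keywords before the first Match line are the global defaults.
  * A Match line opens a block that runs to the next Match line or to the end
    of the file; there is no closing keyword.
  * Within a section the first occurrence of a keyword wins, and among the
    Match blocks that apply to a connection the first one to set a keyword wins.
Only the Address criterion (CIDR or single host, comma lists, '!' negation)
and 'Match all' are supported; User/Group/Host/LocalPort are out of scope here.
"""
import ipaddress

# Constructed sshd_config fragment: deny passwords globally, allow them from the LAN.
SAMPLE_CONFIG = """\
PermitRootLogin no
PasswordAuthentication no
PubkeyAuthentication yes

Match Address 192.168.1.0/24
    PasswordAuthentication yes
    PermitRootLogin yes
"""


def parse(text):
    """Return (global_settings, [(criteria, settings), ...]).
    Keywords are lower-cased (sshd keywords are case-insensitive); values are kept
    verbatim. setdefault() implements 'first occurrence wins' within a section."""
    global_settings = {}
    blocks = []
    current = global_settings
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        keyword = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        if keyword == "match":
            current = {}                 # open a new block; nothing closes it
            blocks.append((value, current))
            continue
        current.setdefault(keyword, value)
    return global_settings, blocks


def address_matches(criteria, client_ip):
    """Evaluate 'Address a,b,...' or 'all' against the client address.
    A negated entry that matches rejects the block outright; a positive entry
    that matches accepts it; otherwise the block does not apply."""
    tokens = criteria.split()
    if len(tokens) == 1 and tokens[0].lower() == "all":
        return True
    if len(tokens) != 2 or tokens[0].lower() != "address":
        raise ValueError("unsupported Match criteria in this toy: %r" % criteria)
    ip = ipaddress.ip_address(client_ip)
    for entry in tokens[1].split(","):
        negated = entry.startswith("!")
        net = ipaddress.ip_network(entry.lstrip("!"), strict=False)
        if ip in net:
            return not negated
    return False


def effective(text, client_ip):
    """Effective settings for a connection from client_ip: matching blocks
    override the global section, earlier matching blocks taking precedence."""
    global_settings, blocks = parse(text)
    result = dict(global_settings)
    overridden = set()
    for criteria, settings in blocks:
        if not address_matches(criteria, client_ip):
            continue
        for keyword, value in settings.items():
            if keyword not in overridden:
                result[keyword] = value
                overridden.add(keyword)
    return result


def password_auth_allowed(text, client_ip):
    """OpenSSH's default for PasswordAuthentication is yes, hence the fallback."""
    return effective(text, client_ip).get("passwordauthentication", "yes").lower() == "yes"


if __name__ == "__main__":
    for ip in ("192.168.1.42", "203.0.113.7"):
        eff = effective(SAMPLE_CONFIG, ip)
        print(ip, "PasswordAuthentication=%s PermitRootLogin=%s"
              % (eff["passwordauthentication"], eff["permitrootlogin"]))
```

On a real host the authoritative check is sshd itself: `sshd -T -C addr=192.168.1.42` prints the effective configuration for a connection from that address, and `sshd -t` validates the file before you reload the daemon, so a misplaced Match line is caught before it locks you out.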

Just for the record, the correct config syntax for the Match is the following:

config match
    option type Address
    option match 192.168.1.0/24
    option PasswordAuthentication yes
    option PermitRootLogin yes

Unfortunately, the option AllowedUsers username can’t be specified in a match section with the default config parser of the openssh TurrisOS package.