How is it possible to run two instances of sshd?

Hello Everyone,

I would like to run two instances of the SSH daemon on my Omnia.
They would have to run with different configs, and bind to different IPs and ports (eg: no password auth, only pubkeys, only one certain user allowed; MGMT_IP:4444: root login allowed, password auth allowed)
How would this setup be possible with the OpenSSH running on the Omnia?
I had this setup earlier on other OpenWRT routers running dropbear, and there it was really easy to set up, even with LUCI.

Any help would be welcome!
Thank you!

There is this config /etc/config/sshd you can play with (after changing it, reload the daemon). As there are other services (data collect reporting, honey/minipots …etc) Dropbear is not installed by default. You can install it for sure, together with luci-app module (via luci or in shell using opkg). You can also run lxc container with some linux and have separate sshd there if you prefer linux style over openwrt :slight_smile:

There is also this doku and

You don’t really need to run separate ports (does not really add security and increases maintenance).

For the password from internal lan it should be enough (depending on your lan range) something like this in your sshd.conf:

PasswordAuthentication no

Match address
PasswordAuthentication yes

First is global denial of passwords, second is whitelist for lan only (modify your lan range).
After this restart sshd.

1 Like

Thanks for your reply!
With the multiple sshd instances I intend to manage the base OS of Omnia, not some container running on it.
For this reason, I think that the container-based solutions are not suitable.

Hmm, thanks for the information. I did not know, that it is possible to something like this:

Match address
PasswordAuthentication yes

Does the match subsection affect only the statement immediately following it, or multiple statements, like

Match address
PasswordAuthentication yes
AllowedUsers username

Or is there a closing pair for the Match section?
Furtermore, how does that interbreed with the uci config file syntax?
Does the following work?

option Match address
option PasswordAuthentication yes
option AllowedUsers username

it should match multiple and there should not be a closing section, that is why you should put it on the end of the config.
Try to experiment with it. :slight_smile:

Just for the record, the correct config syntax for the Match is the following:

config match
    option type Address
    option match

option PasswordAuthentication yes
option option PermitRootLogin yes

Unfortunately the option AllowedUsers username option can’t be specified in a match section with the default config parser of the openssh TurrisOS package