Configuring two sshd services


I have the following tasks:

  1. Configure the ssh service so that the user special cannot connect through it.
  2. Open an ssh server on port 2222 listening on 127.0.0.1. Restrict this service so that only the user special can connect. Preferably create a service for this.

My approach is based on https://askubuntu.com/questions/324503/2-sshd-configurations-1-for-internal-and-1-external

  1. Modify /etc/ssh/sshd_config to add DenyUsers special
  2. Modify /etc/ssh/sshd_config_external to set Port 2222 and ListenAddress 127.0.0.1
  3. Create /lib/systemd/system/sshd-external.service and modify it to use the new configuration: ExecStart=/usr/sbin/sshd -D $SSHD_OPTS -f /etc/ssh/sshd_config_external

Output of sshd.service

[root@bastion 0 ~]# systemctl status sshd
● sshd.service - OpenSSH server daemon
   Loaded: loaded (/usr/lib/systemd/system/sshd.service; enabled; vendor preset: enabled)
   Active: active (running) since Sat 2020-09-19 12:54:16 UTC; 19min ago
     Docs: man:sshd(8)
           man:sshd_config(5)
 Main PID: 1418 (sshd)
   CGroup: /system.slice/sshd.service
           └─1418 /usr/sbin/sshd -D

Sep 19 12:54:16 bastion.7eca.example.opentlc.com systemd[1]: Starting OpenSSH server daemon...
Sep 19 12:54:16 bastion.7eca.example.opentlc.com sshd[1418]: Server listening on 0.0.0.0 port 22.
Sep 19 12:54:16 bastion.7eca.example.opentlc.com sshd[1418]: Server listening on :: port 22.
Sep 19 12:54:16 bastion.7eca.example.opentlc.com systemd[1]: Started OpenSSH server daemon.
Sep 19 12:54:30 bastion.7eca.example.opentlc.com sshd[1884]: Accepted publickey for hesteban-redhat.com from 88.128.92.150 port 40092 ssh2: RSA SHA256:sWujd4yvXg62et5LzOAR7BhMGvQ5+vBNSUrgrVdUdEs
Sep 19 12:55:48 bastion.7eca.example.opentlc.com sshd[1929]: Received disconnect from 222.186.30.35 port 58344:11:  [preauth]
Sep 19 12:55:48 bastion.7eca.example.opentlc.com sshd[1929]: Disconnected from 222.186.30.35 port 58344 [preauth]
Sep 19 13:13:52 bastion.7eca.example.opentlc.com sshd[2219]: Received disconnect from 222.186.42.155 port 10630:11:  [preauth]
Sep 19 13:13:52 bastion.7eca.example.opentlc.com sshd[2219]: Disconnected from 222.186.42.155 port 10630 [preauth]

But the problem appears when I start sshd-external.service

[root@bastion 0 ~]# systemctl start sshd-external
Job for sshd-external.service failed because a timeout was exceeded. See "systemctl status sshd-external.service" and "journalctl -xe" for details.
[root@bastion 0 ~]# journalctl -xe
        -- Unit sshd-external.service has begun starting up.
Sep 21 07:16:41 bastion.7eca.example.opentlc.com sshd[2228]: error: Bind to port 2222 on 127.0.0.1 failed: Permission denied.
Sep 21 07:16:41 bastion.7eca.example.opentlc.com sshd[2228]: fatal: Cannot bind any address.
Sep 21 07:16:41 bastion.7eca.example.opentlc.com systemd[1]: sshd-external.service: main process exited, code=exited, status=255/n/a
Sep 21 07:16:41 bastion.7eca.example.opentlc.com systemd[1]: Failed to start OpenSSH server daemon.
-- Subject: Unit sshd-external.service has failed
-- Defined-By: systemd
-- Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
-- 
-- Unit sshd-external.service has failed.

And then, if I try again, the error says that port 2222 on 127.0.0.1 is already in use.


EDIT

sshd-external.service

[root@bastion 0 ~]# cat /lib/systemd/system/sshd-external.service 
[Unit]
Description=OpenSSH server daemon
Documentation=man:sshd(8) man:sshd_config(5)
After=network.target sshd-keygen.service
Wants=sshd-keygen.service

[Service]
Type=notify
EnvironmentFile=/etc/sysconfig/sshd
ExecStart=/usr/sbin/sshd -D $OPTIONS -f /etc/ssh/sshd_config_external
ExecReload=/bin/kill -HUP $MAINPID
KillMode=process
Restart=on-failure
RestartSec=42s

[Install]
WantedBy=multi-user.target
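As an added example that is not part of the original question or of OpenSSH: a small Python checker for the two config files the question describes. It assumes the file layout from the question and that the second daemon is restricted with an AllowUsers special line (step 2 in the question only sets Port and ListenAddress, which binds the socket but does not limit who may log in). The PidFile check is my own hardening recommendation, because both daemons otherwise default to /var/run/sshd.pid and overwrite each other's pid; the sample configs at the bottom are constructed.

```python
"""Sanity-check the two sshd_config files of a two-instance layout: the main
daemon must refuse user 'special', the second daemon must bind only
127.0.0.1:2222 and admit only 'special'.  Pure Python; sshd is not needed."""
import shlex


def parse_sshd_config(text):
    """Global-section directives of an sshd_config as (keyword_lower, args)
    tuples in file order.  Parsing stops at the first Match block: Port,
    ListenAddress and the global Allow/DenyUsers must precede it."""
    directives = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = shlex.split(line)
        # sshd accepts "Keyword value", "Keyword=value" and "Keyword = value"
        if "=" in parts[0]:
            keyword, _, first = parts[0].partition("=")
            parts = [keyword] + ([first] if first else []) + parts[1:]
        elif len(parts) > 1 and parts[1] == "=":
            parts = [parts[0]] + parts[2:]
        keyword = parts[0].lower()
        if keyword == "match":
            break
        directives.append((keyword, parts[1:]))
    return directives


def args_of(directives, keyword):
    """Argument list of every occurrence of `keyword` (Port and ListenAddress
    may legitimately appear more than once)."""
    return [args for k, args in directives if k == keyword]


def split_listen(spec):
    """Split a ListenAddress argument into (host, port-or-None) for the forms
    'addr', 'addr:port' and '[addr]:port'; a bare IPv6 address keeps its colons."""
    if spec.startswith("["):
        end = spec.index("]")
        rest = spec[end + 1:]
        return spec[1:end], (rest[1:] if rest.startswith(":") else None)
    if spec.count(":") == 1:  # IPv4 address or hostname followed by a port
        host, _, port = spec.partition(":")
        return host, port
    return spec, None


def check_layout(main_cfg, external_cfg, user="special", port="2222", addr="127.0.0.1"):
    """Return a list of findings; an empty list means both files meet the task."""
    findings = []
    main = parse_sshd_config(main_cfg)
    ext = parse_sshd_config(external_cfg)

    # Task 1: the main daemon must refuse `user`.  sshd evaluates DenyUsers
    # before AllowUsers, so an explicit deny or an allow-list omitting the user
    # both work.  Patterns (user@host, wildcards) are compared literally here.
    deny = {u for a in args_of(main, "denyusers") for u in a}
    allow = {u for a in args_of(main, "allowusers") for u in a}
    if user not in deny and (not allow or user in allow):
        findings.append(f"main: user '{user}' is not excluded (DenyUsers {user} missing)")

    # Task 2a: the second daemon must bind only addr:port.
    ports = [a[0] for a in args_of(ext, "port") if a] or ["22"]  # sshd default
    if set(ports) != {port}:
        findings.append(f"external: Port is {ports}, expected only {port}")
    listen = [a[0] for a in args_of(ext, "listenaddress") if a]
    if not listen:
        findings.append("external: no ListenAddress, daemon would bind 0.0.0.0 and ::")
    for spec in listen:
        host, lport = split_listen(spec)
        if host != addr:
            findings.append(f"external: ListenAddress {spec} is not on {addr}")
        if lport is not None and lport != port:  # an inline port overrides Port
            findings.append(f"external: ListenAddress {spec} uses port {lport}, not {port}")

    # Task 2b: only `user` may log in on the second daemon.
    ext_allow = {u for a in args_of(ext, "allowusers") for u in a}
    if ext_allow != {user}:
        findings.append(f"external: AllowUsers must be exactly '{user}', found {sorted(ext_allow) or 'none'}")

    # Hardening (my recommendation): both daemons default to /var/run/sshd.pid.
    pidfile = [a[0] for a in args_of(ext, "pidfile") if a]
    if not pidfile or pidfile[0] == "/var/run/sshd.pid":
        findings.append("external: set a distinct PidFile, e.g. /var/run/sshd-external.pid")
    return findings


MAIN_CFG = """\
# constructed sample: stock /etc/ssh/sshd_config plus the task's addition
Port 22
PermitRootLogin no
DenyUsers special
"""
EXTERNAL_CFG = """\
# constructed sample /etc/ssh/sshd_config_external
Port 2222
ListenAddress 127.0.0.1
PidFile /var/run/sshd-external.pid
AllowUsers special
Match User special
    PasswordAuthentication no
"""
STEP2_ONLY_CFG = "Port 2222\nListenAddress 127.0.0.1\n"  # only what step 2 sets

if __name__ == "__main__":
    for name, cfg in (("full", EXTERNAL_CFG), ("step-2-only", STEP2_ONLY_CFG)):
        print(name, check_layout(MAIN_CFG, cfg) or "OK")
```

Running it against the real files is a matter of passing `open("/etc/ssh/sshd_config").read()` and `open("/etc/ssh/sshd_config_external").read()` to check_layout; it only reads the text, so it is safe to run before `sshd -t -f /etc/ssh/sshd_config_external` and `systemctl start`.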
