How to Run a Secondary SSH Daemon on a Non-Standard Port for Emergency Access on Ubuntu


We've all been there - you're tweaking your SSH configuration on a remote server when suddenly you find yourself locked out. The scenario typically goes like this:

# Common mistake in sshd_config
PermitRootLogin no
PasswordAuthentication no
# But you forgot to add your pubkey to authorized_keys first!

The solution is to run a temporary secondary SSH daemon on a different port while maintaining your primary SSH connection. Here's how to implement this safety net:

# Copy the existing config
sudo cp /etc/ssh/sshd_config /etc/ssh/sshd_config_emergency

# Create a new config for the temporary daemon
sudo cp /etc/ssh/sshd_config /etc/ssh/sshd_config_temp
sudo nano /etc/ssh/sshd_config_temp

Key modifications needed (older OpenSSH releases reject a trailing comment on a directive line, so keep the notes on lines of their own):

# Different from default 22
Port 2222
# Avoid PID conflict
PidFile /var/run/sshd2.pid
HostKey /etc/ssh/ssh_host_rsa_key_emergency
# For troubleshooting
LogLevel DEBUG

Instead of using the init system, we'll manually start the daemon to avoid service conflicts:

# Generate new host keys if needed
sudo ssh-keygen -t rsa -f /etc/ssh/ssh_host_rsa_key_emergency

# Start the secondary daemon
sudo /usr/sbin/sshd -f /etc/ssh/sshd_config_temp -D &

From another terminal, test your emergency access:

ssh -p 2222 user@yourserver.com
# Or with verbose output for debugging
ssh -vvv -p 2222 user@yourserver.com

For frequent SSH config tweakers, consider creating a helper script:

#!/bin/bash
# emergency_ssh.sh - run a temporary sshd on a spare port until CTRL+C
set -eu

CONFIG="/etc/ssh/sshd_config_temp"
PORT=2222

# sshd needs root to bind the port and read the host keys
if [ "$(id -u)" -ne 0 ]; then
    echo "run as root: sudo $0" >&2
    exit 1
fi

# Refuse to start on a config that would fail anyway (-t = test mode)
/usr/sbin/sshd -t -f "$CONFIG"

# -p overrides any Port lines in the config, so a leftover "Port 22"
# inherited from the primary config cannot make this instance bind 22 too
echo "Starting emergency SSH on port $PORT"
/usr/sbin/sshd -f "$CONFIG" -p "$PORT" -D &
SSHD_PID=$!

cleanup() {
    echo "Killing emergency SSH daemon (PID $SSHD_PID)"
    kill "$SSHD_PID" 2>/dev/null || true
}
trap cleanup EXIT

echo "Press CTRL+C to stop the emergency SSH daemon"
wait "$SSHD_PID" || true

A few additional tips:

  • Keep your emergency port open in the firewall: sudo ufw allow 2222/tcp
  • Consider using Fail2Ban for the emergency port too
  • Document this procedure in your team's runbook

We've all been there - you're tweaking SSH configurations on a remote server when suddenly your primary connection stops working. Maybe you messed up PasswordAuthentication settings or broke key-based auth. What you need is a parallel SSH daemon running on a different port that maintains the old configuration while you test changes to the primary one.

The OpenSSH server shipped in Ubuntu can run several instances of sshd at once, each with its own configuration file. Here's how to set it up:

# Make a copy of the original config
sudo cp /etc/ssh/sshd_config /etc/ssh/sshd_config.backup

# Create a new config for the secondary daemon
sudo cp /etc/ssh/sshd_config /etc/ssh/sshd_config.secondary

Edit /etc/ssh/sshd_config.secondary with these key changes. Remove or comment out any existing Port, ListenAddress and HostKey lines first: sshd treats these directives as additive (every occurrence takes effect), so an inherited Port 22 would make the secondary daemon try to bind the primary port as well. Keep comments on their own lines, since older OpenSSH releases reject a trailing comment after a directive:

# Different from your main SSH port
Port 2222
PidFile /var/run/sshd.secondary.pid
HostKey /etc/ssh/ssh_host_rsa_key_secondary
HostKey /etc/ssh/ssh_host_ecdsa_key_secondary
HostKey /etc/ssh/ssh_host_ed25519_key_secondary

Run these commands to create separate host keys for your secondary instance:

sudo ssh-keygen -t rsa -b 4096 -f /etc/ssh/ssh_host_rsa_key_secondary -N ""
sudo ssh-keygen -t ecdsa -f /etc/ssh/ssh_host_ecdsa_key_secondary -N ""
sudo ssh-keygen -t ed25519 -f /etc/ssh/ssh_host_ed25519_key_secondary -N ""
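Both walkthroughs on this page build the secondary config by copying the primary one and editing it by hand. Because sshd treats Port, ListenAddress and HostKey as additive and, for every other keyword, uses the first value it finds, a copied file can silently keep the primary port or host keys, including through the Include /etc/ssh/sshd_config.d/*.conf line at the top of Ubuntu's default config. The script below is an added example and not part of the original article: it strips those directives from the copy, writes the secondary values at the top of the file ahead of any Include, and lists drop-in files that would still add listeners. The function names, the regular expression and the constructed sample config in the demo are my own assumptions, not anything the article specifies.

```shell
#!/bin/sh
# derive_secondary_config.sh - added example, not the article's own code.
# Builds an sshd_config for the secondary instance from the primary config.
set -eu

# Directives that must not be inherited from the primary config:
# Port, ListenAddress and HostKey are additive in sshd (all occurrences
# take effect), so a leftover "Port 22" would make the secondary daemon
# fight the primary for port 22; PidFile must simply differ. Keywords are
# case-insensitive and may be written "Key value" or "Key=value".
STRIP_RE='^[[:space:]]*(Port|ListenAddress|PidFile|HostKey)[[:space:]=]'

# derive_secondary_config SRC DST PORT KEY_PREFIX
#   Writes DST: the secondary settings first (sshd uses the first value it
#   sees for non-additive keywords, so they must precede any Include line),
#   then every line of SRC except the stripped directives.
derive_secondary_config() {
    src=$1 dst=$2 port=$3 keyprefix=$4
    {
        printf '# Derived from %s for the secondary sshd instance\n' "$src"
        printf 'Port %s\n' "$port"
        printf 'PidFile /var/run/sshd.secondary.pid\n'
        for t in rsa ecdsa ed25519; do
            printf 'HostKey %s_%s_key_secondary\n' "$keyprefix" "$t"
        done
        printf '\n'
        grep -Eiv "$STRIP_RE" "$src" || true   # SRC may contain nothing else
    } > "$dst"
}

# included_conflicts CFG
#   Prints the name of every file pulled in by an Include line of CFG that
#   still sets one of the stripped directives (e.g. a cloud-init drop-in
#   containing "Port 22"). Prints nothing when the derived config is clean.
#   Only absolute Include patterns are resolved here (an assumption that
#   matches Ubuntu's default "Include /etc/ssh/sshd_config.d/*.conf").
included_conflicts() {
    cfg=$1
    grep -Ei '^[[:space:]]*Include[[:space:]]' "$cfg" | while read -r _kw pattern; do
        for f in $pattern; do               # unquoted: glob expansion intended
            [ -f "$f" ] || continue
            grep -Eil "$STRIP_RE" "$f" || true
        done
    done
}

# demo: run the two functions on a constructed config (not a real host's
# file) so the script can be tried without touching /etc/ssh.
demo() {
    tmp=$(mktemp -d)
    mkdir "$tmp/sshd_config.d"
    printf 'Port 22\n' > "$tmp/sshd_config.d/50-cloud-init.conf"
    cat > "$tmp/sshd_config" <<EOF
Include $tmp/sshd_config.d/*.conf
Port 22
HostKey /etc/ssh/ssh_host_ed25519_key
PasswordAuthentication no
EOF
    derive_secondary_config "$tmp/sshd_config" "$tmp/sshd_config.secondary" 2222 /etc/ssh/ssh_host
    cat "$tmp/sshd_config.secondary"
    echo "--- drop-ins that would add listeners to the secondary instance:"
    included_conflicts "$tmp/sshd_config.secondary"
    rm -rf "$tmp"
}

demo
```

On a real host you would call derive_secondary_config /etc/ssh/sshd_config /etc/ssh/sshd_config.secondary 2222 /etc/ssh/ssh_host as root, then check the result with sudo sshd -t -f /etc/ssh/sshd_config.secondary before starting anything. If included_conflicts names a drop-in, fix that file or comment out the Include line in the secondary config; otherwise the secondary daemon inherits the extra listener.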

You have two options to run the secondary instance:

Option 1: Manual Start (for temporary testing)

sudo /usr/sbin/sshd -f /etc/ssh/sshd_config.secondary -D &

Option 2: Systemd Service (for persistent backup)

# Create a new systemd unit file
sudo tee /etc/systemd/system/ssh-secondary.service << 'EOF'
[Unit]
Description=OpenBSD Secure Shell server (secondary instance)
After=network.target auditd.service

[Service]
EnvironmentFile=-/etc/default/ssh
ExecStartPre=/usr/sbin/sshd -t -f /etc/ssh/sshd_config.secondary
ExecStart=/usr/sbin/sshd -D -f /etc/ssh/sshd_config.secondary $SSHD_OPTS
ExecReload=/bin/kill -HUP $MAINPID
KillMode=process
Restart=on-failure
RestartPreventExitStatus=255
Type=notify

[Install]
WantedBy=multi-user.target
EOF

# Enable and start the service
sudo systemctl daemon-reload
sudo systemctl enable --now ssh-secondary.service

Check that both SSH daemons are running:

sudo ss -tlnp | grep sshd

You should see both ports (typically 22 and your chosen secondary port) in the output; run ss with sudo, otherwise the Process column is blank for daemons you do not own. Test the connection to your secondary port:

ssh -p 2222 user@localhost
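Reading the ss listing is the step that tells you the safety net is actually in place, so here is a small parser for its output as an added example that is not part of the article. It reports every listening socket owned by sshd with its PID, and treats sockets held by PID 1 as systemd, because on Ubuntu releases that ship ssh.socket port 22 belongs to systemd until the first connection arrives and grepping for sshd alone would not show it. The sample ss -tlnp output is constructed, not captured from a host, and the function names are my own; on a real machine pipe sudo ss -tlnp into the functions instead.

```shell
#!/bin/sh
# check_sshd_ports.sh - added example, not the article's own code.
# Parses "ss -tlnp" output and confirms the expected sshd ports are bound.
set -eu

# sshd_listeners: read `ss -tlnp` output on stdin and print one
# "port owner pid" line per listening socket owned by sshd, or by systemd
# (pid 1) when ssh.socket holds port 22 on socket-activated Ubuntu releases.
sshd_listeners() {
    awk '
        $1 == "LISTEN" && $NF ~ /"(sshd|systemd)"/ {
            port = $4                       # e.g. 0.0.0.0:22 or [::]:2222
            sub(/.*:/, "", port)            # keep what follows the last colon
            proc = $NF                      # users:(("sshd",pid=2041,fd=3))
            match(proc, /"[^"]+"/)
            owner = substr(proc, RSTART + 1, RLENGTH - 2)
            match(proc, /pid=[0-9]+/)
            pid = substr(proc, RSTART + 4, RLENGTH - 4)
            print port, owner, pid
        }' | LC_ALL=C sort -u
}

# ports_listening PORT...: succeed only when every given port appears in
# the sshd listener list read from stdin.
ports_listening() {
    found=$(sshd_listeners | awk '{ print $1 }')
    for p in "$@"; do
        echo "$found" | grep -qx "$p" || return 1
    done
    return 0
}

# Constructed sample of `ss -tlnp` on a host with ssh.socket on 22 and a
# secondary sshd on 2222 (not captured from a real system).
SAMPLE_SS='State  Recv-Q Send-Q Local Address:Port  Peer Address:Port Process
LISTEN 0      4096   0.0.0.0:22          0.0.0.0:*         users:(("systemd",pid=1,fd=50))
LISTEN 0      128    0.0.0.0:2222        0.0.0.0:*         users:(("sshd",pid=2041,fd=3))
LISTEN 0      128    [::]:2222           [::]:*            users:(("sshd",pid=2041,fd=4))
LISTEN 0      4096   127.0.0.53%lo:53    0.0.0.0:*         users:(("systemd-resolved",pid=600,fd=13))'

# On a real host replace the printf with: sudo ss -tlnp | sshd_listeners
printf '%s\n' "$SAMPLE_SS" | sshd_listeners
if printf '%s\n' "$SAMPLE_SS" | ports_listening 22 2222; then
    echo "both sshd ports are listening"
else
    echo "a port is missing, keep your current session open" >&2
fi
```

Keep the secondary session open until ports_listening reports both ports after every restart of the primary service; that is the check behind step 4 of the recovery list further down.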

Don't forget to allow the new port through your firewall:

sudo ufw allow 2222/tcp

If your primary SSH config changes break access, you can:

  1. Connect via the secondary port
  2. Restore your original configuration
  3. Restart the primary SSH service
  4. Test before closing the secondary connection