[Bug 1832110] Re: Resource Sharing with multiple sshd services
Luke A. Perkins
public at epicdgs.us
Wed Jun 12 05:31:20 UTC 2019
Robie, There are several options moving forward:
1) We need the /run/sshd file (see Ubuntu's man sshd page) to be configurable. The problem with locating the privilege separation directory in a fixed location, the systemd does not do well in multiple sshd instance assignments. The systemd will delete the processes RuntimeDirectory upon completion of the process.
2) The original OpenSSH 7.6p1 source code assigns the privilege separation directory to /var/empty (see OpenSSH man sshd page). If we assign it to /var/empty, then we get into a philosophical argument about making the /var/empty directory in an Ubuntu system.
The frustration I have with both the OpenSSH teams and the Ubuntu teams is neither want to take ownership. I am trying to provide a solution to both teams and I am getting complete rejection.
As far as the upstream support, we have 2 options, specifically:
1) Implement a command line option; I propose [-s separation_directory_name]. This would required editing only 1 file (i.e. sshd.c), so upstream modifications would be minimal.
2) Implement a sshd_config option; I propose "PrivSepDir separation_directory_name". This has less of a chance of conflicting with any upstream change. I cannot imagine a conflict but someone always has a better mouse-trap.
So how can we come to consensus on this?
--
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to openssh in Ubuntu.
https://bugs.launchpad.net/bugs/1832110
Title:
Resource Sharing with multiple sshd services
Status in openssh package in Ubuntu:
Won't Fix
Bug description:
Ubuntu: 18.04.2 LTS
OpenSSH: 7.6p1
I am having a problem starting multiple sshd processes. The default
location of the sshd privilege separation directory is hard-coded to
/run/sshd (see man page). If I want to have 2 sshd services using
systemd, I need to write 2 service files, let's call them
sshd_wan.service ans sshd_lan.service. Both of these services need to
have their own "RuntimeDirectory=sshd_wan" and
"RuntimeDirectory=sshd_lan". If you do not have separate
RuntimeDirectory definitions for the 2 services, then when one service
is killed/faults/restarts/stops/etc. the systemd (or init) process
deletes the RuntimeDirectory and causes the other service to crash
since a RuntimeDirectory does not exist.
The problem is the hard-coding of the sshd Privilege Separation
Directory. We need to modify the OpenBSD/OpenSSH sshd code to
provision command line assignment of the privilege separation
directory.
I have attempted to contact the OpenSSH team (i.e. OpenSSH.com) and
they say it is a Ubuntu problem. I reported this in Ubuntu bug
#1831765 and Ubuntu (e.g. Paride Legovini, June 6, 2019 @ 2:55AM PDT)
rejected it because I described the problem using the init.d example.
I know how to modify the sshd.c file in OpenSSH 7.6p1, the problem is
getting Ubuntu and OpenSSH to admit there is a problem and it needs to
be fixed.
The problem is still there regardless if you are using Upstart (i.e.
init.d) or systemd.
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/openssh/+bug/1832110/+subscriptions
More information about the foundations-bugs
mailing list