Re: sshd (base system) and openssh portable (ports) on different ports disables other

From: Matthew Seaman <matthew_at_FreeBSD.org>
Date: Thu, 06 Apr 2023 06:56:05 UTC
On 06/04/2023 01:21, ICT builder wrote:

> I'm trying to set up (in a jail) sshd from base system on port 22, this 
> works.
> 
> For remote sftp I added openssh portable through ports and set it up on a 
> different port.
> 
> Goal is to run both at same time but as soon as I start or restart 
> openssh portable port 22 sshd base system gets closed.
> 
> Once I restart base sshd port 22 is back but then the port set for 
> openssh portable gets closed.
> 
> Googling didn't turn up anything useful so I hope someone here can tell 
> me how I can run both ssh servers (on different ports) at the same time.

The startup scripts for openssh go to great lengths to check that base 
system sshd and openssh aren't configured to listen on the same ports or 
listen addresses.  However it seems that both variants default to using 
the same /var/run/sshd.pid for their pidfile.  Unless you override that 
from your openssh config and set $openssh_pidfile appropriately in 
rc.conf that's going to cause problems, since the rc script for one will 
end up sending signals to the other process.

The two different processes would also likely use the same SSH_AUTH_SOCK 
unix domain socket to communicate with ssh-agent(1) unless specifically 
configured otherwise, but that shouldn't cause the sort of symptoms 
you're seeing and may well be what you want anyway.

Is the jail you're using a traditional jail, or a VNET jail?  VNET jails 
are preferable in almost all cases, and it's largely a matter of 
historical backwards compatibility that they aren't the default.

With a traditional jail that shares the network interface of the main 
host you need to worry about conflicting with the sshd in the main host.
Also, in a traditional jail there isn't a normal loopback interface -- 
any attempts to connect via lo0 will be transparently redirected to the 
external network interface.

Also, note that the sshd in the base system is already openssh-portable 
from exactly the same code-base as the ports one, and both have similar 
sets of patches applied. (Although ports is currently version 9.2p1, 
base in STABLE/13 is version 9.1.)

The difference between the ports version of openssh-portable and the 
base one is that it can be linked against some alternate Kerberos 
packages and it has some experimental capabilities to do with use of eg. 
hardware key tokens that can be enabled.

If all you need is to enable sftp, you can just turn it on in the base 
system /etc/ssh/sshd_config. To allow sftp, but restrict what can be 
accessed by different users, see eg. 
https://wiki.archlinux.org/title/SFTP_chroot or many other similar 
articles -- you need slightly different commands to manage users and 
groups on FreeBSD, but all the sshd config stuff is the same.

	Cheers,

	Matthew
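The pidfile clash described in the reply above can be checked before either daemon is started. The script below is an added example; it is not part of the mailing-list post nor of the base or ports rc scripts. It reads two sshd_config files for their effective PidFile and Port values (first PidFile wins, every Port counts, defaults of /var/run/sshd.pid and 22 when unset) and reports whether the pair would collide. The sample config files are constructed inside the script, and the /var/run/openssh.pid name is an assumption.

```shell
#!/bin/sh
# Added example, not from the mailing-list post: check two sshd_config files for the
# clash Matthew describes (same pidfile) and the one the rc script already tests
# (same listening port). Keywords are case-insensitive, as in sshd_config(5).

sshd_ports() {
    # Print every Port value in $1, one per line; sshd listens on 22 when none is set.
    # (A port given as a ListenAddress suffix is not parsed here.)
    awk 'tolower($1) == "port" { print $2; found = 1 }
         END { if (!found) print 22 }' "$1"
}

sshd_pidfile() {
    # Print the effective PidFile for $1: sshd keeps the first occurrence,
    # and both the base and the ports build default to /var/run/sshd.pid.
    awk 'tolower($1) == "pidfile" && !found { print $2; found = 1 }
         END { if (!found) print "/var/run/sshd.pid" }' "$1"
}

check_sshd_pair() {
    # Exit status 0: the two configs can run side by side;
    # 1: they share a pidfile, so one rc script will signal the other daemon;
    # 2: they share a port.
    a="$1"; b="$2"
    if [ "$(sshd_pidfile "$a")" = "$(sshd_pidfile "$b")" ]; then
        echo "conflict: both use PidFile $(sshd_pidfile "$a")" >&2
        return 1
    fi
    for p in $(sshd_ports "$a"); do
        for q in $(sshd_ports "$b"); do
            if [ "$p" = "$q" ]; then
                echo "conflict: both listen on port $p" >&2
                return 2
            fi
        done
    done
    return 0
}

write_samples() {
    # Constructed sample configs (not real files from the poster's jail) in directory $1.
    # base_sshd_config: base system sshd, port 22, default pidfile.
    cat > "$1/base_sshd_config" <<'EOF'
Port 22
Subsystem sftp /usr/libexec/sftp-server
EOF
    # ports_sshd_config.bad: only the port changed, as in the original report.
    cat > "$1/ports_sshd_config.bad" <<'EOF'
Port 2222
Subsystem sftp /usr/local/libexec/sftp-server
EOF
    # ports_sshd_config.good: its own PidFile as well (name assumed; must match
    # the openssh_pidfile setting in rc.conf).
    cat > "$1/ports_sshd_config.good" <<'EOF'
Port 2222
PidFile /var/run/openssh.pid
Subsystem sftp /usr/local/libexec/sftp-server
EOF
    # ports_sshd_config.sameport: its own PidFile but still the default port 22.
    cat > "$1/ports_sshd_config.sameport" <<'EOF'
PidFile /var/run/openssh.pid
Subsystem sftp /usr/local/libexec/sftp-server
EOF
}

# Stand-alone run: compare the base config against each ports variant.
tmp=$(mktemp -d)
write_samples "$tmp"
for variant in bad good sameport; do
    rc=0
    check_sshd_pair "$tmp/base_sshd_config" "$tmp/ports_sshd_config.$variant" || rc=$?
    echo "base vs ports ($variant): status $rc"
done
rm -rf "$tmp"
```

The script only reads sshd_config; the rc.conf side (the $openssh_pidfile variable mentioned in the reply) still has to point at the same path as the ports daemon's PidFile, otherwise the rc script and the daemon disagree about which pidfile is authoritative.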