Running OpenSSH under Daemontools and UCSPI-TCP

OpenSSH is a set of computer programs which provide encrypted communications using the SSH protocol. OpenSSH provides a secure alternative to ftp (with sftp), to rlogin and telnet (with ssh) and to rcp (with scp). The OpenBSD project currently develops OpenSSH and is in need of funding. If you find this document and/or OpenSSH helpful, I encourage you to make a donation.

Daemontools is a collection of tools for managing Unix services. It provides a means of monitoring a service, starting and stopping it and logging any debug and/or error messages. Daemontools provides easy service installation and removal, easy first time service startup, reliable restarts, easy, reliable signalling, clean process state and OS portability.

Ucspi-tcp is a collection of command line tools for building TCP client/server applications. It is commonly used as a replacement for inetd and xinetd.

Daemontools ensures that if OpenSSH crashes, the daemon is automatically restarted. Ucspi-tcp provides a wonderful mechanism for access control to OpenSSH: it allows you to limit connections by number, by amount of memory or by IP address. Blocking IP addresses could already be accomplished by a program like iptables or tcp-wrappers, but a little defense in depth never hurts. The CDB format used for the access control rules also allows much quicker lookups when the number of hosts is large.


Setting up the Service Directories

First verify the daemontools "svscan" process is running. Choose a location where you want the physical service directories. I usually use "/var/service", however any directory may be used as long as it is not "/service".

Create the service directories with the following commands.

# mkdir -m 1755 /var/service/sshd
# mkdir -p -m 755 /var/service/sshd/log

Download the "run" scripts for sshd and its log.

# cd /var/service/sshd
# wget -c http://www.antagonism.org/scripts/sshd-run
# mv sshd-run run
# chmod 755 run
# cd log
# wget -c http://www.antagonism.org/scripts/log-run
# mv log-run run
# chmod 755 run

Warning: before using either of my "run" scripts, make sure you understand what the commands do. In the sshd "run" script, the softlimit options I have configured do the following:

The tcpserver options I have configured do the following:

The sshd options I have configured do the following:

These options and more are covered in the softlimit, tcpserver and sshd man pages. The "log" run script rotates the logs every 1MB, keeps the latest 20 logs and writes them to the "main" directory under the "log" directory.
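The two "run" scripts are not reproduced on this page, so here is an added example of my own that builds the same service layout (sticky-bit sshd directory, "log" child, executable "run" scripts) under a root of your choosing and checks it the way svscan will see it. It is not the page's sshd-run or log-run; the softlimit, tcpserver and sshd options are my choices and the paths /usr/sbin/sshd and /etc/tcp/ssh.cdb are assumptions, so adjust them for your system. The verify function only syntax-checks the scripts with "sh -n", so it runs on a machine without daemontools installed.

```shell
#!/bin/sh
# Added example: build and verify a daemontools service tree for sshd.
# write_service_tree ROOT  (ROOT defaults to /var/service)

write_service_tree() {
    root=${1:-/var/service}
    # 1755: the sticky bit is what tells svscan to also supervise the "log" child
    mkdir -p -m 1755 "$root/sshd"
    mkdir -p -m 755 "$root/sshd/log"
    cat > "$root/sshd/run" <<'EOF'
#!/bin/sh
# send our own errors down the same pipe multilog reads
exec 2>&1
# softlimit: -m caps data/stack/address space per process in bytes (raise it if
#            sshd dies under the limit), -o caps open file descriptors
# tcpserver: -v logs each connection, -H/-R skip the reverse DNS and IDENT
#            lookups so a dead resolver or identd cannot stall the accept loop,
#            -l0 uses "0" as the local host name instead of looking it up,
#            -c 40 allows at most 40 concurrent sessions, -x applies the
#            compiled access rules, "0 22" listens on every local address, port 22
# sshd:      -i serves one session per connection (inetd mode), -e writes the
#            log to stderr instead of syslog so multilog captures it
exec softlimit -m 100000000 -o 256 \
    tcpserver -v -H -R -l0 -c 40 -x /etc/tcp/ssh.cdb 0 22 \
    /usr/sbin/sshd -i -e
EOF
    cat > "$root/sshd/log/run" <<'EOF'
#!/bin/sh
# t = timestamp every line, s1000000 = rotate at 1 MB, n20 = keep 20 old files,
# ./main = the directory multilog writes to (created on first run)
exec multilog t s1000000 n20 ./main
EOF
    chmod 755 "$root/sshd/run" "$root/sshd/log/run"
}

# verify_service_tree ROOT -> exit status 0 when the tree is what svscan expects:
# sticky bit on the service directory and two executable, syntactically valid
# run scripts. Only a syntax check; softlimit/tcpserver need not be installed.
verify_service_tree() {
    root=${1:-/var/service}
    if [ ! -k "$root/sshd" ]; then
        echo "$root/sshd lacks the sticky bit: the log service would not start" >&2
        return 1
    fi
    for s in "$root/sshd/run" "$root/sshd/log/run"; do
        if [ ! -x "$s" ]; then
            echo "$s is not executable" >&2
            return 1
        fi
        if ! sh -n "$s"; then
            echo "$s has a syntax error" >&2
            return 1
        fi
    done
    return 0
}

# Usage: give a scratch root to preview the result, e.g. ./setup-sshd.sh /tmp/svc-preview
if [ -n "${1:-}" ]; then
    write_service_tree "$1" && verify_service_tree "$1" && echo "service tree ready under $1"
fi
```

Run it against a scratch directory first; once the layout looks right, point it at /var/service and create the /service symlink as described below.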

Create an "ssh" file in the "/etc/tcp" directory which contains your access controls. A default control list which allows all traffic may look like this:

:allow

After creating the file, download and edit the Makefile so the line reading "all:" contains the file name "ssh.cdb". Below is an example.

all: ssh.cdb

Running the "make" command will create/update the CDB files as needed.
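A rule file with more than the single ":allow" line raises the question of which rule wins when several could match. The following is an added example, not the page's /etc/tcp/ssh or Makefile: a constructed rule file in tcprules syntax and a small shell lookup that mimics the IP-address part of tcpserver's documented search order (exact address first, then shorter and shorter dotted prefixes, then the empty catch-all address; no matching rule at all means allow). It lets you check a rule set before compiling it, and compile_rules runs the same tcprules command the Makefile would when the tool is installed. The "=host" and "info@" rule forms are not handled here.

```shell
#!/bin/sh
# Added example: constructed tcprules file plus a lookup that predicts tcpserver's decision.
RULES="${TMPDIR:-/tmp}/ssh-rules-example.$$"
trap 'rm -f "$RULES"' EXIT
cat > "$RULES" <<'EOF'
# constructed rules: one host in an otherwise trusted /24 is refused, the
# 10/8 range is allowed with an environment variable set for sshd's session,
# and everything else is refused by the empty (catch-all) address
192.0.2.7:deny
192.0.2.:allow
10.:allow,MAXCONN="5"
:deny
EOF

# rule_lookup FILE KEY -> prints the instruction of the rule whose address is
# exactly KEY, nothing if there is none. Comment and blank lines are skipped,
# as tcprules skips them.
rule_lookup() {
    awk -v key="$2" '
        /^#/ || /^$/ { next }
        {
            i = index($0, ":")
            if (i == 0) next
            if (substr($0, 1, i - 1) == key) { print substr($0, i + 1); exit }
        }' "$1"
}

# tcp_decide FILE IP -> prints "allow" or "deny" for a client connecting from IP.
# Search order: the exact address, then "192.0.2.", "192.0.", "192.", then "".
tcp_decide() {
    file=$1 ip=$2
    ins=$(rule_lookup "$file" "$ip")
    base=$ip
    # while no rule matched and base still contains a dot, drop one label and retry
    while [ -z "$ins" ] && [ "${base#*.}" != "$base" ]; do
        base=${base%.*}
        ins=$(rule_lookup "$file" "$base.")
    done
    [ -n "$ins" ] || ins=$(rule_lookup "$file" "")
    case $ins in
        deny*) echo deny ;;
        *)     echo allow ;;   # "allow", "allow,VAR=..." or no rule at all
    esac
}

# compile_rules FILE CDB -> builds CDB with tcprules (the command "make" runs);
# returns 2 when tcprules is not installed on this machine
compile_rules() {
    command -v tcprules >/dev/null 2>&1 || return 2
    tcprules "$2" "$2.tmp" < "$1"
}

for ip in 192.0.2.7 192.0.2.9 10.1.2.3 203.0.113.4; do
    echo "$ip -> $(tcp_decide "$RULES" "$ip")"
done
```

The important property to take away is that specificity, not line order, decides: the exact-address deny for 192.0.2.7 wins even though the /24 allow follows it, and a connection from an address matched by no rule is allowed unless the file ends with the empty-address ":deny".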


Activating the Service

(The section below is taken almost verbatim from the following page created by John Simpson. I felt that his description of what happens when you activate a service was the most clear and easy to understand, so why change a thing?)

Once the directories are set up, you need to make them start running. This is done by creating a symbolic link from /service/(whatever) to the physical directory where the service lives. The "svscan" program checks /service every five seconds, and when it sees a new directory (or symbolic link) there, it starts a "supervise" process for that directory. In addition, if the directory has the sticky bit set and a child directory called "log", it starts a "supervise" process for the "log" child directory and sets up a pipe between the two processes (so that the main process's logs end up being sent to the log process).

The "supervise" program works by running the "run" script inside of whatever directory it's watching. If that child process (either the "run" script itself, or whatever process it runs using "exec") stops, it starts it back up by running the "run" script again.

The following command creates the symbolic link needed to start the OpenSSH service.

# ln -s /var/service/sshd /service/

After running this command, wait ten seconds (to give it time to start) and then run the "svstat" command to see what's running:

# svstat /service/sshd /service/sshd/log
/service/sshd: up (pid 2542) 311723 seconds
/service/sshd/log: up (pid 2532) 311723 seconds

As long as the new services show "up" with a timer of more than one second, the services are running correctly. If the timer on a service is 0 or 1 second, then wait about five seconds and run the same command - it should now be higher than 1 second. If it's still 0 or 1, then the service is having a problem and you need to fix it. This page provides some steps to troubleshoot daemontools service installations.


Downloads

File: sshd-run
Size: 195 bytes
Date: 2008-05-02 14:49:56 -0700
MD5: 47155771375af092dbc04128a3ca7be7
SHA-1: 2cf59407998f2c00945029c5c6a3669f4ba4b3bc
RIPEMD-160: bb8622cbdc300af697bd25eab58507bce4440727
PGP Signature: sshd-run.asc

File: log-run
Size: 47 bytes
Date: 2008-05-02 14:49:56 -0700
MD5: 1cc7ef3d56be3ec766a9b382d19d1604
SHA-1: d04a2286a41bddd77577443253ac67654f0b7425
RIPEMD-160: 4df90694ac5cb454b6e360c69278e244c6cdf924
PGP Signature: log-run.asc

File: etc-tcp-makefile
Size: 1,373 bytes
Date: 2008-05-02 14:49:56 -0700
MD5: 4a684354c95a9b28698263f0bb5798d7
SHA-1: 37faff28754d91eaef1d3b74309eb500867244e4
RIPEMD-160: 0fbcf43106d5155b5fbb11302d427c639f906b52
PGP Signature: etc-tcp-makefile.asc