the djb way

services, services!


sshd


Protocol: TCP
Standard Port: 22

If there is just one service you are sure to run on every server, it's the Secure Shell.

In our case, that means the sshd daemon from OpenSSH.

sshd is usually run by the system boot scripts. Fortunately, it is very easy to convert sshd to a daemontools service. In fact, there are a couple of ways to do this: either run sshd under tcpserver in inetd mode, with a fresh sshd process for each connection, or run sshd in the foreground with its own listener.

We will show both methods. First, the "run" script with tcpserver:


#!/bin/sh
# sshd/run
# daemontools run script for sshd service
# ** tcpserver version **
# ===
CONLIMIT=51
exec 2>&1
echo "*** Starting sshd..."
exec softlimit -m3000000 \
  tcpserver -vR \
  -c ${CONLIMIT} \
  -x /etc/tcprules/ssh.cdb \
  0 22 \
    /usr/sbin/sshd -i \
    -e -f /etc/ssh/sshd_config

### that's all, folks!

The key option for sshd here is -i, for inetd mode. This lets tcpserver do the listening for incoming connections, spawning a new copy of sshd for each new connection. The -e option logs to stderr for multilog, and the -f option points to the configuration file. On the tcpserver side, -v logs every connection (remote address, pid, and the running connection count), -R skips the IDENT lookup that would otherwise delay each new connection, and -c caps the number of simultaneous sshd processes.

A few things to check with this arrangement. In inetd mode sshd never opens a listening socket, so the Port, ListenAddress and MaxStartups settings in sshd_config have no effect; the port comes from the tcpserver command line and the connection limit from -c. The cdb named by -x must exist before the service starts: tcpserver refuses every connection if it cannot open the file (unless you also pass -X), which on a remote machine means locking yourself out. And the softlimit -m value is a hard cap on the memory each sshd may use; if connections are dropped the moment they arrive and the multilog shows sshd dying, raise it.

Now the "run" script without tcpserver:


#!/bin/sh
# sshd/run
# daemontools run script for sshd service
# ** "foreground" version **
# ===
exec 2>&1
echo "*** Starting sshd..."
exec \
    /usr/sbin/sshd -D \
    -e -f /etc/ssh/sshd_config

### that's all, folks!

The key difference here, other than the missing tcpserver stuff, is the -D option. This runs sshd in the foreground, but otherwise sshd runs as usual: using its own listener for incoming connections and forking new processes for clients as necessary. The -e and -f options are the same as above. Because sshd stays in the foreground, supervise controls the real listener: svc -d /service/sshd stops it (sessions already established are separate processes and survive), and svc -h sends SIGHUP, on which sshd re-executes itself and rereads sshd_config. The tcpserver version needs no reload at all, since every connection gets a fresh sshd that reads the configuration anew, and tcpserver rereads the rules cdb for each connection too.

Which version is "better"? That's for you to decide. The conventional response is that the tcpserver version is less efficient, and possibly slower to service incoming connections, since every new sshd must parse its configuration and load the host keys before it can answer. This is especially true when servicing SSH1 connections, where the use of tcpserver means sshd will generate a new server key for each client rather than reusing one for an hour. (SSH1 is obsolete and insecure in any case; set Protocol 2 in sshd_config and the issue goes away along with the protocol.)

In practice, though, on current commodity hardware and servicing the usual SSH2 connections, you and your clients probably won't observe any noticeable difference in performance and response times. In its favor, the tcpserver version offers the extra layer of tcprules access control, concurrency limits, and additional logging information. The choice is yours.

Either way, you'll need a multilogger:


#!/bin/sh
# sshd/log/run
# multilogger for sshd service
# ===
exec setuidgid multilog multilog t /var/multilog/sshd

### that's all, folks!

Make the multilog directories:

# mkdir /var/multilog/sshd
# chown multilog /var/multilog/sshd

If sshd is already running, kill it and disable it in your system's startup scripts. Killing the listening sshd does not kill sessions that are already established, so do the changeover from an existing login and keep that session open until the new service has been tested with a fresh connection. Then link into /service:

# ln -s /var/svc.d/sshd /service/sshd

Test some connections and watch the logs: svstat /service/sshd /service/sshd/log should report both processes up, and tail -f /var/multilog/sshd/current | tai64nlocal shows each connection as it arrives (with the tcpserver version, the tcpserver status and ok lines precede sshd's own messages). Try out both versions and decide which you prefer. Both methods provide all the benefits of daemontools: consistent start-up; easy signaling and control; restart if sshd dies; and multilog logging.
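Here is an added example, not from the original page, that ties together two things mentioned above: the tcprules access control that the tcpserver run script reads from /etc/tcprules/ssh.cdb, and the checks worth making before linking the service directory into /service. It writes a rules file, compiles it into the cdb that tcpserver -x reads, and verifies that both run scripts, the multilog directory and the cdb are in place before the symlink is made. The management network 10.0.0.0/24, the paths and the function names are assumptions for illustration, and the rules file is a constructed example.

```shell
#!/bin/sh
# Added example (not from the page): prepare tcprules for the tcpserver
# version of the sshd service and run a pre-flight check before linking
# the service directory into /service. The 10.0.0.0/24 management network
# and all paths are constructed assumptions; adjust them to your site.

# Write a tcprules source file. tcprules looks up the most specific entry
# for the client address first (exact IP, then address prefixes ending in
# "."), so the order of lines does not matter; the entry with an empty
# address is the default that applies when nothing else matches.
write_ssh_rules() {
    rulesdir=$1
    mkdir -p "$rulesdir"
    cat > "$rulesdir/ssh.rules" <<'EOF'
# ssh.rules: who may reach sshd through tcpserver (constructed example)
10.0.0.:allow
127.:allow
:deny
EOF
}

# Compile the rules into the cdb that "tcpserver -x" reads. tcprules builds
# the tmp file and renames it into place, so a running tcpserver never sees
# a partial cdb. Returns 2 if the tcprules program is not installed.
compile_ssh_rules() {
    rulesdir=$1
    command -v tcprules >/dev/null 2>&1 || return 2
    tcprules "$rulesdir/ssh.cdb" "$rulesdir/ssh.tmp" < "$rulesdir/ssh.rules"
}

# Pre-flight check for a service directory before "ln -s ... /service/sshd".
# Arguments: service dir, multilog dir, path of the tcprules cdb (pass an
# empty string for the foreground version, which uses no cdb).
# Returns 0 when everything is in place, otherwise the number of problems.
preflight_sshd_service() {
    svcdir=$1 logdir=$2 cdb=$3
    problems=0
    [ -x "$svcdir/run" ] ||
        { echo "missing or non-executable $svcdir/run" >&2; problems=$((problems + 1)); }
    [ -x "$svcdir/log/run" ] ||
        { echo "missing or non-executable $svcdir/log/run" >&2; problems=$((problems + 1)); }
    [ -d "$logdir" ] ||
        { echo "missing multilog directory $logdir" >&2; problems=$((problems + 1)); }
    # tcpserver -x drops every connection when the cdb is absent (unless -X
    # is given), which on a remote host would lock you out.
    if [ -n "$cdb" ] && [ ! -r "$cdb" ]; then
        echo "tcprules cdb $cdb not found; run tcprules first" >&2
        problems=$((problems + 1))
    fi
    return $problems
}

# Whole sequence for the tcpserver version when invoked as "sh this.sh --run":
# build the rules, check the service directory, and only then link it in.
if [ "${1:-}" = "--run" ]; then
    write_ssh_rules /etc/tcprules
    compile_ssh_rules /etc/tcprules || echo "tcprules not available" >&2
    preflight_sshd_service /var/svc.d/sshd /var/multilog/sshd /etc/tcprules/ssh.cdb &&
        ln -s /var/svc.d/sshd /service/sshd
fi
```

For the foreground version, call preflight_sshd_service with an empty third argument, since that run script reads no cdb. If you later tighten the rules, rerun write_ssh_rules and compile_ssh_rules only; tcpserver picks up the new cdb on the next connection without a restart.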


Copyright © 2002, 2003, 2004, Wayne Marshall.
All rights reserved.

Last edit 2004.02.13, wcm.