Discussion:
[Supervisor-users] Is it wise to let supervisord start sshd?
Lennart Ramberg
2015-09-22 06:57:59 UTC
Hello,

Currently my sshd is started via a script executed by etc/init.d/rcS
Would it be wise to instead let supervisord start sshd?
(I assume it must be started by supervisord, or it can't be supervised.)

/Lennart
Mikko Ohtamaa
2015-09-22 09:44:28 UTC
Post by Lennart Ramberg
Currently my sshd is started via a script executed by etc/init.d/rcS
Would it be wise to instead let supervisord start sshd?
(I assume it must be started by supervisord, or it can't be supervised.)
Unless you know any specific reason why you would do this, stick to the
distribution policy.
--
Mikko Ohtamaa
http://opensourcehacker.com
http://twitter.com/moo9000
Gustavo Carneiro
2015-09-22 09:59:31 UTC
I agree with Mikko that your main sshd should probably be left alone. But
if for some reason you need to start a second sshd instance, listening on a
different port and with a different config file, it's pretty easy:

[program:my_sshd]
command = /usr/sbin/sshd -D -f /my/sshd_config
redirect_stderr=true
stopasgroup=true
killasgroup=true
_______________________________________________
Supervisor-users mailing list
https://lists.supervisord.org/mailman/listinfo/supervisor-users
--
Gustavo J. A. M. Carneiro
Gambit Research
"The universe is always one step beyond logic." -- Frank Herbert
Lennart Ramberg
2015-09-22 10:13:46 UTC
Thanks guys,

No, no specific reason.
Just concerned about losing contact with a remote system, should sshd stop
for whatever reason.

/Lennart
Stephane Martin
2015-09-22 17:06:20 UTC
Hummm... I think we all lost control of a server after bluntly modifying
the SSH configuration remotely, at least once ;)

If you're concerned, you could set up a second 'backup' SSH server, e.g.
on port 2222, either with a second OpenSSH instance, or with dropbear,
using supervisor, and leaving the main instance untouched.

Of course it has a security impact (attack surface++) and should be done
carefully.

Regards,
Stephane
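
The caution above about the extra attack surface, turned into a pre-flight check for the second instance's config file; this is an added example, not part of the thread or of Supervisor. The policy it enforces (an explicit non-22 port, no password logins, no root logins) and the function names are assumptions chosen for illustration.

```shell
#!/bin/sh
# Added example: lint the config of a supervisor-run backup sshd.
# Assumptions: only the global section (before the first Match) is read,
# Include files are not followed, quoted arguments are not handled.

# Print each first argument of keyword $1 in file $2. Keywords are
# case-insensitive and may be written "Key value" or "Key=value".
sshd_values() {
    awk -v want="$1" '
        { line = $0; sub(/^[ \t]+/, "", line) }
        line == "" || line ~ /^#/ { next }
        { key = line; sub(/[ \t=].*/, "", key)
          val = substr(line, length(key) + 1)
          sub(/^[ \t]*=?[ \t]*/, "", val); sub(/[ \t].*/, "", val) }
        tolower(key) == "match" { exit }
        tolower(key) == tolower(want) && val != "" { print val }
    ' "$2"
}

# Assumed policy for the backup instance: an explicit non-22 port,
# no password logins, no root logins. Returns 0 only if all hold.
audit_backup_sshd() {
    cfg=$1; rc=0
    ports=$(sshd_values Port "$cfg")
    [ -n "$ports" ] || { echo "FAIL: no Port line, sshd defaults to 22"; rc=1; }
    for p in $ports; do   # Port may be given several times; check them all
        [ "$p" != 22 ] || { echo "FAIL: Port 22 belongs to the main sshd"; rc=1; }
    done
    for kw in PasswordAuthentication PermitRootLogin; do
        # sshd keeps the first value it reads, so later lines do not override
        v=$(sshd_values "$kw" "$cfg" | head -n 1)
        [ "$v" = no ] || { echo "FAIL: $kw is '${v:-unset}', want 'no'"; rc=1; }
    done
    return $rc
}

# Constructed sample: the trailing "PasswordAuthentication no" is dead text
# because the earlier "yes" wins.
sample=$(mktemp)
cat > "$sample" <<'EOF'
# /my/sshd_config (constructed)
Port 2222
passwordauthentication yes
PermitRootLogin=no
PasswordAuthentication no
EOF
if audit_backup_sshd "$sample"; then echo "OK"; else echo "needs fixing"; fi
rm -f "$sample"
```

Running `sshd -t -f /my/sshd_config` alongside this catches syntax errors before supervisor restarts the instance.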