Re: when the sshd hits the fan

2015-09-23 Thread Eugene M. Zheganin
Hi.

On 23.09.2015 15:11, Miroslav Lachman wrote:
> Eugene M. Zheganin wrote on 09/23/2015 10:44:
>> Hi.
>>
>> I'm trying to understand why the sshd still starts after local daemons,
>> out-of-the-box, and what it takes to make this extremely vital service
>> to start before non-system (local) ones. I bet I'm not the first one to
>> ask, so why isn't this already done? Seems quite easy for me.
>
> I was thinking about this a long time ago and instead of trying to
> change FreeBSD, 
But why?

> I just added one simple file on each of our servers:
>
>
> ~/> cat /usr/local/etc/rc.d/sshd_reorder
> #!/bin/sh
>
> # PROVIDE: sshd_reorder
> # REQUIRE: LOGIN sshd
>
> ## this file is just to start sshd earlier on the boot
> ## mainly before long starting processes like jails, mysql, apache etc.
> ##
> ## place this file in to /usr/local/etc/rc.d/sshd_reorder
> ## and make it executable chmod 0555 /usr/local/etc/rc.d/sshd_reorder
>
>
> It is not perfect, because some services are still started before sshd.
>
Yeah, as I said, the workaround is quite simple. But I don't see a single
reason to avoid committing this (or a similar) workaround to the official
source tree. This would rid lots of people of the need to reapply this fix
during each upgrade cycle, thus making life easier.

Eugene.
___
freebsd-stable@freebsd.org mailing list
https://lists.freebsd.org/mailman/listinfo/freebsd-stable
To unsubscribe, send any mail to "freebsd-stable-unsubscr...@freebsd.org"


Re: when the sshd hits the fan

2015-09-23 Thread Miroslav Lachman

Eugene M. Zheganin wrote on 09/23/2015 12:38:

>> I was thinking about this a long time ago and instead of trying to
>> change FreeBSD,
>
> But why?

I tried it before with some other changes (e-mails / PRs can be found)
without much success so I gave up. I'd rather keep my changes local
without modification of FreeBSD sources.


Miroslav Lachman


Re: when the sshd hits the fan

2015-09-23 Thread Dag-Erling Smørgrav
"Eugene M. Zheganin"  writes:
> I'm trying to understand why the sshd still starts after local daemons,
> out-of-the-box, and what it takes to make this extremely vital service
> to start before non-system (local) ones. I bet I'm not the first one to
> ask, so why isn't this already done? Seems quite easy for me.

"non-system (local)" services can also be extremely vital: quagga, for
instance.

In practice, it is probably fine to move sshd before LOGIN.

DES
-- 
Dag-Erling Smørgrav - d...@des.no

Re: when the sshd hits the fan

2015-09-23 Thread Matt Smith

On Sep 23 12:44, Kurt Jaeger wrote:

> It did enter the PR system.
>
> https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=190447
>
> I'll have a look at it, it annoys me as well 8-}



If this type of thing is being done on the base system sshd it would 
also be useful to look at the port version of ssh as well? I use the 
port and it has always annoyed me that I get constant "connection 
refused" whilst I'm waiting for the server to fully boot up!


--
Matt


Re: when the sshd hits the fan

2015-09-23 Thread Miroslav Lachman

Eugene M. Zheganin wrote on 09/23/2015 10:44:

> Hi.
>
> I'm trying to understand why the sshd still starts after local daemons,
> out-of-the-box, and what it takes to make this extremely vital service
> to start before non-system (local) ones. I bet I'm not the first one to
> ask, so why isn't this already done? Seems quite easy for me.


I was thinking about this a long time ago and instead of trying to 
change FreeBSD, I just added one simple file on each of our servers:



~/> cat /usr/local/etc/rc.d/sshd_reorder
#!/bin/sh

# PROVIDE: sshd_reorder
# REQUIRE: LOGIN sshd

## this file is just to start sshd earlier on the boot
## mainly before long starting processes like jails, mysql, apache etc.
##
## place this file in to /usr/local/etc/rc.d/sshd_reorder
## and make it executable chmod 0555 /usr/local/etc/rc.d/sshd_reorder


It is not perfect, because some services are still started before sshd.

Miroslav Lachman


Re: when the sshd hits the fan

2015-09-23 Thread Kurt Jaeger
Hi!

> > I'm trying to understand why the sshd still starts after local daemons,
> > out-of-the-box, and what it takes to make this extremely vital service
> > to start before non-system (local) ones. I bet I'm not the first one to
> > ask, so why isn't this already done? Seems quite easy for me.
> 
> The fix is quite simple:  Add
> 
> # BEFORE: mail
> 
> to /etc/rc.d/sshd
> 
> I tried to submit a PR on that about a year ago, but it never
> seemed to make it into the PR system.

It did enter the PR system.

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=190447

I'll have a look at it, it annoys me as well 8-}

-- 
p...@opsec.eu  +49 171 3101372  5 years to go!


Re: when the sshd hits the fan

2015-09-23 Thread Alan Somers
On Wed, Sep 23, 2015 at 3:57 AM, Doug Hardie  wrote:
>
>> On 23 September 2015, at 01:44, Eugene M. Zheganin  
>> wrote:
>>
>> Hi.
>>
>> I'm trying to understand why the sshd still starts after local daemons,
>> out-of-the-box, and what it takes to make this extremely vital service
>> to start before non-system (local) ones. I bet I'm not the first one to
>> ask, so why isn't this already done? Seems quite easy for me.
>
> The fix is quite simple:  Add
>
> # BEFORE: mail
>
> to /etc/rc.d/sshd
>
> I tried to submit a PR on that about a year ago, but it never seemed to make 
> it into the PR system.  Many of my servers are remote and if there is an 
> issue with a port, I still need a way into the system other than driving for 
> hours.  This works.  Sshd is started early in the sequence and I can at least 
> ssh into the server.  It won’t help though if there is a syntax error in 
> /etc/rc.conf.  Those are pretty much fatal.
>

This technique works.  But if you use it, then before you reboot,
remember to run "rcorder /etc/rc.d/* /usr/local/etc/rc.d/*" and make
sure there aren't any errors about "Circular dependency".  If there
are, then the service startup order is almost guaranteed to be
something you don't want.

-Alan
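The keyword-based ordering that Miroslav's sshd_reorder file and Doug's
"# BEFORE: mail" line rely on, together with the rcorder circular-dependency
check Alan recommends, as an added example that is not part of this thread
and not FreeBSD's own code: a toy resolver in POSIX sh and awk that reads the
same PROVIDE/REQUIRE/BEFORE keywords rcorder(8) does, prints a start order,
and refuses on a cycle. The miniature rc.d tree it builds is constructed for
the example (its scripts are not the real FreeBSD ones), and its tie-breaking
among scripts the keywords do not order (argument order) is not rcorder(8)'s;
what it shows is which orderings the keywords actually guarantee.

```shell
#!/bin/sh
# Toy rc.d dependency resolver (added example, not from this thread).
# Reads the PROVIDE/REQUIRE/BEFORE keywords rcorder(8) uses, prints a
# start order, and exits 1 on a circular dependency. Ties between scripts
# the keywords do not order are broken by argument order, which is not
# how rcorder(8) breaks them; the point is to see what is guaranteed.
LC_ALL=C; export LC_ALL   # deterministic glob order for the demo

# rc_deps FILE... : emit "script<TAB>kind<TAB>keyword" lines (kind F/P/R/B).
rc_deps() {
  for f in "$@"; do
    name=${f##*/}
    printf '%s\tF\t-\n' "$name"   # register the script even without keywords
    awk -v n="$name" '
      /^# *PROVIDE:/ { sub(/^# *PROVIDE:/, ""); c = split($0, a, " "); for (i = 1; i <= c; i++) print n "\tP\t" a[i] }
      /^# *REQUIRE:/ { sub(/^# *REQUIRE:/, ""); c = split($0, a, " "); for (i = 1; i <= c; i++) print n "\tR\t" a[i] }
      /^# *BEFORE:/  { sub(/^# *BEFORE:/,  ""); c = split($0, a, " "); for (i = 1; i <= c; i++) print n "\tB\t" a[i] }
    ' "$f"
  done
}

# rc_order FILE... : Kahn topological sort over the keyword graph.
rc_order() {
  rc_deps "$@" | awk -F'\t' '
    function seen(s) { if (!(s in known)) { known[s] = 1; idx[++nf] = s } }
    { seen($1) }
    $2 == "P" { prov[$3] = prov[$3] " " $1 }
    $2 == "R" { req[$1] = req[$1] " " $3 }
    $2 == "B" { bef[$1] = bef[$1] " " $3 }
    END {
      # edge[x, y] means x must start before y; a keyword that nothing
      # PROVIDEs adds no edge (rcorder(8) would print a warning instead).
      for (k = 1; k <= nf; k++) {
        f = idx[k]
        c = split(req[f], a, " ")
        for (i = 1; i <= c; i++) { m = split(prov[a[i]], p, " "); for (j = 1; j <= m; j++) if (p[j] != f) edge[p[j], f] = 1 }
        c = split(bef[f], a, " ")
        for (i = 1; i <= c; i++) { m = split(prov[a[i]], p, " "); for (j = 1; j <= m; j++) if (p[j] != f) edge[f, p[j]] = 1 }
      }
      for (e in edge) { split(e, xy, SUBSEP); indeg[xy[2]]++ }
      for (cnt = 0; cnt < nf; cnt++) {
        pick = ""
        for (k = 1; k <= nf; k++) if (!(idx[k] in emitted) && indeg[idx[k]] + 0 == 0) { pick = idx[k]; break }
        if (pick == "") {                       # nothing startable: a cycle
          left = ""
          for (k = 1; k <= nf; k++) if (!(idx[k] in emitted)) left = left " " idx[k]
          print "Circular dependency among:" left > "/dev/stderr"
          exit 1
        }
        emitted[pick] = 1
        print pick
        for (k = 1; k <= nf; k++) if ((pick, idx[k]) in edge) indeg[idx[k]]--
      }
    }'
}

# rc_order_line FILE... : the same order on one line, for comparisons.
rc_order_line() { rc_order "$@" | tr '\n' ' ' | sed 's/ *$//'; }

# make_tree DIR : constructed miniature of /etc/rc.d and /usr/local/etc/rc.d
# (only the keywords matter; these are not the real FreeBSD scripts).
make_tree() {
  mkdir -p "$1/etc/rc.d" "$1/usr/local/etc/rc.d"
  printf '# PROVIDE: NETWORKING\n'                    > "$1/etc/rc.d/NETWORKING"
  printf '# PROVIDE: DAEMON\n# REQUIRE: NETWORKING\n' > "$1/etc/rc.d/DAEMON"
  printf '# PROVIDE: LOGIN\n# REQUIRE: DAEMON\n'      > "$1/etc/rc.d/LOGIN"
  printf '# PROVIDE: mail\n# REQUIRE: LOGIN\n'        > "$1/etc/rc.d/mail"
  printf '# PROVIDE: sshd\n# REQUIRE: LOGIN\n'        > "$1/etc/rc.d/sshd"
  printf '# PROVIDE: mysql\n# REQUIRE: LOGIN\n'       > "$1/usr/local/etc/rc.d/mysql"
}

# demo : sshd vs. mysql is unordered, BEFORE: mail pins only mail, and
# BEFORE: LOGIN next to REQUIRE: LOGIN is the cycle Alan warns about.
demo() {
  d=$(mktemp -d) && make_tree "$d"
  echo "base, /etc first:         $(rc_order_line "$d"/etc/rc.d/* "$d"/usr/local/etc/rc.d/*)"
  echo "base, local first:        $(rc_order_line "$d"/usr/local/etc/rc.d/* "$d"/etc/rc.d/*)"
  printf '# BEFORE: mail\n' >> "$d/etc/rc.d/sshd"
  echo "BEFORE mail, local first: $(rc_order_line "$d"/usr/local/etc/rc.d/* "$d"/etc/rc.d/*)"
  printf '# BEFORE: LOGIN\n' >> "$d/etc/rc.d/sshd"
  rc_order "$d"/etc/rc.d/* "$d"/usr/local/etc/rc.d/* >/dev/null || echo "do not reboot with that sshd script"
  rm -rf "$d"
}
demo
```

The two "base" lines show the gap Miroslav mentions: sshd and mysql both only
REQUIRE LOGIN, so nothing orders them and the resolver places sshd on whichever
side the argument order happens to put it. Adding "# BEFORE: mail" orders sshd
against mail and nothing else; the only way the keywords guarantee sshd ahead
of a local daemon is an edge that names it. The last line is the check Alan
describes: appending "# BEFORE: LOGIN" while the script still REQUIREs LOGIN
makes the resolver, like rcorder, report a circular dependency.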

Re: when the sshd hits the fan

2015-09-23 Thread Eugene M. Zheganin

Hi.

On 23.09.2015 18:32, Dag-Erling Smørgrav wrote:

> "Eugene M. Zheganin" writes:
>
>> I'm trying to understand why the sshd still starts after local daemons,
>> out-of-the-box, and what it takes to make this extremely vital service
>> to start before non-system (local) ones. I bet I'm not the first one to
>> ask, so why isn't this already done? Seems quite easy for me.
>
> "non-system (local)" services can also be extremely vital: quagga, for
> instance.
>
> In practice, it is probably fine to move sshd before LOGIN.

I have spoken with some local FreeBSD gurus and some of the FreeBSD
developers. There are two opinions on that:

- conservative one: no rcorder modification is required; however, the LOGIN
target should be split in two, LOGIN1 and LOGIN2, for maintaining a working
securitylevel feature. And sshd should require LOGIN1. And all the non-base
services should require LOGIN2. And this requires modification of all the
ports, thus making this way unusable.
- modern one: rcorder coding is required, to start base system services
before the non-base ones. I have spoken with one of the pkgng authors; he's
able to help, but this requires some funding, because he's currently
working on pkg and cannot provide more resources on a fee-free basis. So,
the question is, can we fund this from the FreeBSD Foundation or some other
sources? Reading this thread I understand that this question arises
quite often, and it seems like no one is willing to code it on his own.


Eugene.

Re: when the sshd hits the fan

2015-09-23 Thread James Snow
On Wed, Sep 23, 2015 at 01:37:30PM +0100, Matt Smith wrote:

> If this type of thing is being done on the base system sshd it would 
> also be useful to look at the port version of ssh as well? I use the 
> port and it has always annoyed me that I get constant "connection 
> refused" whilst I'm waiting for the server to fully boot up!

Tangential, but in case it's useful to anyone else:

  until ssh -o ConnectTimeout=2 $host; do sleep 1; done

I do this all the time for hosts where I'm waiting on boot. The timeouts
and connection refused messages serve as counters so I can do other
things while waiting and have an objective measure of whether or not
I've waited too long for a host to come up. Also handy is that it will
automatically reconnect on anything other than a deliberate log out.


-Snow

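The same wait-for-boot loop, as an added example that is not from the thread,
with the two things an unattended script wants on top of it: a cap on the
number of attempts, so it fails with a clear status instead of spinning
forever when a host never comes back, and the reachability probe separated
from the interactive login so it runs without prompting (and can be exercised
with a fake probe). The host name in the usage comment is a placeholder.

```shell
#!/bin/sh
# Bounded wait-for-host loop (added example, not from the thread).
# Same idea as:  until ssh -o ConnectTimeout=2 $host; do sleep 1; done
# but with an attempt cap, and with the probe split from the login so it
# runs non-interactively and can be tested without a real host.

# ssh_probe HOST : non-interactive reachability check, exit status only.
# BatchMode=yes means it never prompts for a password or passphrase, so it
# succeeds only once key-based login works; a refused connection or a
# timeout is simply a failed attempt.
ssh_probe() {
  ssh -o ConnectTimeout=2 -o BatchMode=yes "$1" true >/dev/null 2>&1
}

# wait_for_host HOST MAX_ATTEMPTS [PROBE] : run "PROBE HOST" up to
# MAX_ATTEMPTS times, WAIT_INTERVAL seconds apart (default 1).
# Returns 0 as soon as the probe succeeds, 1 when the attempts run out,
# and reports each attempt on stderr so the count doubles as a timer.
wait_for_host() {
  wfh_host=$1; wfh_max=$2; wfh_probe=${3:-ssh_probe}
  wfh_n=0
  while [ "$wfh_n" -lt "$wfh_max" ]; do
    wfh_n=$((wfh_n + 1))
    if "$wfh_probe" "$wfh_host"; then
      echo "$wfh_host: up after $wfh_n attempt(s)" >&2
      return 0
    fi
    echo "$wfh_host: attempt $wfh_n/$wfh_max failed" >&2
    sleep "${WAIT_INTERVAL:-1}"
  done
  echo "$wfh_host: still down after $wfh_max attempts, giving up" >&2
  return 1
}

# Typical use (placeholder host): wait up to ~2 minutes, then open the
# real session once sshd answers.
#   wait_for_host rebooting.example 120 && ssh rebooting.example
```

Unlike the original one-liner, this variant does not reconnect after a
session ends; it only waits for the daemon to come up, which is what an
automated post-reboot check needs.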


Re: when the sshd hits the fan

2015-09-23 Thread Glenn English
Mildly OT from a profound BSD noob:

Why is it necessary to have SSH working before the system has finished booting? 
That 'Welcome' menu times out, so I can't think of a reason, or find one from 
Google, for needing console access after a power failure reboot. What am I
unaware of?

-- 
Glenn English





Re: when the sshd hits the fan

2015-09-23 Thread Slawa Olhovchenkov
On Wed, Sep 23, 2015 at 09:35:09AM -0600, Glenn English wrote:

> Mildly OT from a profound BSD noob:
> 
> Why is it necessary to have SSH working before the system has
> finished booting? That 'Welcome' menu times out, so I can't think of
> a reason, or find one from Google, for needing console access after
> a power failure reboot. What am I unaware of?

For fixing configuration issues, blocking some services (ordering
before sshd).


Re: when the sshd hits the fan

2015-09-23 Thread Michael Loftis
Sendmail for one can hang for stupidly long times waiting in dead resolvers
before allowing the system to continue booting. That's the most common
thing, RC scripts hanging waiting on external resources while you're locked
out simply because sshd starts ridiculously late. Very common problem.

On Wednesday, September 23, 2015, Glenn English  wrote:

> Mildly OT from a profound BSD noob:
>
> Why is it necessary to have SSH working before the system has finished
> booting? That 'Welcome' menu times out, so I can't think of a reason, or
> find one from Google, for needing console access after a power failure
> reboot. What am I unaware of?
>
> --
> Glenn English
>
>
>


-- 

"Genius might be described as a supreme capacity for getting its possessors
into trouble of all kinds."
-- Samuel Butler


Re: when the sshd hits the fan

2015-09-23 Thread Eugene M. Zheganin

Hi.

On 23.09.2015 20:35, Glenn English wrote:

> Mildly OT from a profound BSD noob:
>
> Why is it necessary to have SSH working before the system has finished booting?
> That 'Welcome' menu times out, so I can't think of a reason, or find one from
> Google, for needing console access after a power failure reboot. What am I
> unaware of?

Because in the case of a remote server the absence of sshd can prevent you
from logging in for several minutes, even dozens of minutes, and this can be
pretty harmful in a production environment.


Eugene.


Re: when the sshd hits the fan

2015-09-23 Thread Doug Hardie

> On 23 September 2015, at 03:44, Kurt Jaeger  wrote:
> 
> Hi!
> 
>>> I'm trying to understand why the sshd still starts after local daemons,
>>> out-of-the-box, and what it takes to make this extremely vital service
>>> to start before non-system (local) ones. I bet I'm not the first one to
>>> ask, so why isn't this already done? Seems quite easy for me.
>> 
>> The fix is quite simple:  Add
>> 
>> # BEFORE: mail
>> 
>> to /etc/rc.d/sshd
>> 
>> I tried to submit a PR on that about a year ago, but it never
>> seemed to make it into the PR system.
> 
> It did enter the PR system.
> 
> https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=190447
> 
> I'll have a look at it, it annoys me as well 8-}

Thanks.  I never could find that PR in the database.  Guess I don’t quite 
understand how to successfully search it ;-)



Re: when the sshd hits the fan

2015-09-23 Thread Glenn English

On Sep 23, 2015, at 10:00 AM, Michael Loftis  wrote:

> Sendmail for one can hang for stupidly long times waiting in dead resolvers 
> before allowing the system to continue booting.

So replace it with Postfix? I've been using it (on Debian Linux) for decades 
without any problems. AFAIK, it doesn't do anything pathological like that. It 
just reads its config and starts waiting for email.

> That's the most common thing, RC scripts hanging waiting on external 
> resources while you're locked out simply because sshd starts ridiculously 
> late. Very common problem.

If properly configed, shouldn't things come up in order, with their 
dependencies already running? Or is specifying boot order not possible on FBSD?

I can certainly understand the possible need for SSH, just in case, but I'd
think things could be set to do stuff in the proper order. Except for cyclic
dependencies, of course -- a significant bug for the maintainers.

-- 
Glenn English





Re: when the sshd hits the fan

2015-09-23 Thread Lowell Gilbert
Glenn English  writes:

> On Sep 23, 2015, at 10:00 AM, Michael Loftis  wrote:
>
>> That's the most common thing, RC scripts hanging waiting on external
>> resources while you're locked out simply because sshd starts
>> ridiculously late. Very common problem.
>
> If properly configed, shouldn't things come up in order, with their
> dependencies already running? Or is specifying boot order not possible
> on FBSD?

Yes; that's done with rcorder(8). The startup order isn't completely
defined, just the dependencies that require being started before (or,
occasionally, after) some other service.

> I can certainly understand the possible need for SSH, just in case,
> but I'd think things could be set to do stuff in the proper
> order. Except for cyclic dependencies, of course -- a significant bug
> for the maintainers.

The discussion here is whether the "proper order" should be changed from
the current default. As for cycles in the graph, rcorder already detects
that.



when the sshd hits the fan

2015-09-23 Thread Eugene M. Zheganin
Hi.

I'm trying to understand why the sshd still starts after local daemons,
out-of-the-box, and what it takes to make this extremely vital service
to start before non-system (local) ones. I bet I'm not the first one to
ask, so why isn't this already done? Seems quite easy for me.

Eugene.



Re: when the sshd hits the fan

2015-09-23 Thread Glenn English

On Sep 23, 2015, at 1:13 PM, Lowell Gilbert 
 wrote:

> Yes; that's done with rcorder(8). The startup order isn't completely
> defined, just the dependencies that require being started before (or,
> occasionally, after) some other service.

Well, that's all that matters, except for getting SSH going before something 
gets stuck.

-- 
Glenn English





Re: when the sshd hits the fan

2015-09-23 Thread Doug Hardie

> On 23 September 2015, at 01:44, Eugene M. Zheganin  wrote:
> 
> Hi.
> 
> I'm trying to understand why the sshd still starts after local daemons,
> out-of-the-box, and what it takes to make this extremely vital service
> to start before non-system (local) ones. I bet I'm not the first one to
> ask, so why isn't this already done? Seems quite easy for me.

The fix is quite simple:  Add

# BEFORE: mail

to /etc/rc.d/sshd

I tried to submit a PR on that about a year ago, but it never seemed to make it 
into the PR system.  Many of my servers are remote and if there is an issue 
with a port, I still need a way into the system other than driving for hours.  
This works.  Sshd is started early in the sequence and I can at least ssh into 
the server.  It won’t help though if there is a syntax error in /etc/rc.conf.  
Those are pretty much fatal.
