I would like to suggest adding a fallback in the event that somehow the sshd_config port number is invalid. Example: Port != (1<= or >=65535) By default fall by to port 22, and spit out an error. Same would go for if the new port is already in use, fall back to port 22 and spit out an error. Why is this a good idea? Would be a good idea because people are human and make mistakes, and you shouldn't have to wipe your server just because an invalid port was used by accident. Why is this a bad idea? I see no reason why this would be a bad idea that I am aware of.
On Thu, Jul 30, 2015 at 08:30:28PM +0000, Stop Spazzing wrote:> Why is this a good idea? Would be a good idea because people are human and > make mistakes, and you shouldn't have to wipe your server just because an > invalid port was used by accident.Why would one have to _WIPE_ a server because of a misconfigured sshd? Greetings Marc -- ----------------------------------------------------------------------------- Marc Haber | "I don't trust Computers. They | Mailadresse im Header Leimen, Germany | lose things." Winona Ryder | Fon: *49 6224 1600402 Nordisch by Nature | How to make an American Quilt | Fax: *49 6224 1600421
On Jul 30, 2015, at 1:30 PM, Stop Spazzing <stopspazzing at gmail.com> wrote:> I would like to suggest adding a fallback in the event that somehow the > sshd_config port number is invalid. > > Example: > Port != (1<= or >=65535) > > By default fall by to port 22, and spit out an error. Same would go for if > the new port is already in use, fall back to port 22 and spit out an error. > > Why is this a good idea? Would be a good idea because people are human and > make mistakes, and you shouldn't have to wipe your server just because an > invalid port was used by accident. > > Why is this a bad idea? I see no reason why this would be a bad idea that I > am aware of.I can think of at least one reason why this is a bad idea. There are a lot of ssh port scanners out there connecting on port 22, and people often put their ssh servers on non-standard ports to reduce the amount of this sort of traffic they receive. If you think you have configured a non-standard port and happen to get it wrong, I don?t think you?d want the SSH server to start up on the default port. It would be better to let you know the port is wrong and fail to start until you fixed the problem and selected a valid non-standard port. -- Ron Frederick ronf at timeheart.net
I see your point and that makes valid sense;I even change default port. "It would be better to let you know the port is wrong and fail to start until you fixed the problem and selected a valid non-standard port." Is there any reason something like this isn't implemented already? Could it be implemented? On Thu, Jul 30, 2015 at 2:02 PM Ron Frederick <ronf at timeheart.net> wrote:> On Jul 30, 2015, at 1:30 PM, Stop Spazzing <stopspazzing at gmail.com> wrote: > > I would like to suggest adding a fallback in the event that somehow the > sshd_config port number is invalid. > > Example: > Port != (1<= or >=65535) > > By default fall by to port 22, and spit out an error. Same would go for if > the new port is already in use, fall back to port 22 and spit out an error. > > Why is this a good idea? Would be a good idea because people are human and > make mistakes, and you shouldn't have to wipe your server just because an > invalid port was used by accident. > > Why is this a bad idea? I see no reason why this would be a bad idea that I > am aware of. > > > I can think of at least one reason why this is a bad idea. There are a lot > of ssh port scanners out there connecting on port 22, and people often put > their ssh servers on non-standard ports to reduce the amount of this sort > of traffic they receive. If you think you have configured a non-standard > port and happen to get it wrong, I don?t think you?d want the SSH server to > start up on the default port. It would be better to let you know the port > is wrong and fail to start until you fixed the problem and selected a valid > non-standard port. > > -- > Ron Frederick > ronf at timeheart.net > > > >
On Thu, Jul 30, 2015 at 4:49 PM, Marc Haber <mh+openssh-unix-dev at zugschlus.de> wrote:> On Thu, Jul 30, 2015 at 08:30:28PM +0000, Stop Spazzing wrote: >> Why is this a good idea? Would be a good idea because people are human and >> make mistakes, and you shouldn't have to wipe your server just because an >> invalid port was used by accident. > > Why would one have to _WIPE_ a server because of a misconfigured sshd? > > Greetings > MarcIf you don't have console access, or it takes a long time to arrange, screwing up sshd_config means you are dead in the water. This is why sshd's default "re-exec sshd and associate it with the terminal sesson" is so invaluable: it allows you to restart the daeemon, and test the new daemon, without losing your active session.
Apparently Analagous Threads
- Feature Request: Invalid sshd port fallback
- Duplicate value used in disconnect reason definitons
- [Bug 2147] New: OpenSSH remote forwarding of dynamic ports doesn't work when you create more than one
- [Bug 2366] New: ssh-keygen doesn't correctly decode new format GCM-encrypted keys
- Keyboard Interactive Attack?