Peter Stuge
2021-Sep-30 15:16 UTC
Howto log multiple sftpd instances with their chroot shared via NFS
Hi Hildegard,

Hildegard Meier wrote:
> > 4192 /usr/sbin/sftpd is likely unrelated to OpenSSH.
>
> To have a clean separation of the standard sshd service on port 22
> and our sftp server that listens on another port, and both have and
> shall have really nothing to do with each other, I created a new
> sshd instance named "sftpd":

I understand! This could actually make it much easier to use a local
build for the standalone sftp server. Does the patch idea seem viable?

> [Service]
> EnvironmentFile=-/etc/default/sftpd
> ExecStartPre=/usr/sbin/sftpd -t
> ExecStart=/usr/sbin/sftpd -D $SFTPD_OPTS -f /etc/sftpd/sftpd_config
>
> Important for correct autostart of sftpd on boot is:
> [Unit]
> After=network.target auditd.service sshd.service
>
> Because sftpd needs to be started after sshd because only sshd
> creates /run/sshd/ and that is needed by sftpd (hard compiled in sshd).

systemd creates /run/sshd for the sshd.service, it's not great that the
sftpd service needs to use the same path. A local sshd build allows
cleanly solving that as well.

These commands build an OpenSSH-8.8p1 sshd with my sftp-server patch
and the alternate privsep directory:

git clone https://anongit.mindrot.org/openssh.git && cd openssh &&
git checkout -b v88_sftplog V_8_8_P1 &&
wget -O 0001-sftplog.patch \
  https://lists.mindrot.org/pipermail/openssh-unix-dev/attachments/20210930/9b40e2d4/attachment.bin &&
git am 0001-sftplog.patch &&
autoreconf -fi -I m4 &&
./configure --prefix=/usr/local/sftpd --with-privsep-path=/run/sftpd &&
make sshd

Thanks to --prefix this sshd will not interfere with anything installed
via package management. Place configuration and keys (or symlinks) in
/usr/local/sftpd/etc/ and remember PidFile /run/sftpd.pid in sshd_config.
In any case you can express the current dependency to systemd to avoid
errors:

> When stopping sshd /run/sshd/ gets deleted and you get the
> following sftpd error:
> fatal: Missing privilege separation directory: /run/sshd
> and sftpd does not accept new connections anymore etc.

Set BindsTo=sshd.service in the sftpd.service [Unit] section to tell
systemd that sftpd requires sshd, and should be stopped first if sshd
is being stopped.

Also create a Wants:

mkdir /etc/systemd/system/sshd.service.wants
ln -s ../sftpd.service /etc/systemd/system/sshd.service.wants/

..to tell systemd that it should try to start sftpd when sshd starts.

Keep After=sshd.service in sftpd.service.

With those changes you can stop and start sftpd while sshd continues
running like before, if you stop sshd then sftpd is now stopped first,
and if you start either sshd or sftpd when neither is running then both
are started in the right order.

> Here ps fax output :)

That makes sense now. :)

Kind regards

//Peter
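The unit and Wants link described in Peter's message, rendered by a small POSIX shell script. This is an added example, not code from the thread or from the OpenSSH project. It reuses the [Service] lines and After= line Hildegard quoted and adds the BindsTo=sshd.service directive and the sshd.service.wants symlink; the Description= and [Install] lines are assumptions, and the ROOT argument is a convenience of this script so the result can be inspected in a scratch directory before anything under /etc/systemd/system is touched.

```shell
#!/bin/sh
# Added example (not from the mailing-list thread): render sftpd.service with
# the start-after / stop-before dependency on sshd.service and create the
# sshd.service.wants link. ROOT is an assumed prefix ("" means the live system).

# write_sftpd_unit ROOT -- writes ROOT/etc/systemd/system/sftpd.service
write_sftpd_unit() {
    root="$1"
    dir="$root/etc/systemd/system"
    mkdir -p "$dir"
    # Quoted heredoc: $SFTPD_OPTS must reach systemd literally.
    cat > "$dir/sftpd.service" <<'EOF'
[Unit]
Description=Standalone OpenSSH sftp server (second sshd instance)
# sftpd needs /run/sshd, which only sshd.service creates: start after it.
After=network.target auditd.service sshd.service
# BindsTo implies Requires: sftpd is stopped first when sshd stops, and
# sshd is pulled in when sftpd is started on its own.
BindsTo=sshd.service

[Service]
EnvironmentFile=-/etc/default/sftpd
ExecStartPre=/usr/sbin/sftpd -t
ExecStart=/usr/sbin/sftpd -D $SFTPD_OPTS -f /etc/sftpd/sftpd_config

[Install]
WantedBy=multi-user.target
EOF
}

# add_sshd_wants ROOT -- make sshd.service try to start sftpd.service too
add_sshd_wants() {
    root="$1"
    wants="$root/etc/systemd/system/sshd.service.wants"
    mkdir -p "$wants"
    ln -sf ../sftpd.service "$wants/sftpd.service"
}

# check_sftpd_deps ROOT -- sanity check: both directives and the link exist
check_sftpd_deps() {
    unit="$1/etc/systemd/system/sftpd.service"
    grep -q '^BindsTo=.*sshd\.service' "$unit" &&
    grep -q '^After=.*sshd\.service' "$unit" &&
    [ -L "$1/etc/systemd/system/sshd.service.wants/sftpd.service" ]
}

# Usage: sh sftpd-unit.sh --install [ROOT]   (then: systemctl daemon-reload)
case "${1:-}" in
    --install)
        root="${2:-}"
        write_sftpd_unit "$root"
        add_sshd_wants "$root"
        check_sftpd_deps "$root" &&
            echo "sftpd.service written under ${root:-/}; run systemctl daemon-reload"
        ;;
esac
```

Run it with a scratch ROOT first (for example --install /tmp/sftpd-test) and read the generated files; on the real system, systemctl daemon-reload followed by systemctl start sftpd.service should then also start sshd.service if it is not running, and systemctl stop sshd.service should stop sftpd.service first.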
Hildegard Meier
2021-Oct-01 05:30 UTC
Aw: Re: Howto log multiple sftpd instances with their chroot shared via NFS
> Does the patch idea seem viable?
> A local sshd build allows cleanly solving that as well.

Thanks Peter, but one reason for the new sftp-server cluster HA
architecture (and therefore the central NFS mount for the users, leading
to this problem) was to be able to have maintenance of the single sftp
servers without service outage, to be able to apply operating system
security patches delivered by the distribution (Ubuntu in this case).
I have no capacity to follow the OpenSSH security issues myself and then
if needed re-compile newer patched versions (and not even then apply your
patch additionally every time to it :) We run an industry production
service here and need to stick with vanilla distribution OpenSSH and
leave the delivery of security patches to Ubuntu.

> Set BindsTo=sshd.service in the sftpd.service [Unit] section to
> tell systemd that sftpd requires sshd, and should be stopped first
> if sshd is being stopped.
>
> Also create a Wants:
>
> mkdir /etc/systemd/system/sshd.service.wants
> ln -s ../sftpd.service /etc/systemd/system/sshd.service.wants/
>
> ..to tell systemd that it should try to start sftpd when sshd starts.
>
> Keep After=sshd.service in sftpd.service.
>

Thanks for the hint, I will look into it, I am not so experienced with
systemd yet.