[Bug 1834128] Re: Multiple sshd services cannot be executed

Luke A. Perkins public at epicdgs.us
Wed Jul 3 14:13:50 UTC 2019


The way I created this was to implement 2 sshd services called wan_sshd
and lan_sshd. I used the existing sshd.service files as templates. See
attached files. This solution reliably works using Ubuntu 18.04.2 LTS
with OpenSSH 7.6p1.

Additional things I had to do:

1) Delete the sshd.service, sshd.socket, and sshd@.service in the /lib/systemd/system directory.
2) Perform a "sudo systemctl disable ssh". All this does is delete the links to the files in step #1.
3) Delete the /etc/rc*.d/S01ssh files.
4) Delete the /etc/init.d/ssh
5) Replace the /etc/default/ssh with the ssh.default in the ZIP file.
6) Delete the /etc/ssh/sshd_config. Add the sshd_*_config files from the ZIP file.
7) Add the wan_sshd* and lan_sshd* files to the /lib/systemd/system directory from the ZIP file. NOTE: Files called _at.service should be renamed to @.service. 
8) Generate your own key files and make appropriate changes to the sshd_*_config files.
9) Add the usr_lib_tmpfiles_d.conf from the ZIP file as /usr/lib/tmpfiles.d/sshd.conf
10) Reboot the machine and make sure /run/sshd exists BEFORE enabling the 2 services.

I make the assumption that the reader has the skill set to use systemctl
to get the services started. I also assume the reader has the skill set
to edit a sshd_*_config file.

** Attachment added: "Files from my server that work."
   https://bugs.launchpad.net/ubuntu/+source/openssh/+bug/1834128/+attachment/5274899/+files/SampleDualServer.zip

** Changed in: openssh (Ubuntu)
       Status: Incomplete => New

-- 
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to openssh in Ubuntu.
https://bugs.launchpad.net/bugs/1834128

Title:
  Multiple sshd services cannot be executed

Status in openssh package in Ubuntu:
  New

Bug description:
  OpenSSH 7.6p1
  Ubuntu 18.04.2 (LTS) (Bionic)

  See also Ticket #1831765, #1690485, and #1832110 regarding the path of
  the privilege separation directory (aka: /run/sshd).

  The current Debian installer sets the RuntimeDirectory=sshd (i.e.
  /run/sshd) in sshd.service (i.e. /lib/systemd/system/sshd.service) and
  sshd@.service (i.e. /lib/systemd/system/sshd@.service). This is not
  the best means of implementing this service. The problem is that the
  systemd deletes the RuntimeDirectory resource as soon as the service
  is stopped. When this happens, other sshd services will fault since
  the privileged separation directory is no longer there. We need to
  modify the configuration as follows:

  1) Create /usr/lib/tmpfiles.d/sshd.conf that defines the /run/sshd directory with root:root as the owner and the protection of 0755.
  2) Change the assignment of the RuntimeDirectory in sshd.service to something other than sshd (i.e. /run/sshd).
  3) Change the assignment of the RuntimeDirectory in sshd@.service to something other than sshd (i.e. /run/sshd).

  Both OpenSSH and Ubuntu have declined to provision a means of
  adjusting the Privilege Separation directory. Since both teams do not
  want to address this, we need to have a means of implementing multiple
  instance sshd invocation using systemd and avoiding using the
  RuntimeDirectory assignment of /run/sshd.
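
A check for the condition this report describes, as an added example that is not part of the report or its ZIP attachment: it lists unit files that still assign RuntimeDirectory=sshd and verifies that a tmpfiles.d entry creates /run/sshd as root:root 0755. The function names and the --audit switch are assumptions made for this example; the default paths are the ones named in the report.

```bash
#!/usr/bin/env bash
# Added example; not taken from the bug report or its ZIP attachment.
# Default paths are the ones named in the report; pass others to audit a staged tree.

# List unit files that assign RuntimeDirectory=sshd. systemd removes /run/sshd when
# such a unit stops, which takes the directory away from every other sshd instance.
units_owning_run_sshd() {
    local unit_dir="${1:-/lib/systemd/system}" f
    for f in "$unit_dir"/*.service; do
        [ -f "$f" ] || continue
        # The value is a space-separated list, so match "sshd" as a whole name.
        if grep -Eq '^[[:space:]]*RuntimeDirectory[[:space:]]*=(.*[[:space:]])?sshd([[:space:]]|$)' "$f"; then
            printf '%s\n' "$f"
        fi
    done
    return 0
}

# Succeed if a tmpfiles.d file creates /run/sshd as a root:root directory, mode 0755.
tmpfiles_declares_run_sshd() {
    local conf_dir="${1:-/usr/lib/tmpfiles.d}" f
    for f in "$conf_dir"/*.conf; do
        [ -f "$f" ] || continue
        awk '$1 == "d" && $2 == "/run/sshd" && ($3 == "0755" || $3 == "755") &&
             $4 == "root" && $5 == "root" { ok = 1 } END { exit !ok }' "$f" && return 0
    done
    return 1
}

# Run both checks; print findings and return non-zero if either fails.
audit_sshd_runtime_dir() {
    local unit_dir="${1:-/lib/systemd/system}" conf_dir="${2:-/usr/lib/tmpfiles.d}"
    local offenders rc=0
    offenders="$(units_owning_run_sshd "$unit_dir")"
    if [ -n "$offenders" ]; then
        printf 'RuntimeDirectory=sshd set in:\n%s\n' "$offenders"
        rc=1
    fi
    if ! tmpfiles_declares_run_sshd "$conf_dir"; then
        printf 'no tmpfiles.d entry for /run/sshd (root:root 0755) in %s\n' "$conf_dir"
        rc=1
    fi
    return "$rc"
}

# Audit the live paths only when asked to, e.g.: bash audit.sh --audit
if [ "${1:-}" = "--audit" ]; then audit_sshd_runtime_dir; fi
```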
