Bug 242642 - [Feature] Include rt-sshd in RHEL5-RT Distribution
Status: CLOSED NOTABUG
Product: Red Hat Enterprise MRG
Classification: Red Hat
Component: realtime-kernel
Version: 1.0
Hardware: All Linux
Priority: low, Severity: medium
Assigned To: Guy Streeter
: Reopened
Reported: 2007-06-05 05:22 EDT by IBM Bug Proxy
Modified: 2016-02-09 20:32 EST

Fixed In Version: August
Doc Type: Bug Fix
Last Closed: 2008-07-09 15:21:08 EDT


Attachments
rt-sshd script source (3.29 KB, text/plain), 2007-06-05 05:22 EDT, IBM Bug Proxy
rt-sshd (3.91 KB, text/plain), 2007-07-18 07:26 EDT, IBM Bug Proxy
rt-sshd (3.94 KB, text/plain), 2007-07-24 02:35 EDT, IBM Bug Proxy
rt-sshd (4.08 KB, text/plain), 2007-08-08 05:55 EDT, IBM Bug Proxy
sysconfig-rt-sshd (198 bytes, text/plain), 2007-08-08 05:56 EDT, IBM Bug Proxy


External Trackers
Tracker ID Priority Status Summary Last Updated
IBM Linux Technology Center 35219 None None None Never

Description IBM Bug Proxy 2007-06-05 05:22:43 EDT
LTC Owner is: dvhltc@us.ibm.com
LTC Originator is: dvhltc@us.ibm.com


rt-sshd
-------

Purpose
~~~~~~~
'rt-sshd' is a program that runs as a service to start/stop the ssh
daemon with several RT attributes. It enables running a secondary sshd as a
SCHED_FIFO 99 process, listening on port number 9988. This is very
useful in logging into the system when there are a number of RT
processes running and the primary non-real-time sshd is starving and
thus refusing to allow logins.

Design
~~~~~~
When started, the program generates RSA and DSA keys and then starts
the ssh daemon as a SCHED_FIFO 99 process as follows:

-------------------------------------------------------------------------------
chrt -f 99 /usr/sbin/sshd -p 9988 -o PidFile=/var/run/rt-sshd.pid -o UseDNS=no
-------------------------------------------------------------------------------

Stopping the service kills the FIFO 99 ssh daemon.

Usage
~~~~~
-----------------------------------------------------------------------
rt-sshd {start|stop|restart|reload|condrestart|status}
-----------------------------------------------------------------------

Category
~~~~~~~~
Developer tool & general usage utility
Comment 1 IBM Bug Proxy 2007-06-05 05:22:43 EDT
Created attachment 156191
rt-sshd script source
Comment 2 Tim Burke 2007-06-05 09:48:01 EDT
Assigning to Guy Streeter.
We are likely to include several debug/diagnostic packages (which are not
intended for use in full deployment mode). This may well be an example of that
category.  Assigning to Guy to initiate internal discussions on the topic.  If it
seems useful, then the request is for Guy to ensure the packaging is all set and
that the usage info gets a mention in the HOWTO.

---------------

My main concern with this one is to hopefully get the packaging such that it is
independent of the core sshd package.  It's OK to have a dependency on that
package, but would prefer not to muck with that package directly - so that we
can simply inherit the maintenance stream for the sshd package without having to
maintain a complete branch.
Comment 3 Guy Streeter 2007-06-26 15:53:09 EDT
I don't see anything in the attached script that indicates it requires any sshd
package changes. Am I missing something?
Comment 4 Guy Streeter 2007-06-28 16:40:59 EDT
Do you want to include Copyright and License text in this script?
Comment 5 IBM Bug Proxy 2007-07-02 13:45:21 EDT
----- Additional Comments From sripathi@in.ibm.com (prefers email at sripathik@in.ibm.com)  2007-07-02 13:40 EDT -------
Yes, we want to add GPL license as well as author information to the script.
Since rt-sshd is based on /etc/init.d/sshd script, we want to mention something
like "Modified from original script by <author> by <ibm author>". However, there
is no license, copyright or author information in the original script. We based
the script on /etc/init.d/sshd script provided by
openssh-server-3.9p1-8.RHEL4.9. (The one shipped with RHEL4U2)

Could you please let us know the author and copyright information for the script? 
Comment 6 Guy Streeter 2007-07-02 16:14:34 EDT
I have asked our openssh maintainer about the authorship and license of the
/etc/init.d/sshd script.
Comment 7 Guy Streeter 2007-07-09 11:48:55 EDT
Our openssh maintainer says there is no information available about the author
of the init script, that it came from a contrib directory.
The license for openssh is BSD. Information is in the
/usr/share/doc/openssh-4.3p2/LICENCE file, installed by the openssh rpm.
Comment 8 IBM Bug Proxy 2007-07-18 07:25:31 EDT
----- Additional Comments From sripathi@in.ibm.com (prefers email at sripathik@in.ibm.com)  2007-07-18 07:19 EDT -------
Hi RH,

Since we don't have author information for this script, we have put the
following two lines about the origin of the script:
# Based on /etc/init.d/sshd from RedHat's openssh-server-3.9p1-8.RHEL4.9 rpm.
# Customized for RHEL5-RT by Theodore Ts'o <tytso at mit.edu>

We have also put in GPL license.

I will attach the modified rt-sshd script to the bug. Please let us know if this
is fine. 
Comment 9 IBM Bug Proxy 2007-07-18 07:26:19 EDT
Created attachment 159510
rt-sshd
Comment 10 IBM Bug Proxy 2007-07-18 07:26:26 EDT
----- Additional Comments From sripathi@in.ibm.com (prefers email at sripathik@in.ibm.com)  2007-07-18 07:20 EDT -------
 
/etc/init.d/rt-sshd script with license and author information 
Comment 11 Guy Streeter 2007-07-23 16:46:15 EDT
In the header comments, the phrase "OpenSSH server daemon" appears twice. Can we
change it to something like "Realtime priority OpenSSH server daemon"?
Comment 12 Guy Streeter 2007-07-23 17:46:49 EDT
Tim Burke asked me to ask our ssh maintainer if he had any thoughts on the
advisability of running a high realtime priority sshd.
His only thought was that it might slightly increase the risk of a
Denial-of-Service attack, using multiple simultaneous connections to the rt-sshd.

I am not aware of any DoS attempts by flooding the sshd anyway.
Comment 13 IBM Bug Proxy 2007-07-24 02:30:17 EDT
------- Additional Comments From sripathi@in.ibm.com (prefers email at sripathik@in.ibm.com)  2007-07-24 02:28 EDT -------
(In reply to comment #14)
> In the header comments, the phrase "OpenSSH server daemon" appears twice. Can we
> change it to something like "Realtime priority OpenSSH server daemon"?

Okay. I'll attach the changed version of rt-sshd. 
Comment 14 IBM Bug Proxy 2007-07-24 02:35:14 EDT
Created attachment 159834
rt-sshd
Comment 15 IBM Bug Proxy 2007-07-24 02:35:18 EDT
----- Additional Comments From sripathi@in.ibm.com (prefers email at sripathik@in.ibm.com)  2007-07-24 02:30 EDT -------
 
rt-sshd with a change to description of the file 
Comment 16 Guy Streeter 2007-07-26 12:09:03 EDT
There are a few other changes I'd like to suggest:

The pidfile listed in the header comments and set in the PID_FILE variable is
not used, but if present they ought to match the actual pidfile name to avoid
confusion.

Since the port number used by rt-sshd is not a defined standard, the user might
want to change it should it interfere with something else. What do you think of
allowing the port number to be set in the /etc/sysconfig/rt-sshd file?

Is there a reason why UseDNS=no is hard-coded on the commandline?
Comment 17 IBM Bug Proxy 2007-07-30 07:30:35 EDT
------- Additional Comments From sripathi@in.ibm.com (prefers email at sripathik@in.ibm.com)  2007-07-30 07:29 EDT -------
(In reply to comment #20)
> The pidfile listed in the header comments and set in the PID_FILE variable is
> not used, but if present they ought to match the actual pidfile name to avoid
> confusion.
> 
> Since the port number used by rt-sshd is not a defined standard, the user might
> want to change it should it interfere with something else. What do you think of
> allowing the port number to be set in the /etc/sysconfig/rt-sshd file?

I made these changes. I will post the script to rhel-rt-ibm list, so that it
will draw more attention and comments. 
Comment 18 IBM Bug Proxy 2007-08-08 05:55:20 EDT
----- Additional Comments From sripathi@in.ibm.com (prefers email at sripathik@in.ibm.com)  2007-08-08 05:52 EDT -------
I will attach here the latest version of the scripts I have sent on ML. 
Comment 19 IBM Bug Proxy 2007-08-08 05:55:54 EDT
Created attachment 160893
rt-sshd
Comment 20 IBM Bug Proxy 2007-08-08 05:56:04 EDT
----- Additional Comments From sripathi@in.ibm.com (prefers email at sripathik@in.ibm.com)  2007-08-08 05:53 EDT -------
 
/etc/rc.d/init.d/rt-sshd based on sshd from RHEL5 
Comment 21 IBM Bug Proxy 2007-08-08 05:56:38 EDT
Created attachment 160894
sysconfig-rt-sshd
Comment 22 IBM Bug Proxy 2007-08-08 05:56:49 EDT
----- Additional Comments From sripathi@in.ibm.com (prefers email at sripathik@in.ibm.com)  2007-08-08 05:53 EDT -------
 
/etc/sysconfig/rt-sshd file 
Comment 23 Guy Streeter 2007-08-22 10:42:37 EDT
rt-sshd is now available in the RT partners repo.
Comment 24 Tomas Mraz 2008-03-17 10:07:19 EDT
Has anyone tested rt-sshd with SELinux enabled & enforcing?
Comment 25 Steve Grubb 2008-06-05 10:24:24 EDT
Has anyone realized that logins > port 1023 are spoofable by user land apps?
IOW, it violates any concept of trusted path login. Anyone can bind to that port
if it's unused and steal passwords and then pass the connection to sshd. 

System logins need to be on ports requiring CAP_NET_BIND_SERVICE. Why can't port
22 be used for a realtime sshd? Or maybe sshd could start a realtime shell for root
and drop to a non-realtime shell for uid != 0.
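
An audit for the concern raised in comment 25, as an added example that is not part of the bug thread or of the rt-sshd script: it reads a socket table in /proc/net/tcp format and reports whether the login port is privileged and which uid holds the listener. The function names, verdict labels and sample table are constructed for illustration, and the 1024 boundary is assumed to be the system default.

```shell
#!/bin/sh
# Added example: audit who owns the listener on an sshd port.
# Input uses the /proc/net/tcp layout; the sample table below is constructed.

# Ports below 1024 need CAP_NET_BIND_SERVICE; any local user can bind the rest.
port_class() {
    if [ "$1" -lt 1024 ]; then echo privileged; else echo unprivileged; fi
}

# Print the uid of every LISTEN (state 0A) socket on port $1 found in file $2.
listener_uids() {
    hex=$(printf '%04X' "$1")   # the table stores ports as 4 uppercase hex digits
    awk -v hex="$hex" 'NR > 1 { split($2, a, ":")
        if ($4 == "0A" && a[2] == hex) print $8 }' "$2"
}

# Verdict for port $1 in table $2:
#   ok       root-owned listener on a privileged port
#   exposed  root-owned listener, but any user could take the port when it is free
#   nonroot  a non-root uid is listening where logins are expected
#   free     nothing is listening
audit_port() {
    uids=$(listener_uids "$1" "$2")
    class=$(port_class "$1")
    if [ -z "$uids" ]; then echo free; return; fi
    for u in $uids; do
        if [ "$u" != 0 ]; then echo nonroot; return; fi
    done
    if [ "$class" = privileged ]; then echo ok; else echo exposed; fi
}

# Constructed sample: root on 22, uid 1000 on 9988 (0x2704), root on 9989.
SAMPLE=$(mktemp)
trap 'rm -f "$SAMPLE"' EXIT
cat > "$SAMPLE" <<'EOF'
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 11111
   1: 00000000:2704 00000000:0000 0A 00000000:00000000 00:00000000 00000000  1000        0 22222
   2: 0100007F:2705 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 33333
EOF

for p in 22 9988 9989 9990; do
    echo "port $p: $(audit_port "$p" "$SAMPLE")"
done
```

On a live system, pass /proc/net/tcp (and /proc/net/tcp6) instead of the sample file. A uid of 0 shows only that root owns the socket, not that the process is sshd.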
Comment 35 Clark Williams 2008-07-09 15:21:08 EDT
We'll document how to run sshd at elevated priorities for debugging purposes.

Closing
