LTC Owner is: dvhltc.com LTC Originator is: dvhltc.com rt-sshd ------- Purpose ~~~~~~~ 'rt-sshd' is a program that runs as a service to start/stop the ssh daemon with several RT attributes. It enables running secondary sshd as a SCHED_FIFO 99 process, listening on port number 9988. This is very useful in logging into the system when there are a number of RT processes running and the primary non-real-time sshd is starving and thus refusing to allow logins. Design ~~~~~~ When started, the program generates RSA and DSA keys and then starts the ssh daemon as SCHED_FIFO 99 process as follows: ------------------------------------------------------------------------------- chrt -f 99 /usr/sbin/sshd -p 9988 -o PidFile=/var/run/rt-sshd.pid -o UseDNS=no ------------------------------------------------------------------------------- Stopping the service, kills the FIFO 99 ssh daemon. Usage ~~~~~ ----------------------------------------------------------------------- rt-sshd {start|stop|restart|reload|condrestart|status} ----------------------------------------------------------------------- Category ~~~~~~~~ Developer tool & general usage utility
Created attachment 156191 [details] rt-sshd script source
Assigning to Guy Streeter. We are likely to include several debug/diagnostic packages (which are not intended for use in full deployment mode). this may well be an example of that category. assiging to Guy to initiate internal discussions on the topic. if it seems useful, then the request is for Guy to ensure the packaging is all set and that the usage info gets mention in the HOWTO. --------------- My main concern with this one is to hopefully get the packaging such that it is independent of the core sshd package. Its ok to have a dependency on that package, but would prefer not to muck with that package directly - so that we can simply inherit the maintenance stream for the sshd package without having to maintain a complete branch.
I don't see anything in the attached script that indicates it requires any sshd package changes. Am I missing something?
Do you want to include Copyright and License text in this script?
----- Additional Comments From sripathi.com (prefers email at sripathik.com) 2007-07-02 13:40 EDT ------- Yes, we want to add GPL license as well as author information to the script. Since rt-sshd is based on /etc/init.d/sshd script, we want to mention something like "Modified from original script by <author> by <ibm author>". However, there is no license, copyright or author information in the original script. We based the script on /etc/init.d/sshd script provided by openssh-server-3.9p1-8.RHEL4.9. (The one shipped with RHEL4U2) Could you please let us know the author and copyright information for the script?
I have asked our openssh maintainer about the authorship and license of the /etc/init.d/sshd script.
Our openssh maintainer says there is no information available about the author of the init script, that it came from a contrib directory. The license for openssh is BSD. Information is in the /usr/share/doc/openssh-4.3p2/LICENCE file, installed by the openssh rpm.
----- Additional Comments From sripathi.com (prefers email at sripathik.com) 2007-07-18 07:19 EDT ------- Hi RH, Since we don't have author information for this script, we have put the following two lines about the origin of the script: # Based on /etc/init.d/sshd from RedHat's openssh-server-3.9p1-8.RHEL4.9 rpm. # Customized for RHEL5-RT by Theodore Ts'o <tytso at mit.edu> We have also put in GPL license. I will attach the modified rt-sshd script to the bug. Pleaes let us know if this is fine.
Created attachment 159510 [details] rt-sshd
----- Additional Comments From sripathi.com (prefers email at sripathik.com) 2007-07-18 07:20 EDT ------- /etc/init.d/rt-sshd script with license and author information
In the header comments, the phrase "OpenSSH server daemon" appears twice. Can we change it to something like "Realtime priority OpenSSH server daemon"?
Tim Burke asked me to ask our ssh maintainer if he had any thoughts on the advisability of running a high realtime priority sshd. His only thought was that it might slightly increase the risk of a Denial-of-Service attack, using multiple simultaneous connections to the rt-sshd. I am not aware of any DoS attempts by flooding the sshd anyway.
------- Additional Comments From sripathi.com (prefers email at sripathik.com) 2007-07-24 02:28 EDT ------- (In reply to comment #14) > In the header comments, the phrase "OpenSSH server daemon" appears twice. Can we > change it to something like "Realtime priority OpenSSH server daemon"? Okay. I'll attach the changed version of rt-sshd.
Created attachment 159834 [details] rt-sshd
----- Additional Comments From sripathi.com (prefers email at sripathik.com) 2007-07-24 02:30 EDT ------- rt-sshd with a change to description of the file
There are a few other changes I'd like to suggest: The pidfile listed in the header comments and set in the PID_FILE variable is not used, but if present they ought to match the actual pidfile name to avoid confusion. Since the port number used by rt-sshd is not a defined standard, the user might want to change it should it interfere with something else. What do you think of allowing the port number to be set in the /etc/sysconfig/rt-sshd file? Is there a reason why UseDNS=no is hard-coded on the commandline?
------- Additional Comments From sripathi.com (prefers email at sripathik.com) 2007-07-30 07:29 EDT ------- (In reply to comment #20) > The pidfile listed in the header comments and set in the PID_FILE variable is > not used, but if present they ought to match the actual pidfile name to avoid > confusion. > > Since the port number used by rt-sshd is not a defined standard, the user might > want to change it should it interfere with something else. What do you think of > allowing the port number to be set in the /etc/sysconfig/rt-sshd file? I made these changes. I will post the script to rhel-rt-ibm list, so that it will draw more attention and comments.
----- Additional Comments From sripathi.com (prefers email at sripathik.com) 2007-08-08 05:52 EDT ------- I will attach here the latest version of the scripts I have sent on ML.
Created attachment 160893 [details] rt-sshd
----- Additional Comments From sripathi.com (prefers email at sripathik.com) 2007-08-08 05:53 EDT ------- /etc/rc.d/init.d/rt-sshd based on sshd from RHEL5
Created attachment 160894 [details] sysconfig-rt-sshd
----- Additional Comments From sripathi.com (prefers email at sripathik.com) 2007-08-08 05:53 EDT ------- /etc/sysconfig/rt-sshd file
rt-sshd is now available in the RT partners repo.
Has anyone tested rt-sshd with SELinux enabled & enforcing?
Has anyone realized that logins > port 1023 are spoofable by user land apps? IOW, it violates any concept of trusted path login. Anyone can bind to that port if its unused and steal passwords and then pass the connection to sshd. System logins need to be on ports requiring CAP_NET_BIND_SERVICE. Why can't port 22 be used for a realtime sshd? Or maybe sshd start a realtime shell for root and drop to non-realtime shell for uid != 0.
We'll document how to run sshd at elevated priorities for debugging purposes. Closing