
(document) way to configure port #9

Closed
md-work opened this issue Sep 13, 2019 · 2 comments

Comments

@md-work

md-work commented Sep 13, 2019

I like to use a separate key for the dracut-sshd, because I don't like to have my unencrypted private SSH key on the disk.
(it's still safer than an unencrypted disk, but a significant drawback compared to full-disk encryption)

But I don't like to have SSH daemons with different keys on the same port. Else SSH clients will complain. So I need to configure another port for the dracut-sshd.

Sadly I couldn't find any documentation on how to configure the port.
Can I simply create an /etc/ssh/dracut_sshd_config?

(like https://github.com/dracut-crypt-ssh/dracut-crypt-ssh does it)

@md-work
Author

md-work commented Sep 13, 2019

I just found /usr/lib/dracut/modules.d/46sshd/sshd_config and added

Port 222

Nevertheless, I don't like modifying files in /usr/lib/. Configuration should be done in /etc/.

Would you consider adding a /etc/ssh/dracut_sshd_config?

@gsauthof
Owner

There are several ways to resolve your issue.

You can define an extra Host declaration in your ~/.ssh/config with a separate HostKeyAlias (or alternatively even with a separate UserKnownHostsFile). Then you can connect like this without getting host-key fingerprint validation errors:

$ ssh myserver
$ ssh myserverdracut

Thus, you don't really have to change the port of the early sshd.

If you really want to change the port you can either change it in /usr/lib/dracut/modules.d/46sshd/sshd_config (as you mentioned in your last comment) or change /usr/lib/dracut/modules.d/46sshd/sshd.service and add a line like

EnvironmentFile=-/etc/sysconfig/dracut-sshd

where that file defines SSHD_OPTS with, say, -p 222.

I'll sleep on it but I'll probably add something like this to the master branch:

--- a/46sshd/sshd.service
+++ b/46sshd/sshd.service
@@ -16,6 +16,7 @@ Type=notify
 EnvironmentFile=-/etc/crypto-policies/back-ends/opensshserver.config
 EnvironmentFile=-/etc/sysconfig/sshd
 EnvironmentFile=-/etc/sysconfig/ssh
+EnvironmentFile=-/etc/sysconfig/dracut-sshd
 
 # Start command requires the `-e` option if and only if `Type=simple`
 # is configured, see above.
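Review bot: the new EnvironmentFile= line is placed after /etc/sysconfig/sshd and /etc/sysconfig/ssh, and systemd reads EnvironmentFile= entries in order with later files overriding earlier ones, so /etc/sysconfig/dracut-sshd wins for any variable both define; that is the sensible precedence for a module-specific override, but the hunk does not show the ExecStart line that must expand the variable (SSHD_OPTS, per the comment above), so a short comment in the unit naming the expected variable, or a README note, would keep users from creating the file and wondering why `-p 222` has no effect. The leading `-` correctly makes a missing file non-fatal.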

I think that a dracut_sshd_config would be overkill and would make it easier to operate the dracut sshd with suboptimal/outdated sshd settings.
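The two-Host-entry client configuration the owner describes, written out as an added example (not taken from the issue or the dracut-sshd project); the host names, the address and the key path are assumptions:

```sshconfig
# ~/.ssh/config
# Regular sshd of the fully booted system. Its host key is recorded in
# known_hosts under the plain host name (the default HostKeyAlias).
Host myserver
    # constructed example address
    HostName 192.0.2.10
    Port 22
    IdentityFile ~/.ssh/id_ed25519

# Early-boot sshd from dracut-sshd on the same machine. It presents a
# different host key, so it needs its own known_hosts identity; without
# this, both daemons map to the same known_hosts entry and the client
# reports a changed-host-key error.
Host myserverdracut
    HostName 192.0.2.10
    # Keep 22 to use the owner's first approach; change to 222 only if
    # the early sshd was started with SSHD_OPTS="-p 222".
    Port 22
    IdentityFile ~/.ssh/id_ed25519
    # known_hosts entry is stored under this alias instead of the address
    HostKeyAlias myserverdracut
    # Alternative to HostKeyAlias: keep the early-boot key in its own file.
    # UserKnownHostsFile ~/.ssh/known_hosts_dracut
```

With this in place, `ssh myserver` and `ssh myserverdracut` each verify against their own recorded key. Note that moving the early sshd to port 222 alone also avoids the collision, because ssh records non-default-port entries as `[192.0.2.10]:222`, which is why the Port 222 change in the earlier comment worked as well.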
