Date: Wed, 23 Sep 2015 20:09:54 +0500
From: "Eugene M. Zheganin" <emz@norma.perm.ru>
To: stable@freebsd.org
Subject: Re: when the sshd hits the fan
Message-ID: <5602C0C2.5010102@norma.perm.ru>
In-Reply-To: <86wpvhjm7g.fsf@nine.des.no>
References: <56026686.8030308@norma.perm.ru> <86wpvhjm7g.fsf@nine.des.no>

Hi.

On 23.09.2015 18:32, Dag-Erling Smørgrav wrote:
> "Eugene M. Zheganin" <emz@norma.perm.ru> writes:
>> I'm trying to understand why the sshd still starts after local daemons,
>> out-of-the-box, and what it takes to make this extremely vital service
>> to start before non-system (local) ones. I bet I'm not the first one to
>> ask, so why isn't this already done? Seems quite easy for me.
> "non-system (local)" services can also be extremely vital: quagga, for
> instance.
>
> In practice, it is probably fine to move sshd before LOGIN.
>
I have spoken with some local FreeBSD gurus and some of the FreeBSD
developers. There are two opinions on that:

- conservative one: no rcorder modification is required, however, the
  LOGIN target should be split in two, for maintaining a working
  securitylevel feature, LOGIN1 and LOGIN2. And sshd should require
  LOGIN1. And all the non-base services should require LOGIN2. And this
  requires modification of all the ports, thus making this way unusable.

- modern one: rcorder coding is required, to start base system services
  before the non-base ones. I have spoken with one of the pkgng authors;
  he's able to help, but this requires some funding, because he's
  currently working on pkg and cannot provide more resources on a
  fee-free basis.

So, the question is, can we fund this from the FreeBSD Foundation or some
other sources? Reading this thread I understand that this question
arises quite often, and it seems like no one is willing to code it on his
own.

Eugene.