[sslh] Systemd configuration

Yves Rutschle yves at rutschle.net
Wed Apr 4 10:34:47 UTC 2018


Hi Eamon,

I don't have much (or, any) experience with systemd but:

On Tue, Mar 27, 2018 at 05:27:00PM -0400, Eamon Doyle wrote:
> /etc/sslh/sslh.cfg
> 
>     verbose: true;
>     foreground: true;

Is it correct to request foreground for systemd?

> /etc/default/sslh
> 
>     DAEMON_OPTS="--listen 192.168.12.13:443 --ssh 127.0.0.1:22 --ssl 127.0.0.1:444"

> /etc/systemd/system/sslh.service.d/override.conf
> 
>     [Service]
>     # Replace the start command and make it use sslh-select
>     ExecStart=
>     ExecStart=/usr/sbin/sslh-select --foreground $DAEMON_OPTS

You're not actually using the configuration file (but the
settings here should work).

> 
>     # Run sslh as an user and use capabilities to bind ports
>     User=sslh
>     # Systemd 229
>     # AmbientCapabilities=CAP_NET_BIND_SERVICE CAP_NET_ADMIN
>     # Systemd 228 and below
>     SecureBits=keep-caps
>     Capabilities=cap_net_bind_service,cap_net_admin+pie

I would guess a mess-up in this area, but what? It's possible
that systemd starts sslh directly as user `sslh`, which is
incompatible with asking sslh to change uid (because it
won't have the rights to do so), as specified in the
configuration file -- however I understand the configuration
file shouldn't be used, so I'm confused.

> Output of systemctl status sslh.service
> 
>         sslh.service - SSL/SSH multiplexer
>    Loaded: loaded (/lib/systemd/system/sslh.service; enabled; vendor preset: enabled)
>   Drop-In: /etc/systemd/system/sslh.service.d
>            └─override.conf
>    Active: failed (Result: exit-code) since Tue 2018-03-27 16:17:44 CDT; 911ms ago
>      Docs: man:sslh(8)
>   Process: 15386 ExecStartPre=/sbin/ip route add local 0.0.0.0/0 dev lo table 0x4155 (code=exited, status=2)

Now my understanding is that this command is already
failing.

>   Process: 15385 ExecStartPre=/sbin/ip rule add fwmark 0x4155 lookup 0x4155 (code=exited, status=0/SUCCESS)
>  Main PID: 11239 (code=exited, status=213/SECUREBITS)

And the other thing that confuses me is that sslh can return
exit status from 1 to 5 depending on the error type, but I
don't see any way it would return 213?

Y.
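Added example, not part of the thread: a small POSIX shell helper that decodes the status= values in systemctl output like the one quoted above. It separates a program's own exit code from the 200-243 range systemd reserves for failures to set up the process before exec() (systemd.exec(5), "Process Exit Codes"; 213 is EXIT_SECUREBITS there), so a code in that range points at the unit's User=/SecureBits=/Capabilities= settings rather than at sslh. The sample lines are the quoted Process/Main PID lines, unwrapped; the code-name table covers only a few entries.

```sh
#!/bin/sh
# Added example, not from the thread: decode the "status=" values that
# systemctl status prints. Codes 200-243 are systemd's own execution-failure
# codes (systemd.exec(5), "Process Exit Codes"): the service manager could not
# set up the process, so the binary never ran and its own exit codes
# (for sslh, 1-5) do not apply.

# Sample: the three Process/Main PID lines quoted in the thread, unwrapped.
SAMPLE='  Process: 15386 ExecStartPre=/sbin/ip route add local 0.0.0.0/0 dev lo table 0x4155 (code=exited, status=2)
  Process: 15385 ExecStartPre=/sbin/ip rule add fwmark 0x4155 lookup 0x4155 (code=exited, status=0/SUCCESS)
 Main PID: 11239 (code=exited, status=213/SECUREBITS)'

# Names for a few of the systemd codes; the full table is in systemd.exec(5).
systemd_code_name() {
    case "$1" in
        200) echo CHDIR ;;      203) echo EXEC ;;
        213) echo SECUREBITS ;; 216) echo GROUP ;;
        217) echo USER ;;       218) echo CAPABILITIES ;;
        *)   echo "CODE_$1" ;;
    esac
}

# classify_status N -> "ok" | "program:N" | "systemd:NAME"
#   program:N  is the executed binary's own exit code (ip(8), sslh, ...)
#   systemd:*  means systemd failed before exec(); look at the unit, not the program
classify_status() {
    if [ "$1" -eq 0 ]; then echo ok
    elif [ "$1" -ge 200 ] && [ "$1" -le 243 ]; then echo "systemd:$(systemd_code_name "$1")"
    else echo "program:$1"
    fi
}

# decode_status_output: systemctl status text on stdin -> "<step> <status> <class>" per line.
decode_status_output() {
    awk '/status=/ {
            step = "ExecStart"                    # Main PID line: the ExecStart= command
            if (match($0, /ExecStart[A-Za-z]*=/)) # Process lines name ExecStartPre/ExecStartPost
                step = substr($0, RSTART, RLENGTH - 1)
            match($0, /status=[0-9]+/)
            print step, substr($0, RSTART + 7, RLENGTH - 7)
        }' | while read -r step status; do
        echo "$step $status $(classify_status "$status")"
    done
}

# decode_sample: run the decoder over the quoted output (used by the demo and tests).
decode_sample() { printf '%s\n' "$SAMPLE" | decode_status_output; }

decode_sample
```

The third output line, `ExecStart 213 systemd:SECUREBITS`, is the case from the thread: the failure is in systemd's own setup step, not an exit code chosen by sslh.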