[sslh] Systemd configuration
Yves Rutschle
yves at rutschle.net
Wed Apr 4 10:34:47 UTC 2018
Hi Eamon,
I don't have much (or, any) experience with systemd but:
On Tue, Mar 27, 2018 at 05:27:00PM -0400, Eamon Doyle wrote:
> /etc/sslh/sslh.cfg
>
> verbose: true;
> foreground: true;
Is it correct to request foreground for systemd?
> /etc/default/sslh
>
> DAEMON_OPTS="--listen 192.168.12.13:443 --ssh 127.0.0.1:22 --ssl 127.0.0.1:444"
> /etc/systemd/system/sslh.service.d/override.conf
>
> [Service]
> # Replace the start command and make it use sslh-select
> ExecStart=
> ExecStart=/usr/sbin/sslh-select --foreground $DAEMON_OPTS
You're not actually using the configuration file (but the
settings here should work).
>
> # Run sslh as a user and use capabilities to bind ports
> User=sslh
> # Systemd 229
> # AmbientCapabilities=CAP_NET_BIND_SERVICE CAP_NET_ADMIN
> # Systemd 228 and below
> SecureBits=keep-caps
> Capabilities=cap_net_bind_service,cap_net_admin+pie
I would guess a mess-up in this area, but what? It's possible
that systemd starts sslh directly as user `sslh`, which is
incompatible with asking sslh to change uid (because it
won't have the rights to do so), as specified in the
configuration file -- however I understand the configuration
file shouldn't be used, so I'm confused.
> Output of systemctl status sslh.service
>
> sslh.service - SSL/SSH multiplexer
> Loaded: loaded (/lib/systemd/system/sslh.service; enabled; vendor preset: enabled)
> Drop-In: /etc/systemd/system/sslh.service.d
> └─override.conf
> Active: failed (Result: exit-code) since Tue 2018-03-27 16:17:44 CDT; 911ms ago
> Docs: man:sslh(8)
> Process: 15386 ExecStartPre=/sbin/ip route add local 0.0.0.0/0 dev lo table 0x4155 (code=exited, status=2)
Now my understanding is that this command is already
failing.
> Process: 15385 ExecStartPre=/sbin/ip rule add fwmark 0x4155 lookup 0x4155 (code=exited, status=0/SUCCESS)
> Main PID: 11239 (code=exited, status=213/SECUREBITS)
And the other thing that confuses me is that sslh can return
exit status from 1 to 5 depending on the error type, but I
don't see any way it would return 213?
Y.
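A note on the "213/SECUREBITS" line, with an added example that is not part of this thread or of the sslh project. Exit statuses of 200 and above reported with a symbolic name by systemctl are systemd's own, listed under "Process Exit Codes" in systemd.exec(7); 213 is EXIT_SECUREBITS, meaning systemd could not apply the SecureBits= setting while preparing the process, so sslh itself never ran and its 1-5 error codes are not involved. The script below parses a constructed copy of the "Main PID:" line from the report above and says which side the failure comes from; the function names and the sample line are the editor's, and the 1-5 range for sslh is taken from Yves's statement in this thread.

```shell
#!/bin/sh
# Added example, not code from the sslh project or from this thread.
# Tell whether a failed unit's exit status is systemd's own pre-exec
# failure (statuses >= 200 with a symbolic name, see systemd.exec(7),
# "Process Exit Codes") or an exit code from the daemon itself.

# Constructed sample, copied from the shape of the "Main PID:" line in
# the systemctl status output quoted above.
SAMPLE_STATUS='   Main PID: 11239 (code=exited, status=213/SECUREBITS)'

# parse_main_pid_status LINE -> prints "<status> <name>"; name is empty
# when systemctl printed a bare number (the daemon's own code).
parse_main_pid_status() {
    rest=${1#*status=}          # drop everything up to "status="
    rest=${rest%%)*}            # keep "213/SECUREBITS" or "2"
    status=${rest%%/*}
    case "$rest" in
        */*) name=${rest#*/} ;;
        *)   name= ;;
    esac
    printf '%s %s\n' "$status" "$name"
}

# classify_exit_status STATUS -> systemd | sslh | success | other
classify_exit_status() {
    s=$1
    if [ "$s" -ge 200 ]; then
        echo systemd     # systemd failed setting the process up (EXIT_* codes)
    elif [ "$s" -ge 1 ] && [ "$s" -le 5 ]; then
        echo sslh        # range sslh uses for its own errors, per this thread
    elif [ "$s" -eq 0 ]; then
        echo success
    else
        echo other
    fi
}

# diagnose LINE -> one-line verdict for a "Main PID:" line
diagnose() {
    set -- $(parse_main_pid_status "$1")
    st=$1; nm=$2
    case $(classify_exit_status "$st") in
        systemd) echo "status $st${nm:+/$nm}: systemd failed before exec; check the [Service] option named by $nm" ;;
        sslh)    echo "status $st: sslh's own error code; look at sslh's log output" ;;
        success) echo "status 0: clean exit" ;;
        *)       echo "status $st: not a systemd setup code; check the daemon's documentation" ;;
    esac
}

diagnose "$SAMPLE_STATUS"
```

For the report above this prints a verdict pointing at the SecureBits= line of the drop-in rather than at sslh; the same function applied to a bare "status=2" would send you to the daemon's own documentation instead.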