Bug#667679: openssh-server: Multiple OpenSSH daemons setup with modified init script
Package: openssh-server
Version: 1:5.5p1-6+squeeze1
Severity: wishlist
Tags: patch
Several setups need multiple OpenSSH daemons running with different
config files. Usually this requires rewriting a renamed copy of the
/etc/init.d/ssh script, which could use some improvements. Pid files are
handled both by the daemon itself and by start-stop-daemon, so a change
to the pid file or to the config file has to be made in many places, and so on.
An improved version of the init script is included. It is based upon the
script used in Debian Squeeze. It gives somewhat more detailed feedback
if the daemon does not start, but the main feature is that it can be
copied to any name, and that name is then used to look up the default file
and the config file and to construct the pid file and pid dir names.
Example: copy it to /etc/init.d/ssh3
You may immediately run an instance of OpenSSH daemon with
config: /etc/ssh/ssh3d_config
default: /etc/default/ssh3
pid dir: /var/run/ssh3d
pid file: /var/run/ssh3d.pid
As an option, you can change the binary to /usr/sbin/ssh3d if necessary,
just by toggling some comments. A fallback check that guards against
overwriting the pid file of the original OpenSSH daemon can be enabled.
Even the daemon dependent log string will vary with the script name.
The startup preventing file /etc/ssh/sshd_not_to_be_run will vary with
the script name, too.
--- snip ---
#! /bin/sh
### BEGIN INIT INFO
# Provides: sshd
# Required-Start: $remote_fs $syslog
# Required-Stop: $remote_fs $syslog
# Default-Start: 2 3 4 5
# Default-Stop:
# Short-Description: OpenBSD Secure Shell server
### END INIT INFO
# Abort the script as soon as any unchecked command fails.
set -e
# /etc/init.d/ssh: start and stop the OpenBSD "secure shell(tm)" daemon (3rd instance).
# When this script is used to start additional instances of an OpenSSH daemon:
#   - make sure the instance does not interfere with the regular ssh daemon;
#   - remember to change the "Provides:" header field before registering
#     another instance at boot time via update-rc.d.
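# Refuse to run a renamed copy of this script under the stock service name.
# Globals:   SSH_ID (read) - instance name taken from the script name
# Outputs:   diagnostic on stderr when the name collides
# Returns:   0 when SSH_ID is not "ssh"; otherwise exits the script with 1
check_conflict() {
  # Quoted so that an empty or space-containing SSH_ID is compared as a
  # single word instead of turning the test into a syntax error.
  if [ "${SSH_ID}" = "ssh" ]; then
    echo "this instance conflicts with regular sshd instance" >&2
    exit 1
  fi
}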
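# Refuse to run when this instance would use the regular sshd's pid file.
# Sharing that file would let one instance's stop/restart act on the other
# daemon's process, so the collision is treated as fatal.
# Globals:   PID_FILE (read) - pid file path of this instance
# Outputs:   diagnostic on stderr when the pid file collides
# Returns:   0 when the pid file name is not "sshd.pid"; otherwise exits 1
check_conflict_pid() {
  # PID_FILE is a full path, so compare only its last component; a bare
  # "sshd.pid" still matches.
  if [ "${PID_FILE##*/}" = "sshd.pid" ]; then
    echo "this instance conflicts with pidfile for the regular sshd instance" >&2
    exit 1
  fi
}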
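# Print the instance name for a script path: its basename with a sysv-rc
# link prefix (S20, K80, ...) removed, so that /etc/rc2.d/S20ssh3 and
# /etc/init.d/ssh3 both give "ssh3".
# Arguments: $1 - path the script was invoked as
# Outputs:   instance name on stdout
instance_name() {
  # Only called inside a command substitution, so `name` does not leak.
  name=${1##*/}
  name=${name#[SK][0-9][0-9]}
  printf '%s\n' "${name}"
}

# The service is identified by the name this script is invoked under.
# Every path below is derived from it, including a file that is later
# sourced as root, so the script and its rc links must stay root-writable only.
SSH_ID=$(instance_name "$0")
#SSH_ID="ssh" # comment or delete this line for non-default ssh daemon
#check_conflict # uncomment this line for non-default ssh daemons
SCRIPT_NAME="/etc/init.d/${SSH_ID}" # default: /etc/init.d/ssh

DAEMON_PATH="/usr/sbin"
DAEMON_FILE="${SSH_ID}d" # this is a patched binary with changed hardcoded pidfile value
DAEMON_NAME="${DAEMON_PATH}/sshd" # default: /usr/sbin/sshd
#DAEMON_NAME="${DAEMON_PATH}/${DAEMON_FILE}" # uncomment to use a patched version for non-default ssh daemon
# or a symlink to original sshd

PID_DIR="/var/run/${DAEMON_FILE}" # a directory, not a search path; default: /var/run/sshd
PID_FILE="${PID_DIR}.pid" # default: /var/run/sshd.pid
# if not set, pidfile will default to the value hardcoded in the daemon
#check_conflict_pid # uncomment this line for non-default ssh daemons

DEFAULT_PATH="/etc/default"
DEFAULT_FILE="${SSH_ID}" # default: ssh
DEFAULT_NAME="${DEFAULT_PATH}/${DEFAULT_FILE}" # default: /etc/default/ssh

CONFIG_PATH="/etc/ssh"
CONFIG_FILE="${DAEMON_FILE}_config"
CONFIG_NAME="${CONFIG_PATH}/${CONFIG_FILE}" # default: /etc/ssh/sshd_config

# Flag file that disables this instance; default: /etc/ssh/sshd_not_to_be_run
NOT_TO_RUN_CHECK="${CONFIG_PATH}/${DAEMON_FILE}_not_to_be_run"
# default:
# "OpenBSD Secure Shell server not in use (/etc/ssh/sshd_not_to_be_run)"
LOG_ACTION_MSG="OpenBSD Secure Shell server not in use (${NOT_TO_RUN_CHECK})"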
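# Sanity checks on the daemon binary before anything else is done.
# Both flags are kept as variables in case a sourced defaults file reads them.
# NOTE(review): this exits 1 when the binary is missing; the stock Debian
# script exits 0 in that case (package removed but not purged) - confirm
# which behaviour is wanted.
DAEMON_NAME_EXISTS_EXECUTABLE=1
test -x "${DAEMON_NAME}" || DAEMON_NAME_EXISTS_EXECUTABLE=0
if [ "${DAEMON_NAME_EXISTS_EXECUTABLE}" = 0 ]; then
  echo "No executable daemon file" >&2
  exit 1
fi

DAEMON_IS_OPENSSH=1
# Run the binary with an unknown option and look for "OpenSSH" in what it
# prints. This is a plausibility check only: it executes the file as the
# calling user (normally root) and says nothing about the binary's integrity.
( "${DAEMON_NAME}" -\? 2>&1 | grep -q OpenSSH ) 2>/dev/null || DAEMON_IS_OPENSSH=0
if [ "${DAEMON_IS_OPENSSH}" = 0 ]; then
  echo "Not an OpenSSH daemon" >&2
  exit 1
fi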
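umask 022

# Per-instance defaults. The file is sourced, i.e. executed with the
# privileges of this script, so it must be writable by root only.
if test -f "${DEFAULT_NAME}"; then
  . "${DEFAULT_NAME}"
fi

# Load the LSB logging helpers (log_daemon_msg, log_end_msg, ...).
# The listing had ".. /lib/lsb/init-functions" here, which is not a valid
# command and would abort the script under `set -e`.
. /lib/lsb/init-functions

# An optional second argument is passed through to sshd as extra options.
if [ -n "$2" ]; then
  SSHD_OPTS="$SSHD_OPTS $2"
fi

# Pin the pid file to the per-instance path so that start-stop-daemon and
# the daemon agree on it.
# NOTE(review): this is appended last; if sshd keeps the first value it is
# given for a keyword, a PidFile already present in SSHD_OPTS would take
# precedence - confirm, and consider putting this option first.
SSHD_OPTS="$SSHD_OPTS -o PidFile=${PID_FILE}"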
# Tell whether the script was started by init rather than by hand.
# Globals:   previous, runlevel (read) - expected to be set by init
# Returns:   0 when both are non-empty or runlevel is "S", 1 otherwise
run_by_init() {
  if [ -n "$previous" ] && [ -n "$runlevel" ]; then
    return 0
  fi
  [ "$runlevel" = S ]
}
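# Stop processing when the instance's "not to be run" flag file exists.
# Globals:   NOT_TO_RUN_CHECK (read), LOG_ACTION_MSG (read)
# Arguments: $1 - "log_end_msg" when a log_daemon_msg line is still open
# Returns:   0 when the flag file is absent; otherwise exits the script with 0
check_for_no_start() {
  # Quoted: with an empty or space-containing value the unquoted test
  # either errors out or succeeds on the bare "-e" word.
  if [ -e "${NOT_TO_RUN_CHECK}" ]; then
    if [ "$1" = log_end_msg ]; then
      # Close the pending status line as a success.
      log_end_msg 0
    fi
    if ! run_by_init; then
      # Only explain the skip to an interactive caller.
      log_action_msg "${LOG_ACTION_MSG}"
    fi
    exit 0
  fi
}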
# Abort when /dev/null is not a character device.
# Arguments: $1 - "log_end_msg" when a log_daemon_msg line is still open
# Returns:   0 when /dev/null is a character device; otherwise exits with 1
check_dev_null() {
  # Nothing to do in the normal case.
  if [ -c /dev/null ]; then
    return 0
  fi
  case "$1" in
    log_end_msg)
      # Close the pending status line as a failure without tripping set -e.
      log_end_msg 1 || true
      ;;
  esac
  if ! run_by_init; then
    log_action_msg "/dev/null is not a character device!"
  fi
  exit 1
}
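# Create the per-instance directory (mode 0755) if it does not exist yet.
# Globals:   PID_DIR (read) - directory to create
# NOTE(review): the original comment calls this the PrivSep empty dir. That
# path is presumably compiled into sshd, so with the stock binary this only
# helps when PID_DIR equals the compiled-in path - confirm.
check_privsep_dir() {
  # Quoted so a path containing spaces is handled as one argument.
  if [ ! -d "${PID_DIR}" ]; then
    mkdir "${PID_DIR}"
    # Explicit mode: do not rely on the umask in effect.
    chmod 0755 "${PID_DIR}"
  fi
}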
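# Validate this instance's configuration before a reload or restart.
# Globals:   NOT_TO_RUN_CHECK, DAEMON_NAME, SSHD_OPTS, CONFIG_NAME (read)
# Returns:   0 when the check passes or the instance is disabled;
#            otherwise exits the script with 1
check_config() {
  if [ ! -e "${NOT_TO_RUN_CHECK}" ]; then
    # -f selects the per-instance file; without it the test mode (-t) would
    # validate sshd's default configuration instead of the one that the
    # start/restart commands actually pass to the daemon.
    # $SSHD_OPTS is deliberately unquoted: it holds several words.
    "${DAEMON_NAME}" $SSHD_OPTS -f "${CONFIG_NAME}" -t || exit 1
  fi
}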
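export PATH="${PATH:+$PATH:}/usr/sbin:/sbin:/usr/local/sbin"

# Dispatch on the requested action.
# All instances normally run the same executable, so the per-instance pid
# file is what tells them apart: every --stop below must name ${PID_FILE},
# otherwise the signal could be sent to the wrong process or to none.
# $SSHD_OPTS is deliberately left unquoted because it holds several words.
case "$1" in
  start)
    check_privsep_dir
    check_for_no_start
    check_dev_null
    log_daemon_msg "Starting OpenBSD Secure Shell server" "${DAEMON_FILE}"
    if start-stop-daemon --start --quiet --oknodo --pidfile "${PID_FILE}" --exec "${DAEMON_NAME}" -- $SSHD_OPTS -f "${CONFIG_NAME}"; then
      log_end_msg 0
    else
      log_end_msg 1
    fi
    ;;
  stop)
    log_daemon_msg "Stopping OpenBSD Secure Shell server" "${DAEMON_FILE}"
    # Matches on the pid file alone; the pid file must therefore be
    # writable by root only.
    if start-stop-daemon --stop --quiet --oknodo --pidfile "${PID_FILE}"; then
      log_end_msg 0
    else
      log_end_msg 1
    fi
    ;;
  reload|force-reload)
    check_for_no_start
    check_config
    log_daemon_msg "Reloading OpenBSD Secure Shell server's configuration" "${DAEMON_FILE}"
    # Signal 1 (SIGHUP) is sent to the process named in the pid file.
    if start-stop-daemon --stop --signal 1 --quiet --oknodo --pidfile "${PID_FILE}" --exec "${DAEMON_NAME}" -- -f "${CONFIG_NAME}"; then
      log_end_msg 0
    else
      log_end_msg 1
    fi
    ;;
  restart)
    check_privsep_dir
    check_config
    log_daemon_msg "Restarting OpenBSD Secure Shell server" "${DAEMON_FILE}"
    start-stop-daemon --stop --quiet --oknodo --retry 30 --pidfile "${PID_FILE}"
    check_for_no_start log_end_msg
    check_dev_null log_end_msg
    if start-stop-daemon --start --quiet --oknodo --pidfile "${PID_FILE}" --exec "${DAEMON_NAME}" -- $SSHD_OPTS -f "${CONFIG_NAME}"; then
      log_end_msg 0
    else
      log_end_msg 1
    fi
    ;;
  try-restart)
    check_privsep_dir
    check_config
    log_daemon_msg "Restarting OpenBSD Secure Shell server" "${DAEMON_FILE}"
    # The exit status is inspected below, so suspend set -e around the stop.
    set +e
    # Fixed: the listing passed ${CONFIG_NAME} as the pid file here, so the
    # running daemon was never found through its real pid file.
    start-stop-daemon --stop --quiet --retry 30 --pidfile "${PID_FILE}"
    RET="$?"
    set -e
    case "$RET" in
      0)
        # old daemon stopped
        check_for_no_start log_end_msg
        check_dev_null log_end_msg
        if start-stop-daemon --start --quiet --oknodo --pidfile "${PID_FILE}" --exec "${DAEMON_NAME}" -- $SSHD_OPTS -f "${CONFIG_NAME}"; then
          log_end_msg 0
        else
          log_end_msg 1
        fi
        ;;
      1)
        # daemon not running
        log_progress_msg "(not running)"
        log_end_msg 0
        ;;
      *)
        # failed to stop
        log_progress_msg "(failed to stop)"
        log_end_msg 1
        ;;
    esac
    ;;
  status)
    status_of_proc -p "${PID_FILE}" "${DAEMON_NAME}" "${SSH_ID}" && exit 0 || exit $?
    ;;
  *)
    log_action_msg "Usage: ${SCRIPT_NAME} {start|stop|reload|force-reload|restart|try-restart|status}"
    exit 1
    ;;
esac

exit 0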
--- snap ---
-- System Information:
Debian Release: 6.0.4
APT prefers stable
APT policy: (500, 'stable')
Architecture: amd64 (x86_64)
Kernel: Linux 2.6.32-5-xen-amd64 (SMP w/2 CPU cores)
Locale: LANG=de_DE@euro, LC_CTYPE=de_DE@euro (charmap=ISO-8859-15)
Shell: /bin/sh linked to /bin/dash
Versions of packages openssh-server depends on:
ii adduser 3.112+nmu2 add and remove users and groups
ii debconf [debconf-2. 1.5.36.1 Debian configuration management sy
ii dpkg 1.15.8.12 Debian package management system
ii libc6 2.11.3-2 Embedded GNU C Library: Shared lib
ii libcomerr2 1.41.12-4stable1 common error description library
ii libgssapi-krb5-2 1.8.3+dfsg-4squeeze5 MIT Kerberos runtime libraries - k
ii libkrb5-3 1.8.3+dfsg-4squeeze5 MIT Kerberos runtime libraries
ii libpam-modules 1.1.1-6.1+squeeze1 Pluggable Authentication Modules f
ii libpam-runtime 1.1.1-6.1+squeeze1 Runtime support for the PAM librar
ii libpam0g 1.1.1-6.1+squeeze1 Pluggable Authentication Modules l
ii libselinux1 2.0.96-1 SELinux runtime shared libraries
ii libssl0.9.8 0.9.8o-4squeeze7 SSL shared libraries
ii libwrap0 7.6.q-19 Wietse Venema's TCP wrappers libra
ii lsb-base 3.2-23.2squeeze1 Linux Standard Base 3.2 init scrip
ii openssh-blacklist 0.4.1 list of default blacklisted OpenSS
ii openssh-client 1:5.5p1-6+squeeze1 secure shell (SSH) client, for sec
ii procps 1:3.2.8-9 /proc file system utilities
ii zlib1g 1:1.2.3.4.dfsg-3 compression library - runtime
Versions of packages openssh-server recommends:
ii openssh-blacklist-extra 0.4.1 list of non-default blacklisted Op
ii xauth 1:1.0.4-1 X authentication utility
Versions of packages openssh-server suggests:
pn molly-guard <none> (no description available)
pn rssh <none> (no description available)
pn ssh-askpass <none> (no description available)
pn ufw <none> (no description available)
-- debconf information excluded