I've made some changes to the sshd_config file and therefore need to restart. I'm looking for tips on safely restarting ssh when getting physical access to the server would be a huge PITA.
7 Answers
Restarting sshd while logged in via ssh will not disconnect your ssh connection.
If you're worried about your configuration, log in a few times via ssh, and restart. If you can no longer ssh in, with new connections, you now have access to fix the problems.
Mentioned below in a comment by @Milan Babuškov: `sshd -t` will test your configuration for syntax correctness, if you really want to be certain.
Another suggestion, by @Ronald Pottol was to set up a `cron` task to restart the server with a known working configuration. Perhaps overkill, but if you're updating a mission critical server, etc... sometimes you can never be too careful.
That's pretty easy, makes sense too. Thanks for the really quick reply. FYI the changes I was making worked great ;) – Mitch May 12 '10 at 17:56
Regarding `sshd -t` indeed, straight from the authoritative source: [Test mode. Only check the validity of the configuration file and sanity of the keys. This is useful for updating sshd reliably as configuration options may change.](http://www.openbsd.org/cgi-bin/man.cgi/OpenBSD-current/man8/sshd.8?query=sshd&sec=8) – Stéphane Gourichon Nov 21 '15 at 18:57
If you have access to the hardware you may consider putting a terminal on the serial port /dev/ttyS0. Then you can have a back door into your server.
Simply add
`S0:2345:respawn:/sbin/mingetty ttyS0`
to your /etc/inittab and a terminal will spawn over your serial port. You can use a serial port concentrator or use a null modem from the server next to it.
Pretty standard, so long as you have a way to connect to the machine that is the serial terminal server. – Kamil Kisiel May 12 '10 at 18:43
It can be but due to virtualization it is not as necessary because you can manage via the Hypervisor. Another cool thing is if the BIOS supports it is "Console Redirection" this will show all of the BIOS screens via your serial console. GRUB also has the ability to display to serial console. So there is no need for remote video to see if your server will come back online. – keithosu May 12 '10 at 18:47
Don't worry, your current session won't be disconnected, even if there's a problem with the new configuration.
After applying the new configuration and restarting sshd, just try to log in a couple of times and take a look at the logs to see if everything is ok.
Or, use a cron or at job to start it back up, if you are feeling unlucky?
`cron` or `at` would work, to copy a 'known' working, i.e. the old configuration, back and then do a restart of the service... – cpbills May 18 '10 at 02:11
Could you not just run a `kill -HUP` on the PID of the SSH service? It's not clean but it works.
Often, `SIGHUP` _is_ the clean way to reload a daemon's configuration. – user1686 May 13 '10 at 12:02
It *is* clean in this case. From the authoritative source: [sshd rereads its configuration file when it receives a hangup signal, SIGHUP](http://www.openbsd.org/cgi-bin/man.cgi/OpenBSD-current/man8/sshd.8?query=sshd&sec=8) – Stéphane Gourichon Nov 21 '15 at 18:01
`pkill -HUP sshd` closed my connection. This worked: `kill -HUP $(pgrep -f /usr/bin/sshd)` – Tom Hale Dec 19 '16 at 04:25
I have found that nowadays `sshd` does not disconnect your sessions when restarting, especially when it is a Redhat based distro. You could always write a small script that will automatically restore your `sshd` config from backup and restart `sshd` after 5 min as a `cron` or `at` job. This will ensure that even if you get disconnected, you can get back into your server at least.
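The procedure suggested across these answers (check the file with `sshd -t`, keep a known-good copy, queue an `at` job that restores it after 5 minutes, then send SIGHUP to the listener), as an added example that is not code from any poster. The paths, the `.known-good` suffix and the function names are assumptions; the pid file is used so the signal reaches only the listening daemon, not per-session processes.

```shell
#!/bin/sh
# Added example: validate a candidate sshd_config, arm a timed rollback,
# then apply and reload. All paths below are assumptions; override via env.
SSHD_BIN=${SSHD_BIN:-/usr/sbin/sshd}
SSHD_CONFIG=${SSHD_CONFIG:-/etc/ssh/sshd_config}
BACKUP=${BACKUP:-$SSHD_CONFIG.known-good}
PIDFILE=${PIDFILE:-/var/run/sshd.pid}
ROLLBACK_MIN=${ROLLBACK_MIN:-5}

# Ask the listening daemon to re-read its configuration (SIGHUP).
reload_sshd() { kill -HUP "$(cat "$PIDFILE")"; }

# Queue a job that restores the backup and reloads; prints the at(1) job id.
arm_rollback() {
    printf 'cp -p %s %s && kill -HUP "$(cat %s)"\n' \
        "$BACKUP" "$SSHD_CONFIG" "$PIDFILE" |
        at now + "$ROLLBACK_MIN" minutes 2>&1 |
        sed -n 's/^job \([0-9][0-9]*\) .*/\1/p'
}

# stage_config CANDIDATE
#   1 = sshd -t rejected the candidate (live file untouched)
#   2 = could not save a backup or queue the rollback (live file untouched)
#   3 = copy or reload failed (rollback job is still armed)
stage_config() {
    candidate=$1
    "$SSHD_BIN" -t -f "$candidate" ||
        { echo "sshd -t rejected $candidate" >&2; return 1; }
    cp -p "$SSHD_CONFIG" "$BACKUP" || return 2
    job=$(arm_rollback)
    [ -n "$job" ] ||
        { echo "no rollback job queued; not applying" >&2; return 2; }
    cp "$candidate" "$SSHD_CONFIG" && reload_sshd || return 3
    echo "$job"
}

# Stand-alone use: ./safe-sshd.sh /root/sshd_config.new
[ $# -eq 0 ] || stage_config "$1"
```

Once it prints the job id, open a new SSH connection from a second terminal; if the login works, cancel the rollback with `atrm` and that job id.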
I wouldn't recommend restarting/reloading SSHD on a sshd connection. I've seen many occasions where sshd just wouldn't start back up because of a syntax error in sshd_config.
Even though everything is ok with the config file, it's risky.
Thanks Milan, I quickly looked through man for an option like that, in Apache it's -s so I must have been too focused on -s. – Mitch May 12 '10 at 21:58
I'm going to absorb your comment into my answer, also when sshd terminates, it does not bring down the open ssh sessions, but it's good to know your syntax is valid, if you're sweating it. – cpbills May 18 '10 at 02:10