I am trying to set up a redundant CARP cluster with routing separation with rtables. All works fine, but how do i tell sshd to start only in rdomain 2? I know i can start it manually with
# route -T4 exec /usr/sbin/sshd
But there seems no integration of rdomains in the sshd config.
You can write customized(invoked via route -T4) ssh daemon with rc.d(8), rcctl(8), rc.subr(8).
Disable original sshd in /etc/rc.conf and put /etc/rc.d/rdomainsshd.
The template script for /etc/rc.d/rdomainssshd is:
/usr/ports/infrastructure/templates/rc.template
Here are OpenBSD Manual Pages:
sshd_config(5) shows:
ListenAddress
Specifies the local addresses sshd(8) should listen on. The
following forms may be used:
ListenAddress hostname|address [rdomain domain]
ListenAddress hostname:port [rdomain domain]
ListenAddress IPv4_address:port [rdomain domain]
ListenAddress [hostname|address]:port [rdomain domain]
The optional rdomain qualifier requests sshd(8) listen in an
explicit routing domain. If port is not specified, sshd will
listen on the address and all Port options specified. The
default is to listen on all local addresses on the current
default routing domain. Multiple ListenAddress options are
permitted. For more information on routing domains, see
rdomain(4).
So ensure your sshd config has eg. ListenAddress 0.0.0.0 rdomain 1. To create an instance of sshd just do:
# ln -s sshd /etc/rc.d/sshd_rdomainX
# rcctl enable sshd_rdomainX
# rcctl set sshd_rdomainX flags -f /etc/ssh/sshd_config-rdomainX
To test it try:
mx1# /usr/sbin/sshd -T -f /tmp/sshd_config | grep listenaddress
listenaddress 0.0.0.0:22 rdomain 1
mx1# /usr/sbin/sshd -D -d -f /tmp/sshd_config
...
debug1: rexec_argv[0]='/usr/sbin/sshd'
debug1: rexec_argv[1]='-D'
debug1: rexec_argv[2]='-d'
debug1: rexec_argv[3]='-f'
debug1: rexec_argv[4]='/tmp/sshd_config'
debug1: Bind to port 22 on 0.0.0.0.
Server listening on 0.0.0.0 port 22 rdomain 1.
...
