Skip to main content
Unix & Linux

Return to Answer

added 159 characters in body
Source Link
telcoM
telcoM
  • 114.1k
  • 4
  • 163
  • 311

The root of the problem is that the use of ListenAddress brings with it the requirement that the specified address must already be up when sshd starts.

If you need sshd to listen in the Zerotier IP address only, but don't specifically have to use ListenAddress to implement it, you could use alternative ways to implement the restriction.

If you need sshd to listen in the Zerotier IP address only, but don't specifically have to use ListenAddress to implement it, you could use alternative ways to implement the restriction.

The root of the problem is that the use of ListenAddress brings with it the requirement that the specified address must already be up when sshd starts.

If you need sshd to listen in the Zerotier IP address only, but don't specifically have to use ListenAddress to implement it, you could use alternative ways to implement the restriction.

Alternative solutions
Source Link
telcoM
telcoM
  • 114.1k
  • 4
  • 163
  • 311

With your configuration, sshd.service will certainly start only after zerotier-one.service starts. But that is not enough. The sshd.service would need to wait until Zerotier has actually connected successfully, which can happen quite a bit later (in computer timescales, at least). And the current zerotier-one.service is not even trying to provide that information to systemd:

[Unit]
Description=ZeroTier One
After=network-online.target network.target
Wants=network-online.target

[Service]
ExecStart=/usr/sbin/zerotier-one
Restart=always
KillMode=process

[Install]
WantedBy=multi-user.target

You would probably have to create a Type=oneshot service (it could be called zerotier-wait-online.service) that would run a script that includes a loop that calls e.g. zerotier-cli listnetworks or just ip addr show and looks for the IP address 192.168.10.10. If it is not available, the script would sleep a few seconds and try again.

When the script would see the address has appeared, the script would exit - and that would tell systemd that any service configured to run After=zerotier-wait-online.service can now proceed. (Unlike the default Type=simple and several other service types, services of Type=oneshot are only considered "started" after their main ExecStart process has successfully exited - and that's exactly what you need.

Once you have that service working, you can change your sshd.service override to After=zerotier-wait-online.service, and then it should work as you wanted.

Note that you cannot simply require that zerotier-wait-online.service runs Before=network-online.target, because zerotier-one.service itself runs After=network-online.target. Trying to set up such a requirement would create an impossible situation.

If you need sshd to listen in the Zerotier IP address only, but don't specifically have to use ListenAddress to implement it, you could use alternative ways to implement the restriction.

In /etc/ssh/sshd_config, you could add a Match block like this, to deny access on any local IP address except the Zerotier one:

Match LocalAddress *,!192.168.10.10
    DenyUsers *

Or you could use iptables to drop/reject incoming connections if the destination address is anything except 192.168.10.10:

iptables -I INPUT 1 -p tcp --dport 22 \! -d 192.168.10.10/32 -j DROP

DROP makes blocked connection attempts hang until they time out; if you want the blocked connections to fail quickly, use a rule like this instead:

iptables -I INPUT 1 -p tcp --dport 22 \! -d 192.168.10.10/32 -j REJECT --reject-with tcp-reset

If you use ufw or some other firewall management system, there is probably a way to configure an equivalent rule to it.

With your configuration, sshd.service will certainly start only after zerotier-one.service starts. But that is not enough. The sshd.service would need to wait until Zerotier has actually connected successfully, which can happen quite a bit later (in computer timescales, at least). And the current zerotier-one.service is not even trying to provide that information to systemd:

[Unit]
Description=ZeroTier One
After=network-online.target network.target
Wants=network-online.target

[Service]
ExecStart=/usr/sbin/zerotier-one
Restart=always
KillMode=process

[Install]
WantedBy=multi-user.target

You would probably have to create a Type=oneshot service (it could be called zerotier-wait-online.service) that would run a script that includes a loop that calls e.g. zerotier-cli listnetworks or just ip addr show and looks for the IP address 192.168.10.10. If it is not available, the script would sleep a few seconds and try again.

When the script would see the address has appeared, the script would exit - and that would tell systemd that any service configured to run After=zerotier-wait-online.service can now proceed. (Unlike the default Type=simple and several other service types, services of Type=oneshot are only considered "started" after their main ExecStart process has successfully exited - and that's exactly what you need.

Once you have that service working, you can change your sshd.service override to After=zerotier-wait-online.service, and then it should work as you wanted.

Note that you cannot simply require that zerotier-wait-online.service runs Before=network-online.target, because zerotier-one.service itself runs After=network-online.target. Trying to set up such a requirement would create an impossible situation.

With your configuration, sshd.service will certainly start only after zerotier-one.service starts. But that is not enough. The sshd.service would need to wait until Zerotier has actually connected successfully, which can happen quite a bit later (in computer timescales, at least). And the current zerotier-one.service is not even trying to provide that information to systemd:

[Unit]
Description=ZeroTier One
After=network-online.target network.target
Wants=network-online.target

[Service]
ExecStart=/usr/sbin/zerotier-one
Restart=always
KillMode=process

[Install]
WantedBy=multi-user.target

You would probably have to create a Type=oneshot service (it could be called zerotier-wait-online.service) that would run a script that includes a loop that calls e.g. zerotier-cli listnetworks or just ip addr show and looks for the IP address 192.168.10.10. If it is not available, the script would sleep a few seconds and try again.

When the script would see the address has appeared, the script would exit - and that would tell systemd that any service configured to run After=zerotier-wait-online.service can now proceed. (Unlike the default Type=simple and several other service types, services of Type=oneshot are only considered "started" after their main ExecStart process has successfully exited - and that's exactly what you need.

Once you have that service working, you can change your sshd.service override to After=zerotier-wait-online.service, and then it should work as you wanted.

Note that you cannot simply require that zerotier-wait-online.service runs Before=network-online.target, because zerotier-one.service itself runs After=network-online.target. Trying to set up such a requirement would create an impossible situation.

If you need sshd to listen in the Zerotier IP address only, but don't specifically have to use ListenAddress to implement it, you could use alternative ways to implement the restriction.

In /etc/ssh/sshd_config, you could add a Match block like this, to deny access on any local IP address except the Zerotier one:

Match LocalAddress *,!192.168.10.10
    DenyUsers *

Or you could use iptables to drop/reject incoming connections if the destination address is anything except 192.168.10.10:

iptables -I INPUT 1 -p tcp --dport 22 \! -d 192.168.10.10/32 -j DROP

DROP makes blocked connection attempts hang until they time out; if you want the blocked connections to fail quickly, use a rule like this instead:

iptables -I INPUT 1 -p tcp --dport 22 \! -d 192.168.10.10/32 -j REJECT --reject-with tcp-reset

If you use ufw or some other firewall management system, there is probably a way to configure an equivalent rule to it.

Source Link
telcoM
telcoM
  • 114.1k
  • 4
  • 163
  • 311

With your configuration, sshd.service will certainly start only after zerotier-one.service starts. But that is not enough. The sshd.service would need to wait until Zerotier has actually connected successfully, which can happen quite a bit later (in computer timescales, at least). And the current zerotier-one.service is not even trying to provide that information to systemd:

[Unit]
Description=ZeroTier One
After=network-online.target network.target
Wants=network-online.target

[Service]
ExecStart=/usr/sbin/zerotier-one
Restart=always
KillMode=process

[Install]
WantedBy=multi-user.target

You would probably have to create a Type=oneshot service (it could be called zerotier-wait-online.service) that would run a script that includes a loop that calls e.g. zerotier-cli listnetworks or just ip addr show and looks for the IP address 192.168.10.10. If it is not available, the script would sleep a few seconds and try again.

When the script would see the address has appeared, the script would exit - and that would tell systemd that any service configured to run After=zerotier-wait-online.service can now proceed. (Unlike the default Type=simple and several other service types, services of Type=oneshot are only considered "started" after their main ExecStart process has successfully exited - and that's exactly what you need.

Once you have that service working, you can change your sshd.service override to After=zerotier-wait-online.service, and then it should work as you wanted.

Note that you cannot simply require that zerotier-wait-online.service runs Before=network-online.target, because zerotier-one.service itself runs After=network-online.target. Trying to set up such a requirement would create an impossible situation.