[Semibug] sshd configuration for Jails questions

Nick Holland nick at holland-consulting.net
Sun Jan 29 10:27:41 EST 2023


On 1/25/23 16:52, Mark Moellering wrote:
> Question.  I am configuring a server; the IP address comes from DHCP, but I want to run jails, which means restricting the IP addresses sshd listens on.
> 
> Normally, this is done by IP, but I don't know how to do it for DHCP.  Will using the hostname work?  For example:
> ListenAddress hostname.mydomain.com
> 
> Or will that not work?

man sshd_config says that a hostname in that spot will work.
What it doesn't specify is what happens if the DNS resolution of
the hostname changes.  Test?

> I have seen online that some people have cron scripts that look for a change of DHCP IP and then update the sshd_config file and restart sshd, but I am hoping to avoid that...
> Of course, I can use a non-standard port, but I'm not sure I want that either.

Restarting sshd used to be a scary thing -- but for a number of years,
(enough that if you are running a currently supported OS, you should be
good) if you restart the master sshd process, any live connections stay
up and running.  The reconfig would take place for new connections; old
connections don't need to be reconfigured.

So...you shouldn't need to change the sshd_config file, just put a hostname
in it.  If you detect a change of IP addresses, restart the master sshd
process. Done.

But...really, as Carl said, if you control the DHCP process here, the
proper answer is fix your DHCP server.  Pretty much every DHCP server has
a way to assign a particular IP address to particular machines.  OpenBSD's
DHCP server has always been "as good as static" -- once it assigns an IP
address to a particular machine, it never changes IP address unless
absolutely forced (and in over 20+ years of using it, I've never noticed
a forced change, and certainly never on a machine that was kept running
or run frequently) or you lose your dhcpd.leases file.

Nick.



> 
> Thanks
> 
> Mark
> P.S. Michael Lucas appears to not have addressed this in his book about Jails  ;-)
> 
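
Nick's approach (a hostname in ListenAddress, restart the master sshd only when the address moves), written up as a small sh script added here; it is not from the thread or from either poster, and the hostname, state file and restart command are assumed placeholders, with host(1) assumed for resolution.

```sh
#!/bin/sh
# Added example, not from the thread. Run from cron or a dhclient hook.
# It resolves the hostname used in ListenAddress, remembers the answer,
# and restarts sshd only when the answer changes, so sshd_config itself
# never needs editing. Existing sessions survive the restart.

# Assumptions: the ListenAddress hostname and the restart command are
# placeholders; adjust for your rc system (OpenBSD: rcctl restart sshd).
SSHD_HOST="${SSHD_HOST:-hostname.mydomain.com}"
STATE_FILE="${STATE_FILE:-/var/run/sshd-listen-ip}"
RESTART_CMD="${RESTART_CMD:-service sshd restart}"

# Resolve one IPv4 address with host(1); prints nothing on failure.
resolve_host() {
    host -t A "$1" 2>/dev/null | awk '/has address/ { print $4; exit }'
}

# address_changed STATE CURRENT: records CURRENT in STATE and returns 0
# only when a previously recorded address exists and differs. A first
# run just seeds the file (returns 1) so it does not trigger a restart.
address_changed() {
    state="$1"; current="$2"
    previous=""
    [ -r "$state" ] && previous=$(cat "$state")
    printf '%s\n' "$current" > "$state"
    if [ -n "$previous" ] && [ "$current" != "$previous" ]; then
        return 0
    fi
    return 1
}

main() {
    current=$(resolve_host "$SSHD_HOST")
    if [ -z "$current" ]; then
        echo "cannot resolve $SSHD_HOST; leaving sshd alone" >&2
        exit 1
    fi
    if address_changed "$STATE_FILE" "$current"; then
        echo "$SSHD_HOST moved to $current; restarting sshd" >&2
        $RESTART_CMD
    fi
}

# Only act when invoked as "sshd-watch.sh run"; sourcing just defines functions.
case "${1:-}" in run) main ;; esac
```

A resolution failure deliberately leaves sshd untouched, so a DNS hiccup cannot bounce the daemon.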