sshd vs openvpn

Pawel Golaszewski blues at pld-linux.org
Tue Oct 7 09:41:14 CEST 2008


On Tue, 7 Oct 2008, Elan Ruusamäe wrote:
> we had suffered one incident when one server did not come "up" because openvpn 
> had a server certificate which was protected by a password and therefore it was 
> waiting for password input and no other service (sshd was crucial) was 
> brought up until someone pressed enter.
> 
> $ l /etc/rc.d/rc3.d/*vpn
> lrwxrwxrwx 1 root root 24 2008-09-02 00:08 /etc/rc.d/rc3.d/S11openvpn -> /etc/rc.d/init.d/openvpn*
> 
>  l /etc/rc.d/rc3.d/*sshd
> lrwxrwxrwx 1 root root 21 2008-07-28 22:14 /etc/rc.d/rc3.d/S55sshd -> /etc/rc.d/init.d/sshd*
> 
> perhaps change start priorities so that sshd is started before openvpn?
> then there could be other services that block startup the same way?

apache with a password-protected certificate?

> change sshd to be as early as possible?

Yes, sshd is critical and we should do everything to make it available.

> out of my mind came that sshd should be after "random" and "network" 
> initscripts... nothing else should matter... however if you depend sshd 
> being "visible" also in openvpn device we can't do this...

It could be a problem in some configurations.
I.e. all routing daemons should start earlier...

> maybe it would be possible to setup some timeout for openvpn key input 
> and then proceed further if no passphrase was input within that time 
> period?

That kind of thing should be done for _every_ service started. A few days 
ago I had a problem with hc-cron which hung while starting. /etc/nologin was 
left in place and all the users had problems. It's good that root can log in 
despite nologin, but the problem stays.

Every service should have some period of time (let's say... 5 minutes). 
After that time it's killed.

> any other thoughts?

-- 
pozdr.  Paweł Gołaszewski          jid:blues<at>jabber<dot>gda<dot>pl
--------------------------------------------------------------------------
If you think of MS-DOS as mono, and Windows as stereo, then Linux is Dolby
Pro-Logic Surround Sound with Bass Boost and all the music is free.
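The two remedies discussed in this thread, checking that sshd's rc start priority is lower than openvpn's and giving every service start a deadline after which it is killed, as an added POSIX sh example; this is not code from the thread or from PLD's init scripts. It assumes the SysV `S<NN>name` symlink convention visible in the quoted `rc3.d` listing; the function names `rc_priority`, `starts_before` and `start_with_timeout` are hypothetical, and the sample rc directory used in the test is constructed.

```shell
#!/bin/sh
# Added example, not code from the thread or from PLD's init scripts.

# rc_priority DIR NAME: print the two-digit start priority of NAME in DIR,
# using the SysV S<NN>name convention (e.g. S55sshd -> 55).
# Returns 1 if DIR has no start link for NAME.
rc_priority() {
    dir=$1; name=$2
    for link in "$dir"/S[0-9][0-9]"$name"; do
        # An unmatched glob is left as the literal pattern, so test existence
        # (-L covers a dangling symlink, which is still an ordering entry).
        [ -e "$link" ] || [ -L "$link" ] || return 1
        base=${link##*/}          # S55sshd
        num=${base#S}             # 55sshd
        echo "${num%"$name"}"     # 55
        return 0
    done
}

# starts_before DIR A B: succeed if service A starts before service B in DIR
# (lower S-number). Returns 2 if either service has no start link.
starts_before() {
    a=$(rc_priority "$1" "$2") || return 2
    b=$(rc_priority "$1" "$3") || return 2
    [ "$a" -lt "$b" ]
}

# start_with_timeout SECONDS CMD [ARGS...]: run CMD with stdin from /dev/null,
# so an interactive passphrase prompt reads EOF and fails instead of blocking
# the boot, and kill CMD (TERM, then KILL one second later) if it is still
# running after SECONDS. Returns CMD's exit status, or 124 on timeout (the
# convention GNU timeout uses).
start_with_timeout() {
    limit=$1; shift
    "$@" </dev/null &
    pid=$!
    # Watchdog subshell. If CMD finishes first it is terminated (the trap also
    # stops its inner sleep so nothing lingers); if the deadline is reached it
    # escalates and exits 124 so the caller can tell the two cases apart.
    (
        trap 'kill "$s" 2>/dev/null; exit 0' TERM
        sleep "$limit" & s=$!
        wait "$s" || true
        trap '' TERM
        kill -TERM "$pid" 2>/dev/null || true
        sleep 1
        kill -KILL "$pid" 2>/dev/null || true
        exit 124
    ) >/dev/null 2>&1 &
    watchdog=$!
    status=0
    wait "$pid" || status=$?
    kill -TERM "$watchdog" 2>/dev/null || true
    wd=0
    wait "$watchdog" || wd=$?
    [ "$wd" -eq 124 ] && return 124
    return "$status"
}
```

The stdin redirection is the cheap part of the fix: a daemon that insists on a passphrase then fails on its own and only that service is lost, while sshd and the rest of the boot proceed. The watchdog covers the other case from the thread, a service that simply hangs while starting (the hc-cron situation), and its exit code lets the init script log a timeout separately from an ordinary start failure.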
