Change SSH port on remote host #291

Closed
munnik opened this issue Sep 9, 2024 · 2 comments

munnik commented Sep 9, 2024

Hi,

I want to change the ssh port on my remote host from the default 22 to some other port to prevent some ssh attacks. I added the line `services.openssh.ports = [ 12345 ];` to my config and then tried to deploy it using `nix run github:serokell/deploy-rs .`. Deploy-rs is now waiting for a confirmation it never gets:

```
⭐ ❌ [activate] [ERROR] Failed to get activation confirmation: Error waiting for confirmation event: Timeout elapsed for confirmation
thread 'tokio-runtime-worker' panicked at /build/source/src/deploy.rs:488:41:
called `Result::unwrap()` on an `Err` value: SSHActivateExit(Some(1))
note: run with `RUST_BACKTRACE=1` environment variable to display a backtrace
thread 'main' panicked at /build/source/src/deploy.rs:523:30:
called `Result::unwrap()` on an `Err` value: RecvError(())
```

When I add `sshOpts = [ "-p" "12345" ];` it will never connect to the node. What is the correct way to handle this ssh port change?

sedlund commented Sep 9, 2024

If you are applying a change to the remote that changes the ssh port, you have to add `--magic-rollback false` for that apply to disable the verification.

Because deploy-rs is unable to verify the connectivity, the activation script on the remote is rolling back the port change and you receive this error.

In future connections you will then have `sshOpts = [ "-p" "12345" ];` in the config to connect to the non-standard port.

munnik commented Oct 13, 2024

Got it. I think a safer way is to first let ssh listen both on the old and new port, and run deploy-rs with the old port. If that is successful, you can remove the old port from the ssh config and add the `sshOpts = [ "-p" "12345" ];` to deploy-rs.

@munnik munnik closed this as completed Oct 13, 2024
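
The two-step port change described in the last comment, written out as a flake. This is an added example, not code from the thread or from the deploy-rs project; the host name `myhost`, the address `192.0.2.10`, `./configuration.nix` and the `phase` switch are assumptions.

```nix
# flake.nix (added example; "myhost", 192.0.2.10 and ./configuration.nix
# are placeholders, and `phase` is a hypothetical switch edited by hand)
{
  inputs.nixpkgs.url = "github:NixOS/nixpkgs/nixos-unstable";
  inputs.deploy-rs.url = "github:serokell/deploy-rs";

  outputs = { self, nixpkgs, deploy-rs }:
    let
      oldPort = 22;
      newPort = 12345;
      # phase = 1: sshd listens on both ports, deploy-rs connects on oldPort.
      # phase = 2: set only after the phase 1 deploy succeeded and a manual
      #            login on newPort worked; sshd then listens on newPort only.
      phase = 1;
    in {
      nixosConfigurations.myhost = nixpkgs.lib.nixosSystem {
        system = "x86_64-linux";
        modules = [
          ./configuration.nix # must not define services.openssh.ports itself
          {
            services.openssh.enable = true;
            services.openssh.ports =
              if phase == 1 then [ oldPort newPort ] else [ newPort ];
          }
        ];
      };

      deploy.nodes.myhost = {
        hostname = "192.0.2.10";
        # Connect on a port that is open both before and after activation:
        # oldPort in phase 1, newPort (already opened by phase 1) in phase 2.
        # The confirmation step can then reach the host, so magic rollback
        # does not need to be disabled for either deploy.
        sshOpts = [ "-p" (toString (if phase == 1 then oldPort else newPort)) ];
        profiles.system = {
          user = "root";
          path = deploy-rs.lib.x86_64-linux.activate.nixos
            self.nixosConfigurations.myhost;
        };
      };
    };
}
```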