[Bug 1991592] Re: openssh-server should ship a systemd generator to generate ssh socket port configuration from sshd_config

Robie Basak 1991592 at bugs.launchpad.net
Thu Oct 6 14:03:54 UTC 2022 

On Thu, Oct 06, 2022 at 01:04:05PM -0000, Corey Reichle wrote:
> If the point is to increase density, then sshd should just be off, and
> not automatically started, unless it's required for work.

Socket activation provides a smoother (runtime) UX for users, and is
well established as a mechanism to reduce runtime footprint without any
impact to users who want to use the service. Why do you think it's
preferable to have the daemon not started and without socket activation?

> If ssh is selected at install time, to be installed, and listening, then
> the user expectation is that it is installed, and listening.  Not just
> "listening as needed".

Why? What user story is broken by socket activation here?

> Or, conversely, as I proposed in the original ticket (That somehow got
> marked as a duplicate of this ticket, that was created later):  Migrate
> all configuration for openssh-server out of /etc/ssh/sshd_config, and
> into it's unit file.

I'm pretty sure this would result in far more pushback from the
community than merely enabling socket activation. We'd end up with an
order of magnitude more upgrade path issues in doing this, and we'd be
diverging from the entire rest of the community.

> No, there isn't generally an expectation that you will require two
> wholly unconnected places to be configured for something that is only
> configured in one place for every other distro, and every other OS that
> openssh-server runs on.

It's increasingly common to use socket activation on systemd-based
distros. Ubuntu may be pushing ahead on the sshd side, but socket
activation in general is already in place in various other packages.

I accept that the "two different places" configuration issue arises as a
consequence of socket activation, and this is poor UX. But the general
concept already exists in other areas (eg. After=network-online.service,
and AppArmor), and doing otherwise in the general case would require a
reversal, or even a "ban", on the use of socket activation across all
packages in Ubuntu. I don't think that makes sense, but even if it did,
it'd have to be a bigger discussion than just in this bug. As long as
socket activation is a generally acceptable pattern in Ubuntu, I see no
reason why sshd would be expected to be special and not use it.

-- 
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to the bug report.
https://bugs.launchpad.net/bugs/1991592

Title:
  openssh-server should ship a systemd generator to generate ssh socket
  port configuration from sshd_config

Status in openssh package in Ubuntu:
  Triaged

Bug description:
  A criticism of the existing sshd socket activation implementation is
  that Port/ListenAddress options are migrated on a one-time basis at
  package upgrade time, and afterwards users get the surprising behavior
  that Port/ListenAddress settings added to sshd_config are ignored.

  A systemd generator could be used to change the ssh socket unit
  configuration on boot, and on each change of /etc/ssh/sshd_config.
  Sample implementation from Dimitri:

  ssh.socket:
  [Unit]
  Wants=sshd-config.path

  #
  # Note the below defaults are cleared and overriden by
  #    /lib/systemd/system-generators/sshd-generator
  # based on the sshd config from the sshd -T output
  #
  ListenStream=[::]:22
  ListenStream=0.0.0.0:22

  diff --git a/systemd/sshd-config.path b/systemd/sshd-config.path
  new file mode 100644
  index 000000000..cfa9674a3
  --- /dev/null
  +++ b/systemd/sshd-config.path
  @@ -0,0 +1,4 @@
  +[Unit]
  +ConditionPathExists=!/etc/ssh/sshd_not_to_be_run
  +[Path]
  +PathChanged=/etc/ssh/sshd_config
  diff --git a/systemd/sshd-config.service b/systemd/sshd-config.service
  new file mode 100644
  index 000000000..b009ea52c
  --- /dev/null
  +++ b/systemd/sshd-config.service
  @@ -0,0 +1,5 @@
  +[Unit]
  +Description=Regenerate ssh.socket.d/ssh-listen.conf drop-in
  +
  +[Service]
  +ExecStart=/bin/systemctl daemon-reload
  diff --git a/systemd/sshd-generator b/systemd/sshd-generator
  new file mode 100755
  index 000000000..72c6aac04
  --- /dev/null
  +++ b/systemd/sshd-generator
  @@ -0,0 +1,10 @@
  +#!/bin/sh
  +set -eu
  +mkdir -p /run/sshd
  +sshd -t
  +mkdir -p $1/ssh.socket.d
  +target="$1/ssh.socket.d/ssh-listen.conf"
  +echo '[Socket]' > $target
  +echo 'ListenStream=' >> $target
  +sshd -T | sed -n 's/^listenaddress /ListenStream=/p' >> $target
  +rmdir --ignore-fail-on-non-empty /run/sshd

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/openssh/+bug/1991592/+subscriptions

More information about the foundations-bugs mailing list