[Bug 1991592] Re: openssh-server should ship a systemd generator to generate ssh socket port configuration from sshd_config

Thu Oct 6 15:50:19 UTC 2022

On Thu, Oct 06, 2022 at 02:34:40PM -0000, Corey Reichle wrote:
> > Socket activation provides a smoother (runtime) UX for users
> 
> SSHD configuration is not a user issue, but a systems administration
> issue.

Maybe, but more important is the UX for users of ssh clients who aren't
trying to deviate from default configuration, and for users who want
density by default and don't need sshd running on every instance. Socket
activation provides a smoother UX for these user stories.

It sounds like your objections relate to the use of socket activation
and how it is implemented in configuration files in general, rather than
ssh specifically. The same goes for your ideas about moving daemon
configuration into systemd unit files. I think your views on both of
these issues contradict the general direction that our entire ecosystem
is taking. Essentially you seem to be asking for a complete reversal in
direction of how socket activation is used and configured in Debian and
Ubuntu.

You're entitled to your opinions and I wouldn't want to rule anything
out, but this is the wrong venue for these discussions as they are far
wider reaching than just ssh. I suggest you use
https://lists.ubuntu.com/mailman/listinfo/ubuntu-devel-discuss instead.

-- 
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to the bug report.
https://bugs.launchpad.net/bugs/1991592

Title:
  openssh-server should ship a systemd generator to generate ssh socket
  port configuration from sshd_config

Status in openssh package in Ubuntu:
  Triaged

Bug description:
  A criticism of the existing sshd socket activation implementation is
  that Port/ListenAddress options are migrated on a one-time basis at
  package upgrade time, and afterwards users get the surprising behavior
  that Port/ListenAddress settings added to sshd_config are ignored.

  A systemd generator could be used to change the ssh socket unit
  configuration on boot, and on each change of /etc/ssh/sshd_config.
  Sample implementation from Dimitri:

  ssh.socket:
  [Unit]
  Wants=sshd-config.path

  #
  # Note the below defaults are cleared and overriden by
  #    /lib/systemd/system-generators/sshd-generator
  # based on the sshd config from the sshd -T output
  #
  ListenStream=[::]:22
  ListenStream=0.0.0.0:22

  diff --git a/systemd/sshd-config.path b/systemd/sshd-config.path
  new file mode 100644
  index 000000000..cfa9674a3
  --- /dev/null
  +++ b/systemd/sshd-config.path
  @@ -0,0 +1,4 @@
  +[Unit]
  +ConditionPathExists=!/etc/ssh/sshd_not_to_be_run
  +[Path]
  +PathChanged=/etc/ssh/sshd_config
  diff --git a/systemd/sshd-config.service b/systemd/sshd-config.service
  new file mode 100644
  index 000000000..b009ea52c
  --- /dev/null
  +++ b/systemd/sshd-config.service
  @@ -0,0 +1,5 @@
  +[Unit]
  +Description=Regenerate ssh.socket.d/ssh-listen.conf drop-in
  +
  +[Service]
  +ExecStart=/bin/systemctl daemon-reload
  diff --git a/systemd/sshd-generator b/systemd/sshd-generator
  new file mode 100755
  index 000000000..72c6aac04
  --- /dev/null
  +++ b/systemd/sshd-generator
  @@ -0,0 +1,10 @@
  +#!/bin/sh
  +set -eu
  +mkdir -p /run/sshd
  +sshd -t
  +mkdir -p $1/ssh.socket.d
  +target="$1/ssh.socket.d/ssh-listen.conf"
  +echo '[Socket]' > $target
  +echo 'ListenStream=' >> $target
  +sshd -T | sed -n 's/^listenaddress /ListenStream=/p' >> $target
  +rmdir --ignore-fail-on-non-empty /run/sshd

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/openssh/+bug/1991592/+subscriptions