[Bug 1991592] Re: openssh-server should ship a systemd generator to generate ssh socket port configuration from sshd_config
Corey Reichle
1991592 at bugs.launchpad.net
Thu Oct 6 13:04:05 UTC 2022
> The point is to reduce footprint for greater density in production
> environments. Most instances don't need an ssh daemon running all the
> time.
If the point is to increase density, then sshd should just be off, and
not automatically started, unless it's required for work.
People install openssh-server, so a container/server/whatever has 22
listening on the ports required.
If people need to squeeze 3MB from RAM, a better solution is to just
have them never enable it, except when they need it, using a container
entry point, or some other hook system that turns it on as required, and
then off.
If ssh is selected at install time, to be installed, and listening, then
the user expectation is that it is installed, and listening. Not just
"listening as needed".
Or, conversely, as I proposed in the original ticket (that somehow got
marked as a duplicate of this ticket, which was created later): migrate
all configuration for openssh-server out of /etc/ssh/sshd_config, and
into its unit file.
No, there isn't generally an expectation that you will require two
wholly unconnected places to be configured for something that is only
configured in one place for every other distro, and every other OS that
openssh-server runs on.
One configuration to rule them all, so to speak. And I think at this
point, moving config for openssh-server into a unit file, is probably
the best course.
--
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to the bug report.
https://bugs.launchpad.net/bugs/1991592
Title:
openssh-server should ship a systemd generator to generate ssh socket
port configuration from sshd_config
Status in openssh package in Ubuntu:
Triaged
Bug description:
A criticism of the existing sshd socket activation implementation is
that Port/ListenAddress options are migrated on a one-time basis at
package upgrade time, and afterwards users get the surprising behavior
that Port/ListenAddress settings added to sshd_config are ignored.
A systemd generator could be used to change the ssh socket unit
configuration on boot, and on each change of /etc/ssh/sshd_config.
Sample implementation from Dimitri:
ssh.socket:
[Unit]
Wants=sshd-config.path
[Socket]
#
# Note the below defaults are cleared and overridden by
# /lib/systemd/system-generators/sshd-generator
# based on the sshd config from the sshd -T output
#
ListenStream=[::]:22
ListenStream=0.0.0.0:22
diff --git a/systemd/sshd-config.path b/systemd/sshd-config.path
new file mode 100644
index 000000000..cfa9674a3
--- /dev/null
+++ b/systemd/sshd-config.path
@@ -0,0 +1,4 @@
+[Unit]
+ConditionPathExists=!/etc/ssh/sshd_not_to_be_run
+[Path]
+PathChanged=/etc/ssh/sshd_config
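Review bot: PathChanged=/etc/ssh/sshd_config watches only that one file, while the generator reads the fully resolved config from `sshd -T`, which also folds in any file pulled in by an `Include` directive in sshd_config; a Port or ListenAddress set in an included drop-in therefore changes the generator's result without ever triggering sshd-config.service, and the socket stays on the stale addresses until the next boot. Add a watch on the included location as well, e.g. `PathChanged=/etc/ssh/sshd_config.d` (PathChanged= may be given more than once), so edits there regenerate the socket configuration too.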
diff --git a/systemd/sshd-config.service b/systemd/sshd-config.service
new file mode 100644
index 000000000..b009ea52c
--- /dev/null
+++ b/systemd/sshd-config.service
@@ -0,0 +1,5 @@
+[Unit]
+Description=Regenerate ssh.socket.d/ssh-listen.conf drop-in
+
+[Service]
+ExecStart=/bin/systemctl daemon-reload
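Review bot: `systemctl daemon-reload` only re-runs the generators and re-reads the drop-in; ssh.socket keeps the addresses it already bound until it is restarted, so an edited Port still appears to be ignored, which is exactly the surprise the bug report describes. Follow the reload with a restart of ssh.socket (keeping in mind that systemd refuses to start a socket whose service is already active, so a running ssh.service has to be handled as well), and set `Type=oneshot` so the unit's completion means both commands have finished rather than the default Type=simple treating the first command's launch as success.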
diff --git a/systemd/sshd-generator b/systemd/sshd-generator
new file mode 100755
index 000000000..72c6aac04
--- /dev/null
+++ b/systemd/sshd-generator
@@ -0,0 +1,10 @@
+#!/bin/sh
+set -eu
+mkdir -p /run/sshd
+sshd -t
+mkdir -p $1/ssh.socket.d
+target="$1/ssh.socket.d/ssh-listen.conf"
+echo '[Socket]' > $target
+echo 'ListenStream=' >> $target
+sshd -T | sed -n 's/^listenaddress /ListenStream=/p' >> $target
+rmdir --ignore-fail-on-non-empty /run/sshd
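Review bot: under `set -eu`, a failing `sshd -t` aborts the generator before the drop-in is written, so a single typo in sshd_config silently leaves ssh.socket on the [::]:22 and 0.0.0.0:22 defaults hard-coded in the unit, with nothing but the generator's exit status to indicate it; print a clear message to stderr before exiting (generators have no other output channel), and consider writing the drop-in from the defaults explicitly so the fallback is visible in `systemctl cat ssh.socket`. Minor: quote `"$1"` and `"$target"` in the `mkdir`, `echo` and `sed` redirections; systemd passes a space-free directory, but the unquoted expansions are the kind of habit that bites when the script is copied elsewhere.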
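Worked example, added here and not part of the bug report or of Dimitri's patch: a POSIX sh function that turns `sshd -T` output into the body of the ssh.socket drop-in the generator is meant to write, together with a wrapper that refuses to write a reset-only drop-in when the input carries no listenaddress line (a bare `ListenStream=` would leave the socket with no address at all) instead of failing quietly. The `sshd -T` text is constructed to show what a config with `Port 2222` and two `ListenAddress` lines resolves to; a real generator would run `sshd -T` itself and would receive the generator directory from systemd as its first argument, which the example stands in for with a scratch directory.

```shell
#!/bin/sh
# Added example, not the generator from the bug report.
# Builds the ssh.socket drop-in body from `sshd -T` output fed on stdin.
set -eu

# sshd -T prints every keyword lower-cased, one resolved address per line:
#   listenaddress 192.0.2.10:2222
# The empty "ListenStream=" first resets the list inherited from ssh.socket,
# so only the addresses that come from sshd_config remain.
listen_dropin() {
    printf '[Socket]\nListenStream=\n'
    sed -n 's/^listenaddress /ListenStream=/p'
}

# Write the drop-in into the generator directory ($1) from sshd -T text ($2).
# Refuse to write a reset-only drop-in: keep the unit's defaults and say why,
# rather than leaving a socket that binds nothing.
write_listen_dropin() {
    gen_dir=$1
    sshd_t_output=$2
    if ! printf '%s\n' "$sshd_t_output" | grep -q '^listenaddress '; then
        echo "sshd-generator: no listenaddress in sshd -T output; keeping ssh.socket defaults" >&2
        return 1
    fi
    mkdir -p "$gen_dir/ssh.socket.d"
    printf '%s\n' "$sshd_t_output" | listen_dropin \
        > "$gen_dir/ssh.socket.d/ssh-listen.conf"
}

# Number of addresses the drop-in actually binds (the reset line excluded).
count_listeners() {
    printf '%s\n' "$1" | listen_dropin | grep -c '^ListenStream=.'
}

# Constructed sample of sshd -T output (not captured from a real host) for:
#   Port 2222
#   ListenAddress 192.0.2.10
#   ListenAddress [2001:db8::10]:2223
SAMPLE_SSHD_T='port 2222
addressfamily any
listenaddress 192.0.2.10:2222
listenaddress [2001:db8::10]:2223
permitrootlogin prohibit-password'

# Stand-alone run (sh example.sh --demo): write into a scratch directory in
# place of /run/systemd/generator and print the resulting drop-in.
if [ "${1:-}" = "--demo" ]; then
    scratch=$(mktemp -d)
    write_listen_dropin "$scratch" "$SAMPLE_SSHD_T"
    cat "$scratch/ssh.socket.d/ssh-listen.conf"
    rm -r "$scratch"
fi
```

The reset line matters: without it the drop-in would add to the `[::]:22` and `0.0.0.0:22` entries in ssh.socket instead of replacing them, and the daemon would keep accepting on port 22 after the administrator thought it had moved.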
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/openssh/+bug/1991592/+subscriptions
More information about the foundations-bugs
mailing list