On Sat, Apr 30, 2016 at 10:23:35AM -0000, Colin Watson wrote:
> Per-connection sshd instances with systemd
> ------------------------------------------
>
> If you want to reconfigure systemd to listen on port 22 itself and launch an
> instance of sshd for each connection (inetd-style socket activation), then
> you can run:
>
>   systemctl stop ssh.service
>   systemctl start ssh.socket
>
> To make this permanent:
>
>   systemctl disable ssh.service
>   systemctl enable ssh.socket
>
> This may be appropriate in environments where minimal footprint is critical
> (e.g. cloud guests). Be aware that this bypasses MaxStartups, and systemd's
> MaxConnections cannot quite replace this as it cannot distinguish between
> authenticated and unauthenticated connections; see
> https://bugzilla.redhat.com/show_bug.cgi?id=963268 for more discussion.
>
> The provided ssh.socket unit file sets ListenStream=22. If you need to have
> it listen on a different address or port, then you will need to do this by
> copying /lib/systemd/system/ssh.socket to /etc/systemd/system/ssh.socket and
> modifying the ListenStream option. See systemd.socket(5) for details.
AIUI this should be fixable by patching openssh to use the systemd
socket-passing protocol (sd_listen_fds(3)) instead of relying on inetd-style
socket passing. In that case, openssh can apply whatever controls it wants
to the listen() socket.
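An added example (not OpenSSH's or systemd's own code) of the sd_listen_fds(3) protocol the reply refers to: the daemon reads LISTEN_PID/LISTEN_FDS itself, takes the listening socket at fd 3 when systemd passed one, and otherwise binds its own, so the decision when to accept() stays with the daemon. The function names and the loopback fallback are assumptions made for the example.

```c
/* Added example (not OpenSSH or systemd code): the sd_listen_fds(3) protocol
 * reimplemented by hand. A daemon started from a systemd socket unit this way
 * receives the listening socket itself and can apply its own accept() policy
 * (a MaxStartups-style limit), unlike inetd-style Accept=yes activation. */
#define _POSIX_C_SOURCE 200809L
#include <arpa/inet.h>
#include <fcntl.h>
#include <netinet/in.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/socket.h>
#include <unistd.h>
#define SD_LISTEN_FDS_START 3  /* systemd hands fds over starting at 3 */

/* Number of fds passed by systemd; 0 when not socket-activated or when
 * LISTEN_PID names another process (a stale, inherited environment). */
int listen_fds_from_env(int unset_environment) {
    const char *pid_s = getenv("LISTEN_PID"), *fds_s = getenv("LISTEN_FDS");
    int n = 0;
    if (pid_s && fds_s) {
        char *end;
        long pid = strtol(pid_s, &end, 10);
        if (*end == '\0' && pid == (long)getpid()) {
            long count = strtol(fds_s, &end, 10);
            if (*end == '\0' && count >= 0 && count < 1024) {
                n = (int)count;
                /* close-on-exec so re-exec'd children do not inherit the listeners */
                for (int fd = SD_LISTEN_FDS_START; fd < SD_LISTEN_FDS_START + n; fd++)
                    fcntl(fd, F_SETFD, FD_CLOEXEC);
            }
        }
    }
    if (unset_environment) {  /* do not leak the variables to child processes */
        unsetenv("LISTEN_PID"); unsetenv("LISTEN_FDS"); unsetenv("LISTEN_FDNAMES");
    }
    return n;
}

/* Use the systemd-passed listener if there is one, else bind our own on
 * 127.0.0.1:port. Either way the daemon owns the listen() socket and decides
 * when to accept(), which is where a MaxStartups-style check belongs. */
int acquire_listen_socket(unsigned short port) {
    if (listen_fds_from_env(1) >= 1) return SD_LISTEN_FDS_START;
    int fd = socket(AF_INET, SOCK_STREAM, 0);
    if (fd < 0) return -1;
    struct sockaddr_in sa = { .sin_family = AF_INET, .sin_port = htons(port) };
    sa.sin_addr.s_addr = htonl(INADDR_LOOPBACK);
    if (bind(fd, (struct sockaddr *)&sa, sizeof sa) < 0 || listen(fd, 128) < 0) { close(fd); return -1; }
    return fd;
}
```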