Bug 1961785

Summary: RFE: socket activation for sshd
Product: [Fedora] Fedora
Reporter: Zbigniew Jędrzejewski-Szmek <zbyszek>
Component: openssh
Assignee: Dmitry Belyavskiy <dbelyavs>
Status: CLOSED WONTFIX
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: unspecified
Docs Contact:
Priority: unspecified
Version: rawhide
CC: crypto-team, dbelyavs, dwalsh, jjelen, lkundrak, mattias.ellert, plautrba, tm
Target Milestone: ---
Keywords: FutureFeature, Triaged
Target Release: ---
Hardware: Unspecified
OS: Unspecified
Last Closed: 2021-11-03 09:39:27 UTC
Type: Bug

Description Zbigniew Jędrzejewski-Szmek 2021-05-18 17:20:41 UTC
Description of problem:
Please add support for socket activation in sshd, in the sense of a listening
socket managed by systemd which is then passed to a long-running service on first
connection.

For many (most?) machines, sshd is used only occasionally. This includes both physical
hardware e.g. developer laptops, but also VMs/containers, where one might connect sometimes
for debugging, but not very often. It is good to have the possibility to connect, but always
starting sshd wastes some ram and cpu cycles at startup.

I expect we would want to have a permanently-activated sshd only on real multi-user
servers, or on worker nodes which accept many ssh connections. For a majority of
installations, socket activated sshd would be more appropriate.

We currently have sshd.socket with Accept=yes which starts per-connection instances
of sshd. Sshd is better at managing multiple connections than systemd, e.g. logs it much
better and handles failing connections better.

As a second-order feature, if socket activation is implemented, sshd could automatically
deactivate itself after a few minutes of idleness. Because systemd would still hold
the socket, there is no window where the socket is not listening and connections
would fail.

We have added socket activation to almost all services over the years, sshd is one
of the notable exceptions.
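
The mechanism requested above, as an added example that is not part of the original report and is not OpenSSH or systemd code: a long-running service in C that takes over a listening socket passed under the sd_listen_fds(3) convention (`LISTEN_PID`, `LISTEN_FDS`, descriptors starting at 3) and exits after an idle period. The function names, the reply text and the two-minute timeout are assumptions.

```c
/* Added example, not OpenSSH code: a long-running service that inherits its
 * listening socket from systemd (.socket unit with Accept=no), exits when idle. */
#include <errno.h>
#include <poll.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/socket.h>
#include <unistd.h>

#define LISTEN_FDS_START 3 /* first inherited descriptor, see sd_listen_fds(3) */

/* Number of sockets passed by the service manager, 0 if not socket-activated. */
int inherited_listen_fds(void) {
    const char *pid = getenv("LISTEN_PID"), *n = getenv("LISTEN_FDS");
    if (!pid || !n) return 0;
    /* LISTEN_PID must name this process; otherwise the variables leaked in
     * from a parent's environment and the descriptors are not ours. */
    if (strtol(pid, NULL, 10) != (long)getpid()) return 0;
    long count = strtol(n, NULL, 10);
    return (count > 0 && count < 1024) ? (int)count : 0;
}

/* Accept on listen_fd until nothing arrives for idle_ms; returns the number
 * of connections served. The caller can then exit: systemd keeps the socket
 * open, so later connections queue and start the service again. */
int serve_until_idle(int listen_fd, int idle_ms) {
    static const char msg[] = "hello from socket-activated service\n";
    struct pollfd p = { .fd = listen_fd, .events = POLLIN };
    int served = 0;
    while (poll(&p, 1, idle_ms) > 0) {
        int c = accept(listen_fd, NULL, NULL);
        if (c < 0) {
            if (errno == ECONNABORTED || errno == EINTR) continue;
            break; /* listening socket unusable: stop instead of spinning */
        }
        send(c, msg, sizeof msg - 1, MSG_NOSIGNAL); /* stand-in for a session */
        close(c);
        served++;
    }
    return served;
}

int main(void) {
    if (inherited_listen_fds() < 1) return 1; /* not started via a .socket unit */
    printf("served %d\n", serve_until_idle(LISTEN_FDS_START, 120000));
    return 0;
}
```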

Comment 1 Fedora Admin user for bugzilla script actions 2021-05-19 00:03:57 UTC
This package has changed maintainer in Fedora. Reassigning to the new maintainer of this component.

Comment 2 Jakub Jelen 2021-05-19 08:31:09 UTC
This started with

> 3. sshd.socket is stupid.

from bug #1851478. Given the attention systemd integration receives from the OpenSSH upstream, the solution might be dropping the socket activation altogether as really nobody wants that.

I do not think we want another downstream patch in openssh just to have different socket activation for systemd (unless somebody is willing to write that patch upstream).