Bug 2025716

Summary:	Consider dropping sshd.socket unit
Product:	[Fedora] Fedora	Reporter:	Timothée Ravier <travier>
Component:	openssh	Assignee:	Timothée Ravier <travier>
Status:	CLOSED ERRATA	QA Contact:	Fedora Extras Quality Assurance <extras-qa>
Severity:	low	Docs Contact:
Priority:	low
Version:	rawhide	CC:	crypto-team, dbelyavs, dwalsh, jjelen, lkundrak, mattias.ellert, mzeuom, ppisar, tm
Target Milestone:	---	Keywords:	Reopened, Triaged
Target Release:	---
Hardware:	All
OS:	Linux
Whiteboard:
Fixed In Version:	openssh-9.3p1-8.fc39	Doc Type:	If docs needed, set a value
Doc Text:		Story Points:	---
Clone Of:		Environment:
Last Closed:	2023-08-03 11:06:03 UTC	Type:	Bug
Regression:	---	Mount Type:	---
Documentation:	---	CRM:
Verified Versions:		Category:	---
oVirt Team:	---	RHEL 7.3 requirements from Atomic Host:
Cloudforms Team:	---	Target Upstream Version:
Embargoed:

Description Timothée Ravier 2021-11-22 19:38:12 UTC

Description of problem:

Using the sshd.socket unit might lead to DoS in some cases and unexpected setups where some configuration options are silently ignored.

It has been dropped from Arch Linux for those reasons and we should consider removing it from Fedora.

See:
- https://wiki.archlinux.org/title/OpenSSH#Daemon_management
- https://bugs.archlinux.org/task/62248
- https://github.com/systemd/systemd/issues/11553

Version-Release number of selected component (if applicable):

Latest openssh-server package

How reproducible:

Always

Steps to Reproduce:
1. Using the sshd.socket unit
2. Use a configuration option ignored in this setup or be a victim of a DoS attack

Actual results:

Can not login via ssh or able to login from unwanted networks.

Expected results:

Can login via ssh and access is correctly limited to selected networks.

Comment 1 Timothée Ravier 2021-11-23 17:46:51 UTC

See also:
- https://github.com/coreos/bugs/issues/966
- https://github.com/coreos/bugs/issues/2181

Comment 2 Ben Cotton 2022-02-08 21:22:33 UTC

This bug appears to have been reported against 'rawhide' during the Fedora 36 development cycle.
Changing version to 36.

Comment 3 Dmitry Belyavskiy 2022-09-08 12:45:10 UTC

I'm sorry, I'm not going to fix this issue.

Comment 4 Timothée Ravier 2022-10-19 15:33:56 UTC

Is it that you don't think we should fix it or that you don't have the time? I can make a PR if you're good taking it.

Comment 5 Dmitry Belyavskiy 2022-10-20 09:03:33 UTC

It's I don't think we should fix it. I don't understand this part well so not sure it's of much use.

Comment 6 Jakub Jelen 2022-10-20 09:48:18 UTC

I would just drop it. It was created when everything had to use systemd and everything had to be activated by socket to avoid running daemons, but it was never fully integrated and never working as expected so dropping the sshd.socket would make a lot of things easier. I do not think it is widely used. We had also counter-proposal to improve it in #1961785, but nobody stepped up to implement that so I think it is time to let it go.

Please, open a PR with this change. We would be happy to review and merge it.

Comment 7 Timothée Ravier 2023-02-06 17:24:41 UTC

Re-opening so that I can use this bug for tracking.

Comment 8 Ben Cotton 2023-02-07 15:12:51 UTC

This bug appears to have been reported against 'rawhide' during the Fedora Linux 38 development cycle.
Changing version to 38.

Comment 9 Fedora Update System 2023-08-03 09:24:27 UTC

FEDORA-2023-64f8335634 has been submitted as an update to Fedora 39. https://bodhi.fedoraproject.org/updates/FEDORA-2023-64f8335634

Comment 10 Fedora Update System 2023-08-03 11:06:03 UTC

FEDORA-2023-64f8335634 has been pushed to the Fedora 39 stable repository.
If problem still persists, please make note of it in this bug report.

Comment 11 Petr Pisar 2023-08-04 08:02:32 UTC

Did you know that recent openssh (9.3?) added MaxStartups with a default value having a similar DoS effect? The default settings causes random dropping of new connection if there are already 10 unauthenticated connections. I had to increase that option on my system, because 10 was impractically low when the system was under a moderate attack and denied me from accessing the host from my internal network.

Comment 12 Dmitry Belyavskiy 2023-08-04 08:23:25 UTC

Yes, I'm aware of MaxStartups though I think it was added earlier than in 9.3

Comment 13 Lennart Poettering 2023-08-07 09:48:35 UTC

huh, if you don't want the trigger limit, disable it. don't kill the socket unit. Already for compat with previous releases: people have the socket unit enabled.

See https://www.freedesktop.org/software/systemd/man/systemd.socket.html#TriggerLimitIntervalSec= for details.