Description of problem: Using the sshd.socket unit might lead to DoS in some cases and unexpected setups where some configuration options are silently ignored. It has been dropped from Arch Linux for those reasons and we should consider removing it from Fedora. See: - https://wiki.archlinux.org/title/OpenSSH#Daemon_management - https://bugs.archlinux.org/task/62248 - https://github.com/systemd/systemd/issues/11553 Version-Release number of selected component (if applicable): Latest openssh-server package How reproducible: Always Steps to Reproduce: 1. Using the sshd.socket unit 2. Use a configuration option ignored in this setup or be a victim of a DoS attack Actual results: Can not login via ssh or able to login from unwanted networks. Expected results: Can login via ssh and access is correctly limited to selected networks.
See also: - https://github.com/coreos/bugs/issues/966 - https://github.com/coreos/bugs/issues/2181
This bug appears to have been reported against 'rawhide' during the Fedora 36 development cycle. Changing version to 36.
I'm sorry, I'm not going to fix this issue.
Is it that you don't think we should fix it or that you don't have the time? I can make a PR if you're good taking it.
It's I don't think we should fix it. I don't understand this part well so not sure it's of much use.
I would just drop it. It was created when everything had to use systemd and everything had to be activated by socket to avoid running daemons, but it was never fully integrated and never working as expected so dropping the sshd.socket would make a lot of things easier. I do not think it is widely used. We had also counter-proposal to improve it in #1961785, but nobody stepped up to implement that so I think it is time to let it go. Please, open a PR with this change. We would be happy to review and merge it.
Re-opening so that I can use this bug for tracking.
This bug appears to have been reported against 'rawhide' during the Fedora Linux 38 development cycle. Changing version to 38.
FEDORA-2023-64f8335634 has been submitted as an update to Fedora 39. https://bodhi.fedoraproject.org/updates/FEDORA-2023-64f8335634
FEDORA-2023-64f8335634 has been pushed to the Fedora 39 stable repository. If problem still persists, please make note of it in this bug report.
Did you know that recent openssh (9.3?) added MaxStartups with a default value having a similar DoS effect? The default settings causes random dropping of new connection if there are already 10 unauthenticated connections. I had to increase that option on my system, because 10 was impractically low when the system was under a moderate attack and denied me from accessing the host from my internal network.
Yes, I'm aware of MaxStartups though I think it was added earlier than in 9.3
huh, if you don't want the trigger limit, disable it. don't kill the socket unit. Already for compat with previous releases: people have the socket unit enabled. See https://www.freedesktop.org/software/systemd/man/systemd.socket.html#TriggerLimitIntervalSec= for details.