On Fri 16 Sep 2022 at 09:17:10 (+0200), Michael wrote: > On Thursday, 15 September 2022 13:01:45 CEST, Greg Wooledge wrote: > > of course the first thing i did was to check if all the files from the > package were as they should be, and everything was fine! > > > It's supposed to be created as needed. There should be two lines in > > the unit file: > > > > unicorn:/lib/systemd/system$ grep RuntimeDirectory ssh@.service > > RuntimeDirectory=sshd > > RuntimeDirectoryMode=0755 > > unicorn:/lib/systemd/system$ grep RuntimeDirectory ssh.service > > RuntimeDirectory=sshd > > RuntimeDirectoryMode=0755 > > i never questioned that! my problem wasn't based on these lines are > missing or in some way altered. my problem resulted in these lines > being there as they are! ;) > > > That should cause the /run/sshd directory to be created when the service > > is started, and removed when it's stopped. > > you got it! :) > > having 'RuntimeDirectory=sshd' in ssh.service is totally fine! that > is, b/c sshd runs as a daemon, and each new connection is handled by > that exact daemon. so the /run/sshd directory stays there no matter > how many connections to the host exist or being terminated, etc. > > with ssh@.service it is completely different. for each connection > there is a dedicated sshd process being started, and each one of them > has the same /run/sshd directory assigned. and that's the problem if > you have more than one connection to a given host. as soon as the > first connection is terminated, the /run/sshd directory disappears, > and the other sshd's might run into problems.
The rationale for having ssh@.service appears to be laid out in https://bugzilla.redhat.com/show_bug.cgi?id=963268 and http://0pointer.de/blog/projects/inetd.html (not that I appreciate some of the points being made there). > but i still don't understand, why this scenario prevents me from > contacting a host with the formerly mentioned error message in the log > file... > > On Thu 15 Sep 2022 at 12:02:21 (+0200), Michael wrote: > > > so i started digging, and to my surprise i found out that on the > > > affected servers sshd was configured to be invoked by ssh.socket (via > > > ssh@.service with the -i option), wheras on all other hosts sshd was > > > running as a daemon (via ssh.service whith the -D option). > > > > > > so, my first question is: why? I don't think you've yet confirmed what's in your /etc/systemd tree on the different hosts. Mine all show: $ find /etc/systemd/ -name \*ssh\* -ls | squeeze-whitespace 1700765 0 lrwxrwxrwx 1 root root 31 Apr 16 20:31 /etc/systemd/system/sshd.service -> /lib/systemd/system/ssh.service 1700799 0 lrwxrwxrwx 1 root root 31 Apr 16 20:31 /etc/systemd/system/multi-user.target.wants/ssh.service -> /lib/systemd/system/ssh.service 1702117 0 lrwxrwxrwx 1 root root 42 Apr 16 20:56 /etc/systemd/user/sockets.target.wants/gpg-agent-ssh.socket -> /usr/lib/systemd/user/gpg-agent-ssh.socket $ with no trace of the @ version, below. $ diff -u /lib/systemd/system/ssh*service --- /lib/systemd/system/ssh.service 2022-07-01 17:37:41.000000000 -0500 +++ /lib/systemd/system/ssh@.service 2022-07-01 17:37:41.000000000 -0500 @@ -1,22 +1,11 @@ [Unit] -Description=OpenBSD Secure Shell server +Description=OpenBSD Secure Shell server per-connection daemon Documentation=man:sshd(8) man:sshd_config(5) -After=network.target auditd.service -ConditionPathExists=!/etc/ssh/sshd_not_to_be_run +After=auditd.service [Service] EnvironmentFile=-/etc/default/ssh -ExecStartPre=/usr/sbin/sshd -t -ExecStart=/usr/sbin/sshd -D $SSHD_OPTS -ExecReload=/usr/sbin/sshd -t -ExecReload=/bin/kill -HUP $MAINPID -KillMode=process -Restart=on-failure -RestartPreventExitStatus=255 -Type=notify +ExecStart=-/usr/sbin/sshd -i $SSHD_OPTS ← +StandardInput=socket ← RuntimeDirectory=sshd RuntimeDirectoryMode=0755 - -[Install] -WantedBy=multi-user.target -Alias=sshd.service $ Cheers, David.
