On Fri, Dec 24, 2021 at 02:21:16PM +0100, Timo Weingärtner wrote:
> 24.12.21 12:22 Marc Haber:
> > So we agree here that it's mainly a documentation issue for ssh, so that
> > it should be recommended to actually mask ssh.service if socket
> > activation is used, right?
>
> For the bug on openssh: yes.
>
> Documentation could look like:
> If you decide to use socket activation consider masking ssh.service to avoid
> accidentally doing the wrong thing with "service ssh restart" or equivalent.

How does this patch look? diff --git a/debian/README.Debian b/debian/README.Debian index dbe6c2958..0851e38e3 100644 --- a/debian/README.Debian +++ b/debian/README.Debian @@ -193,9 +193,12 @@ you can run: To make this permanent: - systemctl disable ssh.service + systemctl mask ssh.service systemctl enable ssh.socket +("systemctl disable ssh.service" would also work, but masking avoids +accidentally starting the service manually.) + This may be appropriate in environments where minimal footprint is critical (e.g. cloud guests). Be aware that this bypasses MaxStartups, and systemd's MaxConnections cannot quite replace this as it cannot distinguish between -- Colin Watson (he/him) [cjwat...@debian.org]
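
Review bot: The added parenthetical in the README.Debian hunk says masking "avoids accidentally starting the service manually", which is vaguer than the case raised in the thread: an admin running "service ssh restart" or an equivalent while ssh.socket is in use. Naming that command in the parenthetical would tell readers what the mask protects them from. Since the instruction changes from "systemctl disable ssh.service" to "systemctl mask ssh.service", the visible text also gives no way back; a short line noting that "systemctl unmask ssh.service" is needed before returning to the non-socket-activated setup would save a confusing failure later, because a masked unit cannot be started or enabled until it is unmasked.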