hey,
I recently had problems reaching some of my hosts with ssh. As it turned
out, it was because sshd refused the connection due to a missing /run/sshd
directory.
The logfile entry:
Aug 28 00:10:08 mail sshd[151893]: fatal: Missing privilege separation
directory: /run/sshd
So I started digging, and to my surprise I found out that on the affected
servers sshd was configured to be invoked by ssh.socket (via ssh@.service
with the -i option), whereas on all other hosts sshd was running as a daemon
(via ssh.service with the -D option).
So, my first question is: why?
All servers run Debian 11 (bullseye), updated from Debian 10 (buster), and
I cannot remember changing this, i.e. enabling ssh.socket. Why would I?
Now that I know the problem, I have essentially three choices (assuming I do
not change the invocation via ssh.socket):
1: create /run/sshd whenever it disappears
2: prevent /run/sshd from being deleted
3: make each ssh@.service session use its own directory
1: That's what I started with, to monitor what was wrong and to be able to
use ssh, but this is a mitigation rather than a solution.
2: I added a drop-in at /etc/systemd/system/ssh@.service.d/ with
'RuntimeDirectoryPreserve=yes', and it works.
3: First, I also added a drop-in at /etc/systemd/system/ssh@.service.d/
with 'RuntimeDirectory=sshd.%i', but it just added the new directory to the
already defined 'sshd', resulting again in the deletion of /run/sshd. So I
copied /usr/lib/systemd/system/ssh@.service to /etc/systemd/system/ and
changed 'RuntimeDirectory=sshd' to 'RuntimeDirectory=sshd.%i', and it
works.
Is it safe to say that this issue is a misconfiguration? Should the
package maintainer be notified? Or did I miss something?
greetings...
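The behaviour described in this post (one shared RuntimeDirectory=sshd for every ssh@.service instance, removed by systemd as soon as any one instance stops, and a drop-in that appends to the list instead of replacing it) follows from documented systemd rules: list-type settings such as RuntimeDirectory= accumulate across the unit file and its drop-ins in load order, an empty assignment resets the list, and runtime directories are created under /run on start and removed on stop unless RuntimeDirectoryPreserve=yes. The model below, an added example that is not code from the post or from the Debian openssh package, implements those rules for a templated unit and replays the poster's three attempts: the drop-in that appends, the RuntimeDirectoryPreserve=yes drop-in, and a per-instance directory. The unit texts and instance names are constructed for the example, and it assumes, as in the post, that /run/sshd already existed before the first instance stopped.

```python
"""Model of systemd's RuntimeDirectory= handling for a templated service such
as ssh@.service: merging across unit file and drop-ins, %i expansion, and the
create-on-start / remove-on-stop lifecycle.  Added example; the unit texts
below are constructed and are not copies of Debian's ssh@.service.
"""
import re

LIST_SETTINGS = {"RuntimeDirectory"}   # settings that accumulate rather than overwrite


def effective_settings(unit_text, dropins=()):
    """Parse the [Service] section of a unit and its drop-ins in load order.

    Returns {key: value}; keys in LIST_SETTINGS map to a list.  An empty
    assignment to a list setting resets it (systemd.unit(5) semantics).
    """
    settings = {}
    for text in (unit_text, *dropins):
        section = None
        for raw in text.splitlines():
            line = raw.strip()
            if not line or line[0] in "#;":
                continue
            m = re.fullmatch(r"\[(.+)\]", line)
            if m:
                section = m.group(1)
                continue
            if section != "Service" or "=" not in line:
                continue
            key, _, value = line.partition("=")
            key, value = key.strip(), value.strip()
            if key in LIST_SETTINGS:
                if value == "":
                    settings[key] = []                      # reset
                else:
                    settings.setdefault(key, []).extend(value.split())
            else:
                settings[key] = value                       # scalar: last wins
    return settings


def expand(value, instance):
    """Expand the %i instance specifier and the %% escape as systemd does."""
    return value.replace("%%", "\0").replace("%i", instance).replace("\0", "%")


def runtime_dirs(settings, instance):
    """Paths systemd manages under /run for one instance of the unit."""
    return ["/run/" + expand(d, instance) for d in settings.get("RuntimeDirectory", [])]


class RunState:
    """Shared /run contents plus the start/stop lifecycle of unit instances."""

    def __init__(self, settings, preexisting=()):
        self.settings = settings
        self.present = set(preexisting)   # directories currently under /run
        self.instances = {}               # instance name -> dirs it manages

    def start(self, instance):
        dirs = runtime_dirs(self.settings, instance)
        self.present.update(dirs)          # created on start if missing
        self.instances[instance] = dirs
        return dirs

    def stop(self, instance):
        dirs = self.instances.pop(instance)
        if self.settings.get("RuntimeDirectoryPreserve", "no") != "yes":
            self.present.difference_update(dirs)   # removed on stop by default
        return dirs

    def sshd_can_start(self):
        """The post's sshd needs /run/sshd (its privsep directory) to exist."""
        return "/run/sshd" in self.present


# Constructed stand-in for a per-connection sshd template unit.
BASE_UNIT = """[Unit]
Description=per-connection sshd (constructed example)

[Service]
RuntimeDirectory=sshd
RuntimeDirectoryMode=0755
ExecStart=/usr/sbin/sshd -i
StandardInput=socket
"""
PRESERVE_DROPIN = "[Service]\nRuntimeDirectoryPreserve=yes\n"
APPEND_DROPIN = "[Service]\nRuntimeDirectory=sshd.%i\n"                  # what the post tried
RESET_DROPIN = "[Service]\nRuntimeDirectory=\nRuntimeDirectory=sshd.%i\n"  # reset, then replace

# Constructed instance names in the shape systemd uses for accepted sockets.
CONN_1 = "1-192.0.2.10:51234-192.0.2.1:22"
CONN_2 = "2-192.0.2.11:40001-192.0.2.1:22"


def scenario(dropins=()):
    """Two overlapping connections; the first ends while the second is open.

    Returns (dirs managed for connection 1, whether /run/sshd still exists).
    /run/sshd is seeded as pre-existing, as it was on the poster's hosts.
    """
    run = RunState(effective_settings(BASE_UNIT, dropins), preexisting={"/run/sshd"})
    dirs = run.start(CONN_1)
    run.start(CONN_2)
    run.stop(CONN_1)
    return dirs, run.sshd_can_start()


if __name__ == "__main__":
    for label, dropins in [("default", ()), ("preserve", [PRESERVE_DROPIN]),
                           ("append", [APPEND_DROPIN]), ("reset", [RESET_DROPIN])]:
        dirs, ok = scenario(dropins)
        print(f"{label:9} manages {dirs}  /run/sshd survives: {ok}")
```

Two things the replay makes visible. First, a drop-in does not need to copy the whole unit to change RuntimeDirectory=: an empty `RuntimeDirectory=` line before the new value resets the list, so `/run/sshd` is no longer managed (and no longer deleted) by the template's instances. Second, with the per-instance directory nothing in the template creates `/run/sshd` any more, so that path has to come from somewhere else (it did exist on the poster's hosts before an instance stop removed it), which is worth checking before relying on option 3 on a freshly booted machine.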