Emil Kronborg via lists.openembedded.org <emil.kronborg= protonmail....@lists.openembedded.org> escreveu (segunda, 18/03/2024 à(s) 18:55):
> On Fri, Mar 15, 2024 at 16:09 +0000, Ross Burton wrote: > > On 7 Mar 2024, at 20:08, Emil Kronborg via lists.openembedded.org > <emil.kronborg=protonmail....@lists.openembedded.org> wrote: > > > > > > Socket activation is prone to DoS (denial of service) because too many > > > connections will permanently deactivate sshd.socket [1]. Also, since > > > socket units do not allow setting Restart, accepting new connections > can > > > fail due to, for example, OOM (out of memory) [2]. Therefore, it seems > > > more sensible to use sshd.service by default and let sshd.socket be an > > > optional choice. > > > > Counter-argument: this is why it’s a PACKAGECONFIG, and socket > activation has the advantage that it makes boots faster. If DoS is a > concern, then the distro can switch trivially to service activated. > > > > Ross > > Those are fair arguments. What do you think about the situation where > sshd.socket becomes disabled, and you are unable to connect? I can see > this being a problem for remote boards or boards that are not easily > accessible. FWIW, socket activation is disabled by default on Arch Linux > and Fedora. I don't have a box running Debian (or any other distros) > right now to check those as well. > Gentoo also doesn't have the socket activation option installed. I am in favor of merging this change. With the new openssh 9.8p1 the systemd service notification doesn't work with the "-i" so we can't use that also in socket mode. Jose > > -- > Emil Kronborg > > > > > -- Best regards, José Quaresma
-=-=-=-=-=-=-=-=-=-=-=- Links: You receive all messages sent to this group. View/Reply Online (#202200): https://lists.openembedded.org/g/openembedded-core/message/202200 Mute This Topic: https://lists.openembedded.org/mt/104795507/21656 Group Owner: openembedded-core+ow...@lists.openembedded.org Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub [arch...@mail-archive.com] -=-=-=-=-=-=-=-=-=-=-=-