Emil Kronborg via lists.openembedded.org <emil.kronborg=protonmail....@lists.openembedded.org> wrote (Monday, 18/03/2024 at 18:55):

> On Fri, Mar 15, 2024 at 16:09 +0000, Ross Burton wrote:
> > On 7 Mar 2024, at 20:08, Emil Kronborg via lists.openembedded.org <emil.kronborg=protonmail....@lists.openembedded.org> wrote:
> > >
> > > Socket activation is prone to DoS (denial of service) because too many
> > > connections will permanently deactivate sshd.socket [1]. Also, since
> > > socket units do not allow setting Restart, accepting new connections can
> > > fail due to, for example, OOM (out of memory) [2]. Therefore, it seems
> > > more sensible to use sshd.service by default and let sshd.socket be an
> > > optional choice.
> >
> > Counter-argument: this is why it’s a PACKAGECONFIG, and socket
> > activation has the advantage that it makes boots faster.  If DoS is a
> > concern, then the distro can switch trivially to service activated.
> >
> > Ross
>
> Those are fair arguments. What do you think about the situation where
> sshd.socket becomes disabled, and you are unable to connect? I can see
> this being a problem for remote boards or boards that are not easily
> accessible. FWIW, socket activation is disabled by default on Arch Linux
> and Fedora. I don't have a box running Debian (or any other distros)
> right now to check those as well.
>

Gentoo also doesn't have the socket activation option installed.
I am in favor of merging this change.

With the new openssh 9.8p1 the systemd service notification doesn't
work with the "-i" so we can't use that also in socket mode.

Jose


>
> --
> Emil Kronborg

-- 
Best regards,

José Quaresma