F40 Change Proposal: Drop SSHD Socket (Self Contained)

Wiki Link

Announce Link

This is a proposed Change for Fedora Linux.
This document represents a proposed Change. As part of the Changes process, proposals are publicly announced in order to receive community feedback. This proposal will only be implemented if approved by the Fedora Engineering Steering Committee.

:link: Summary[edit]

The sshd.socket behavior may cause the remote DoS and require a manual intervention to make server accepting the ssh connections back. sshd.service doesn’t have these downsides

:link: Owner[edit]

:link: Detailed Description

A while ago, a dropping the sshd.socket from the openssh package was suggested in BZ#2025716 as there are several shortcomings with this approach that could lead to situations where users would loose access to a system while under DoS or memory pressure.

This change was implemented in rawhide & f39 and discussed on the devel list in a thread.

This change was reverted in f39 according to the FESCO decision.

:link: Feedback

The change as implemented does not include a migration path for existing users of the sshd.socket unit to the sshd.service unit. We need some migration path, also suitable for OSTree

This means that systems updating from 38 to 39 and relying on sshd.socket for openssh access to the system will end up unreachable via SSH.

This is notably important for Fedora CoreOS where we will automatically update systems to the next Fedora version shortly after the release: sshd.socket going away in Fedora 40 · Issue #1558 · coreos/fedora-coreos-tracker · GitHub

We think this change needs to get more visibility and should go through the change process and be evaluated for inclusion in Fedora 40.

See also the mentioned before thread.

:link: Benefit to Fedora

This change will prevent remote DoS in the case the sshd.socket is acivated.

:link: Scope

  • Proposal owners: the migration scriptlet is the best solution.

  • Other developers: check the dependencies on sshd.socket

  • Release engineering: #Releng issue number

  • Policies and guidelines: N/A (not needed for this Change)

  • Trademark approval: N/A (not needed for this Change)

  • Alignment with Community Initiatives: N/A

:link: Upgrade/compatibility impact

The worst case the remote access to the system will be lost of sshd.socket is enabled and the system is not switched to using sshd.service before upgrade

:link: How To Test

Enable sshd.socket Upgrade Check remote access over sshd

:link: User Experience

See “Benefit for Fedora”

:link: Dependencies

:link: Contingency Plan

Reverting the change

  • Contingency mechanism: (What to do? Who will do it?) N/A (not a System Wide Change)
  • Contingency deadline: N/A (not a System Wide Change)
  • Blocks release? N/A (not a System Wide Change), Yes/No

:link: Documentation

N/A (not a System Wide Change)

:link: Release Notes

The change should be mentioned in the Release Notes.

It seems that there is ongoing work in systemd upstream to fix this issue: core: add new "PollLimit" settings to .socket units by poettering · Pull Request #29159 · systemd/systemd · GitHub

This adds a new “PollLimit” pair of settings to .socket units, very similar to existing “TriggerLimit” logic

I am not sure if timing will be right for this to make it to F40 but it seemed worth pointing out. (Lennart sent this to fedora-devel this morning so may have been missed)

If I understand correctly and this change can make it to F40 it would avoid the migration issue entirely.

core: add new "PollLimit" settings to .socket units by poettering · Pull Request #29159 · systemd/systemd · GitHub has been merged in systemd upstream and should address the main concerns I had raised in https://bugzilla.redhat.com/show_bug.cgi?id=2025716#c0.

I don’t think we should do this change anymore.

I think, by process, Dmitry can cancel the proposal immediately if he agrees. Otherwise we’d have to have FESCo vote it down…

1 Like

This change proposal has now been submitted to FESCo with ticket #3098 for voting.

To find out more, please visit our Changes Policy documentation.

For history: This change was rejected by FESCO and withdrawn.

1 Like