The sshd.socket behavior may cause a remote DoS and require manual intervention to make the server accept SSH connections again. sshd.service doesn't have these downsides.
Owners, do not implement this work until the FESCo vote has explicitly ended. The Fedora Program Manager will create a tracking bug in Bugzilla for this Change, which is your indication to proceed. See the FESCo ticket policy and the Changes policy for more information.
REMINDER: This ticket is for FESCo members to vote on the proposal. Further discussion should happen in the devel list thread linked above.
please fix title: "Change" misspelled
+1
This means that systems updating from 38 to 39 and relying on sshd.socket for openssh access to the system will end up unreachable via SSH.
This is in the "Feedback" section, but not addressed in the proposal other than "will require manual intervention" (whatever that means if you no longer have access to your machine). I don't think that is a good solution.
Additionally - hasn't systemd upstream implemented some rate limiting feature for socket activation recently? I would rather have the sshd.socket use that instead of turning it off and potentially locking users out of their systems.
For now, -1 to prevent auto-approval.
Metadata Update from @ngompa: - Issue tagged with: meeting
-1 for the same reason.
-1 as well.
I don't think "manual intervention" on upgrade is acceptable and I think this change is a knee-jerk reaction to a problem that it's not clear anyone actually has.
This will be discussed today at 17:00 UTC in #fedora-meeting-2.
Context in:
- https://pagure.io/fesco/issue/3062
- https://github.com/coreos/fedora-coreos-tracker/issues/1558
I agree with @sgallagh's assessment here. -1 from me
This was discussed in today's meeting: AGREED: REJECTED (0, 0, -5)
I have a proposal for a different approach: socket-activation with Accept=no, i.e. having a single instance of sshd activated on demand. I'll reach out with some details privately.
Metadata Update from @zbyszek: - Issue close_status updated to: Rejected - Issue status updated to: Closed (was: Open)