On Fri, 2014-10-10 at 11:52 +0200, Tom Hutter wrote:
> Therefore I added a service, to solve this under the current Debian
> Wheezy version I am running.

Hmm, I'm a bit torn between thinking that this is either an ugly hack or a clean solution ^^

> ExecStart=/bin/true

At least this seems a hack ;-)

Let me see, on the one hand I think there should be one ssh.service file which should be able to handle everything (isn't systemd so powerful?!)... on the other hand I like the idea of having a service for the user sessions, which should ideally allow stopping them (which is, AFAICS, however not achieved by your version).

Let's perhaps collect what we want:

a) if sshd crashes or when it is restarted/reloaded (or when the network is restarted), we do not want ssh sessions to terminate, right?
Of course this has the problem that long-running user sessions (or consider something like ssh control channel multiplexing) are typically *never* killed - which can be quite a security problem. Imagine a flaw found in ssh which also affects running connections - even when the main daemon would be restarted after a package upgrade, the user session processes would still be vulnerable. But let's say that this should be the job of a tool like needrestart[0].

b) we want a way to actually stop user sessions... not only for this particular bug (i.e. on shutdown), but as a locally logged in sysadmin I'd also like to say "okay... away with sshd and its users".

Maybe the way to go would be the following:
- only restart/reload actions keep the user sessions alive
- stop however kills them as well

AFAICS, this should solve (a) and (b); the only difference to now would be that we need to educate our users/admins that "systemctl stop ssh" really means "all ssh stops" and not just "the main ssh daemon stops but old connections remain".

Actually I feel that would be much cleaner, since the action is called "stop" and not "stop-but-there-are-exceptions", and one should be able to expect stop to really stop it (on the other hand though, one could argue the same for restart/reload).

Cheers,
Chris.

[0] Note that needrestart currently also suffers this problem: it only tracks the daemons, not the running sessions.
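The "stop really stops everything, restart/reload leaves sessions alone" policy discussed in the thread can be exercised offline. The following script is an added illustration, not Tom's service and not Debian's or OpenSSH's own cleanup code. It assumes (labelled assumption) the usual sshd process-title convention, where the listening daemon shows as `/usr/sbin/sshd -D`, the privileged per-connection parent as `sshd: <user> [priv]`, and the unprivileged session process as `sshd: <user>@pts/N` or `sshd: <user>@notty`; the listing it works on is a constructed `ps -eo pid=,args=` sample, and `DRY_RUN=1` makes it report rather than signal.

```shell
#!/bin/sh
# Added example: selection logic for an "ssh stop really stops all sessions"
# cleanup step. Not Debian's or OpenSSH's script; process titles below are an
# assumption about how sshd renames its per-connection processes.

# Constructed sample listing in `ps -eo pid=,args=` form. Only the two
# unprivileged session processes (2310, 2460) should be selected: the master
# daemon, the [priv] parents, the pre-auth [accepted]/[net] workers and the
# cleanup script itself must be left alone.
SAMPLE_PS='  812 /usr/sbin/sshd -D
 2301 sshd: alice [priv]
 2310 sshd: alice@pts/0
 2455 sshd: bob [priv]
 2460 sshd: bob@notty
 2470 sshd: [accepted]
 2480 sshd: unknown [net]
 3001 /bin/sh /usr/local/sbin/ssh-session-cleanup'

# Read a pid/args listing on stdin and print the PIDs of per-session sshd
# processes: field 2 is the literal "sshd:", field 3 is "<user>@<tty|notty>".
# The [priv] parent exits on its own once its child is gone, so it is not
# targeted; killing only the unprivileged side also keeps the selection tight.
select_session_pids() {
    awk '$2 == "sshd:" && $3 ~ /^[^@]+@(pts\/[0-9]+|notty)$/ { print $1 }'
}

# Terminate the selected sessions with SIGTERM. With DRY_RUN=1 the policy is
# only reported, so it can be reviewed before being wired into a unit file.
terminate_sessions() {
    select_session_pids | while read -r pid; do
        if [ "${DRY_RUN:-0}" = 1 ]; then
            echo "would send SIGTERM to $pid"
        else
            kill -TERM "$pid" 2>/dev/null || true
        fi
    done
}

# Stand-alone demo against the constructed listing. The live form would be
#   ps -eo pid=,args= | terminate_sessions
# run from the ExecStop= of a companion unit (see the note below).
printf '%s\n' "$SAMPLE_PS" | DRY_RUN=1 terminate_sessions
```

The reason this belongs in a companion unit rather than an `ExecStopPost=` on ssh.service itself is that `systemctl restart` runs the stop hooks of the unit before starting it again, so a cleanup step placed there would kill sessions on every restart, which is exactly what the first bullet above wants to avoid. Keeping `KillMode=process` on ssh.service (so restart and reload only touch the listening daemon) and putting the cleanup in a separate `RemainAfterExit=yes` service whose `ExecStop=` runs the script gives the two behaviours independently; how that second unit is bound to "systemctl stop ssh" is the design choice the thread is still discussing.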