[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Bug#832155: New ssh-session-cleanup.service kills ssh user session during upgrade

Am 23.07.2016 um 12:29 schrieb Colin Watson:
> On Sat, Jul 23, 2016 at 01:35:04AM +0200, Michael Biebl wrote:
>> the addition of ssh-session-cleanup.service in the latest upload [1] is
>> imho a bad idea. It's an aweful hack and besides, it also kills your SSH
>> sessions on upgrades (thus severity RC).
>> The proper fix is to use libpam-systemd. This will register a proper
>> session scope when users log in via SSH. Those session scopes are
>> ordered against systemd-user-sessions.service which itself has a proper
>> ordering against network.target. So those user session are stopped
>> before the network stack is shutdown.
>> Please drop ssh-session-cleanup.service again and simply add a
>> dependency on libpam-systemd. It's the correct solution for this
>> problem.
> While of course I have libpam-systemd installed on all my systems, I
> really don't want to depend on it; besides, the original report had
> people saying that they encountered occasional problems of sessions not
> being cleaned up even with PAM configured and libpam-systemd installed
> too.

I referenced in my other reply that the network.target ordering has just
been added recently (in v230). So it is possible that previously there
was still an issue on shutdown. This is fixed now.

Besides, there are many other reasons why you really want libpam-systemd
in combination with SSH.
You really want the user process be tracked as part of the user session,
so you can properly apply resource limits or safely kill user sessions.

  I think I'll add a Recommends on it, but I really want
> openssh-server to be usable on very minimal systems, including those
> using other init systems, without having to deal with dependency
> strangenesses.

Please disable the ssh-session-cleanup.service hack by default if you
don't want to remove it. Or better, ship it as an example file.
I really don't what such service file be installed (and active) by
default on every system. People might see it and think it's actually ok
to apply such hacks.

It doesn't help for the non-systemd case and people who opt to not
install recommends by default use a non-standard configuration, so it's
imho ok if those need to also apply additional configuration in case of
SSH. We should optimize for the common case.


Why is it that all of the instruments seeking intelligent life in the
universe are pointed away from Earth?

Attachment: signature.asc
Description: OpenPGP digital signature

Reply to: