== Summary ==
The sshd.socket behavior may cause a remote DoS and require manual intervention to make the server accept ssh connections again. sshd.service doesn't have these downsides.

== Owner ==
* Name: [[User:Dbelyavs| Dmitry Belyavskiy]]
* Email: dbelyavs@xxxxxxxxxx

== Detailed Description ==
A while ago, dropping the sshd.socket unit from the openssh package was suggested in [https://bugzilla.redhat.com/show_bug.cgi?id=2025716 BZ#2025716], as there are several shortcomings with the socket-activation approach that could lead to situations where users lose access to a system while it is under DoS or memory pressure.

This change was implemented in rawhide & f39 and discussed on the devel list in a [https://lists.fedoraproject.org/archives/list/devel@xxxxxxxxxxxxxxxxxxxxxxx/thread/O6V7ZH3BMCWOREDWXOIAPUG7PGMWIBVR/#BQPRQLXPBKPQL7KR62GUR5H7EEAS2CUN thread].

This change was reverted in f39 according to the [https://pagure.io/fesco/issue/3062 FESCO decision].

== Feedback ==
The change as implemented does not include a migration path for existing users of the sshd.socket unit to the sshd.service unit. We need some migration path, also suitable for OSTree.

This means that systems updating from 38 to 39 and relying on sshd.socket for openssh access to the system will end up unreachable via SSH. This is notably important for Fedora CoreOS, where we will automatically update systems to the next Fedora version shortly after the release: https://github.com/coreos/fedora-coreos-tracker/issues/1558

We think this change needs to get more visibility and should go through the change process and be evaluated for inclusion in Fedora 40.

See also the previously mentioned [https://lists.fedoraproject.org/archives/list/devel@xxxxxxxxxxxxxxxxxxxxxxx/thread/O6V7ZH3BMCWOREDWXOIAPUG7PGMWIBVR/#BQPRQLXPBKPQL7KR62GUR5H7EEAS2CUN thread].

== Benefit to Fedora ==
This change will prevent a remote DoS in the case where sshd.socket is activated.
== Scope ==
* Proposal owners: a migration scriptlet is the best solution.
* Other developers: check the dependencies on sshd.socket.
* Release engineering: [https://pagure.io/releng/issues #Releng issue number]
* Policies and guidelines: N/A (not needed for this Change)
* Trademark approval: N/A (not needed for this Change)
* Alignment with Community Initiatives: N/A

== Upgrade/compatibility impact ==
In the worst case, remote access to the system will be lost if sshd.socket is enabled and the system is not switched to sshd.service before the upgrade.

== How To Test ==
# Enable sshd.socket
# Upgrade
# Check remote access over sshd

== User Experience ==
See "Benefit to Fedora"

== Dependencies ==

== Contingency Plan ==
Reverting the change
* Contingency mechanism: N/A (not a System Wide Change)
* Contingency deadline: N/A (not a System Wide Change)
* Blocks release? N/A (not a System Wide Change)

== Documentation ==
N/A (not a System Wide Change)

== Release Notes ==
The change should be mentioned in the Release Notes.
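A migration scriptlet of the kind the Scope section calls for, and the state the How To Test steps exercise, as an added example that is not the openssh package's own code: it assumes it runs during the package upgrade while the sshd.socket unit is still known to systemd, and reads the `systemctl` command from `SYSTEMCTL` so the decision logic can be checked offline.

```shell
#!/bin/sh
# Hypothetical migration scriptlet (added example, not the openssh package's own).
# Assumed to run from an RPM scriptlet of the upgraded package while sshd.socket
# is still known to systemd. It moves a system that relied on sshd.socket to
# sshd.service so the host stays reachable over SSH after the upgrade.
# SYSTEMCTL may be overridden to test the logic without a real systemd.
SYSTEMCTL="${SYSTEMCTL:-systemctl}"

# Report a unit's enablement state ("enabled", "disabled", "not-found", ...).
# systemctl exits non-zero for anything but enabled, so swallow the status.
unit_enabled_state() {
    "$SYSTEMCTL" is-enabled "$1" 2>/dev/null || true
}

# Decide what to do from the socket's and the service's enablement states.
# Prints one systemctl action per line; prints nothing when no migration is needed.
plan_sshd_migration() {
    socket_state="$1"   # output of `systemctl is-enabled sshd.socket`
    service_state="$2"  # output of `systemctl is-enabled sshd.service`
    case "$socket_state" in
        enabled|enabled-runtime)
            # The socket was the entry point for ssh access: replace it with the
            # service so the daemon keeps listening on its own, not per connection.
            echo "disable --now sshd.socket"
            [ "$service_state" = "enabled" ] || echo "enable --now sshd.service"
            ;;
        *)
            # Socket not in use (disabled or already gone): nothing to migrate.
            ;;
    esac
}

# Apply the plan with the real (or substituted) systemctl, reporting failures
# instead of aborting so the package transaction itself still completes.
migrate_sshd() {
    plan_sshd_migration "$(unit_enabled_state sshd.socket)" \
                        "$(unit_enabled_state sshd.service)" |
    while IFS= read -r action; do
        # shellcheck disable=SC2086  # word splitting of $action is intended
        "$SYSTEMCTL" $action || echo "sshd migration: '$SYSTEMCTL $action' failed" >&2
    done
}
```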
--
Aoife Moloney
Product Owner
Community Platform Engineering Team
Red Hat EMEA
Communications House
Cork Road
Waterford