[systemd-devel] Delaying (SSH) key generation until the urandom pool is initialized

Thomas Bächler thomas at archlinux.org
Wed Apr 30 03:56:58 PDT 2014


Am 30.04.2014 10:23, schrieb Tom Gundersen:
>> On 04/29/2014 09:30 PM, Tom Gundersen wrote:
>>
>>> You can easily start the sockets early, but make the daemon itself
>>> wait for the key generation to finish.
>>
>>
>> Thanks.  Can you provide an example?
> 
> I guess the last three files here would have the right dependencies:
> https://projects.archlinux.org/svntogit/packages.git/tree/trunk?h=packages/openssh
> 
>> (I don't want to change the daemon code.)
> 
> Your service needs to be socket activatable, which the default ssh
> daemon is not, but the per-instance version is.

These files run sshd in inetd mode. This means that for each connection,
a new sshd instance is created that will handle the connection.

This is usually bad, but not in openssh's case. When sshd runs as a
daemon and you connect to it, it will fork a new instance and reexec
itself; the same happens when instantiating it from systemd.
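To illustrate the arrangement discussed above (socket started early, per-connection sshd instance that waits on key generation), here is a constructed set of three unit files. This is an added example, not the files from the Arch package linked in the thread; the unit names (sshd.socket, sshd@.service, sshdgenkeys.service), the key paths and the use of `ssh-keygen -A` are assumptions chosen for the illustration.

```ini
# --- sshd.socket (constructed example) ---
# The listener is bound early at boot. Accept=yes means systemd accepts each
# TCP connection itself and spawns one sshd@<instance>.service per connection,
# so the socket is ready before any host key exists.
[Unit]
Description=OpenSSH per-connection socket
Conflicts=sshd.service

[Socket]
ListenStream=22
Accept=yes

[Install]
WantedBy=sockets.target

# --- sshdgenkeys.service (constructed example) ---
# One-shot job that creates any missing host keys. The condition line skips
# the job when every listed key already exists ('|' = any condition suffices,
# '!' = negate). Key paths are assumed.
[Unit]
Description=Generate SSH host keys
ConditionPathExists=|!/etc/ssh/ssh_host_ed25519_key
ConditionPathExists=|!/etc/ssh/ssh_host_rsa_key

[Service]
Type=oneshot
ExecStart=/usr/bin/ssh-keygen -A

# --- sshd@.service (constructed example) ---
# Template instantiated once per accepted connection. After=/Wants= on the
# key-generation job is what delays the daemon (not the socket) until the
# keys are in place; sshd runs in inetd mode (-i) on the connection socket
# handed to it as stdin.
[Unit]
Description=OpenSSH per-connection daemon
After=sshdgenkeys.service
Wants=sshdgenkeys.service

[Service]
ExecStart=-/usr/bin/sshd -i
StandardInput=socket
StandardError=syslog
```

A connection that arrives before sshdgenkeys.service has completed is queued in the kernel's listen backlog rather than refused; the spawned sshd@ instance simply does not start until the ordering dependency is satisfied. Whatever gating of key generation on the random pool the rest of this thread settles on belongs in the one-shot unit, not in the socket.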

