[systemd-devel] Socket activated SSHD service showing up as a failure when the client connection fReply-To:
lennart at poettering.net
Thu Aug 14 15:33:16 PDT 2014
On Thu, 17.07.14 13:49, Roger Qiu (roger.qiu at polycademy.com) wrote:
> I've googled around and saw that 255 error code comes up a lot. But
> most resources talked about "ssh" not necessarily the "sshd". If we
> ignore 255 code, is it possible we're also ignoring some other real
> errors, and not just the client failing the connection? Basically I
> would like sshd to report an error, if it is indeed an error from
> the host's side, not the client's side.
In general I'd recommend to use ExecStart=-/usr/sbin/sshd...,
i.e. with the "-" between the = and the /. This tells systemd to
completely ignore the exit/failure status of the process.
The reason for this is that if an sshd instance fails it would stay
around in failed state. Since you use per-connection instances this
might be able to give an attacker the chance to create tons of failed
services, until systemd refuses.
I'd hence recommend to always ignore errors for services that are
instantiated in theoretic unbounded numbers. You'll still get them
reported in the logs, but I'd recommend not making them enter a service
into "failed" mode.
I hope that makes some sense,
Lennart Poettering, Red Hat
More information about the systemd-devel