1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
|
From 3b17dcc797febf6d8ebf0474a4fa835b14a6ec11 Mon Sep 17 00:00:00 2001
From: Steve Langasek <steve.langasek@ubuntu.com>
Date: Thu, 1 Sep 2022 16:03:37 +0100
Subject: Support systemd socket activation
Unlike inetd socket activation, with systemd socket activation the
supervisor passes the listened-on socket to the child process and lets
the child process handle the accept(). This lets us do delayed start
of the sshd daemon without becoming incompatible with config options
like ClientAliveCountMax.
Last-Update: 2022-09-01
Patch-Name: systemd-socket-activation.patch
---
sshd.c | 89 +++++++++++++++++++++++++++++++++++++++++++++++++---------
1 file changed, 75 insertions(+), 14 deletions(-)
diff --git a/sshd.c b/sshd.c
index b981e7758..565e17b16 100644
--- a/sshd.c
+++ b/sshd.c
@@ -140,10 +140,16 @@ int deny_severity;
#endif /* LIBWRAP */
/* Re-exec fds */
-#define REEXEC_DEVCRYPTO_RESERVED_FD (STDERR_FILENO + 1)
-#define REEXEC_STARTUP_PIPE_FD (STDERR_FILENO + 2)
-#define REEXEC_CONFIG_PASS_FD (STDERR_FILENO + 3)
-#define REEXEC_MIN_FREE_FD (STDERR_FILENO + 4)
+#ifdef HAVE_SYSTEMD
+#define SYSTEMD_OFFSET sd_listen_fds(0)
+#else
+#define SYSTEMD_OFFSET 0
+#endif
+
+#define REEXEC_DEVCRYPTO_RESERVED_FD (STDERR_FILENO + 1 + SYSTEMD_OFFSET)
+#define REEXEC_STARTUP_PIPE_FD (STDERR_FILENO + 2 + SYSTEMD_OFFSET)
+#define REEXEC_CONFIG_PASS_FD (STDERR_FILENO + 3 + SYSTEMD_OFFSET)
+#define REEXEC_MIN_FREE_FD (STDERR_FILENO + 4 + SYSTEMD_OFFSET)
extern char *__progname;
@@ -1020,6 +1026,48 @@ server_accept_inetd(int *sock_in, int *sock_out)
debug("inetd sockets after dupping: %d, %d", *sock_in, *sock_out);
}
+#ifdef HAVE_SYSTEMD
+/*
+ * Configure our socket fds that were passed from systemd
+ */
+static void
+setup_systemd_socket(int listen_sock)
+{
+ int ret;
+ struct sockaddr_storage addr;
+ socklen_t len = sizeof(addr);
+ char ntop[NI_MAXHOST], strport[NI_MAXSERV];
+
+ if (getsockname(listen_sock, (struct sockaddr *)&addr, &len) != 0)
+ return;
+
+ if (((struct sockaddr *)&addr)->sa_family != AF_INET
+ && ((struct sockaddr *)&addr)->sa_family != AF_INET6)
+ return;
+ if (num_listen_socks >= MAX_LISTEN_SOCKS)
+ fatal("Too many listen sockets. "
+ "Enlarge MAX_LISTEN_SOCKS");
+ if ((ret = getnameinfo((struct sockaddr *)&addr, len, ntop,
+ sizeof(ntop), strport, sizeof(strport),
+ NI_NUMERICHOST|NI_NUMERICSERV)) != 0) {
+ error("getnameinfo failed: %.100s",
+ ssh_gai_strerror(ret));
+ return;
+ }
+ if (set_nonblock(listen_sock) == -1) {
+ close(listen_sock);
+ return;
+ }
+ /* Socket options */
+ set_reuseaddr(listen_sock);
+
+ listen_socks[num_listen_socks] = listen_sock;
+ num_listen_socks++;
+
+ logit("Server listening on %s port %s.", ntop, strport);
+}
+#endif
+
/*
* Listen for TCP connections
*/
@@ -1099,22 +1147,35 @@ static void
server_listen(void)
{
u_int i;
+#ifdef HAVE_SYSTEMD
+ int systemd_socket_count;
+#endif
/* Initialise per-source limit tracking. */
srclimit_init(options.max_startups, options.per_source_max_startups,
options.per_source_masklen_ipv4, options.per_source_masklen_ipv6);
- for (i = 0; i < options.num_listen_addrs; i++) {
- listen_on_addrs(&options.listen_addrs[i]);
- freeaddrinfo(options.listen_addrs[i].addrs);
- free(options.listen_addrs[i].rdomain);
- memset(&options.listen_addrs[i], 0,
- sizeof(options.listen_addrs[i]));
+#ifdef HAVE_SYSTEMD
+ systemd_socket_count = sd_listen_fds(0);
+ if (systemd_socket_count > 0)
+ {
+ int i;
+ for (i = 0; i < systemd_socket_count; i++)
+ setup_systemd_socket(SD_LISTEN_FDS_START + i);
+ } else
+#endif
+ {
+ for (i = 0; i < options.num_listen_addrs; i++) {
+ listen_on_addrs(&options.listen_addrs[i]);
+ freeaddrinfo(options.listen_addrs[i].addrs);
+ free(options.listen_addrs[i].rdomain);
+ memset(&options.listen_addrs[i], 0,
+ sizeof(options.listen_addrs[i]));
+ }
+ free(options.listen_addrs);
+ options.listen_addrs = NULL;
+ options.num_listen_addrs = 0;
}
- free(options.listen_addrs);
- options.listen_addrs = NULL;
- options.num_listen_addrs = 0;
-
if (!num_listen_socks)
fatal("Cannot bind any address.");
}
|