Make SSH daemon listen on a UNIX socket

[Kaidezee]

There doesn't seem to be an option for that in /etc/ssh/sshd_config (didn't find it in the man entry), so is there some (maybe other) way to make it listen on a UNIX socket (and also maybe prevent it from listening on a TCP port)? Also so that it sticks after reboot.

[gentoo_ram]

I don't think so. It isn't documented anyway. But you could have it listen only on the loopback interface. That would only allow access from the host itself which is what I guess you want the Unix socket for.

The only other way I could see SSH from a Unix socket is by configuring 'socat' to run in the background forwarding between a Unix socket and the loopback address.

[Hu]

OP: what problem are you trying to solve by restricting the sshd to listen on a local socket?

[Kaidezee]

what problem are you trying to solve by restricting the sshd to listen on a local socket?

None, really. I just wonder if this is possible or not.

[sam_]

AFAIK, openssh doesn't support this directly, but systemd has a workaround: https://mastodon.social/@pid_eins/112411218075942131.

Mod edit: Trailing period evicted from the above URL. — JRG

[Banana]

AFAIK, openssh doesn't support this directly, but systemd has a workaround: https://mastodon.social/@pid_eins/112411218075942131.

Isn't this just the socket activation which ends up in a running ssh service listening to the specified port?

[Zentoo]

what problem are you trying to solve by restricting the sshd to listen on a local socket?

None, really. I just wonder if this is possible or not.

AFAIK, openssh doesn't support this directly, but systemd has a workaround: https://mastodon.social/@pid_eins/112411218075942131.

Isn't this just the socket activation which ends up in a running ssh service listening to the specified port?

Yes it is. And it is not officially supported by openssh upstream as it brings several problems:
- socket activation by default permits to connect on all interfaces
- socket activation with restricted ip/port bind will act like a socat on a local port bind
- no centralised logs as each socket activation will run in a new instance
- socket activation is being susceptible to denial of service
- openssh have retired support of socket activation because of last point with the 8.0p1-3 version

So I think '''Listen 127.0.0.X''' is the way to go.

[floppymaster]

- openssh have retired support of socket activation because of last point with the 8.0p1-3 version

I think you may be quoting an AI search result: 8.0p1-3 is version number from Arch Linux, not Gentoo or upstream OpenSSH.

Arch removed sshd.socket from their openssh package.

https://bugs.archlinux.org/task/6224

Gentoo still provides it.

[Zentoo]

- openssh have retired support of socket activation because of last point with the 8.0p1-3 version

I think you may be quoting an AI search result: 8.0p1-3 is version number from Arch Linux, not Gentoo or upstream OpenSSH.

Arch removed sshd.socket from their openssh package.

https://bugs.archlinux.org/task/6224

Gentoo still provides it.

I don't quote AI that I do not use at all but I found part of these informations effectively on Arch wiki.
See: https://wiki.archlinux.org/title/OpenSS ... management

In fact Arch wiki is wrong on this point:

openssh 8.0p1-3 removed sshd.socket that used systemd's socket activation due to it being susceptible to denial of service.

I presume that it is Arch that have removed socket support from openssh and not openssh upstream.
Furthermore it seems that Gentoo still provides socket support if I refer to this file being installed:

Code: Select all

/lib/systemd/system/sshd.socket

I can't really check on my side if socket activation works on Gentoo as I'm not using systemd but openrc.