mNo edit summary |
mNo edit summary |
||
| Line 122: | Line 122: | ||
== How To Test == | == How To Test == | ||
Enable sshd.socket | # Enable sshd.socket | ||
Upgrade | # Upgrade | ||
Check remote access over sshd | # Check remote access over sshd | ||
<!-- This does not need to be a full-fledged document. Describe the dimensions of tests that this change implementation is expected to pass when it is done. If it needs to be tested with different hardware or software configurations, indicate them. The more specific you can be, the better the community testing can be. | <!-- This does not need to be a full-fledged document. Describe the dimensions of tests that this change implementation is expected to pass when it is done. If it needs to be tested with different hardware or software configurations, indicate them. The more specific you can be, the better the community testing can be. | ||
Revision as of 10:46, 20 September 2023
Dropping sshd.socket file
This document represents a proposed Change. As part of the Changes process, proposals are publicly announced in order to receive community feedback. This proposal will only be implemented if approved by the Fedora Engineering Steering Committee.
Summary
The sshd.socket behavior may cause the remote DoS and require a manual intervention to make server accepting the ssh connections back. sshd.service doesn't have these downsides
Owner
- Name: Dmitry Belyavskiy
- Email: dbelyavs@redhat.com
Current status
- Targeted release: Fedora Linux 40
- Last updated: 2023-09-20
- devel thread
- Fedora Discussion thread
- FESCo issue: <will be assigned by the Wrangler>
- Tracker bug: <will be assigned by the Wrangler>
- Release notes tracker: <will be assigned by the Wrangler>
Detailed Description
A while ago, a dropping the sshd.socket from the openssh package was suggested in BZ#2025716 as there are several shortcomings with this approach that could lead to situations where users would loose access to a system while under DoS or memory pressure.
This change was implemented in rawhide & f39 and discussed on the devel list in a thread.
This change was reverted in f39 according to the FESCO decision.
Feedback
The change as implemented does not include a migration path for existing users of the sshd.socket unit to the sshd.service unit. We need some migration path, also suitable for OSTree
This means that systems updating from 38 to 39 and relying on sshd.socket for openssh access to the system will end up unreachable via SSH.
This is notably important for Fedora CoreOS where we will automatically update systems to the next Fedora version shortly after the release: https://github.com/coreos/fedora-coreos-tracker/issues/1558
We think this change needs to get more visibility and should go through the change process and be evaluated for inclusion in Fedora 40.
See also the mentioned before thread.
Benefit to Fedora
This change will prevent remote DoS in the case the sshd.socket is acivated.
Scope
- Proposal owners: the migration scriptlet is the best solution.
- Other developers: check the dependencies on sshd.socket
- Release engineering: #Releng issue number
- Policies and guidelines: N/A (not needed for this Change)
- Trademark approval: N/A (not needed for this Change)
- Alignment with Community Initiatives: N/A
Upgrade/compatibility impact
The worst case the remote access to the system will be lost of sshd.socket is enabled and the system is not switched to using sshd.service before upgrade
How To Test
- Enable sshd.socket
- Upgrade
- Check remote access over sshd
User Experience
See "Benefit for Fedora"
Dependencies
Contingency Plan
Reverting the change
- Contingency mechanism: (What to do? Who will do it?) N/A (not a System Wide Change)
- Contingency deadline: N/A (not a System Wide Change)
- Blocks release? N/A (not a System Wide Change), Yes/No
Documentation
N/A (not a System Wide Change)
Release Notes
The change should be mentioned in the Release Notes.