Unix socket support for sshd

Daniel Kahn Gillmor dkg at fifthhorseman.net
Fri Feb 5 03:25:36 AEDT 2016


On Thu 2016-02-04 10:57:21 -0500, Ron Frederick wrote:
>> On Feb 4, 2016, at 7:46 AM, Daniel Kahn Gillmor <dkg at fifthhorseman.net> wrote:
>> fwiw, i think this is a good idea, but i wouldn't implement it as an
>> explicit ListenAddress option: i'd rather have sshd be able to listen on
>> an inherited file descriptor.  This would allow generic socket
>> activation, regardless of socket type.
>
> Can’t this already be done with “sshd -i”, by passing in the socket
> via stdin/stdout? A simple wrapper which listened on the UNIX domain
> socket could fork & exec “sshd -i” as new UNIX domain socket
> connections arrived, similar to inetd.

I've done this before (and even had ssh running over the serial console
with it), but forking and exec'ing a new sshd instance for each
connection is rather different from having a running sshd that can make
overall decisions about the state of the machine (e.g. MaxStartups in
sshd_config(5)), and it also requires a bunch of initial setup work each
time a connection comes in.

socket activation handed off to a single running master daemon addresses
both of these legit engineering concerns better than an inetd-spawned
"sshd -i" would.

        --dkg
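As an added example that is not part of this thread (and not OpenSSH code), the following Python sketch shows the hand-off dkg is describing: an activator creates the listening UNIX-domain socket, forks a single long-running server that adopts the socket as an inherited file descriptor, and that server applies a global MaxStartups-style early-drop policy of the kind a fork-and-exec-per-connection "sshd -i" wrapper has no way to enforce. It assumes the LISTEN_PID/LISTEN_FDS environment convention used by systemd socket activation (inherited listeners start at fd 3) and models the "start:rate:full" semantics documented in sshd_config(5); all function and class names are this example's own.

```python
# Added example, not from this thread or from OpenSSH: a listening UNIX socket
# handed to one long-running server as an inherited fd (socket activation),
# plus a global MaxStartups-style policy a per-connection "sshd -i" model
# cannot enforce. Assumes systemd's LISTEN_PID/LISTEN_FDS convention (inherited
# listeners start at fd 3) and sshd_config(5)'s "start:rate:full" semantics.
import os
import random
import socket
import tempfile

SD_LISTEN_FDS_START = 3  # first inherited listening fd (systemd convention)

def inherited_listen_fds(environ=None, pid=None):
    """Fds an activator handed us, or []; LISTEN_PID must be our own pid."""
    environ = os.environ if environ is None else environ
    pid = os.getpid() if pid is None else pid
    try:
        if int(environ.get("LISTEN_PID", "")) != pid:
            return []  # stale environment inherited by some other process
        count = int(environ.get("LISTEN_FDS", ""))
    except ValueError:
        return []
    return list(range(SD_LISTEN_FDS_START, SD_LISTEN_FDS_START + count))

def open_listener(path, environ=None, pid=None):
    """Adopt an inherited listener if present, else bind our own at `path`."""
    fds = inherited_listen_fds(environ, pid)
    if fds:
        sock = socket.socket(fileno=fds[0])  # adopt, do not create
        if sock.family != socket.AF_UNIX or sock.type != socket.SOCK_STREAM:
            raise RuntimeError("fd %d is not a UNIX stream socket" % fds[0])
        return sock, True
    sock = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
    sock.bind(path)
    sock.listen(16)
    return sock, False

class StartupLimiter:
    """Toy MaxStartups "start:rate:full": accept all below `start` in-progress
    connections, drop with p=rate/100 at `start`, rising to 1.0 at `full`."""
    def __init__(self, start=10, rate=30, full=100, rng=random.random):
        self.start, self.rate, self.full, self.rng = start, rate, full, rng
        self.active = 0  # unauthenticated connections in progress

    def drop_probability(self, active):
        if active < self.start:
            return 0.0
        if active >= self.full:
            return 1.0
        ramp = (100 - self.rate) * (active - self.start) / (self.full - self.start)
        return (self.rate + ramp) / 100.0

    def try_begin(self):  # False means: drop this new connection
        if self.rng() < self.drop_probability(self.active):
            return False
        self.active += 1
        return True

    def end(self):  # authenticated or closed: no longer a startup
        self.active -= 1

def hand_off_listener(listener_fd):
    """Activator side, just before it would exec(2): listener to fd 3, advertise it."""
    if listener_fd != SD_LISTEN_FDS_START:
        os.dup2(listener_fd, SD_LISTEN_FDS_START)  # dup2 leaves FD_CLOEXEC clear
        os.close(listener_fd)
    os.environ["LISTEN_PID"] = str(os.getpid())
    os.environ["LISTEN_FDS"] = "1"

def server_main(path, banner):
    """Activated daemon: adopt listener, accept one connection under the policy."""
    sock, _inherited = open_listener(path)  # a fresh bind would fail: path exists
    limiter = StartupLimiter()
    conn, _ = sock.accept()
    with conn:
        if limiter.try_begin():
            conn.sendall(banner)
            limiter.end()
    return 0

def demo():
    """Activator creates the listener, forks the server, then acts as a client."""
    path = os.path.join(tempfile.mkdtemp(), "sshd-demo.sock")
    banner = b"SSH-2.0-demo_activated\r\n"  # constructed sample banner
    listener = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
    listener.bind(path)
    listener.listen(16)
    pid = os.fork()
    if pid == 0:  # child becomes the activated server
        rc = 1
        try:
            hand_off_listener(listener.fileno())
            rc = server_main(path, banner)
        finally:
            os._exit(rc)
    listener.close()  # the parent keeps no copy; the server owns it now
    with socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) as client:
        client.settimeout(10)
        client.connect(path)
        got = client.recv(64)
    _, status = os.waitpid(pid, 0)
    os.unlink(path)
    return got, os.WEXITSTATUS(status)  # expected: (banner bytes, 0)
```

Calling demo() runs the whole exchange on a temporary socket path and returns the banner the client read together with the server's exit status. The point of the split is that the listening socket exists before the server process does and survives across the hand-off, so the activator never has to fork a fresh server per connection, and the single adopted daemon sees every connection and can apply a global limit like MaxStartups.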

