I'm sorry, I don't get.
Configures a limit on how often this socket unit may be activated
within a specific time interval. The TriggerLimitIntervalSec= may be
used to configure the length of the time interval in the usual time
units "us", "ms", "s", "min", "h", … and
defaults to 2s (See
systemd.time(7) for details on the various time units understood). The
TriggerLimitBurst= setting takes a positive integer value and
specifies the number of permitted activations per time interval, and
defaults to 200 for Accept=yes sockets (thus by default permitting 200
activations per 2s), and 20 otherwise (20 activations per 2s). Set
either to 0 to disable any form of trigger rate limiting. If the limit
is hit, the socket unit is placed into a failure mode, and will not be
connectible anymore until restarted. Note that this limit is enforced
before the service activation is enqueued.
But this behavior (the last sentence) exactly matches the DoS
described here: https://bugs.archlinux.org/task/62248
Too many connections to an sshd server, configured using socket
activation can cause the socket to be disabled permanently
("sshd.socket: Trigger limit hit, refusing further activation.").
On Mon, Aug 7, 2023 at 11:48 AM Lennart Poettering <mzerqung(a)0pointer.de> wrote:
On Do, 03.08.23 11:29, Dmitry Belyavskiy (dbelyavs(a)redhat.com) wrote:
> Dear colleagues,
> I've pushed a fresh build of OpenSSH to rawhide.
> We decided to drop the sshd.socket unit from rawhide. We don't think
> it's worth going through the changes process, but would like to
> provide a heads-up.
Hmm, why drop it? For many setups, it makes not sense to continously
run sshd, so socket activation should be fine.
I don't understand the reasoning behind this change. You claim a
DoS. Which DoS is that supposed to be? That we enforce a trigger time
limit on socket units by default? If you don't want this, turn it off,
that's what TriggerLimitIntervalSec=/TriggerLimitBurst= is for, see
The discussion makes this sound as if there was a bug in systemd or
so, but there really isn't, it's literally a safety feature you ran
into. It might not make sense to have the trigger rate limit in place
for all usecases, ssh might be one where it is not advisable, but then
the right approach is to just turn that part off, as documented, via
the aforementioned options.
See for details:
I don't care too much whether you make ssh socket-activated by default
or not. But at least the option should exist, already for compat with
Lennart Poettering, Berlin
devel mailing list -- devel(a)lists.fedoraproject.org
To unsubscribe send an email to devel-leave(a)lists.fedoraproject.org
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue