You are not logged in.

#1 2024-07-01 12:14:14

dimich
Member
From: Kharkiv, Ukraine
Registered: 2009-11-03
Posts: 265

systemd-ssh-proxy in systemd-256

I noticed systemd-256 installs /usr/lib/systemd/ssh_config.d/20-systemd-ssh-proxy.conf and /etc/ssh/ssh_config.d/20-systemd-ssh-proxy.con symlink.
Why do i need it? How systemd is related to ssh? How can i disable this feature?

Offline

#2 2024-07-01 13:15:32

Lone_Wolf
Administrator
From: Netherlands, Europe
Registered: 2005-10-04
Posts: 12,999

Re: systemd-ssh-proxy in systemd-256

The recent infamous xz utils backdoor  may be why they did this .

https://www.freedesktop.org/software/sy … rator.html was also added iafter that incident .


Disliking systemd intensely, but not satisfied with alternatives so focusing on taming systemd.

clean chroot building not flexible enough ?
Try clean chroot manager by graysky

Offline

#3 2024-07-01 15:44:53

dimich
Member
From: Kharkiv, Ukraine
Registered: 2009-11-03
Posts: 265

Re: systemd-ssh-proxy in systemd-256

This ssh generator and proxy looks like something for VMs and for access sshd via sockets other than TCP.
I'm investigating another ssh issue (probably i'll create another topic if can't figure it out by myself) and curious if it may affect normal network ssh functionality. I'd prefer to disable this feature if i don't need it.
As i understand from systemd-generator manual, systemd-ssh-generator works on ssh server side and can be masked by creating /etc/systemd/system-generators/systemd-ssh-generator symlink to /dev/null manually. But systemd-ssh-proxy looks like related to ssh client, not a server.

Offline

#4 2024-07-01 22:19:34

seth
Member
Registered: 2012-09-03
Posts: 59,216

Re: systemd-ssh-proxy in systemd-256

https://bbs.archlinux.org/viewtopic.php … 7#p2178417 - does "systemd.ssh_auto=no" block it?

Offline

#5 2024-07-02 13:41:05

dimich
Member
From: Kharkiv, Ukraine
Registered: 2009-11-03
Posts: 265

Re: systemd-ssh-proxy in systemd-256

seth wrote:

https://bbs.archlinux.org/viewtopic.php … 7#p2178417 - does "systemd.ssh_auto=no" block it?

I added "systemd.ssh_auto=no" to the kernel cmdline just in case. I see no difference in systemd opened descriptors with the option and without it. Maybe it has no any effect unless i use systemd containers, i don't know how to check it.
And when i don't know what something is for, what it is doing (or waiting to do) in my system, i feel like it is bloating neutral

Regarding /etc/ssh/ssh_config.d/20-systemd-ssh-proxy.conf, i tried to replace it with symlink to /dev/null. But after systemd re-install it is overwritten back to ../../../usr/lib/systemd/ssh_config.d/20-systemd-ssh-proxy.conf

Offline

#6 2024-07-03 10:32:33

Lone_Wolf
Administrator
From: Netherlands, Europe
Registered: 2005-10-04
Posts: 12,999

Re: systemd-ssh-proxy in systemd-256

The systemd-ssh-generator changes how sshd can be started and enables starting sshd through socket activation .

Socket activation is on-demand and you are not asked whether its ok for the service to be activated.
Are you ok with sshd always being reachable on your sytem ?


Disliking systemd intensely, but not satisfied with alternatives so focusing on taming systemd.

clean chroot building not flexible enough ?
Try clean chroot manager by graysky

Offline

#7 2024-07-03 12:06:44

dimich
Member
From: Kharkiv, Ukraine
Registered: 2009-11-03
Posts: 265

Re: systemd-ssh-proxy in systemd-256

Lone_Wolf wrote:

Are you ok with sshd always being reachable on your sytem ?

I already have sshd.service enabled and sshd running permanently for remote access to the system. But i use it from the network, not from local VMs.

Offline

#8 2024-09-21 06:05:24

XoseM
Member
From: ⁂
Registered: 2013-08-17
Posts: 15
Website

Re: systemd-ssh-proxy in systemd-256

reached this topic searchig about this symlink

I've created a user systemd.service/timer to make a backup. If I manually run this borgmatic job (as user) then it runs fine, but the scheduled job fails because (I presume) this error:


Set 20 13:55:58 archsystem borgmatic[6290]: INFO Remote: Bad owner or permissions on /etc/ssh/ssh_config.d/20-systemd-ssh-proxy.conf

and can not connect to remote server because it can not authenticate using ssh credentials (I presume)

given

[user@archsystem ~ ]$ls -la /etc/ssh/sshd_config.d/20-systemd-userdb.conf 
lrwxrwxrwx 1 root root 61 Set 10 17:06 /etc/ssh/sshd_config.d/20-systemd-userdb.conf -> ../../../usr/lib/systemd/sshd_config.d/20-systemd-userdb.conf

and

[user@archsystem ~ ]$ls -la /usr/lib/systemd/sshd_config.d/20-systemd-userdb.conf 
-rw-r--r-- 1 root root 224 Set 10 17:06 /usr/lib/systemd/sshd_config.d/20-systemd-userdb.conf

EDIT TO ADD borgmatic's job info:

[user@archsystem ~ ]$ls -la .config/borgmatic.d/config.yaml
-rw------- 1 user user 1315 Ago 21 21:46 .config/borgmatic.d/config.yaml

this is "600" on /home/user/.config/borgmatic.d/config.yaml.  If I run "borgmatic -c /home/user/.config/borgmatic.d/config.yaml" as "user" the backup job reports no errors (and makes finishes the backup with success), but I presume this 600 is not correct, maybe I had created the file config working as root?


please any advice on how to safely¹ change settings?

This is service.config, copied/pasted (not so) from online sources, should I add any policy there to avoid the issue? thank you

[Unit]
Description=borgmatic backup job
Wants=network-online.target
After=network-online.target
#ConditionACPower=true

[Service]
Type=oneshot

LockPersonality=true
MemoryDenyWriteExecute=no
NoNewPrivileges=yes
PrivateDevices=yes
PrivateTmp=yes
ProtectClock=yes
ProtectControlGroups=yes
ProtectHostname=yes
ProtectKernelLogs=yes
ProtectKernelModules=yes
ProtectKernelTunables=yes
RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6 AF_NETLINK
RestrictNamespaces=yes
RestrictRealtime=yes
RestrictSUIDSGID=yes
SystemCallArchitectures=native
SystemCallFilter=@system-service
SystemCallErrorNumber=EPERM
ProtectSystem=full

CapabilityBoundingSet=CAP_DAC_READ_SEARCH CAP_NET_RAW

Nice=19
CPUSchedulingPolicy=batch
IOSchedulingClass=best-effort
IOSchedulingPriority=7
IOWeight=100

Restart=no
LogRateLimitIntervalSec=0

ExecStartPre=sleep 1m
ExecStart=systemd-inhibit --who="borgmatic" --why="Prevent interrupting scheduled backup" borgmatic --config /home/user/.config/borgmatic.d/config.yaml --syslog-verbosity 1

just «chown» user:root /usr/lib/systemd/sshd_config.d/20-systemd-userdb.conf?




¹ do not compromise any other security  policy or service on my arch

Last edited by XoseM (2024-09-21 06:15:28)

Offline

#9 2024-09-21 06:29:45

seth
Member
Registered: 2012-09-03
Posts: 59,216

Re: systemd-ssh-proxy in systemd-256

Bad owner or permissions on /etc/ssh/ssh_config.d/20-systemd-ssh-proxy.conf

[user@archsystem ~ ]$ls -la /etc/ssh/sshd_config.d/20-systemd-userdb.conf

But https://github.com/borgbase/vorta/issues/732 the borg do not seem to appreciate of 644 and want 600 but that seems a very borg-specific issue/pecularity.

Offline

#10 2024-09-21 06:41:25

XoseM
Member
From: ⁂
Registered: 2013-08-17
Posts: 15
Website

Re: systemd-ssh-proxy in systemd-256

oh yes sorry, posted the wrong file "userdb" instead of "ssh-proxy"

20-systemd-ssh-proxy.conf has the same values though.


yes, I have a .ssh/config with several configurations for servers. It has already "600" value and "user user" ownership.


what bugs me is that "I" can manually run borgmatic job but "systemctl service" can not.


thank you for your comment wink

Last edited by XoseM (2024-09-21 06:47:27)

Offline

#11 2024-09-21 07:34:31

seth
Member
Registered: 2012-09-03
Posts: 59,216

Re: systemd-ssh-proxy in systemd-256

No, the plan was to 600 stuff in /etc/ssh/sshd_config.d/
However

This is service.config, copied/pasted (not so) from online sources

Do you run that as user or as system service?

Offline

#12 2024-09-21 12:35:12

XoseM
Member
From: ⁂
Registered: 2013-08-17
Posts: 15
Website

Re: systemd-ssh-proxy in systemd-256

as user

[user@arch ~ ]$ls -la .config/systemd/user/borgmatic.service 
-rw-r--r-- 1 user user 1012 Ago 23 14:32 .config/systemd/user/borgmatic.service

Last edited by XoseM (2024-09-21 12:38:11)

Offline

Board footer

Powered by FluxBB