Ubuntu Manpage: systemd-ssh-generator - Generator for binding a socket-activated SSH server to local

Provided by: systemd_256.5-2ubuntu3_amd64

NAME

       systemd-ssh-generator - Generator for binding a socket-activated SSH server to local
       AF_VSOCK and AF_UNIX sockets

SYNOPSIS

       /usr/lib/systemd/system-generators/systemd-ssh-generator

DESCRIPTION

systemd-ssh-generator binds a socket-activated SSH server to local AF_VSOCK and AF_UNIX
sockets under certain conditions. It only has an effect if the sshd(8) binary is
installed. Specifically, it does the following:

• If invoked in a VM with AF_VSOCK support, a socket-activated SSH per-connection
service is bound to AF_VSOCK port 22.

• If invoked in a container environment with a writable directory /run/host/unix-export/
pre-mounted it binds SSH to an AF_UNIX socket /run/host/unix-export/ssh. The
assumption is that this directory is bind mounted to the host side as well, and can be
used to connect to the container from there. See Container Interface[1] for more
information about this interface.

• A local AF_UNIX socket /run/ssh-unix-local/socket is also bound, unconditionally. This
may be used for SSH communication from the host to itself, without involving
networking, for example to traverse security boundaries safely and with secure
authentication.

• Additional AF_UNIX and AF_VSOCK sockets are optionally bound, based on the
systemd.ssh_listen= kernel command line option or the ssh.listen system credential
(see below).

See systemd-ssh-proxy(1) for details on how to connect to these sockets via the ssh
client.

The ssh.authorized_keys.root credential can be used to allow specific public keys to log
in over SSH. See systemd.systemd-credentials(7) for more information.

The generator will use a packaged sshd@.service service template file if one exists, and
otherwise generate a suitable service template file.

systemd-ssh-generator implements systemd.generator(7).

KERNEL COMMAND LINE

       systemd-ssh-generator understands the following kernel-command-line(7) parameters:

       systemd.ssh_auto=
           This option takes an optional boolean argument, and defaults to yes. If enabled, the
           automatic binding to the AF_VSOCK and AF_UNIX sockets listed above is done. If
           disable, this is not done, except for those explicitly requested via
           systemd.ssh_listen= on the kernel command line or via the ssh.listen system
           credential.

           Added in version 256.

       systemd.ssh_listen=
           This option configures an additional socket to bind SSH to. It may be used multiple
           times to bind multiple sockets. The syntax should follow the one of ListenStream=, see
           systemd.socket(5) for details. This functionality supports all socket families systemd
           supports, including AF_INET and AF_INET6.

           Added in version 256.

CREDENTIALS

       systemd-ssh-generator supports the system credentials logic. The following credentials are
       used when passed in:

       ssh.listen
           This credential should be a text file, with each line referencing one additional
           socket to bind SSH to. The syntax should follow the one of ListenStream=, see
           systemd.socket(5) for details. This functionality supports all socket families systemd
           supports, including AF_INET and AF_INET6.

           Added in version 256.

NOTES