diff --git a/templates/sshd.service.j2 b/templates/sshd.service.j2
index a969ebb..b229bd9 100644
--- a/templates/sshd.service.j2
+++ b/templates/sshd.service.j2
@@ -1,7 +1,9 @@
 [Unit]
 Description=OpenBSD Secure Shell server
+Documentation=man:sshd(8) man:sshd_config(5)
 
 [Service]
+Type=notify
 ExecStartPre={{ sshd_binary }} -t
 ExecStart={{ sshd_binary }} -D -f {{ sshd_config_file }}
 ExecReload={{ sshd_binary }} -t
@@ -9,9 +11,8 @@ ExecReload=/bin/kill -HUP $MAINPID
 KillMode=process
 Restart=on-failure
 RestartPreventExitStatus=255
-Type=notify
-RuntimeDirectory={{ sshd_binary | basename }}
-RuntimeDirectoryMode=0755
+RuntimeDirectory={{ __sshd_runtime_directory }}
+RuntimeDirectoryMode={{ __sshd_runtime_directory_mode }}
 
 [Install]
 WantedBy=multi-user.target
diff --git a/templates/sshd.socket.j2 b/templates/sshd.socket.j2
index add4731..30d424f 100644
--- a/templates/sshd.socket.j2
+++ b/templates/sshd.socket.j2
@@ -1,7 +1,8 @@
 [Unit]
 Description=OpenBSD Secure Shell server socket
+Documentation=man:sshd(8) man:sshd_config(5)
 Before={{ sshd_service }}.service
-Conflicts={{sshd_service }}.service
+Conflicts={{ sshd_service }}.service
 
 [Socket]
 ListenStream=22
diff --git a/templates/sshd@.service.j2 b/templates/sshd@.service.j2
index d76fdde..f5a6ce6 100644
--- a/templates/sshd@.service.j2
+++ b/templates/sshd@.service.j2
@@ -1,9 +1,10 @@
 [Unit]
 Description=OpenBSD Secure Shell server per-connection daemon
+Documentation=man:sshd(8) man:sshd_config(5)
 After=auditd.service
 
 [Service]
 ExecStart=-{{ sshd_binary }} -i -f {{ sshd_config_file }}
 StandardInput=socket
-RuntimeDirectory={{ sshd_binary }}
-RuntimeDirectoryMode=0755
+RuntimeDirectory={{ __sshd_runtime_directory }}
+RuntimeDirectoryMode={{ __sshd_runtime_directory_mode }}
diff --git a/vars/main.yml b/vars/main.yml
index b9ceb08..2f71aa8 100644
--- a/vars/main.yml
+++ b/vars/main.yml
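Review bot: `RuntimeDirectory={{ __sshd_runtime_directory }}` in the second hunk of templates/sshd.service.j2 renders whatever the variable holds, and the vars/main.yml hunk in this same commit defaults it to `~` (null); unless an OS-specific vars file always overrides it, the unit will contain an empty value or the literal string `None` depending on the templating configuration, instead of the `sshd` name the old `{{ sshd_binary | basename }}` produced, and systemd will either reset the directive or create a wrongly named directory under /run. Guarding the two directives with a Jinja conditional keeps the unit valid on platforms where the role sets no runtime directory; the same applies to the matching two lines in templates/sshd@.service.j2. Since RuntimeDirectoryMode is now an overridable variable rather than the fixed `0755`, a template comment stating that sshd's privilege-separation directory must be root-owned and not group- or world-writable (sshd refuses to start otherwise) would catch a permissive override early.
```jinja
{# … unchanged: KillMode, Restart, RestartPreventExitStatus … #}
{% if __sshd_runtime_directory %}
RuntimeDirectory={{ __sshd_runtime_directory }}
RuntimeDirectoryMode={{ __sshd_runtime_directory_mode }}
{% endif %}
```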
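Review bot: In templates/sshd@.service.j2 the `RuntimeDirectory=` now templated into a per-connection template unit is shared by every `sshd@*.service` instance, and with `RuntimeDirectoryPreserve=` left at its default systemd removes the directory when an instance stops; it is worth confirming on the target systemd versions that one connection ending cannot remove the privilege-separation directory while sibling instances are still starting, and if it can, adding `RuntimeDirectoryPreserve=yes` or creating the directory outside the unit is the safer choice. A short template comment such as `{# RuntimeDirectory= takes a name relative to /run, never an absolute path #}` would record why the previous `{{ sshd_binary }}` value was wrong and prevent the regression from being reintroduced.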
@@ -31,6 +31,9 @@ __sshd_os_supported: no
 __sshd_sysconfig_supports_crypto_policy: false
 __sshd_sysconfig_supports_use_strong_rng: false
+# The runtime directory is used by systemd to provide termoporary directory for the service
+# This is used as a RuntimeDirectory= option in the service file and it needs to exist
+# before running sshd for example in the validate mode.
 __sshd_runtime_directory: ~
 __sshd_runtime_directory_mode: "0755"