On Linux Mint 18.3, sshd (7.2p2) starts with two processes. But when I run service ssh stop
only the child process stops and the parent process is still running. So when I restart the ssh service it can't bind port 22 and becomes unable to receive connections.
I read about privilege separation and I think it's good, even though other Linuxes (for example Ubuntu) create only one process. But why does the parent process not stop when the child process is stopped? And how do I make systemd stop both processes?
ssh.service
[Unit]
Description=OpenBSD Secure Shell server
After=network.target auditd.service
ConditionPathExists=!/etc/ssh/sshd_not_to_be_run
[Service]
EnvironmentFile=-/etc/default/ssh
ExecStartPre=/usr/sbin/sshd -t
ExecStart=/usr/sbin/sshd -D $SSHD_OPTS
ExecReload=/usr/sbin/sshd -t
ExecReload=/bin/kill -HUP $MAINPID
KillMode=process
Restart=on-failure
RestartPreventExitStatus=255
Type=notify
[Install]
WantedBy=multi-user.target
Alias=sshd.service
multi-user.target
# This file is part of systemd.
#
# systemd is free software; you can redistribute it and/or modify it
# under the terms of the GNU Lesser General Public License as published by
# the Free Software Foundation; either version 2.1 of the License, or
# (at your option) any later version.
[Unit]
Description=Multi-User System
Documentation=man:systemd.special(7)
Requires=basic.target
Conflicts=rescue.service rescue.target
After=basic.target rescue.service rescue.target
AllowIsolate=yes
service ssh status
● ssh.service - OpenBSD Secure Shell server
Loaded: loaded (/lib/systemd/system/ssh.service; enabled; vendor preset: enabled)
Active: active (running) since Чт 2019-05-16 16:53:10 MSK; 6 days ago
Process: 4535 ExecStartPre=/usr/sbin/sshd -t (code=exited, status=0/SUCCESS)
Main PID: 4538 (sshd)
Tasks: 2
Memory: 16.4M
CPU: 3.143s
CGroup: /system.slice/ssh.service
├─4538 /usr/sbin/sshd -D
└─4539 /usr/sbin/sshd -D
The systemd option "KillMode" has the value "mixed":
If set to mixed, the SIGTERM signal (see below) is sent to the main process while the subsequent SIGKILL signal (see below) is sent to all remaining processes of the unit's control group.
Besides that, "KillMode" has another value, "control-group":
If set to control-group, all remaining processes in the control group of this unit will be killed on unit stop (for services: after the stop command is executed, as configured with ExecStop=).
So I just looked up which of them is used more often across all service files; it's "mixed", so I just replaced "KillMode=process" with "KillMode=mixed".
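As an added example (not code from the poster or from the ssh package), the script below shows the two things a practitioner would want to check before and after applying that fix: which PIDs in the unit's cgroup the default KillMode=process would leave behind, parsed from a constructed copy of the status output quoted in the question, and a drop-in override that sets KillMode=mixed without editing the vendor unit in /lib/systemd/system. The override path assumed is the standard ssh.service.d directory, written into a caller-supplied directory so it can be previewed before being placed under /etc/systemd/system; all PIDs and the status text are the sample values from the question.

```shell
#!/bin/sh
# Constructed sample: the relevant part of the "service ssh status" output
# quoted in the question (PIDs 4538 and 4539 are taken from that output).
SAMPLE_STATUS='● ssh.service - OpenBSD Secure Shell server
   Main PID: 4538 (sshd)
    Tasks: 2
   CGroup: /system.slice/ssh.service
           ├─4538 /usr/sbin/sshd -D
           └─4539 /usr/sbin/sshd -D'

# Main PID as recorded by systemd: the only process KillMode=process signals.
main_pid() {
  printf '%s\n' "$1" | sed -n 's/^[[:space:]]*Main PID: \([0-9][0-9]*\).*/\1/p'
}

# Every PID listed in the CGroup tree. Tree lines look like "├─4538 /usr/sbin/sshd -D":
# optional tree glyphs, then the PID, then a space. Journal lines that may follow
# the tree start with a month name, so they do not match.
cgroup_pids() {
  printf '%s\n' "$1" | awk '
    /^[ \t]*CGroup:/ { incg = 1; next }
    incg && match($0, /^[ \t]*[^A-Za-z0-9 \t]*[0-9]+ /) {
      pid = substr($0, RSTART, RLENGTH)
      gsub(/[^0-9]/, "", pid)
      print pid
    }'
}

# PIDs that would keep running after "service ssh stop" under KillMode=process:
# everything in the cgroup except the main PID.
survivors_under_killmode_process() {
  status="$1"
  main=$(main_pid "$status")
  cgroup_pids "$status" | grep -v -x "$main" || true
}

# Write the KillMode=mixed drop-in into "$1/ssh.service.d/killmode.conf".
# In production "$1" would be /etc/systemd/system (assumed standard location),
# followed by "systemctl daemon-reload" and "systemctl restart ssh".
write_killmode_override() {
  dir="$1"
  mkdir -p "$dir/ssh.service.d"
  cat > "$dir/ssh.service.d/killmode.conf" <<'EOF'
# Drop-in override: on stop, SIGTERM goes to the main sshd and SIGKILL to
# anything still left in the unit's control group, so no listener survives
# to hold port 22 across a restart.
[Service]
KillMode=mixed
EOF
  printf '%s\n' "$dir/ssh.service.d/killmode.conf"
}

# Stand-alone demonstration: show the would-be survivor and preview the drop-in.
echo "PIDs left behind by KillMode=process:"
survivors_under_killmode_process "$SAMPLE_STATUS"
scratch=$(mktemp -d)
override=$(write_killmode_override "$scratch")
echo "Preview of $override:"
cat "$override"
rm -rf "$scratch"
```

After installing the drop-in for real, `systemctl show -p KillMode ssh` confirms the effective value, and a repeat of `service ssh status` after a stop should show an empty CGroup tree rather than a lingering sshd.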