Bug#923508: systemd not restarting sshd on Debian 9 Stretch i386 due to RestartPreventExitStatus=255 in sshd.service file
Andrew Roberts
andrewm.roberts at sky.com
Sat Mar 2 12:40:11 GMT 2019
Michael,
thanks for your detailed reply.
A few things I would like to clarify.
1) I'm not wanting to edit the sshd.service file
As you say this will be overwritten, hence my comment that this was NOT
a solution.
2) I was trying to use the sshd.service.d/override.conf file instead
However this does not seem to be working. The systemctl edit option was
editing this override file successfully, but it didn't seem to take effect.
I was not aware that you had to reset any option before setting it
again. I have seen this in relation to ExecStart=
but I guess that applies as you can set multiple ExecStart options, and
thus need to clear it first.
It seems to have been the case that other options have not needed to be
cleared in the override file before resetting, at least in
my experience. Having an option set to both True and False for instance
does not make a lot of sense.
In any case I was resetting RestartPreventExitStatus to empty as I did
not want any value assigned to it (as if it had never been set).
Perhaps this is the issue, that as RestartPreventExitStatus is single
valued, you CANNOT reset it to nothing, only to another value? If so
that's a problem as there is no way of (safely) clearing the setting of
RestartPreventExitStatus.
Is there a way of setting systemd to dump out the config it is using for
a specific service, after the override file has been applied?
3) With regard to sshd
I don't really have a problem with what sshd is doing with
RestartPreventExitStatus, provided I can override it. Although because
the return value of 255 is not specific to the issue it was added to
address, then it may cause problems for others.
As for using a non-default config, I have no apologies about that, as I
don't consider the default anything like secure. Deciding on listening
on a specific interface only, and using public key authentication is
prudent.
4) Networking
Certainly the networking configuration was not broken. Although I have
discovered that this machine, unlike the other Debian boxes I have
(installed from earlier releases and upgraded), is using NetworkManager,
which I have now removed, as it does not play well on headless machines.
Without NetworkManager the machine will start sshd with the default
config (RestartPreventExitStatus=255) as the interface is started
earlier, and the need to restart sshd is removed. But given
NetworkManager is the default these days, that would seem to make
removing it 'not a default config'.
This does not negate the need to be able to override
RestartPreventExitStatus, or at least have the ability to do so.
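
A simplified model of the drop-in merge behaviour discussed in this message, added here as an illustration and not taken from the thread or from systemd's code: per systemd.service(5), RestartPreventExitStatus= is a list setting, repeated assignments are merged, and an empty assignment resets the list. The unit text is constructed apart from RestartPreventExitStatus=255, and `merge_fragments` and `would_restart` are hypothetical helper names.

```python
# Simplified model of how a unit file and its drop-ins combine.
# Not systemd's parser: sections, line continuations and specifiers are ignored.

# List-type settings: repeated assignments accumulate, "Key=" resets the list.
SPLIT_KEYS = {"RestartPreventExitStatus", "SuccessExitStatus"}  # space-separated
LIST_KEYS = SPLIT_KEYS | {"ExecStart"}                          # one entry per line

# Constructed sample fragments; only RestartPreventExitStatus=255 is from the page.
SSHD_UNIT = """\
[Service]
ExecStart=/usr/sbin/sshd -D $SSHD_OPTS
Restart=on-failure
RestartPreventExitStatus=255
"""
OVERRIDE_RESET = "[Service]\nRestartPreventExitStatus=\n"      # clear the list
OVERRIDE_APPEND = "[Service]\nRestartPreventExitStatus=254\n"  # adds, does not replace


def merge_fragments(fragments):
    """Apply fragments in load order (main unit first, then drop-ins)."""
    effective = {}
    for text in fragments:
        for raw in text.splitlines():
            line = raw.strip()
            if not line or line.startswith(("#", ";", "[")):
                continue
            key, sep, value = line.partition("=")
            if not sep:
                continue
            key, value = key.strip(), value.strip()
            if key not in LIST_KEYS:
                effective[key] = value        # scalar setting: last one wins
            elif value == "":
                effective[key] = []           # empty assignment: reset the list
            else:
                items = value.split() if key in SPLIT_KEYS else [value]
                effective.setdefault(key, []).extend(items)
    return effective


def would_restart(effective, exit_status):
    """Restart=on-failure only: restart on a non-zero exit not in the prevent list."""
    if effective.get("Restart") != "on-failure" or exit_status == 0:
        return False
    return str(exit_status) not in effective.get("RestartPreventExitStatus", [])


if __name__ == "__main__":
    for name, drop_in in (("reset", OVERRIDE_RESET), ("append", OVERRIDE_APPEND)):
        eff = merge_fragments([SSHD_UNIT, drop_in])
        print(name, eff["RestartPreventExitStatus"], would_restart(eff, 255))
```

On a live system, `systemctl cat sshd.service` prints the unit file together with its drop-ins, and `systemctl show -p RestartPreventExitStatus sshd.service` prints the value systemd has loaded.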