Starfighter

Interesting sshd behavior (and systemctl restart sshd)

Recently while reviewing feedback on RH124, we noticed a comment about a Note in Chapter 10 on how systemctl restart sshd behaves:

"The advantage of using systemctl reload sshd is that it tells sshd to re-read its configuration file rather than completely restarting the service. A systemctl restart sshd command would also apply the changes, but would also stop and start the service, breaking all active connections to that host."

The thing is, this is mostly true...but systemctl restart sshd does not actually break all active connections to the host like the Note claims, even though sshd is stopped and started.  How is this possible?

It turns out that when you establish a connection to sshd, it creates child processes to manage the connection, one running as root and one running as the user as whom you logged in.  When you run systemctl restart sshd, it only kills the main sshd process that is used to establish new connections. The two child processes are re-parented and keep running as direct children of PID 1 (systemd).  This whole mechanism is partially so what the Note describes does not happen ... so that the connections do not break!

However, you might notice that there's an interesting side-effect of this.  This is also true for systemctl stop sshd.  If there are active SSH connections to a host, and you run systemctl stop sshd to stop sshd, those connections stay active and those users stay logged in, because the child processes are not killed in this case.  This can be surprising behavior, but is mostly intended to make it harder to disrupt user work or accidentally lock yourself out of a remote system.  :)

If necessary, you can run killall sshd as root to terminate all processes named sshd on the system, which should break those connections.
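An added example, not part of the original post: a shell function that reads ps output and reports SSH sessions whose privileged monitor process is a direct child of PID 1, which is how the post describes sessions that survive a stop or restart of sshd. The function name, the sample process table, and the reliance on OpenSSH's "sshd: <user> [priv]" process titles are assumptions of this example.

```shell
#!/bin/sh
# Added example: find SSH sessions that outlived the sshd listener.
# Input (stdin): lines of "PID PPID USER ARGS...", as printed by
#   ps -e -o pid= -o ppid= -o user= -o args=
# Output: "MONITOR_PID LOGIN_USER CHILD_PIDS" for every session whose
# privileged monitor ("sshd: <user> [priv]") has PID 1 as its parent.
orphaned_ssh_sessions() {
    awk '
        # Privileged per-connection monitor, e.g. "sshd: alice [priv]"
        $4 == "sshd:" && $6 == "[priv]" {
            if ($2 == 1) { login[$1] = $5; order[++n] = $1 }
            next
        }
        # Any other sshd process: remember it under its parent PID
        $4 == "sshd:" {
            kids[$2] = kids[$2] (kids[$2] == "" ? "" : ",") $1
        }
        END {
            for (i = 1; i <= n; i++) {
                pid = order[i]
                print pid, login[pid], (kids[pid] == "" ? "-" : kids[pid])
            }
        }
    '
}

# Constructed sample process table (not captured from a real host):
# sshd was restarted, so listener 900 is new. alice logged in after the
# restart; bob logged in before it and his monitor now hangs off PID 1.
SAMPLE_PS='  900     1 root  sshd: /usr/sbin/sshd -D [listener] 0 of 10-100 startups
 1201   900 root  sshd: alice [priv]
 1205  1201 alice sshd: alice@pts/0
 1310     1 root  sshd: bob [priv]
 1314  1310 bob   sshd: bob@pts/1
 1400     1 root  /usr/sbin/crond -n'

printf '%s\n' "$SAMPLE_PS" | orphaned_ssh_sessions

# Live use, as root:
#   ps -e -o pid= -o ppid= -o user= -o args= | orphaned_ssh_sessions
```

Run it after stopping or restarting sshd to see which logins are still active before deciding whether to terminate them.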

2 Replies
Flight Engineer

I'd call this desired behavior, like you say, for a daemon that supports long-running user processes. Perhaps this should be filed as some sort of documentation bug?

0 Kudos
Starfighter

I agree, it's definitely desired behavior.  :)

We just made an update for RHEL 8.2 to the RH124 course, and we decided to remove the affected Note box from chapter 10 entirely. 

The reason the author of this section originally included the Note was to reinforce why you might want to use systemctl reload rather than systemctl restart when applying changes to a configuration file.

It's not a key objective of this section to cover that topic, and including it makes the discussion more complicated than it needs to be. So, we removed the Note. 

For live/remote instructor-led courses, we did add a comment to the instructor notes that discusses the behavior of sshd to make sure instructors used to the older content are aware of this.
