oss-sec mailing list archives
Systemd vsock sshd
From: wish42offcl98 () posteo org
Date: Tue, 30 Dec 2025 07:23:12 +0000
I have searched for that - instead of blacklisting the vsock module, I took two measures myself:

- systemctl mask --now sshd-unix-local.socket to kill and mask the sshd unix socket created by that generator,
- systemctl mask sshd-vsock.socket to mask the sshd vsock created by that generator (use --now if the socket has started or use systemctl stop... ).

Though, vsock untested but I found that source mentioning that socket.
https://linux-audit.com/system-administration/commands/systemd-analyze/

Masking the sockets should stop them from starting again. The vsock kernel module should not be blacklisted if some hypervisor features are required:

https://libvirt.org/ssh-proxy.html
https://wiki.qemu.org/Features/VirtioVsock

Greetings
Alex

On 12/29/25 05:11, Jacob Bachmeyer wrote:
> On 12/27/25 21:46, Greg Dahlman wrote:
>> [...]
>> **Systemd v256 change** - When the *openssh-server* package is installed on a VM with vsock support, systemd now automatically starts an *sshd* instance that listens on the **af_vsock** socket in the **global network namespace** without any manual configuration.
>
> Obvious question: what manual configuration is required to kill that listener?
>
> -- Jacob
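
A check for the two units named in the message above, as an added example that is not part of the original post: it asks systemd for each unit's LoadState and ActiveState and flags a unit that is masked but still active, the case the `--now` remark covers. The function names and the `--run` argument are this example's own.

```shell
#!/bin/sh
# Added example: audit the sshd socket units named in the message above.
# Unit names come from the message; everything else is this example's own.

SSHD_SOCKETS="sshd-unix-local.socket sshd-vsock.socket"

# Map a LoadState/ActiveState pair to a verdict:
#   masked, not active -> OK      (cannot be started again)
#   masked, active     -> RUNNING (masked without --now, still listening)
#   not-found          -> ABSENT  (no such unit on this system)
#   anything else      -> EXPOSED (unit is started or can be started)
classify_socket() {
    case "$1:$2" in
        masked:active|masked:activating) echo RUNNING ;;
        masked:*)                        echo OK ;;
        not-found:*)                     echo ABSENT ;;
        *)                               echo EXPOSED ;;
    esac
}

# Query systemd for one unit and print "<unit> <verdict>".
check_socket() (
    unit=$1
    load=$(systemctl show -p LoadState --value "$unit")
    active=$(systemctl show -p ActiveState --value "$unit")
    echo "$unit $(classify_socket "$load" "$active")"
)

# Check every unit; return non-zero if any is RUNNING or EXPOSED.
audit_sshd_sockets() {
    rc=0
    for unit in $SSHD_SOCKETS; do
        line=$(check_socket "$unit")
        echo "$line"
        case "$line" in
            *RUNNING) echo "  fix: systemctl stop $unit"; rc=1 ;;
            *EXPOSED) echo "  fix: systemctl mask --now $unit"; rc=1 ;;
        esac
    done
    return $rc
}

# Only touch systemd when asked to: sh audit.sh --run
if [ "${1:-}" = "--run" ]; then audit_sshd_sockets; fi
```

A non-zero exit status from `--run` means at least one of the two units still needs the listed fix.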
