openssh: allow early ssh connections

By using DefaultDependencies=no the system can accept ssh connections
earlier. This makes it possible to debug problems during startup.

This means that tmpfiles.d cannot be used to create the privilege
separation directory. So create it as RuntimeDirectory instead.

As a side effect, this 'fixes' problems with nfsroot: tmpfiles.d refuses to
create /run/sshd if / is not owned by root. This is not checked for
RuntimeDirectory= so creating /run/sshd works here.

Signed-off-by: Michael Olbrich <m.olbrich@pengutronix.de>

2 files changed, 4 insertions, 2 deletions

diff --git a/projectroot/usr/lib/systemd/system/sshd@.service b/projectroot/usr/lib/systemd/system/sshd@.service
index a96f28680..3814e9f7b 100644
--- a/projectroot/usr/lib/systemd/system/sshd@.service
+++ b/projectroot/usr/lib/systemd/system/sshd@.service
@@ -1,8 +1,11 @@
 [Unit]
 Description=SSH Per-Connection Server
-After=syslog.target
+DefaultDependencies=no
 
 [Service]
 ExecStart=/usr/sbin/sshd -i
 SuccessExitStatus=0 255
 StandardInput=socket
+RuntimeDirectory=sshd
+RuntimeDirectoryPreserve=yes
+RuntimeDirectoryMode=0700
diff --git a/projectroot/usr/lib/tmpfiles.d/ssh.conf b/projectroot/usr/lib/tmpfiles.d/ssh.conf
deleted file mode 100644
index cc208db9f..000000000
--- a/projectroot/usr/lib/tmpfiles.d/ssh.conf
+++ /dev/null
@@ -1 +0,0 @@
-d /run/sshd 0700 root root -