SYSTEMD-SSH-GENERATOR(8) systemd-ssh-generator SYSTEMD-SSH-GENERATOR(8)

NAME
systemd-ssh-generator - Generator for binding a socket-activated
SSH server to local AF_VSOCK and AF_UNIX sockets

SYNOPSIS
/usr/lib/systemd/system-generators/systemd-ssh-generator

DESCRIPTION
systemd-ssh-generator binds a socket-activated SSH server to local
AF_VSOCK and AF_UNIX sockets under certain conditions. It only has
an effect if the sshd(8) binary is installed. Specifically, it
does the following:
• If invoked in a VM with AF_VSOCK support, a socket-activated
SSH per-connection service is bound to AF_VSOCK port 22.
• If invoked in a container environment with a writable
directory /run/host/unix-export/ pre-mounted, it binds SSH to
an AF_UNIX socket /run/host/unix-export/ssh. The assumption is
that this directory is bind mounted to the host side as well,
and can be used to connect to the container from there. See
Container Interface[1] for more information about this
interface.
• A local AF_UNIX socket /run/ssh-unix-local/socket is also
bound, unconditionally. This may be used for SSH communication
from the host to itself, without involving networking, for
example to traverse security boundaries safely and with secure
authentication.
• Additional AF_UNIX and AF_VSOCK sockets are optionally bound,
based on the systemd.ssh_listen= kernel command line option or
the ssh.listen system credential (see below).
See systemd-ssh-proxy(1) for details on how to connect to these
sockets via the ssh client.
The ssh.authorized_keys.root credential can be used to allow
specific public keys to log in over SSH. See
systemd.system-credentials(7) for more information.
The generator will use a packaged sshd@.service service template
file if one exists, and otherwise generate a suitable service
template file.
systemd-ssh-generator implements systemd.generator(7).

KERNEL COMMAND LINE
systemd-ssh-generator understands the following
kernel-command-line(7) parameters:
systemd.ssh_auto=
This option takes an optional boolean argument, and defaults
to yes. If enabled, the automatic binding to the AF_VSOCK and
AF_UNIX sockets listed above is done. If disabled, this is not
done, except for those explicitly requested via
systemd.ssh_listen= on the kernel command line or via the
ssh.listen system credential.
Added in version 256.
systemd.ssh_listen=
This option configures an additional socket to bind SSH to. It
may be used multiple times to bind multiple sockets. The
syntax should follow the one of ListenStream=, see
systemd.socket(5) for details. This functionality supports all
socket families systemd(1) supports, including AF_INET and
AF_INET6.
Added in version 256.

CREDENTIALS
systemd-ssh-generator supports the system credentials logic. The
following credentials are used when passed in:
ssh.listen
This credential should be a text file, with each line
referencing one additional socket to bind SSH to. The syntax
should follow the one of ListenStream=, see systemd.socket(5)
for details. This functionality supports all socket families
systemd supports, including AF_INET and AF_INET6.
Added in version 256.
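
The following Python example is added here and is not part of the systemd manual page or source code. It models the binding rules described above to list which sockets SSH would be bound to and which of them are reachable over IP. The function names, the vm_with_vsock and unix_export_writable flags, the sample inputs, and the handling of repeated or unparsable systemd.ssh_auto= values are assumptions, and sshd(8) is assumed to be installed.

```python
# Added example: models the documented binding rules; not systemd source code.
TRUE = {"1", "yes", "y", "true", "t", "on"}      # systemd boolean spellings
FALSE = {"0", "no", "n", "false", "f", "off"}

def classify(addr):
    """Socket family of a ListenStream=-style address (see systemd.socket(5))."""
    if addr.startswith(("/", "@")):
        return "AF_UNIX"            # filesystem path or abstract namespace
    if addr.startswith("vsock"):
        return "AF_VSOCK"           # vsock:CID:PORT
    if addr.isdigit() or addr.startswith("["):
        return "AF_INET6"           # bare port or [addr]:port
    return "AF_INET"                # v.w.x.y:port

def expected_listeners(cmdline, ssh_listen_cred="", vm_with_vsock=False,
                       unix_export_writable=False):
    """Return [(address, family, origin)] for the sockets SSH would be bound to."""
    auto, extra = True, []
    for word in cmdline.split():
        key, sep, val = word.partition("=")
        if key == "systemd.ssh_auto":
            # Bare option means yes; unparsable values are ignored (assumption).
            if not sep or val.lower() in TRUE:
                auto = True
            elif val.lower() in FALSE:
                auto = False
        elif key == "systemd.ssh_listen" and val:
            extra.append((val, "kernel command line"))
    for line in ssh_listen_cred.splitlines():
        if line.strip():
            extra.append((line.strip(), "ssh.listen credential"))
    found = []
    if auto:
        if vm_with_vsock:
            found.append(("vsock::22", "automatic"))
        if unix_export_writable:
            found.append(("/run/host/unix-export/ssh", "automatic"))
        found.append(("/run/ssh-unix-local/socket", "automatic"))
    return [(a, classify(a), o) for a, o in found + extra]

def network_exposed(listeners):
    """Addresses reachable over IP, i.e. the ones that need firewall review."""
    return [a for a, fam, _ in listeners if fam in ("AF_INET", "AF_INET6")]

if __name__ == "__main__":
    # Constructed sample input, not taken from a real system.
    cmdline = "root=/dev/vda1 systemd.ssh_auto=no systemd.ssh_listen=2222"
    cred = "192.0.2.10:22\n/run/extra-ssh.sock\n"
    for entry in expected_listeners(cmdline, cred, vm_with_vsock=True):
        print(entry)
```

With systemd.ssh_auto=no, only the explicitly requested sockets remain, so any AF_INET or AF_INET6 entry in the output comes from systemd.ssh_listen= or the ssh.listen credential.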

SEE ALSO
systemd(1), kernel-command-line(7), systemd.system-credentials(7),
vsock(7), unix(7), ssh(1), sshd(8)

NOTES
1. Container Interface
https://systemd.io/CONTAINER_INTERFACE

COLOPHON
This page is part of the systemd (systemd system and service
manager) project. Information about the project can be found at
⟨http://www.freedesktop.org/wiki/Software/systemd⟩. If you have a
bug report for this manual page, see
⟨http://www.freedesktop.org/wiki/Software/systemd/#bugreports⟩.
This page was obtained from the project's upstream Git repository
⟨https://github.com/systemd/systemd.git⟩ on 2025-08-11. (At that
time, the date of the most recent commit that was found in the
repository was 2025-08-11.) If you discover any rendering
problems in this HTML version of the page, or you believe there is
a better or more up-to-date source for the page, or you have
corrections or improvements to the information in this COLOPHON
(which is not part of the original manual page), send a mail to
man-pages@man7.org
systemd 258~rc2 SYSTEMD-SSH-GENERATOR(8)