What is the use of systemd user instance for ssh logins


When you log in using SSH, the pam_systemd module automatically launches a systemd --user instance when the user logs in for the first time. We can mask the user@.service to deactivate this. Even when we deactivate the user@.service, there is no noticeable impact.

Is there an impact when we mask the service?


Solution

  • disable and mask are different things.

    • disable means the [Install] section of a unit is ignored. This typically means WantedBy=multi-user.target will be ignored, preventing the unit from starting on boot.
    • mask means the unit cannot be activated. That includes when another unit Wants= it, or even if you try to start it manually. masking will certainly prevent user@.service from starting.

    When you sudo systemctl mask user@.service, you are disabling the --user bus of systemd. unmask and start the unit, then see systemctl --user status to see what will be unavailable.

    On my desktop with a desktop environment, this looks something like:

    $ systemctl --user status
    ● desktop
        State: running
         Jobs: 0 queued
       Failed: 0 units
        Since: Sun 2022-02-13 13:09:28 CET; 3 days ago
       CGroup: /user.slice/user-1000.slice/user@1000.service
               ├─app.slice
               │ ├─at-spi-dbus-bus.service
               │ ├─dbus.service
               │ ├─dconf.service
               │ ├─dunst.service
               │ ├─gvfs-afc-volume-monitor.service
               │ ├─gvfs-daemon.service
               │ ├─gvfs-goa-volume-monitor.service
               │ ├─gvfs-gphoto2-volume-monitor.service
               │ ├─gvfs-metadata.service
               │ ├─gvfs-mtp-volume-monitor.service
               │ ├─gvfs-udisks2-volume-monitor.service
               │ ├─vnc.service
               │ ├─xdg-desktop-portal-gnome.service
               │ ├─xdg-desktop-portal-gtk.service
               │ └─xdg-permission-store.service
               ├─background.slice
               │ ├─plasma-kglobalaccel.service
               │ └─tracker-miner-fs-3.service
               ├─init.scope
               └─session.slice
                 ├─pipewire-media-session.service
                 ├─pipewire.service
                 ├─pulseaudio.service
                 ├─xdg-desktop-portal.service
                 └─xdg-document-portal.service
    

    On a headless server with no desktop environment, this includes effectively nothing.

    $ systemctl --user status
    ● server
        State: running
         Jobs: 0 queued
       Failed: 0 units
        Since: Wed 2022-02-16 13:29:30 CET; 3s ago
       CGroup: /user.slice/user-1000.slice/user@1000.service
               └─init.scope
                 ├─581 /lib/systemd/systemd --user
                 └─583 (sd-pam)
    

    If I were to systemctl mask user@.service:

    • On my desktop, many of these things are installed by my desktop environment. I'll notice things like desktop-integrated authentication agents and notifications will stop working. My VNC service will not be available, my USB sticks will not auto-mount, my keyrings will be unavailable, etc.
    • On my server, I won't notice anything at all (not even a performance gain, as all processes listed are just idling).

    In both cases, I'll lose the ability to define user-bus units if I need them. User units can be useful for things like:

    • Running backup scripts
    • Mounting user-owned file-systems
    • Running scripts in response to changes in files/directories

    Edit: I almost forgot about some mounts. systemd creates $XDG_RUNTIME_DIR when a user logs in. If you mask user@.service, that runtime user directory will not be created on login. Anything that depends on it may have a problem.

    See systemctl --user list-units for more units that get loaded on the user bus.
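
To check whether the user manager has been masked on a host, and whether the runtime directory the answer mentions exists, the script below can be used. It is an added example and not part of the original answer; the function names and the ROOT parameter are assumptions made for illustration, and the check relies on systemd treating a unit file that is empty or symlinked to /dev/null as masked.

```sh
#!/bin/sh
# Added example, not from the original answer. ROOT is a hypothetical
# parameter: "" audits the live host, a directory audits a copied tree.

# Print where UNIT is masked under ROOT, or "not-masked". systemd treats a
# unit as masked when its file is a symlink to /dev/null or is empty;
# "systemctl mask" puts the symlink in /etc/systemd/system, and
# "systemctl mask --runtime" puts it in /run/systemd/system.
unit_mask_state() {
    m_root=$1; m_unit=$2
    for m_dir in etc/systemd/system run/systemd/system; do
        m_file="$m_root/$m_dir/$m_unit"
        if [ -L "$m_file" ] && [ "$(readlink "$m_file")" = "/dev/null" ]; then
            echo "masked:/$m_dir"; return 0
        elif [ -f "$m_file" ] && [ ! -s "$m_file" ]; then
            echo "masked:/$m_dir"; return 0
        elif [ -e "$m_file" ]; then
            break   # a real unit file in /etc takes precedence over /run
        fi
    done
    echo "not-masked"
}

# Report on the user manager for a numeric UID: the user@.service template,
# the user@UID.service instance, and /run/user/UID (the default
# XDG_RUNTIME_DIR, which is also absent while the user has no session).
# Returns 0 if the user manager can be started, 1 if it is masked.
audit_user_manager() {
    a_root=$1; a_uid=$2; a_rc=0
    for a_unit in "user@.service" "user@$a_uid.service"; do
        a_state=$(unit_mask_state "$a_root" "$a_unit")
        echo "$a_unit: $a_state"
        [ "$a_state" = "not-masked" ] || a_rc=1
    done
    if [ -d "$a_root/run/user/$a_uid" ]; then
        echo "/run/user/$a_uid: present"
    else
        echo "/run/user/$a_uid: missing"
    fi
    return "$a_rc"
}

# Audit the current user on the live host.
audit_user_manager "" "$(id -u)" || true
```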