services: openssh: Start as an inetd service.

* gnu/services/ssh.scm (openssh-shepherd-service): Use
'make-inetd-constructor' when it is defined.
(<openssh-configuration>)[max-connections]: New field.
* gnu/tests/ssh.scm (run-ssh-test)["sshd PID"]: Adjust to cope with
PID-FILE being #f.
* gnu/tests/ssh.scm (%test-openssh): Pass #f as the 'pid-file'
argument.
* doc/guix.texi (Networking Services): Document 'max-connections'.

doc/guix.texi

@@ -18962,6 +18962,12 @@ Name of the file where @command{sshd} writes its PID.
 @item @code{port-number} (default: @code{22})
 TCP port on which @command{sshd} listens for incoming connections.
 
+@item @code{max-connections} (default: @code{200})
+Hard limit on the maximum number of simultaneous client connections,
+enforced by the inetd-style Shepherd service (@pxref{Service De- and
+Constructors, @code{make-inetd-constructor},, shepherd, The GNU Shepherd
+Manual}).
+
 @item @code{permit-root-login} (default: @code{#f})
 This field determines whether and when to allow logins as root.  If
 @code{#f}, root logins are disallowed; if @code{#t}, they are allowed.

gnu/services/ssh.scm

@@ -292,6 +292,9 @@ The other options should be self-descriptive."
   ;; integer
   (port-number           openssh-configuration-port-number
                          (default 22))
+  ;; integer
+  (max-connections       openssh-configuration-max-connections
+                         (default 200))
   ;; Boolean | 'prohibit-password
   (permit-root-login     openssh-configuration-permit-root-login
                          (default #f))
@@ -515,6 +518,12 @@ of user-name/file-like tuples."
   (define pid-file
     (openssh-configuration-pid-file config))
 
+  (define port-number
+    (openssh-configuration-port-number config))
+
+  (define max-connections
+    (openssh-configuration-max-connections config))
+
   (define openssh-command
     #~(list (string-append #$(openssh-configuration-openssh config) "/sbin/sshd")
             "-D" "-f" #$(openssh-config-file config)))
@@ -523,9 +532,17 @@ of user-name/file-like tuples."
          (documentation "OpenSSH server.")
          (requirement '(syslogd loopback))
          (provision '(ssh-daemon ssh sshd))
-         (start #~(make-forkexec-constructor #$openssh-command
+         (start #~(if (defined? 'make-inetd-constructor)
-                                             #:pid-file #$pid-file))
+                      (make-inetd-constructor
-         (stop #~(make-kill-destructor))
+                       (append #$openssh-command '("-i"))
+                       (make-socket-address AF_INET INADDR_ANY
+                                            #$port-number)
+                       #:max-connections #$max-connections)
+                      (make-forkexec-constructor #$openssh-command
+                                                 #:pid-file #$pid-file)))
+         (stop #~(if (defined? 'make-inetd-destructor)
+                     (make-inetd-destructor)
+                     (make-kill-destructor)))
          (auto-start? (openssh-auto-start? config)))))
 
 (define (openssh-pam-services config)

gnu/tests/ssh.scm

@@ -1,5 +1,5 @@
 ;;; GNU Guix --- Functional package management for GNU
-;;; Copyright © 2016, 2017, 2018, 2019, 2020, 2021 Ludovic Courtès <ludo@gnu.org>
+;;; Copyright © 2016-2022 Ludovic Courtès <ludo@gnu.org>
 ;;; Copyright © 2017, 2018 Clément Lassieur <clement@lassieur.org>
 ;;; Copyright © 2017 Marius Bakke <mbakke@fastmail.com>
 ;;;
@@ -120,19 +120,21 @@ root with an empty password."
                marionette))
 
             ;; Check sshd's PID file.
-            (test-equal "sshd PID"
+            (test-assert "sshd PID"
-              (wait-for-file #$pid-file marionette)
+              (let ((pid (marionette-eval
-              (marionette-eval
+                          '(begin
-               '(begin
+                             (use-modules (gnu services herd)
-                  (use-modules (gnu services herd)
+                                          (srfi srfi-1))
-                               (srfi srfi-1))
 
-                  (live-service-running
+                             (live-service-running
-                   (find (lambda (live)
+                              (find (lambda (live)
-                           (memq 'ssh-daemon
+                                      (memq 'ssh-daemon
-                                 (live-service-provision live)))
+                                            (live-service-provision live)))
-                         (current-services))))
+                                    (current-services))))
-               marionette))
+                          marionette)))
+                (if #$pid-file
+                    (= pid (wait-for-file #$pid-file marionette))
+                    pid)))
 
             (test-assert "wait for port 22"
               (wait-for-tcp-port 22 marionette))
@@ -222,7 +224,7 @@ root with an empty password."
                                  (openssh-configuration
                                   (permit-root-login #t)
                                   (allow-empty-passwords? #t)))
-                        "/var/run/sshd.pid"
+                        #f                        ;inetd-style, no PID file
                         #:sftp? #t))))
 
 (define %test-dropbear