You are spot on with the **inetd** comparison. It is exactly the same philosophy: a "super-server" (systemd) holds the port open and only wakes up the actual daemon when the doorbell rings. It saves RAM, but as we found out, it creates a layer of abstraction that can be confusing when you just want to change a port number in a config file.
Here is the clarification on the other points:
### 1. The `!` Syntax
Yes, the `!` is a logical **NOT**.
`ConditionPathExists=!/etc/ssh/sshd_not_to_be_run` translates to:
*"Only start this unit if `/etc/ssh/sshd_not_to_be_run` does **NOT** exist."*
### 2. `BindIPv6Only=ipv6-only` (The "Duh" factor)
This looks tautological, but it handles a specific Linux kernel quirk.
By default, if you bind a socket to `[::]` (all IPv6 addresses), Linux also automatically binds it to IPv4 (using "IPv4-mapped IPv6 addresses").
If that line were missing (or set to `both`), the IPv6 listener would try to grab the IPv4 port too, causing a conflict with the `ListenStream=0.0.0.0:22` line above it. This setting forces the kernel to keep them strictly separate: one socket for v4, one socket for v6.
### 3. Session Anxiety
Your realization is 100% correct.
When you connect via SSH:
1. The listener (Port 22) accepts the handshake.
2. The OS spawns a specific process for *your* session.
3. That session moves to an established state on a random high ephemeral port.
The "Listening Port" is just the front door. Once you are inside (authenticated), you are in a private room. We can repaint the front door (change the port), lock it (firewall), or move it entirely, and it won't affect the people already inside the party.
**Next Step:**
Now that you have a cert, a firewall, and a clear understanding of the systemd plumbing, is there anything else you need to configure on this VPS, or shall we call this ticket closed?
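The dual-stack quirk behind point 2 can be reproduced with plain sockets. The following Python script is an added example and is not part of the original reply: it binds a wildcard IPv6 socket on an OS-chosen port with `IPV6_V6ONLY` off (what the kernel does by default and what `BindIPv6Only=both` would mean) and then on, and in each case tries to bind a separate IPv4 socket to `0.0.0.0` on the same port. With the option off, the IPv4 bind fails with `EADDRINUSE`, which is exactly the conflict the `ListenStream=0.0.0.0:22` line would hit; with the option on (what `BindIPv6Only=ipv6-only` asks systemd to set), the two listeners coexist. The function returns `None` instead of a verdict when the host has no usable IPv6 stack.

```python
"""Added example (not from the original reply): reproduce the Linux dual-stack
behaviour that BindIPv6Only=ipv6-only works around, using plain sockets.

A wildcard IPv6 socket ([::]) with IPV6_V6ONLY=0 also claims the IPv4 side of
the port, so a separate 0.0.0.0 listener on the same port fails with
EADDRINUSE. With IPV6_V6ONLY=1 the two sockets coexist, one per address family.
"""
import errno
import socket
from typing import Optional


def ipv4_bind_conflicts(v6only: bool) -> Optional[bool]:
    """Bind [::] on an OS-chosen port with the given IPV6_V6ONLY setting, then try
    to bind 0.0.0.0 on the same port.

    Returns True if the IPv4 bind fails with EADDRINUSE (the dual-stack conflict),
    False if it succeeds (strictly separated v4/v6 listeners), and None if IPv6
    is not usable in this environment, so no verdict can be drawn.
    """
    if not socket.has_ipv6:
        return None
    try:
        s6 = socket.socket(socket.AF_INET6, socket.SOCK_STREAM)
    except OSError:
        return None  # AF_INET6 not supported here
    try:
        # 0 = dual-stack (kernel default), 1 = IPv6 only (BindIPv6Only=ipv6-only)
        s6.setsockopt(socket.IPPROTO_IPV6, socket.IPV6_V6ONLY, 1 if v6only else 0)
        try:
            s6.bind(("::", 0))  # port 0: let the kernel pick a free port
        except OSError:
            return None  # IPv6 stack disabled in this environment
        s6.listen(1)
        port = s6.getsockname()[1]

        s4 = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        try:
            # Equivalent of a second ListenStream=0.0.0.0:<port> in the .socket unit
            s4.bind(("0.0.0.0", port))
            return False
        except OSError as e:
            if e.errno == errno.EADDRINUSE:
                return True
            raise
        finally:
            s4.close()
    finally:
        s6.close()


if __name__ == "__main__":
    for setting in (False, True):
        verdict = ipv4_bind_conflicts(setting)
        label = "ipv6-only" if setting else "both (dual-stack)"
        if verdict is None:
            print(f"IPV6_V6ONLY={int(setting)} ({label}): IPv6 unavailable, skipped")
        else:
            print(f"IPV6_V6ONLY={int(setting)} ({label}): "
                  f"IPv4 bind on same port {'CONFLICTS' if verdict else 'succeeds'}")
```

Run it as root or not, it does not matter: the port is kernel-chosen, so nothing else on the box is disturbed. Note that the `listen()` call matters for the check, since it is the listening dual-stack socket that owns both address families of the port.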