
Bug#1063842: openssh-server: Binding to a static IPv6 address causes sshd to fail at bootup



On Tue, Feb 13, 2024 at 01:13:17PM +0000, Bert wrote:
> I configured SSH with a static IPv6 ListenAddress.
> During bootup, SSH tries to start before the IPv6 address has been fully bound to the host (i.e. during duplicate address detection).
> This results in SSH failing to start with "Cannot bind any address" and a return code of 255.
> The systemd unit file for ssh contains "RestartPreventExitStatus=255" which causes it to give up when it encounters this error.
> In a cloud environment this is a critical failure as it renders the host inaccessible.
> The same thing occurs if the static IPv6 address is assigned a different way (e.g. via SLAAC or DHCPv6).
> If you remove this line, systemd tries again and succeeds once the address has been bound to the host. I generally also add "StartSec=15s" to prevent it trying too frequently.
> This manual change is not persistent, as it gets overwritten next time you update the package.

I suggest that in such unusual configurations you should use the After=
directive in the [Unit] section to ensure that ssh.service doesn't start
until the relevant other systemd unit has been started.  You can do this
in a way that persists across upgrades using a drop-in unit; see "man
systemd.unit" or use "systemctl edit ssh.service".

However, a simpler solution might well be to remove ListenAddress and
instead use firewall rules to restrict incoming SSH connections to only
the desired address(es), as is recommended in README.Debian.

-- 
Colin Watson (he/him)                              [cjwatson@debian.org]
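
A drop-in of the kind suggested in the reply above, as an added example that is not part of the original message or of the Debian package. The unit it orders after, network-online.target, is an assumption; substitute whichever unit actually brings up the IPv6 address on the host.

```ini
# /etc/systemd/system/ssh.service.d/override.conf
# This is the file that "systemctl edit ssh.service" creates. It lives
# under /etc, outside the packaged unit file, so a package upgrade that
# replaces ssh.service leaves it in place.

[Unit]
# Assumption: network-online.target is the unit that signals the address
# named in ListenAddress is configured. Replace it with the unit that
# configures that address on this host if it is a different one.
#
# After= only orders the two units; Wants= additionally pulls the target
# into the boot transaction so that there is something to order against.
Wants=network-online.target
After=network-online.target
```

If the file is written by hand rather than through "systemctl edit", run "systemctl daemon-reload" afterwards; "systemctl cat ssh.service" then shows the packaged unit followed by the drop-in.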

