Bug#512209: Please don't touch sshd from interfaces-up
On Sun, Jan 18, 2009 at 05:59:18PM +0100, Peter Palfrader wrote:
> Package: openssh-server
> Version: 1:5.1p1-5
> | * Check that /var/run/sshd.pid exists and that the process ID listed there
> | corresponds to sshd before running '/etc/init.d/ssh reload' from if-up
> | script; SIGHUP is racy if called at boot before sshd has a chance to
> | install its signal handler, but fortunately the pid file is written
> | after that which lets us avoid the race (closes: #502444).
> | * While the above is a valuable sanity-check, it turns out that it doesn't
> | really fix the bug (thanks to Kevin Price for testing), so for the
> | meantime we'll just use '/etc/init.d/ssh restart', even though it is
> | unfortunately heavyweight.
> Why restart it at all? There's little point in the default
> configuration where sshd listens on INADDR_ANY.
> At least make it configurable and don't mess with it from interfaces by

Hmm. This was in response to:
... where somebody did appear to be having a genuine problem. I've CCed
him; Perry, perhaps you can elaborate, since your request and Peter's

I vaguely remember some problem where INADDR_ANY meant "all the
interfaces that happen to be up at bind() time" rather than "all the
interfaces that are up whenever packets arrive". Am I hallucinating? I
can't find any proof of that now that I look for it, and I agree that it
ought not to be necessary; indeed, I can't reproduce the need for this
if-up script with current openssh-server.

Anyway, I'm happy to remove this (or at least move it to an examples
directory for people having problems). However, I'm conscious that I
have already pushed my luck for late changes in openssh for lenny since
the udebs it produces are built into some d-i initrds. Peter, is this
actually causing you a problem beyond inefficiency?
(It is, of course, configurable already due to being a conffile script
Colin Watson [email@example.com]
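
The sanity check described in the quoted changelog (the pid file exists and the PID in it belongs to sshd before a reload is attempted), written out as an added example; it is not part of this message or of the openssh-server package. It assumes Linux's `/proc/PID/comm`, and the function names and the `PROC_ROOT` variable are hypothetical. As the changelog itself notes, this check did not fix the boot-time SIGHUP race.

```shell
#!/bin/sh
# Added example: guard for a hook script (for instance under if-up.d)
# that wants to reload a daemon only when its pid file is trustworthy.
# PROC_ROOT and both function names are assumptions of this sketch.

PROC_ROOT="${PROC_ROOT:-/proc}"

# pid_matches PIDFILE NAME
# Succeeds only if PIDFILE holds a purely numeric PID and the running
# process with that PID has command name NAME.
pid_matches() {
    pidfile=$1
    want=$2
    [ -r "$pidfile" ] || return 1               # no pid file: not started
    pid=$(head -n 1 "$pidfile" | tr -d '[:space:]')
    case $pid in
        ''|*[!0-9]*) return 1 ;;                # empty or not a number
    esac
    [ -r "$PROC_ROOT/$pid/comm" ] || return 1   # stale pid file
    have=$(cat "$PROC_ROOT/$pid/comm") || return 1
    [ "$have" = "$want" ]                       # PID reused by another program?
}

# reload_if_running PIDFILE NAME COMMAND...
# Runs COMMAND only when the check passes; otherwise does nothing and
# returns success, so the hook does not fail when the daemon is not running.
reload_if_running() {
    pidfile=$1
    name=$2
    shift 2
    if pid_matches "$pidfile" "$name"; then
        "$@"
    else
        return 0
    fi
}

# Typical call from a hook script (paths as given in the changelog):
#   reload_if_running /var/run/sshd.pid sshd /etc/init.d/ssh reload
```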