
Bug#1063842: openssh-server: Binding to a static IPv6 address causes sshd to fail at bootup



Hello Colin Watson,

13.02.24 14:30 Colin Watson:
> On Tue, Feb 13, 2024 at 01:13:17PM +0000, Bert wrote:
> > I configured SSH with a static IPv6 ListenAddress.
> > During bootup, SSH tries to start before the IPv6 address has been fully
> > bound to the host (i.e. during duplicate address detection). This results in
> > SSH failing to start with "Cannot bind any address" and a return code of
> > 255. The systemd unit file for ssh contains
> > "RestartPreventExitStatus=255", which causes it to give up when it
> > encounters this error. In a cloud environment this is a critical failure,
> > as it renders the host inaccessible. The same thing occurs if the static
> > IPv6 address is assigned a different way (e.g. via SLAAC or DHCPv6). If you
> > remove this line, systemd tries again and succeeds once the address has
> > been bound to the host. I generally also add "StartSec=15s" to prevent it
> > trying too frequently. This manual change is not persistent, as it gets
> > overwritten next time you update the package.
> I suggest that in such unusual configurations you should use the After=
> directive in the [Unit] section to ensure that ssh.service doesn't start
> until the relevant other systemd unit has been started.  You can do this
> in a way that persists across upgrades using a drop-in unit; see "man
> systemd.unit" or use "systemctl edit ssh.service".
> 
> However, a simpler solution might well be to remove ListenAddress and
> instead use firewall rules to restrict incoming SSH connections to only
> the desired address(es), as is recommended in README.Debian.

See also: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=965132

In some cases sshd just must not listen on the wildcard address.
Also consider the combination of another service listening on some IP 
addresses :22 and sshd on some other addresses :22 with the possibility that 
some of those IP addresses just will not come up for some reason and you want 
to access the host via already-up addresses to investigate/fix.

Therefore a solution using IP_FREEBIND is preferable IMO.

@Colin: what do you think about merging these two bugs and closing them by 
adding ssh@.socket?


Regards
Timo
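The two approaches discussed in this thread, written out as systemd drop-ins. This is an added example, not configuration from the bug report or from the Debian package; it assumes the package provides a socket-activated `ssh.socket` unit, and `2001:db8::1` is a documentation-range placeholder for the static address.

```ini
# Drop-in 1: /etc/systemd/system/ssh.service.d/wait-for-address.conf
# (the After= approach; create it with "systemctl edit ssh.service").
# Constructed example: delay sshd until network-online.target has been
# reached. Replace the target with whichever unit actually configures the
# static address; reaching network-online.target does not by itself
# guarantee that duplicate address detection has finished.
[Unit]
Wants=network-online.target
After=network-online.target

# Drop-in 2: /etc/systemd/system/ssh.socket.d/freebind.conf
# (the IP_FREEBIND approach via socket activation).
# Constructed example: systemd owns the listening socket and FreeBind=yes
# sets IP_FREEBIND on it, so the bind succeeds even while 2001:db8::1 is
# still tentative. The empty ListenStream= line clears the package's
# default wildcard listener before adding the specific address.
[Socket]
ListenStream=
ListenStream=[2001:db8::1]:22
FreeBind=yes
```

With the second drop-in, `ssh.socket` has to be enabled in place of `ssh.service` so that the socket, not sshd itself, performs the bind.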


