Hello Colin Watson,

13.02.24 14:30 Colin Watson:
> On Tue, Feb 13, 2024 at 01:13:17PM +0000, Bert wrote:
> > I configured SSH with a static IPv6 ListenAddress.
> >
> > During bootup, SSH tries to start before the IPv6 address has been fully
> > bound to the host (i.e. during duplicate address detection). This results in
> > SSH failing to start with "Cannot bind any address" and a return code of
> > 255. The systemd unit file for ssh contains
> > "RestartPreventExitStatus=255", which causes it to give up when it
> > encounters this error. In a cloud environment this is a critical failure,
> > as it renders the host inaccessible. The same thing occurs if the static
> > IPv6 address is assigned a different way (e.g. via SLAAC or DHCPv6). If you
> > remove this line, systemd tries again and succeeds once the address has
> > been bound to the host. I generally also add "StartSec=15s" to prevent it
> > trying too frequently. This manual change is not persistent, as it gets
> > overwritten next time you update the package.
>
> I suggest that in such unusual configurations you should use the After=
> directive in the [Unit] section to ensure that ssh.service doesn't start
> until the relevant other systemd unit has been started. You can do this
> in a way that persists across upgrades using a drop-in unit; see "man
> systemd.unit" or use "systemctl edit ssh.service".
>
> However, a simpler solution might well be to remove ListenAddress and
> instead use firewall rules to restrict incoming SSH connections to only
> the desired address(es), as is recommended in README.Debian.
See also: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=965132

In some cases sshd just must not listen on wildcard. Also consider the combination of another service listening on some IP addresses :22 and sshd on some other addresses :22, with the possibility that some of those IP addresses just will not come up for some reason and you want to access the host via already-up addresses to investigate/fix. Therefore a solution using IP_FREEBIND is preferable IMO.

@Colin: what do you think about merging these two bugs and closing them by adding ssh@.socket?

Regards
Timo
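The two approaches discussed in this thread (Colin's After= drop-in and Timo's IP_FREEBIND socket), as an added example that is not code from the bug report or from the openssh package. It assumes Debian's openssh-server ships ssh.service and ssh.socket, uses the documentation address 2001:db8::1 as a placeholder, and writes into a scratch root unless ROOT is set.

```shell
#!/bin/sh
# Added example, not code from the Debian bug thread. Generates persistent
# drop-ins for the two fixes discussed above. Assumptions: Debian ships
# ssh.service and ssh.socket; 2001:db8::1 is a placeholder address.
set -eu

# Option 1: keep ssh.service, order it after network-online.target and stop
# treating exit status 255 ("Cannot bind any address") as a reason to give up.
# Caveat: network-online.target does not guarantee DAD has finished, so the
# retry settings matter as much as the ordering.
write_service_dropin() {
    dir="$1/etc/systemd/system/ssh.service.d"
    mkdir -p "$dir"
    cat > "$dir/wait-for-address.conf" <<'EOF'
[Unit]
Wants=network-online.target
After=network-online.target
[Service]
# An empty assignment resets the packaged RestartPreventExitStatus=255.
RestartPreventExitStatus=
Restart=on-failure
RestartSec=15s
EOF
    echo "$dir/wait-for-address.conf"
}

# Option 2: socket activation with FreeBind=yes (IP_FREEBIND), so systemd
# binds the fixed address even before the kernel has finished configuring
# it; sshd is then started only on the first connection and never sees the
# bind failure. Replaces the packaged wildcard listener.
write_socket_dropin() {
    dir="$1/etc/systemd/system/ssh.socket.d"
    mkdir -p "$dir"
    cat > "$dir/freebind.conf" <<EOF
[Socket]
# An empty assignment clears ListenStream=22 from the packaged unit.
ListenStream=
ListenStream=[$2]:22
FreeBind=yes
EOF
    echo "$dir/freebind.conf"
}

# Write into a scratch directory for review; set ROOT=/ (as root) to apply.
# After applying option 2: systemctl daemon-reload &&
#   systemctl disable --now ssh.service && systemctl enable --now ssh.socket
root=${ROOT:-$(mktemp -d)}
write_service_dropin "$root"
write_socket_dropin "$root" 2001:db8::1
```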