Bug#1063842: openssh-server: Binding to a static IPv6 address causes sshd to fail at bootup
Thanks for the info on making a persistent change; this is helpful as a workaround for now. I had previously tried to make it start after networking or NetworkManager, without success. It seems it doesn't wait for DAD.

It would be better if SSHD didn't give up in scenarios like this and kept retrying to start. For hosts without physical access, a lack of SSHD can be a big problem.

Firewall rules are not always desirable, as enabling the firewall (and especially conntrack) can incur a significant performance hit or introduce other problems, for example on systems acting as routers or being used for network scanning. There are also other reasons to bind to specific addresses, for instance if you want to run something else on the same port but on a different address.

In any case, binding to a specific address is a documented feature of OpenSSH, so it should be usable.
Bug#1063842: openssh-server: Binding to a static IPv6 address causes sshd to fail at bootup
Hello Colin Watson,

13.02.24 14:30 Colin Watson:
> On Tue, Feb 13, 2024 at 01:13:17PM +, Bert wrote:
> > I configured SSH with a static IPv6 ListenAddress.
> > During bootup, SSH tries to start before the IPv6 address has been fully
> > bound to the host (ie during duplicate address detection). This results in
> > SSH failing to start with "Cannot bind any address" and a return code of
> > 255. The systemd unit file for ssh contains
> > "RestartPreventExitStatus=255" which causes it to give up when it
> > encounters this error. In a cloud environment this is a critical failure
> > as it renders the host inaccessible. The same thing occurs if the static
> > IPv6 address is assigned a different way (eg via SLAAC or DHCPv6). If you
> > remove this line, systemd tries again and succeeds once the address has
> > been bound to the host. I generally also add "StartSec=15s" to prevent it
> > trying too frequently. This manual change is not persistent, as it gets
> > overwritten next time you update the package.
>
> I suggest that in such unusual configurations you should use the After=
> directive in the [Unit] section to ensure that ssh.service doesn't start
> until the relevant other systemd unit has been started. You can do this
> in a way that persists across upgrades using a drop-in unit; see "man
> systemd.unit" or use "systemctl edit ssh.service".
>
> However, a simpler solution might well be to remove ListenAddress and
> instead use firewall rules to restrict incoming SSH connections to only
> the desired address(es), as is recommended in README.Debian.

See also: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=965132

In some cases sshd just must not listen on the wildcard address. Also consider the combination of another service listening on some IP addresses on :22 and sshd on some other addresses on :22, with the possibility that some of those IP addresses will just not come up for some reason and you want to access the host via the already-up addresses to investigate/fix.

Therefore a solution using IP_FREEBIND is preferable IMO.

@Colin: what do you think about merging these two bugs and closing them by adding ssh@.socket?

Regards
Timo
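To make the IP_FREEBIND proposal concrete, here is a small added example (not code from this thread, from OpenSSH or from the Debian package). It reproduces the kernel error that sshd turns into "Cannot bind any address" and then shows what the per-socket IP_FREEBIND option changes. It assumes a Linux host on which the documentation addresses 192.0.2.1 and 2001:db8::10 are not configured, so they stand in for a static ListenAddress whose DAD has not finished yet; the function and variable names are the example's own.

```python
"""Added example (not from the bug report or OpenSSH): reproduce the bind
failure behind sshd's "Cannot bind any address" and show how the
IP_FREEBIND socket option changes it.

Assumptions: Linux; 192.0.2.1 and 2001:db8::10 (documentation ranges) are
not configured on this host, so they stand in for an address whose DAD has
not completed.  Port 0 is used so no privilege is needed.
"""
import errno
import socket

# Option number from <linux/in.h>; the socket module may not export it.
# IP_FREEBIND at SOL_IP also applies to AF_INET6 sockets; Linux >= 4.15 adds
# IPV6_FREEBIND (78) at SOL_IPV6 as an equivalent spelling.
IP_FREEBIND = getattr(socket, "IP_FREEBIND", 15)


def try_bind(addr, port=0, freebind=False):
    """Bind a TCP listener to `addr` and report what the kernel said:
    "bound", an errno name such as "EADDRNOTAVAIL", or "no-socket" when the
    address family itself is unavailable (for example IPv6 disabled)."""
    family = socket.AF_INET6 if ":" in addr else socket.AF_INET
    try:
        sock = socket.socket(family, socket.SOCK_STREAM)
    except OSError:
        return "no-socket"
    with sock:
        if freebind:
            # Let bind() succeed for a local address that is not (yet) present;
            # the kernel starts delivering once the address is configured.
            sock.setsockopt(socket.IPPROTO_IP, IP_FREEBIND, 1)
        try:
            sock.bind((addr, port))
        except OSError as exc:
            return errno.errorcode.get(exc.errno, str(exc.errno))
        sock.listen(8)  # listening on an absent address is legal with FREEBIND
        return "bound"


def compare(addr):
    """Run the same bind with and without IP_FREEBIND, as an sshd
    ListenAddress would experience it while DAD is still running."""
    return {"plain": try_bind(addr), "freebind": try_bind(addr, freebind=True)}


if __name__ == "__main__":
    for a in ("192.0.2.1", "2001:db8::10"):
        print(a, compare(a))
```

Without the option the plain bind fails with EADDRNOTAVAIL, which is the condition sshd reports at boot; with it the listener is created immediately and starts accepting connections as soon as the address leaves the tentative state. Two caveats: the system-wide sysctl net.ipv6.ip_nonlocal_bind=1 has the same effect for every socket on the host and is therefore much broader than a per-socket option, and with either of them a mistyped ListenAddress no longer fails at startup, so the configured addresses should be checked against the interfaces after deployment.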
Bug#1063842: openssh-server: Binding to a static IPv6 address causes sshd to fail at bootup
On Tue, Feb 13, 2024 at 01:13:17PM +, Bert wrote:
> I configured SSH with a static IPv6 ListenAddress.
> During bootup, SSH tries to start before the IPv6 address has been fully
> bound to the host (ie during duplicate address detection).
> This results in SSH failing to start with "Cannot bind any address" and a
> return code of 255.
> The systemd unit file for ssh contains "RestartPreventExitStatus=255" which
> causes it to give up when it encounters this error.
> In a cloud environment this is a critical failure as it renders the host
> inaccessible.
> The same thing occurs if the static IPv6 address is assigned a different way
> (eg via SLAAC or DHCPv6).
> If you remove this line, systemd tries again and succeeds once the address
> has been bound to the host. I generally also add "StartSec=15s" to prevent it
> trying too frequently.
> This manual change is not persistent, as it gets overwritten next time you
> update the package.

I suggest that in such unusual configurations you should use the After=
directive in the [Unit] section to ensure that ssh.service doesn't start
until the relevant other systemd unit has been started. You can do this
in a way that persists across upgrades using a drop-in unit; see "man
systemd.unit" or use "systemctl edit ssh.service".

However, a simpler solution might well be to remove ListenAddress and
instead use firewall rules to restrict incoming SSH connections to only
the desired address(es), as is recommended in README.Debian.

-- 
Colin Watson (he/him) [cjwat...@debian.org]
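The drop-in approach above only helps if the unit sshd is ordered after actually waits for duplicate address detection, which is the gap the report describes. The following added example (not from the thread, the openssh package or systemd) shows one way to close it: a drop-in for ssh.service that undoes the packaged RestartPreventExitStatus=255, disables the start rate limit so retries continue, and runs a small pre-start check that returns only once the configured address is present and no longer tentative. Assumptions that are not in the thread: the ListenAddress is 2001:db8::10, the check is installed as /usr/local/sbin/wait-dad, and `ip -6 -o addr show` prints one address per line in the usual iproute2 one-line format; the sample output embedded below is constructed for the example. RestartSec= is the documented systemd directive for the retry delay the report refers to as "StartSec".

```python
"""Added example (not from the bug report, openssh or systemd): a systemd
drop-in for ssh.service that keeps retrying and waits for IPv6 DAD before
sshd binds, plus the pre-start check it calls.

Assumptions (not stated in the thread): ListenAddress is 2001:db8::10, this
script is installed as /usr/local/sbin/wait-dad, and `ip -6 -o addr show`
prints one address per line in the usual iproute2 one-line format.
"""
import ipaddress
import subprocess
import sys
import time

# Written to /etc/systemd/system/ssh.service.d/override.conf (the file that
# `systemctl edit ssh.service` creates).  An empty RestartPreventExitStatus=
# resets the packaged "255" so a failed bind is retried; StartLimitIntervalSec=0
# disables the start rate limit that would otherwise stop the retries; a
# failing ExecStartPre= counts as a failed start and is retried after RestartSec=.
DROPIN_TEMPLATE = """\
[Unit]
After=network-online.target
Wants=network-online.target
StartLimitIntervalSec=0

[Service]
ExecStartPre={check} {addr} {timeout}
RestartPreventExitStatus=
Restart=on-failure
RestartSec={restart_sec}s
"""

# Constructed sample output (the thread contains none), in the one-line
# format of `ip -6 -o addr show`: DAD still running, then finished.
SAMPLE_TENTATIVE = (
    "1: lo    inet6 ::1/128 scope host \\       valid_lft forever preferred_lft forever\n"
    "2: eth0    inet6 2001:db8::10/64 scope global tentative \\       "
    "valid_lft forever preferred_lft forever\n"
)
SAMPLE_READY = SAMPLE_TENTATIVE.replace(" tentative", "")


def render_dropin(addr, timeout=30, restart_sec=15, check="/usr/local/sbin/wait-dad"):
    """Return the drop-in text for one static ListenAddress."""
    return DROPIN_TEMPLATE.format(check=check, addr=addr, timeout=timeout,
                                  restart_sec=restart_sec)


def address_ready(ip_output, addr):
    """True when `addr` appears in `ip -6 -o addr show` output and DAD has
    finished, i.e. it carries neither the tentative nor the dadfailed flag."""
    want = ipaddress.ip_address(addr)
    for line in ip_output.splitlines():
        fields = line.split()
        if "inet6" not in fields:
            continue
        cidr = fields[fields.index("inet6") + 1]
        if ipaddress.ip_interface(cidr).ip != want:
            continue
        return not ({"tentative", "dadfailed"} & set(fields))
    return False


def wait_for_address(addr, timeout):
    """Poll the kernel until the address is usable or the deadline passes."""
    deadline = time.monotonic() + timeout
    while True:
        out = subprocess.run(["ip", "-6", "-o", "addr", "show"],
                             capture_output=True, text=True, check=False).stdout
        if address_ready(out, addr):
            return True
        if time.monotonic() >= deadline:
            return False
        time.sleep(1)


if __name__ == "__main__":
    # usage: wait-dad ADDR TIMEOUT_SECONDS   (exit 1 makes systemd retry ssh.service)
    if len(sys.argv) != 3:
        print(render_dropin("2001:db8::10"), end="")
        sys.exit(0)
    sys.exit(0 if wait_for_address(sys.argv[1], int(sys.argv[2])) else 1)
```

Run without arguments the script prints the drop-in; installed under the assumed path and referenced from ExecStartPre= it blocks ssh.service for at most the given number of seconds and, if the address still has not finished DAD, fails the start so that systemd retries after RestartSec instead of giving up. The check deliberately tests the specific address rather than network-online.target, because that target does not guarantee DAD has completed for a particular static address.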
Bug#1063842: openssh-server: Binding to a static IPv6 address causes sshd to fail at bootup
Package: openssh-server
Version: 1:9.2p1-2+deb12u2
Severity: important
Tags: ipv6
X-Debbugs-Cc: b...@rptbgd.firenzee.com

Dear Maintainer,

I configured SSH with a static IPv6 ListenAddress.
During bootup, SSH tries to start before the IPv6 address has been fully bound to the host (ie during duplicate address detection). This results in SSH failing to start with "Cannot bind any address" and a return code of 255.
The systemd unit file for ssh contains "RestartPreventExitStatus=255" which causes it to give up when it encounters this error.
In a cloud environment this is a critical failure as it renders the host inaccessible.
The same thing occurs if the static IPv6 address is assigned a different way (eg via SLAAC or DHCPv6).
If you remove this line, systemd tries again and succeeds once the address has been bound to the host. I generally also add "StartSec=15s" to prevent it trying too frequently.
This manual change is not persistent, as it gets overwritten next time you update the package.

-- System Information:
Debian Release: 12.5
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable-security'), (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 6.1.0-10-cloud-amd64 (SMP w/2 CPU threads; PREEMPT)
Locale: LANG=C.UTF-8, LC_CTYPE=C.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages openssh-server depends on:
ii  adduser                    3.134
ii  debconf [debconf-2.0]      1.5.82
ii  init-system-helpers        1.65.2
ii  libaudit1                  1:3.0.9-1
ii  libc6                      2.36-9+deb12u4
ii  libcom-err2                1.47.0-2
ii  libcrypt1                  1:4.4.33-2
ii  libgssapi-krb5-2           1.20.1-2+deb12u1
ii  libkrb5-3                  1.20.1-2+deb12u1
ii  libpam-modules             1.5.2-6+deb12u1
ii  libpam-runtime             1.5.2-6+deb12u1
ii  libpam0g                   1.5.2-6+deb12u1
ii  libselinux1                3.4-1+b6
ii  libssl3                    3.0.11-1~deb12u2
ii  libsystemd0                252.22-1~deb12u1
ii  libwrap0                   7.6.q-32
ii  openssh-client             1:9.2p1-2+deb12u2
ii  openssh-sftp-server        1:9.2p1-2+deb12u2
ii  procps                     2:4.0.2-3
ii  runit-helper               2.15.2
ii  sysvinit-utils [lsb-base]  3.06-4
ii  ucf                        3.0043+nmu1
ii  zlib1g                     1:1.2.13.dfsg-1

Versions of packages openssh-server recommends:
ii  libpam-systemd [logind]  252.22-1~deb12u1
pn  ncurses-term
pn  xauth

Versions of packages openssh-server suggests:
pn  molly-guard
pn  monkeysphere
pn  ssh-askpass
pn  ufw

-- debconf information:
  openssh-server/permit-root-login: true
  openssh-server/password-authentication: false