[Bug 2512] New: Use IP_FREEBIND if available for sshd listening socket
bugzilla-daemon at bugzilla.mindrot.org
Wed Dec 9 01:04:36 AEDT 2015
https://bugzilla.mindrot.org/show_bug.cgi?id=2512
Bug ID: 2512
Summary: Use IP_FREEBIND if available for sshd listening socket
Product: Portable OpenSSH
Version: 7.1p1
Hardware: Other
OS: Linux
Status: NEW
Keywords: patch
Severity: enhancement
Priority: P5
Component: sshd
Assignee: unassigned-bugs at mindrot.org
Reporter: jjelen at redhat.com
Created attachment 2763
--> https://bugzilla.mindrot.org/attachment.cgi?id=2763&action=edit
proposed patch
I had the feeling that this issue was discussed here or on the mailing
list, but I can't find it anywhere, so I am opening a new bug.
# Background
Systemd starts the sshd server quite early during the boot sequence, which
means that in some setups the address of a network interface might not be
available yet. This causes sshd to fail (if there is only one default
ListenAddress option) and the start is tried again later, when the address
is ready to use.
# Problem
When multiple ListenAddress entries (local and non-local or not yet
existent) are defined in sshd_config, the initial startup fails only on
the non-local address, but the overall start is successful. This results in
sshd listening only on the localhost address, which is usually not very
useful.
# Solution
This can be solved by setting the listening socket option IP_FREEBIND,
which allows binding even to non-existent or non-local addresses, as
described in [1]. This feature has been available in Linux since 2.4.
There is still a workaround available with the system-wide boolean
/proc/sys/net/ipv4/ip_nonlocal_bind, but having this set up fine-grained
per socket seems more reasonable.
# Downside
The only downside I can think of is that users will not see configuration
errors if they mistype an IP address in the configuration file.
This could be solved by enabling this only based on some other option or
environment variable (not part of the attached patch). The patch was tested
on RHEL 7.0.
[1] http://linux.die.net/man/7/ip
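The behaviour described in the report, reduced to a small Linux-only C program. This is an added example, not the attached patch and not sshd code: it binds each entry of a constructed ListenAddress-style list once without and once with IP_FREEBIND and counts how many binds succeed. 192.0.2.1 (TEST-NET-1) stands in for an address that is not yet configured on any interface, or a typo; port 0 is used so the program runs unprivileged. The bind_listener and bind_all helpers are illustrative names chosen here.

```c
/* Added example (not from the bug report or its patch): models the sshd
 * ListenAddress problem with and without IP_FREEBIND. Linux-only, since
 * IP_FREEBIND is a Linux socket option (available since 2.4). */
#define _GNU_SOURCE
#include <arpa/inet.h>
#include <errno.h>
#include <netinet/in.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

/* Create a TCP socket and bind it to addr:port. If freebind is non-zero,
 * IP_FREEBIND is set first so that bind() also accepts an address that is
 * not (yet) configured on any local interface. Setting IP_FREEBIND needs
 * no capability, unlike the system-wide ip_nonlocal_bind sysctl.
 * Returns the bound fd on success or -errno on failure. */
static int bind_listener(const char *addr, uint16_t port, int freebind)
{
    struct sockaddr_in sin;
    int fd, one = 1, err;

    memset(&sin, 0, sizeof(sin));
    sin.sin_family = AF_INET;
    sin.sin_port = htons(port);
    if (inet_pton(AF_INET, addr, &sin.sin_addr) != 1)
        return -EINVAL;             /* unparsable address: always a config error */

    fd = socket(AF_INET, SOCK_STREAM, 0);
    if (fd < 0)
        return -errno;

    /* The option must be set before bind(); it has no effect afterwards. */
    if (freebind &&
        setsockopt(fd, IPPROTO_IP, IP_FREEBIND, &one, sizeof(one)) < 0) {
        err = errno; close(fd); return -err;
    }
    if (bind(fd, (struct sockaddr *)&sin, sizeof(sin)) < 0) {
        err = errno; close(fd); return -err;   /* EADDRNOTAVAIL without freebind */
    }
    return fd;
}

/* Mimic sshd's loop over several ListenAddress entries: try each one,
 * continue on failure (as sshd does), and return how many listeners were
 * actually bound. */
static int bind_all(const char *const *addrs, size_t n, int freebind)
{
    int bound = 0;
    for (size_t i = 0; i < n; i++) {
        int fd = bind_listener(addrs[i], 0, freebind);
        if (fd < 0) {
            fprintf(stderr, "bind %s failed: %s\n", addrs[i], strerror(-fd));
            continue;
        }
        close(fd);                  /* a real daemon would keep it and listen() */
        bound++;
    }
    return bound;
}

/* Constructed address list (hypothetical sshd_config): loopback plus an
 * address this host does not have. */
static const char *const listen_addrs[] = { "127.0.0.1", "192.0.2.1" };

int main(void)
{
    size_t n = sizeof(listen_addrs) / sizeof(listen_addrs[0]);
    /* Without IP_FREEBIND only loopback binds: the "listening only on
     * localhost" outcome from the report. */
    printf("without IP_FREEBIND: %d of %zu bound\n",
           bind_all(listen_addrs, n, 0), n);
    /* With IP_FREEBIND both bind, including the absent address. A mistyped
     * but syntactically valid address would bind just as silently, which
     * is the downside noted in the report. */
    printf("with IP_FREEBIND:    %d of %zu bound\n",
           bind_all(listen_addrs, n, 1), n);
    return 0;
}
```

Note that IP_FREEBIND only makes bind() succeed; no connection can reach that listener until the address is actually assigned to an interface, and a malformed address string still fails at inet_pton regardless of the option, so only valid-but-wrong addresses are hidden by it.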