Implementing IP_FREEBIND in OpenSSH

Dmitry Belyavskiy dbelyavs at redhat.com
Mon Jul 26 18:12:55 AEST 2021 

Hello,

We have a following proposal to implement IP_FREEBIND in OpenSSH
=========
There are multiple customer requests implementing for sshd the possibility
to bind to the specific IP address which is not (yet) configured on any
interface. Relevant RHEL/Fedora bug links:
https://bugzilla.redhat.com/show_bug.cgi?id=1096081,
https://bugzilla.redhat.com/show_bug.cgi?id=1936538

When there is defined multiple ListenAddress (local and non-local or yet
non-existent) in sshd_config, the initial startup does fail only on
non-local address, but the overall start is successful. This results in
sshd listening only on localhost address which is usually not very useful.

It may be useful for users to avoid startup failure and errors in the logs
during openssh daemon startup when listening to a specific address.

There was an upstream feature request
https://bugzilla.mindrot.org/show_bug.cgi?id=2512

The downside is a lack of diagnostics in cases when the ListenAddress is
specified with an error (e.g.typo).

Implementing IP_FREEBIND and allowing sshd to bind and listen on an ip,
even if networkmanager has not yet finished setting up the network. A basic
implementation is rather simple, e.g
https://bugzilla.mindrot.org/attachment.cgi?id=2763

To avoid the downside mentioned before, it can be avoided by providing
either a separate configuration option (ListenAddressNonlocal) or some
syntax sugar when specifying the IP address.

The solution can be made more or less portable: BSD systems support similar
functionality SO_BINDANY, which can make it more acceptable upstream.
FreeBSD support different flag names with the same semantics in different
versions: IP_FREEBIND, IP_NONLOCALOK for older versions,
IP_BINDANY/IPV6_BINDANY. Using such options in FreeBSD and other BSD
systems may require extra privileges.

https://www.freebsd.org/cgi/man.cgi?query=nsd.conf&sektion=5&manpath=freebsd-release-ports

https://github.com/wahern/cqueues/issues/66

Use requires root rights/special privilegies in FreeBSD. Linux allows this
without capabilities

(from https://github.com/microsoft/WSL/issues/460)

Old versions of FreeBSD used IP_NONLOCALOK with the same semantics and
limitation.

See also
https://lists.nlnetlabs.nl/pipermail/unbound-users/2017-November/004985.html
patch for unbound desired to solve a similar problem.

Windows and Solaris seem not to have the option with IP_FREEBIND semantics.

=========
Is there any interest in this proposal?

Many thanks in advance!
-- 
Dmitry Belyavskiy

More information about the openssh-unix-dev mailing list