Implementing IP_FREEBIND in OpenSSH

Dmitry Belyavskiy dbelyavs at redhat.com
Wed Jul 28 17:46:54 AEST 2021


Dear Damien,

On Wed, Jul 28, 2021 at 1:19 AM Damien Miller <djm at mindrot.org> wrote:

> On Tue, 27 Jul 2021, Dmitry Belyavskiy wrote:
>
> Perhaps make ip_nonlocal_bind=2 allow root to bind non-locally without
> restriction. That might solve the problem for sshd and all other network
> daemons?
>

Yes. It's one of the currently recommended workarounds.

If SO_BINDANY does turn out to be cross platform without heavy caveats,
> then perhaps a flag on this existing Listen directive would be more
> acceptable, e.g. "Listen 111.222.33.44 bindany" - there is prior art
> for such flags in the existing "rdomain" one.
>

Yes, it's the reasonable syntax for this purpose. Many thanks for the clue!


-- 
Dmitry Belyavskiy


More information about the openssh-unix-dev mailing list