[Bug 2512] New: Use IP_FREEBIND if available for sshd listening socket

bugzilla-daemon at bugzilla.mindrot.org
Wed Dec 9 01:04:36 AEDT 2015


https://bugzilla.mindrot.org/show_bug.cgi?id=2512

            Bug ID: 2512
           Summary: Use IP_FREEBIND if available for sshd listening socket
           Product: Portable OpenSSH
           Version: 7.1p1
          Hardware: Other
                OS: Linux
            Status: NEW
          Keywords: patch
          Severity: enhancement
          Priority: P5
         Component: sshd
          Assignee: unassigned-bugs at mindrot.org
          Reporter: jjelen at redhat.com

Created attachment 2763
  --> https://bugzilla.mindrot.org/attachment.cgi?id=2763&action=edit
proposed patch

I had the feeling that this issue was discussed here or on the mailing
list, but I can't find it anywhere, so I am opening a new bug.

# Background
Systemd starts the sshd server quite early during the boot sequence, which
means that in some setups the address of a network interface might not be
available yet. This causes sshd to fail (if there is only one default
ListenAddress option) and the start is retried later, when the address
is ready to use.

# Problem
When multiple ListenAddress entries (local and non-local or
not-yet-existent) are defined in sshd_config, the initial startup fails only on
the non-local address, but the overall start is successful. This results in
sshd listening only on the localhost address, which is usually not very
useful.

# Solution
This can be solved by setting the listening socket option IP_FREEBIND,
which allows binding even to non-existing or non-local addresses, as
described in [1]. This feature has been available in Linux since 2.4.

There is still a workaround available with the system-wide boolean
/proc/sys/net/ipv4/ip_nonlocal_bind, but having this set up fine-grained
per socket seems more reasonable.

# Downside
The only downside I can think of is that users will not see
configuration errors if they mistype an IP address in the configuration file.
This could be solved by enabling this only based on some other option or
environment variable (not part of the attached patch). The patch was tested on
RHEL 7.0.
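The following is an added illustration of the socket option discussed in the Solution and Downside sections above; it is not the attached patch and not OpenSSH code. It binds a TCP listener to a given IPv4 address with or without IP_FREEBIND, and, because IP_FREEBIND silently accepts a mistyped address, it adds the kind of check a deployment would want: a getifaddrs() lookup that warns when the bound address is not currently configured on any interface. The address 192.0.2.1 is a documentation-range address chosen here as a constructed example of a non-local address; the function names are this example's own.

```c
#define _GNU_SOURCE
#include <arpa/inet.h>
#include <errno.h>
#include <ifaddrs.h>
#include <netinet/in.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

/* Returns 1 if `addr` (dotted IPv4) is assigned to some local interface right now,
 * 0 if it is not, -1 on error. Used to make a "bound to a non-local address"
 * situation visible even though IP_FREEBIND lets the bind succeed. */
int address_is_local(const char *addr)
{
    struct in_addr want;
    if (inet_pton(AF_INET, addr, &want) != 1)
        return -1;
    struct ifaddrs *ifa_list;
    if (getifaddrs(&ifa_list) != 0)
        return -1;
    int found = 0;
    for (struct ifaddrs *ifa = ifa_list; ifa != NULL; ifa = ifa->ifa_next) {
        if (ifa->ifa_addr == NULL || ifa->ifa_addr->sa_family != AF_INET)
            continue;
        const struct sockaddr_in *sin = (const struct sockaddr_in *)ifa->ifa_addr;
        if (sin->sin_addr.s_addr == want.s_addr) {
            found = 1;
            break;
        }
    }
    freeifaddrs(ifa_list);
    return found;
}

/* Bind a TCP socket to addr:port (port 0 lets the kernel pick one).
 * Returns the socket fd (>= 0) on success, -errno on failure.
 * With freebind != 0 the Linux IP_FREEBIND option is set first, so the bind
 * also succeeds for addresses that do not (yet) exist on this host. */
int bind_listener(const char *addr, unsigned short port, int freebind)
{
    struct sockaddr_in sin;
    memset(&sin, 0, sizeof sin);
    sin.sin_family = AF_INET;
    sin.sin_port = htons(port);
    if (inet_pton(AF_INET, addr, &sin.sin_addr) != 1)
        return -EINVAL;

    int fd = socket(AF_INET, SOCK_STREAM, 0);
    if (fd < 0)
        return -errno;

    if (freebind) {
#ifdef IP_FREEBIND
        int one = 1;
        if (setsockopt(fd, IPPROTO_IP, IP_FREEBIND, &one, sizeof one) != 0) {
            int e = errno;
            close(fd);
            return -e;
        }
#else
        close(fd);
        return -ENOTSUP; /* option is Linux-specific */
#endif
    }

    if (bind(fd, (struct sockaddr *)&sin, sizeof sin) != 0) {
        int e = errno;
        close(fd);
        return -e;
    }

    /* The downside named in the report: a typo in the address is no longer an
     * error. Surface it as a warning so operators can still spot it in logs. */
    if (freebind && address_is_local(addr) == 0)
        fprintf(stderr, "warning: bound %s:%u, which is not configured on any interface yet\n",
                addr, (unsigned)port);
    return fd;
}

/* Convenience wrapper: 0 if the bind succeeds (socket closed again), -errno otherwise. */
int try_bind(const char *addr, unsigned short port, int freebind)
{
    int fd = bind_listener(addr, port, freebind);
    if (fd < 0)
        return fd;
    close(fd);
    return 0;
}

int main(void)
{
    printf("127.0.0.1 plain    : %d\n", try_bind("127.0.0.1", 0, 0));   /* 0 */
    printf("192.0.2.1 plain    : %d\n", try_bind("192.0.2.1", 0, 0));   /* -EADDRNOTAVAIL */
    printf("192.0.2.1 freebind : %d\n", try_bind("192.0.2.1", 0, 1));   /* 0, plus warning */
    return 0;
}
```

Without IP_FREEBIND the second bind fails with EADDRNOTAVAIL, which is exactly the failure the report describes for a ListenAddress that is not up yet; with the option set the bind succeeds and only the warning reveals that the address is absent. Note that the check is a snapshot: an address that is merely late (the boot-order case) also triggers the warning, so it is informational rather than a reason to abort.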

[1] http://linux.die.net/man/7/ip
