Bug#1063842: openssh-server: Binding to a static IPv6 address causes sshd to fail at bootup

Tue, 13 Feb 2024 05:15:14 -0800 

Package: openssh-server
Version: 1:9.2p1-2+deb12u2
Severity: important
Tags: ipv6
X-Debbugs-Cc: b...@rptbgd.firenzee.com

Dear Maintainer,

I configured SSH with a static IPv6 ListenAddress.
During bootup, SSH tries to start before the IPv6 address has been fully bound 
to the host (ie during duplicate address detection)
This results in SSH failing to start with "Cannot bind any address" and a 
return code of 255.
The systemd unit file for ssh contains "RestartPreventExitStatus=255" which 
causes it to give up when it encounters this error.
In a cloud environment this is a critical failure as it renders the host 
inaccessible.
The same thing occurs if the static IPv6 address is assigned a different way 
(eg via SLAAC or DHCPv6)
If you remove this line, systemd tries again and succeeds once the address has 
been bound to the host. I generally also add "StartSec=15s" to prevent it 
trying too frequently.
This manual change is not persistent, as it gets overwritten next time you 
update the package.

-- System Information:
Debian Release: 12.5
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable-security'), (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 6.1.0-10-cloud-amd64 (SMP w/2 CPU threads; PREEMPT)
Locale: LANG=C.UTF-8, LC_CTYPE=C.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages openssh-server depends on:
ii  adduser                    3.134
ii  debconf [debconf-2.0]      1.5.82
ii  init-system-helpers        1.65.2
ii  libaudit1                  1:3.0.9-1
ii  libc6                      2.36-9+deb12u4
ii  libcom-err2                1.47.0-2
ii  libcrypt1                  1:4.4.33-2
ii  libgssapi-krb5-2           1.20.1-2+deb12u1
ii  libkrb5-3                  1.20.1-2+deb12u1
ii  libpam-modules             1.5.2-6+deb12u1
ii  libpam-runtime             1.5.2-6+deb12u1
ii  libpam0g                   1.5.2-6+deb12u1
ii  libselinux1                3.4-1+b6
ii  libssl3                    3.0.11-1~deb12u2
ii  libsystemd0                252.22-1~deb12u1
ii  libwrap0                   7.6.q-32
ii  openssh-client             1:9.2p1-2+deb12u2
ii  openssh-sftp-server        1:9.2p1-2+deb12u2
ii  procps                     2:4.0.2-3
ii  runit-helper               2.15.2
ii  sysvinit-utils [lsb-base]  3.06-4
ii  ucf                        3.0043+nmu1
ii  zlib1g                     1:1.2.13.dfsg-1

Versions of packages openssh-server recommends:
ii  libpam-systemd [logind]  252.22-1~deb12u1
pn  ncurses-term             <none>
pn  xauth                    <none>

Versions of packages openssh-server suggests:
pn  molly-guard   <none>
pn  monkeysphere  <none>
pn  ssh-askpass   <none>
pn  ufw           <none>

-- debconf information:
  openssh-server/permit-root-login: true
  openssh-server/password-authentication: false

Reply via email to