Hallo Colin Watson,

13.02.24 14:30 Colin Watson:
> On Tue, Feb 13, 2024 at 01:13:17PM +0000, Bert wrote:
> > I configured SSH with a static IPv6 ListenAddress.
> > During bootup, SSH tries to start before the IPv6 address has been fully
> > bound to the host (ie during duplicate address detection) This results in
> > SSH failing to start with "Cannot bind any address" and a return code of
> > 255. The systemd unit file for ssh contains
> > "RestartPreventExitStatus=255" which causes it to give up when it
> > encounters this error. In a cloud environment this is a critical failure
> > as it renders the host inaccessible. The same thing occurs if the static
> > IPv6 address is assigned a different way (eg via SLAAC or DHCPv6) If you
> > remove this line, systemd tries again and succeeds once the address has
> > been bound to the host. I generally also add "StartSec=15s" to prevent it
> > trying too frequently. This manual change is not persistent, as it gets
> > overwritten next time you update the package.
> I suggest that in such unusual configurations you should use the After=
> directive in the [Unit] section to ensure that ssh.service doesn't start
> until the relevant other systemd unit has been started.  You can do this
> in a way that persists across upgrades using a drop-in unit; see "man
> systemd.unit" or use "systemctl edit ssh.service".
> However, a simpler solution might well be to remove ListenAddress and
> instead use firewall rules to restrict incoming SSH connections to only
> the desired address(es), as is recommended in README.Debian.

See also: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=965132

In some cases sshd just must not listen on wildcard.
Also consider the combination of another service listening on some IP 
addresses :22 and sshd on some other addresses :22 with the possibility that 
some of those IP addresses just will not come up for some reason and you want 
to access the host via already-up addresses to investigate/fix.

Therefore a solution using IP_FREEBIND is preferable IMO.

@Colin: what do you think about merging these two bugs and closing them by 
adding ssh@.socket?


Attachment: signature.asc
Description: This is a digitally signed message part.

Reply via email to