Bug 2036451

Summary: error: Bind to port 22 on 172.16.0.1 failed: Cannot assign requested address
Product: [Fedora] Fedora
Reporter: Egbert S. <s.egbert>
Component: openssh
Assignee: Dmitry Belyavskiy <dbelyavs>
Status: CLOSED DUPLICATE
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: high
Priority: unspecified
Version: 35
CC: crypto-team, dbelyavs, dwalsh, jjelen, lkundrak, mattias.ellert, tm
Target Milestone: ---
Flags: fedora-admin-xmlrpc: mirror+
Target Release: ---
Hardware: x86_64
OS: Linux
Last Closed: 2022-01-03 18:48:32 UTC
Type: Bug

Description Egbert S. 2022-01-01 21:18:10 UTC
Description of problem:

OpenSSH daemon is struggling to define a network socket to each interface (but not all) with different port numbers.

Turned off 'SELinux', same problem persists.



Version-Release number of selected component (if applicable):

- OpenSSH v8.7p1
  - OpenSSL 1.1.11
  - FIPS 24 Aug 2021


How reproducible:

- 100% reproducible in Fedora 35 under SELinux.  All 4 sockets failed.

- Partially reproducible under disabled SELinux: two sockets failed.

- Works normally in Debian 8 and Debian 9: All 4 sockets successfully opened.



Steps to Reproduce:

1.  Edit `/etc/ssh/sshd_config`
2.  Add/replace 'Port'  with `Port 922`
3.  Add/replace `ListenAddress` with following

```
Port 922
ListenAddress 127.0.0.1:922  # this one gets port 922
ListenAddress 172.28.130.3   # this one gets port 922
ListenAddress 10.10.0.1:22   # port 22
ListenAddress 172.16.0.1:22  # port 22
```

4. Add '922' to `ssh_port_t`

```
  semanage port --add -t ssh_port_t -r 's0' -p 922
```

5. Restart `sshd.service` unit file 



Actual results:

In `/var/log/messages`, the following error message occurred:

```
Jan  1 15:35:31 helium sshd[686]: error: Bind to port 22 on 172.16.0.1 failed: Cannot assign requested address.
Jan  1 15:35:31 helium sshd[686]: error: Bind to port 22 on 10.10.0.1 failed: Cannot assign requested address.

```


Expected results:

To be able to execute `lsof -i -n` for SSH and get the following output:

```
sshd     929   root    3u  IPv4  24195      0t0  TCP 172.28.130.3:922 (LISTEN)
sshd     929   root    4u  IPv4  24197      0t0  TCP 172.16.0.1:ssh (LISTEN)
sshd     929   root    5u  IPv4  24199      0t0  TCP 10.10.0.1:ssh (LISTEN)
sshd     929   root    6u  IPv4  24201      0t0  TCP 127.0.0.1:922 (LISTEN)
```


Additional info:

Had to BOOT to get into this strange SSH multi-socket state.  Repeated systemd restart of `sshd.service` often restores the problem.   Quite an urgent situation when the box is remote.

Disabling SELinux opens HALF of those ports, at 922/tcp, at boot-up time.

Something is blocking port 22 during bootup, because port 922/tcp socket got created at bootup and sshd daemon opened only those 922 ones.  A simple `systemctl restart sshd.service` allows 4 ports to open.
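
An added example, not part of the original report or of OpenSSH: a Python check that expands the `Port`/`ListenAddress` directives from the steps above into the (address, port) pairs sshd should bind, then matches them against the `Bind to port ... failed` log lines. The function names are hypothetical, the sample inputs are constructed from the values shown in this report, and stripping trailing `#` comments is an assumption of this parser.

```python
import re

# Constructed sample inputs, built from the values shown in this report.
SSHD_CONFIG = """\
Port 922
ListenAddress 127.0.0.1:922  # this one gets port 922
ListenAddress 172.28.130.3   # this one gets port 922
ListenAddress 10.10.0.1:22   # port 22
ListenAddress 172.16.0.1:22  # port 22
"""
LOG = """\
Jan  1 15:35:31 helium sshd[686]: error: Bind to port 22 on 172.16.0.1 failed: Cannot assign requested address.
Jan  1 15:35:31 helium sshd[686]: error: Bind to port 22 on 10.10.0.1 failed: Cannot assign requested address.
"""
BIND_FAIL = re.compile(r"sshd\[\d+\]: error: Bind to port (\d+) on (\S+) failed: (.+?)\.?$")

def expected_listeners(config_text):
    """Return the (address, port) pairs the config asks sshd to bind."""
    ports, addrs = [], []
    for raw in config_text.splitlines():
        fields = raw.split("#", 1)[0].split()    # assumption: drop '#' comments
        if len(fields) < 2:
            continue
        key, value = fields[0].lower(), fields[1]
        if key == "port":
            ports.append(int(value))
        elif key == "listenaddress":
            addrs.append(value)
    ports = ports or [22]                         # sshd default when no Port is set
    pairs = []
    for value in addrs:
        host, sep, port = value.rpartition(":")
        if sep and port.isdigit() and (host.startswith("[") or ":" not in host):
            pairs.append((host.strip("[]"), int(port)))   # host:port or [v6]:port
        else:                                     # no port given: every Port applies
            pairs.extend((value.strip("[]"), p) for p in ports)
    return pairs

def failed_binds(log_text):
    """Map (address, port) -> error text for each bind failure sshd logged."""
    hits = (BIND_FAIL.search(line) for line in log_text.splitlines())
    return {(m.group(2), int(m.group(1))): m.group(3) for m in hits if m}

def audit(config_text, log_text):
    """Pair every configured listener with its logged bind error, or None."""
    failed = failed_binds(log_text)
    return [(e, failed.get(e)) for e in expected_listeners(config_text)]
```

Running `audit(SSHD_CONFIG, LOG)` after boot flags the two port-22 listeners while the 922 ones report `None`, which is the split the report describes with SELinux disabled.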

Comment 1 Egbert S. 2022-01-01 21:26:31 UTC
I often debug OpenSSH for in-house code reviews and put my hardening findings into https://github.com/egberts/easy-admin/490-net-ssh

But this variant of OpenSSH is my first time that I can no longer conduct a decent GDB session on sshd binary given the additional (but strange) constraints being put on by the removal of PAM, the additional `systemd` settings (no strace allowed), and this socket issue.

I'm open to suggestions on how to continue debugging this OpenSSH daemon.

Comment 2 Dmitry Belyavskiy 2022-01-03 10:54:32 UTC
Isn't it a duplicate of bz#1936538?

Comment 3 Egbert S. 2022-01-03 18:48:32 UTC
Now that I have reviewed this 'duplicate', this BZ is a duplicate of bz#1936538.

*** This bug has been marked as a duplicate of bug 1936538 ***