Bug 1936538 - [RFE] sshd should use IP_FREEBIND
Summary: [RFE] sshd should use IP_FREEBIND
Keywords:
Status: CLOSED NOTABUG
Alias: None
Product: Red Hat Enterprise Linux 8
Classification: Red Hat
Component: openssh
Version: 8.4
Hardware: Unspecified
OS: Unspecified
Priority: medium
Severity: unspecified
Target Milestone: rc
Target Release: ---
Assignee: Dmitry Belyavskiy
QA Contact: BaseOS QE Security Team
URL:
Whiteboard:
Duplicates: 1096081 2001221 2036451 2079827 2131524 (view as bug list)
Depends On:
Blocks: network-online.target
Reported: 2021-03-08 17:38 UTC by Andrea Perotti
Modified: 2024-12-20 19:44 UTC (History)
CC List: 9 users

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2022-02-01 13:37:53 UTC
Type: Bug
Target Upstream Version:
Embargoed:




Links:
Red Hat Knowledge Base (Solution) 6955521 (last updated 2022-04-28 13:10:47 UTC)

Description Andrea Perotti 2021-03-08 17:38:10 UTC
1. What is the nature and description of the request?  

sshd does not use the IP_FREEBIND socket option, which allows an application to bind to an IP address that is not (yet) configured on any interface.

2. Why would you need this? (List the business requirements here)

To avoid startup failure and errors in the logs during openssh daemon startup when listening to a specific address.

3. How would you like to achieve this? (List the functional requirements here)  

Implementing IP_FREEBIND and allowing sshd to bind and listen on an IP, even if NetworkManager has not yet finished setting up the network.

4. For each functional requirement listed, specify how you can test to confirm the requirement is successfully implemented.   

Have networks configured via dhcpd and delay the configuration of the NICs.

5. Do you have any specific timeline dependencies ?  

asap

6. Would you be able to assist in testing this functionality if implemented?

Sure
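The socket option this request is about, shown as an added example that is not the reporter's or OpenSSH's code: it sets up a listening socket the way sshd does and binds it to a constructed, unconfigured address (192.0.2.1, TEST-NET-1) with and without IP_FREEBIND, which is exactly the difference that decides whether a ListenAddress bind fails when the interface is configured late.

```c
/* Added example, not sshd's code: what IP_FREEBIND changes for a listening
 * socket. bind_probe() mimics sshd's listen-socket setup (socket,
 * SO_REUSEADDR, bind, listen) and returns 0 on success or the errno of the
 * failing call. 192.0.2.1 is a constructed address that no local interface
 * owns, standing in for a ListenAddress that is not configured yet. */
#include <arpa/inet.h>
#include <errno.h>
#include <netinet/in.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

/* port 0 lets the kernel pick an ephemeral port, so no privilege is needed.
 * freebind != 0 sets IP_FREEBIND before bind(), as the RFE asks sshd to do. */
int bind_probe(const char *addr, unsigned short port, int freebind)
{
    struct sockaddr_in sin;
    int fd, one = 1, err = 0;

    memset(&sin, 0, sizeof sin);
    sin.sin_family = AF_INET;
    sin.sin_port = htons(port);
    if (inet_pton(AF_INET, addr, &sin.sin_addr) != 1)
        return EINVAL;                     /* not a dotted-quad address */

    fd = socket(AF_INET, SOCK_STREAM, 0);
    if (fd < 0)
        return errno;
    /* sshd sets SO_REUSEADDR on its listen sockets. */
    if (setsockopt(fd, SOL_SOCKET, SO_REUSEADDR, &one, sizeof one) < 0)
        err = errno;
    /* The option the RFE is about: allow binding an address the host does
     * not (yet) own, so a late-configured interface does not fail startup. */
    else if (freebind &&
             setsockopt(fd, IPPROTO_IP, IP_FREEBIND, &one, sizeof one) < 0)
        err = errno;
    else if (bind(fd, (struct sockaddr *)&sin, sizeof sin) < 0)
        err = errno;                       /* EADDRNOTAVAIL without freebind */
    else if (listen(fd, 8) < 0)
        err = errno;
    close(fd);
    return err;
}

int main(void)
{
    const char *addr = "192.0.2.1";        /* constructed, not configured locally */
    printf("without IP_FREEBIND: %s\n", strerror(bind_probe(addr, 0, 0)));
    printf("with    IP_FREEBIND: %s\n", strerror(bind_probe(addr, 0, 1)));
    return 0;
}
```

Without the option the bind fails with EADDRNOTAVAIL, which is the startup failure the report describes; with it the kernel accepts the bind and traffic starts flowing once the address is configured.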

Comment 15 Dmitry Belyavskiy 2021-09-04 16:51:03 UTC
*** Bug 2001221 has been marked as a duplicate of this bug. ***

Comment 16 Dmitry Belyavskiy 2021-11-12 16:19:50 UTC
*** Bug 1096081 has been marked as a duplicate of this bug. ***

Comment 17 Thorsten Scherf 2021-11-19 08:59:07 UTC
Dmitry, based on https://marc.info/?l=openssh-unix-dev&m=162745909408274&w=2, what are we going to do with this request?

Comment 19 Egbert S. 2021-12-12 19:37:37 UTC
Some real world use-case examples:

Port 22 open on the internal netdev interfaces and Port 2222 on the external netdev interfaces.

Many router-based Red Hat systems will be impacted by this inability to set multiple SSH port numbers.

Example `sshd_config`

```
Port 2222
ListenAddress 172.28.140.1:22
ListenAddress 172.28.200.1:22
ListenAddress 0.0.0.0
```


Running CentOS 8.4, OpenSSH v8.0.

Comment 20 Egbert S. 2022-01-03 18:48:32 UTC
*** Bug 2036451 has been marked as a duplicate of this bug. ***

Comment 21 Egbert S. 2022-01-03 19:02:15 UTC
I found a workaround to this issue from a comment in another duplicate, BZ#2001221:
~~~~~~~~~~~~~~~~

Adding 'After=network-online.target' as a dependency under the sshd.service unit file helps to start sshd without fail.

But any future updates of openssh-server will override these changes. Need a permanent solution.

Comment 22 Jakub Jelen 2022-01-04 14:51:27 UTC
(In reply to Egbert S. from comment #21)
> I found a workaround to this issue from a comment in another duplicate
> BZ#2001221 :
> ~~~~~~~~~~~~~~~~
> 
> Adding 'After=network-online.target' as a dependency under the sshd.service
> unit file helps to start sshd without fail.
> 
> But any future updates of openssh-server will override these changes. Need a
> permanent solution.

You should not modify the service file under /usr/lib, but create a service file in /etc/systemd/system/sshd.service with this content (or use the drop-in directory /etc/systemd/system/sshd.service.d/) to provide local modifications, and reload systemd to apply the changes.

Comment 23 Egbert S. 2022-01-08 21:47:34 UTC
We can do this workaround by executing:

    systemctl edit sshd.service

and inserting the following:

    [Unit]
    After=network-online.target

which will put our tiny fixes in and hopefully survive through any clobbering by its future package upgrade.

Comment 24 Dmitry Belyavskiy 2022-02-01 13:37:53 UTC
I tend to close this bug as WONTFIX. There is a feasible workaround, and a proper fix will require a bit more effort than we can apply.

Comment 25 Dmitry Belyavskiy 2022-04-28 10:32:45 UTC
*** Bug 2079827 has been marked as a duplicate of this bug. ***

Comment 26 Dmitry Belyavskiy 2022-10-06 15:57:41 UTC
*** Bug 2131524 has been marked as a duplicate of this bug. ***
