[Bug 1674330] [NEW] Please consider dropping /etc/network/if-up.d/openssh-server
Perry E. Metzger
perry at piermont.com
Mon Mar 20 17:14:07 UTC 2017
On Mon, 20 Mar 2017 13:26:35 -0000 Launchpad Bug Tracker
<1674330 at bugs.launchpad.net> wrote:
> You have been subscribed to a public bug by Martin Pitt (pitti):
>
> The /etc/network/if-up.d/openssh-server hack was introduced ten
> years ago [1] as a response to bug 103436. At least from today's
> perspective this isn't justified:
>
> I can't seem to be able to actually reproduce that issue: I can
> start a VM with no network interfaces, remove the above hack, then
> start sshd, then bring up an ethernet interface, and I can connect
> to ssh via ethernet just fine.
sshd has no internal support to open and close listening addresses on
its own, so I suspect you're wrong. Why don't you try the actual use
case, which is changing addresses rather than an initial open?
However, I haven't used ubuntu in at least eight years and have no
way to help you.
> Also, e. g. Fedora has no
> counterpart of this hack, and these days a lot of people would
> complain if that would cause problems,
How many people regularly ssh into their laptops on multiple
networks? I would guess very few.
> The hack introduces a race: you run into connection errors after
> bringing up a new interface as sshd stops listening briefly while
> being reloaded.
Well, yah, but when you change networks you're also not listening to
the network. This isn't a race, this is just expected behavior. Even
if sshd did this on its own this would happen.
And it isn't a "hack", this is exactly what ifup/down scripts are for.
Perry
--
Perry E. Metzger perry at piermont.com
--
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to openssh in Ubuntu.
https://bugs.launchpad.net/bugs/1674330
Title:
Please consider dropping /etc/network/if-up.d/openssh-server
Status in openssh package in Ubuntu:
New
Bug description:
The /etc/network/if-up.d/openssh-server hack was introduced ten years ago [1] as a response to bug
103436. At least from today's perspective this isn't justified:
I can't seem to be able to actually reproduce that issue: I can start
a VM with no network interfaces, remove the above hack, then start
sshd, then bring up an ethernet interface, and I can connect to ssh
via ethernet just fine. Also, e. g. Fedora has no counterpart of this
hack, and these days a lot of people would complain if that would
cause problems, as hotpluggable/roaming network devices are
everywhere.
The hack introduces a race: you run into connection errors after
bringing up a new interface as sshd stops listening briefly while
being reloaded. That's the reason why I looked at it, as this
regularly happens in upstream's cockpit integration tests.
Also, /etc/network/if-up.d/ isn't being run when using
networkd/netplan, i. e. in more recent Ubuntu cloud instances. So far
this doesn't seem to have caused any issues.
I asked the original reporter of bug 103436 for some details, and to
check whether that hack is still necessary. There is actually a
proposed patch upstream [2] to use IP_FREEBIND, which is the modern
solution to listening to all "future" interfaces as well. But at least
for the majority of cases it seems to work fine without that even.
So I wonder if it's time to bury that hack?
[1] https://anonscm.debian.org/cgit/pkg-ssh/openssh.git/commit/?id=ba6b55ed6
[2] https://bugzilla.mindrot.org/show_bug.cgi?id=2512
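The behaviour the two sides are arguing about can be observed directly: a plain bind() to an address that no local interface carries yet fails with EADDRNOTAVAIL (which is why a daemon started before the interface, or never reloaded after an address change, never listens there), while the IP_FREEBIND option from the upstream proposal lets the bind succeed ahead of the address appearing. The script below is an added illustration, not code from the bug, the Debian hook or the upstream patch; it is Linux-specific and assumes the constructed TEST-NET-1 address 192.0.2.10 is not configured on the machine running it.

```python
import errno
import socket

# Linux-only option; older Python builds may not export the name, the
# kernel value from <linux/in.h> is 15 (assumption: running on Linux).
IP_FREEBIND = getattr(socket, "IP_FREEBIND", 15)

# Constructed sample address from TEST-NET-1 (RFC 5737), assumed not to
# be configured on any local interface, i.e. a "future" interface address.
NOT_YET_LOCAL = "192.0.2.10"


def try_bind(addr, port=0, freebind=False):
    """Try to open a TCP listener on addr.

    Returns None when bind()+listen() succeed, otherwise the errno of
    the failure. Port 0 lets the kernel pick a free port.
    """
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    try:
        if freebind:
            # Allow binding to an address that is not (yet) local.
            s.setsockopt(socket.IPPROTO_IP, IP_FREEBIND, 1)
        s.bind((addr, port))
        s.listen(1)
        return None
    except OSError as e:
        return e.errno
    finally:
        s.close()


def compare(addr=NOT_YET_LOCAL):
    """Bind the same not-yet-local address with and without IP_FREEBIND.

    Returns symbolic errno names (or None on success) so the outcome is
    readable: the plain bind is expected to report EADDRNOTAVAIL.
    """
    plain = try_bind(addr)
    free = try_bind(addr, freebind=True)
    return {
        "plain_error": errno.errorcode.get(plain) if plain else None,
        "freebind_error": errno.errorcode.get(free) if free else None,
    }


if __name__ == "__main__":
    print(compare())
```

Note that IP_FREEBIND only affects the bind; connections still cannot reach the listener until an interface actually carries the address, so it removes the need for the reload hook without changing when the service becomes reachable.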