Hello,

We have the following proposal to implement IP_FREEBIND in OpenSSH

=========

There are multiple customer requests for implementing in sshd the possibility to bind to a specific IP address which is not (yet) configured on any interface. Relevant RHEL/Fedora bug links:
https://bugzilla.redhat.com/show_bug.cgi?id=1096081
https://bugzilla.redhat.com/show_bug.cgi?id=1936538

When multiple ListenAddress entries (local and non-local or not-yet-existent) are defined in sshd_config, the initial startup fails only on the non-local address, but the overall start is successful. This results in sshd listening only on the localhost address, which is usually not very useful. It may be useful for users to avoid startup failure and errors in the logs during openssh daemon startup when listening on a specific address. There was an upstream feature request: https://bugzilla.mindrot.org/show_bug.cgi?id=2512

The downside is a lack of diagnostics in cases when the ListenAddress is specified with an error (e.g. a typo).

Implementing IP_FREEBIND allows sshd to bind and listen on an IP even if NetworkManager has not yet finished setting up the network. A basic implementation is rather simple, e.g. https://bugzilla.mindrot.org/attachment.cgi?id=2763

The downside mentioned before can be avoided by providing either a separate configuration option (ListenAddressNonlocal) or some syntax sugar when specifying the IP address.

The solution can be made more or less portable: BSD systems support similar functionality via SO_BINDANY, which can make it more acceptable upstream. FreeBSD supports different flag names with the same semantics in different versions: IP_FREEBIND, IP_NONLOCALOK for older versions, IP_BINDANY/IPV6_BINDANY. Using such options in FreeBSD and other BSD systems may require extra privileges.
https://www.freebsd.org/cgi/man.cgi?query=nsd.conf&sektion=5&manpath=freebsd-release-ports
https://github.com/wahern/cqueues/issues/66

Use requires root rights/special privileges in FreeBSD. Linux allows this without capabilities (from https://github.com/microsoft/WSL/issues/460). Old versions of FreeBSD used IP_NONLOCALOK with the same semantics and limitation.

See also https://lists.nlnetlabs.nl/pipermail/unbound-users/2017-November/004985.html, a patch for unbound intended to solve a similar problem.

Windows and Solaris seem not to have an option with IP_FREEBIND semantics.

=========

Is there any interest in this proposal?

Many thanks in advance!

--
Dmitry Belyavskiy

_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@xxxxxxxxxxx
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
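The behaviour the proposal relies on, as an added stand-alone example (this is not code from the proposal, from the attached mindrot patch, or from OpenSSH): a TCP socket is bound to an address that is not configured on any interface, once without and once with the non-local bind option. On Linux the option is IP_FREEBIND and needs no privilege; the FreeBSD (IP_BINDANY) and OpenBSD (SO_BINDANY, a SOL_SOCKET-level option) names are mapped in as the proposal describes, and require privilege there. The function name try_bind and the BIND_UNSUPPORTED sentinel are the example's own; 192.0.2.1 (the RFC 5737 documentation range) is a constructed address assumed not to be configured on the host running it, and port 0 is used so no fixed port is needed.

```c
/* Added example: bind a listening socket on a not-yet-configured address,
 * without and with the platform's non-local bind socket option. */
#define _GNU_SOURCE
#include <arpa/inet.h>
#include <errno.h>
#include <netinet/in.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

#if defined(IP_FREEBIND)          /* Linux: unprivileged */
#  define NONLOCAL_LEVEL IPPROTO_IP
#  define NONLOCAL_OPT   IP_FREEBIND
#elif defined(IP_BINDANY)         /* FreeBSD: needs privilege */
#  define NONLOCAL_LEVEL IPPROTO_IP
#  define NONLOCAL_OPT   IP_BINDANY
#elif defined(SO_BINDANY)         /* OpenBSD: socket-level option, needs privilege */
#  define NONLOCAL_LEVEL SOL_SOCKET
#  define NONLOCAL_OPT   SO_BINDANY
#endif

/* Returned when the platform offers no non-local bind option at all. */
#define BIND_UNSUPPORTED (-1)

/*
 * Bind (and optionally listen) a TCP socket on addr, port 0.
 * Returns 0 on success, the errno of the failing call otherwise, or
 * BIND_UNSUPPORTED if nonlocal was requested but no option exists here.
 */
int try_bind(const char *addr, int nonlocal, int do_listen)
{
    struct sockaddr_in sin;
    int fd, rc = 0;

    memset(&sin, 0, sizeof sin);
    sin.sin_family = AF_INET;
    sin.sin_port = htons(0);            /* ephemeral port: enough for the demo */
    if (inet_pton(AF_INET, addr, &sin.sin_addr) != 1)
        return EINVAL;

    fd = socket(AF_INET, SOCK_STREAM, 0);
    if (fd < 0)
        return errno;

    if (nonlocal) {
#ifdef NONLOCAL_OPT
        int one = 1;
        /* Must be set before bind(); this one call is the core of what the
         * proposal adds to sshd, the rest is the config knob deciding when. */
        if (setsockopt(fd, NONLOCAL_LEVEL, NONLOCAL_OPT, &one, sizeof one) < 0)
            rc = errno;
#else
        rc = BIND_UNSUPPORTED;
#endif
    }
    if (rc == 0 && bind(fd, (struct sockaddr *)&sin, sizeof sin) < 0)
        rc = errno;                     /* EADDRNOTAVAIL for a non-local address */
    if (rc == 0 && do_listen && listen(fd, 8) < 0)
        rc = errno;

    close(fd);
    return rc;
}

static void report(const char *what, int rc)
{
    if (rc == 0)
        printf("%-40s ok\n", what);
    else if (rc == BIND_UNSUPPORTED)
        printf("%-40s no non-local bind option on this platform\n", what);
    else
        printf("%-40s %s\n", what, strerror(rc));
}

int main(void)
{
    /* Constructed non-local address (RFC 5737 TEST-NET-1). */
    const char *nonlocal_addr = "192.0.2.1";

    /* Plain bind: the failure sshd currently logs for such a ListenAddress. */
    report("bind 192.0.2.1 without option", try_bind(nonlocal_addr, 0, 1));
    /* With the option set, both bind() and listen() succeed. */
    report("bind 192.0.2.1 with option", try_bind(nonlocal_addr, 1, 1));
    /* Control: a wildcard bind always works. */
    report("bind 0.0.0.0", try_bind("0.0.0.0", 0, 1));
    return 0;
}
```

The second run also shows the diagnostic downside the proposal mentions: with the option set, a mistyped address binds and listens without any error, so nothing in the logs distinguishes "address not configured yet" from "address will never exist". An AF_INET6 listener on Linux needs the separate IPV6_FREEBIND option (IPPROTO_IPV6 level) for the same effect, which a sshd patch covering both address families would have to set as well.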