On Tue, 27 Jul 2021, Dmitry Belyavskiy wrote:

> >
> > Couldn't you achieve the same result without modification to sshd
> > by using the ip_nonlocal_bind flag in the Linux kernel?
> >
>
> Yes, it is a possible workaround, but this flag is a system-level one, so it
> doesn't provide any granularity.

Perhaps make ip_nonlocal_bind=2 allow root to bind non-locally without
restriction. That might solve the problem for sshd and all other network
daemons?

Otherwise, I don't want to add another configuration directive for a niche,
platform-specific feature when the same effect could be achieved through
existing configuration (systemd dependencies, socket activation, wildcard
bind plus packet filtering, etc).

If SO_BINDANY does turn out to be cross platform without heavy caveats, then
perhaps a flag on this existing Listen directive would be more acceptable,
e.g. "Listen 111.222.33.44 bindany" - there is prior art for such flags in
the existing "rdomain" one.

-d
_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@xxxxxxxxxxx
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
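The granularity point in the thread, as an added stand-alone example (not code from the thread or from OpenSSH): the global ip_nonlocal_bind sysctl affects every socket on the host, whereas a per-socket option (IP_FREEBIND on Linux, SO_BINDANY on OpenBSD) lets one daemon opt in to binding an address that is not yet configured locally. The address 192.0.2.1 is a constructed TEST-NET value chosen because it is not local on any normal host.

```c
#include <arpa/inet.h>
#include <errno.h>
#include <netinet/in.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

/* Per-socket "bind any address" option: Linux and OpenBSD spell it differently. */
#if defined(__linux__)
#define BINDANY_LEVEL IPPROTO_IP
#define BINDANY_OPT   IP_FREEBIND
#elif defined(__OpenBSD__)
#define BINDANY_LEVEL SOL_SOCKET
#define BINDANY_OPT   SO_BINDANY
#endif

/* Read the system-wide Linux sysctl the thread discusses; -1 if unavailable. */
int nonlocal_bind_sysctl(void) {
    FILE *f = fopen("/proc/sys/net/ipv4/ip_nonlocal_bind", "r");
    int v = -1;
    if (f == NULL) return -1;
    if (fscanf(f, "%d", &v) != 1) v = -1;
    fclose(f);
    return v;
}

/* Bind a TCP socket to addr:0, optionally enabling the per-socket option first.
 * Returns 0 on success or the errno from the failing call (EADDRNOTAVAIL is
 * what a daemon sees when the address is not local and no override is set). */
int try_bind(const char *addr, int bindany) {
    int fd = socket(AF_INET, SOCK_STREAM, 0);
    if (fd < 0) return errno;
#ifdef BINDANY_OPT
    int one = 1;
    if (bindany && setsockopt(fd, BINDANY_LEVEL, BINDANY_OPT, &one, sizeof(one)) < 0) {
        int e = errno; close(fd); return e;
    }
#else
    if (bindany) { close(fd); return ENOTSUP; }
#endif
    struct sockaddr_in sin;
    memset(&sin, 0, sizeof(sin));
    sin.sin_family = AF_INET;
    sin.sin_port = 0;
    if (inet_pton(AF_INET, addr, &sin.sin_addr) != 1) { close(fd); return EINVAL; }
    int e = bind(fd, (struct sockaddr *)&sin, sizeof(sin)) < 0 ? errno : 0;
    close(fd);
    return e;
}
```

Without the option, try_bind("192.0.2.1", 0) fails with EADDRNOTAVAIL unless the host-wide sysctl is already set; with it, only this socket is exempted.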