View Issue Details
ID | Project | Category | View Status | Date Submitted | Last Update |
---|---|---|---|---|---|
0000472 | AlmaLinux-9 | openssh | public | 2024-07-16 18:01 | 2024-07-26 02:56 |
Reporter | lordgurke | Assigned To | |||
Priority | normal | Severity | minor | Reproducibility | always |
Status | new | Resolution | open | ||
Platform | x86_64 | OS | AlmaLinux-9 | OS Version | AlmaLinux releas |
Summary | 0000472: sshd.service fails to bind to specified IPv6 addresses on boot because it won't wait for network configuration to complete | ||||
Description | When sshd is configured to listen on a specific IPv6 address, it won't be able to bind to that during boot when the network is configured with systemd-networkd. Message "error: Bind to port 22 on 2001:db8::2 failed: Cannot assign requested address" is logged, although the IP address is properly configured. Binding to specified IPv4 addresses works. This is caused by IPv6's DAD and the address being in a tentative state for 1-2 seconds. When DAD is disabled via sysctl, the problem does not occur anymore. It seems to be caused by an error in sshd's unit file: It is specified that sshd shall be started after "network.target", but this should be "network-online.target" instead to wait for the network to be fully configured. Some other services (i.e. vsftpd or openvpn-server) are configured to use network-online.target and don't show this kind of problem. | ||||
Steps To Reproduce | 1. Configure a static IPv6 address via systemd-networkd 2. Make sure DAD is enabled in sysctl (net.ipv6.conf.all.accept_dad=1, enabled by default) 3. Edit /etc/ssh/sshd_config to add/modify the line "ListenAddress 2001:db8::22". There should be no other "ListenAddress" directive enabled 4. Restart sshd.service and test if you can still login via IPv6 5. Reboot the system 6. Try to connect again via IPv6, this will fail with "Connection refused" 7. Check the journal for errors raised by sshd, you should find a line like this: > Jul 16 14:47:22 server systemd[1]: Started OpenSSH server daemon. > Jul 16 14:47:22 server sshd[2403]: error: Bind to port 22 on 2001:db8::2 failed: Cannot assign requested address. 8. Check the journal for messages from systemd-networkd-wait-online: > Jul 16 14:47:21 server systemd[1]: Starting Wait for Network to be Configured... > Jul 16 14:47:23 server systemd[1]: Finished Wait for Network to be Configured. The sshd service was started before the network setup was finished. 9. Restart the sshd service and try again to login - this time it should work 10. Optional: Disable DAD via sysctl configs and reboot again, this time sshd should be able to bind. | ||||
Additional Information | This problem can be solved by swapping out the line > After=network.target ... for > After=network-online.target in the sshd unit file. | ||||
Tags | No tags attached. | ||||
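
An added example, not part of the original report: a shell function that automates the journal check from steps 7 and 8, flagging sshd bind failures logged before "Wait for Network to be Configured" finished. The function names and the last sample line (address `2001:db8::99`) are constructed for illustration, and the input is assumed to be single-boot `journalctl -b -o short` output.

```shell
#!/usr/bin/env bash
# Added example (not from the bug report). Function names are hypothetical.

# Reads single-boot journal text (journalctl -b -o short) on stdin and prints
# one line per sshd bind failure:
#   race  = logged before wait-online finished (the ordering problem reported)
#   other = logged afterwards, so not explained by start ordering alone
find_early_bind_failures() {
    awk '
        # systemd-networkd-wait-online completed: network reported configured.
        /systemd\[1\]: Finished Wait for Network to be Configured/ { online = 1 }

        / sshd\[[0-9]+\]: error: Bind to port [0-9]+ on [^ ]+ failed: Cannot assign requested address/ {
            # Isolate "Bind to port <port> on <addr> failed" and split it.
            match($0, /Bind to port [0-9]+ on [^ ]+ failed/)
            split(substr($0, RSTART, RLENGTH), f, " ")
            printf "%s port=%s addr=%s\n", (online ? "other" : "race"), f[4], f[6]
        }
    '
}

# Sample input: the four journal lines quoted in the report, merged in
# timestamp order, plus one constructed line (2001:db8::99) after wait-online.
sample_journal() {
    cat <<'EOF'
Jul 16 14:47:21 server systemd[1]: Starting Wait for Network to be Configured...
Jul 16 14:47:22 server systemd[1]: Started OpenSSH server daemon.
Jul 16 14:47:22 server sshd[2403]: error: Bind to port 22 on 2001:db8::2 failed: Cannot assign requested address.
Jul 16 14:47:23 server systemd[1]: Finished Wait for Network to be Configured.
Jul 16 14:50:00 server sshd[2950]: error: Bind to port 22 on 2001:db8::99 failed: Cannot assign requested address.
EOF
}

# Demo: pass --demo.  Real use: journalctl -b -o short | find_early_bind_failures
if [ "${1:-}" = "--demo" ]; then
    sample_journal | find_early_bind_failures
fi
```

A `race` result points at the ordering change proposed in the report, which can be applied with a drop-in (`systemctl edit sshd.service`) instead of editing the packaged unit file. `After=` only orders units, so the drop-in also needs `Wants=network-online.target` for the target to be pulled into the boot transaction.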
I've seen a very similar problem in xrdp. The change suggested by the reporter looks reasonable to me; however, I'm surprised that Fedora/RHEL doesn't set After=network-online.target yet. https://github.com/neutrinolabs/xrdp/pull/3086 |