[Bug 1674330] [NEW] Please consider dropping /etc/network/if-up.d/openssh-server
Perry E. Metzger
perry at piermont.com
Sat Mar 25 12:41:10 UTC 2017
On Sat, 25 Mar 2017 09:57:26 -0000 Colin Watson
<cjwatson at canonical.com> wrote:
> On Mon, Mar 20, 2017 at 05:14:07PM -0000, Perry E. Metzger wrote:
> > And it isn't a "hack", this is exactly what ifup/down scripts are
> > for.
>
> They're useful for giving sysadmins the flexibility to do this sort
> of thing locally without too much work, but doing service restarts
> on if-{up,down} is an awfully big hammer that's generally better
> handled some other way if possible.
So why don't you get a laptop and try it out? Using a virtual machine
will not tell you what the behavior is if the network address is
forcibly changed on the machine, and there are other confounding
circumstances here like loss of network carrier when you change
location etc. (It may be possible to conduct a principled experiment
with virtual machines but it will not be particularly easy.)
You will have to make sure that the daemon continues to permit remote
logins on every new address it acquires.
> Not being the maintainer and not using Ubuntu any more, you might be
> unaware of how much work this hack has been to maintain over the
> years.
Many things are unpleasant to maintain but provide necessary
functionality. Again, what you should do is conduct an actual test.
Perry
--
Perry E. Metzger perry at piermont.com
--
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to openssh in Ubuntu.
https://bugs.launchpad.net/bugs/1674330
Title:
Please consider dropping /etc/network/if-up.d/openssh-server
Status in openssh package in Ubuntu:
New
Bug description:
The /etc/network/if-up.d/openssh-server hack was introduced ten years ago [1] as a response to bug
103436. At least from today's perspective this isn't justified:
I can't seem to be able to actually reproduce that issue: I can start
a VM with no network interfaces, remove the above hack, then start
sshd, then bring up an ethernet interface, and I can connect to ssh
via ethernet just fine. Also, e. g. Fedora has no counterpart of this
hack, and these days a lot of people would complain if that would
cause problems, as hotpluggable/roaming network devices are
everywhere.
The hack introduces a race: you run into connection errors after
bringing up a new interface as sshd stops listening briefly while
being reloaded. That's the reason why I looked at it, as this
regularly happens in upstream's cockpit integration tests.
Also, /etc/network/if-up.d/ isn't being run when using
networkd/netplan, i. e. in more recent Ubuntnu cloud instances. So far
this doesn't seem to have caused any issues.
I asked the original reporter of bug 103436 for some details, and to
check whether that hack is still necessary. There is actually a
proposed patch upstream [2] to use IP_FREEBIND, which is the modern
solution to listening to all "future" interfaces as well. But at least
for the majority of cases it seems to work fine without that even.
So I wonder if it's time to bury that hack?
[1] https://anonscm.debian.org/cgit/pkg-ssh/openssh.git/commit/?id=ba6b55ed6
[2] https://bugzilla.mindrot.org/show_bug.cgi?id=2512
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/openssh/+bug/1674330/+subscriptions
More information about the foundations-bugs
mailing list