• Bug#1103773: openssh-server: systemd unit to After=network-online.targe

    From Martin-Éric Racine@21:1/5 to All on Mon Apr 21 14:50:01 2025

    --- SoupGate-Win32 v1.05
    * Origin: fsxNet Usenet Gateway (21:1/5)
  • From Chris Hofstaedtler@21:1/5 to All on Mon Apr 21 15:00:01 2025
    * Martin-Éric Racine <martin-eric.racine@iki.fi> [250421 14:42]:
    > The systemd unit currently launches:
    >
    > After=network.target remote-fs.target nss-lookup.target
    >
    > This doesn't guarantee that we have acquired an IP address (see: https://www.freedesktop.org/wiki/Software/systemd/NetworkTarget/).
    >
    > Because of this, binding to an address using e.g. 'ListenAddress 192.168.1.12' will make sshd fail to launch if the interface hasn't acquired an IP yet.
    >
    > network-online.target should probably be added to the above to positively ensure that we've acquired an IP before sshd launches.

    network-online.target makes no guarantees on addresses, or even the
    specific address configured in sshd.conf.

    If it helps in your local setup, I'd encourage you to use a local
    override file.

    Chris

  • From Colin Watson@21:1/5 to Chris Hofstaedtler on Mon Apr 21 19:20:01 2025
    Control: severity -1 wishlist

    On Mon, Apr 21, 2025 at 02:49:14PM +0200, Chris Hofstaedtler wrote:
    > * Martin-Éric Racine <martin-eric.racine@iki.fi> [250421 14:42]:
    >> The systemd unit currently launches:
    >>
    >> After=network.target remote-fs.target nss-lookup.target
    >>
    >> This doesn't guarantee that we have acquired an IP address (see: https://www.freedesktop.org/wiki/Software/systemd/NetworkTarget/).
    >>
    >> Because of this, binding to an address using e.g. 'ListenAddress 192.168.1.12' will make sshd fail to launch if the interface hasn't acquired an IP yet.
    >>
    >> network-online.target should probably be added to the above to positively ensure that we've acquired an IP before sshd launches.
    >
    > network-online.target makes no guarantees on addresses, or even the
    > specific address configured in sshd.conf.

    Yeah, I think the requested change would be counterproductive for other
    users: a lot of people want sshd enabled as soon as possible, and most
    people don't explicitly set ListenAddress.

    > If it helps in your local setup, I'd encourage you to use a local
    > override file.

    I'd be happy to add additional advice about this to README.Debian if
    somebody else writes it. But ideally it'd be more fine-grained than
    just whacking in a dependency on network-online.target; perhaps we can
    advise people how to configure their system so that ssh.service waits
    for a particular interface to come up.

    Thanks,

    --
    Colin Watson (he/him) [cjwatson@debian.org]

  • From Chris Hofstaedtler@21:1/5 to All on Mon Apr 21 19:30:01 2025
    * Colin Watson <cjwatson@debian.org> [250421 19:09]:
    > Yeah, I think the requested change would be counterproductive for
    > other users: a lot of people want sshd enabled as soon as possible,
    > and most people don't explicitly set ListenAddress.

    +1

    >> If it helps in your local setup, I'd encourage you to use a local
    >> override file.
    >
    > I'd be happy to add additional advice about this to README.Debian if
    > somebody else writes it. But ideally it'd be more fine-grained than
    > just whacking in a dependency on network-online.target; perhaps we can
    > advise people how to configure their system so that ssh.service waits
    > for a particular interface to come up.

    Another way might be to set IP_FREEBIND, possibly with an sshd
    config option.

    Personally I just enable the ip_nonlocal_bind sysctl on machines
    where I intend to bind services (not just sshd) to specific IP
    addresses.

    Chris

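    As an added illustration of the failure Martin-Éric describes and of the two workarounds Chris mentions (this is example code written for this page, not from the bug thread or from OpenSSH): a small Linux C program binds a socket to an address that no local interface holds, first plainly, which fails with EADDRNOTAVAIL, then with IP_FREEBIND set, and reads the net.ipv4.ip_nonlocal_bind sysctl that makes the plain bind succeed system-wide. 192.0.2.12 is a constructed TEST-NET-1 address standing in for a ListenAddress whose interface has not come up yet; port 0 is used so no privilege is needed.

```c
#define _GNU_SOURCE
#include <arpa/inet.h>
#include <errno.h>
#include <netinet/in.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

/* Bind a TCP socket to addr:port as a daemon with a fixed ListenAddress does.
 * With freebind != 0, IP_FREEBIND (Linux-specific) is set first so the bind
 * succeeds with no interface holding the address yet.  Returns 0 or an errno. */
int try_bind(const char *addr, in_port_t port, int freebind)
{
    struct sockaddr_in sin = { .sin_family = AF_INET, .sin_port = htons(port) };
    int one = 1, e = 0;
    int fd = socket(AF_INET, SOCK_STREAM, 0);
    if (fd < 0)
        return errno;
    if (inet_pton(AF_INET, addr, &sin.sin_addr) != 1)
        e = EINVAL;
    else if (freebind && setsockopt(fd, IPPROTO_IP, IP_FREEBIND, &one, sizeof one) < 0)
        e = errno;
    else if (bind(fd, (struct sockaddr *)&sin, sizeof sin) < 0)
        e = errno;                 /* EADDRNOTAVAIL: the address is not local yet */
    close(fd);
    return e;
}

/* net.ipv4.ip_nonlocal_bind: 1 = any socket may bind a non-local address
 * (the system-wide form of IP_FREEBIND), 0 = local addresses only,
 * -1 = the sysctl is not readable in this environment. */
int nonlocal_bind_enabled(void)
{
    int v = -1;
    FILE *f = fopen("/proc/sys/net/ipv4/ip_nonlocal_bind", "r");
    if (f) {
        if (fscanf(f, "%d", &v) != 1) v = -1;
        fclose(f);
    }
    return v;
}

int main(void)
{
    const char *a = "192.0.2.12"; /* TEST-NET-1 address, a constructed sample */
    printf("ip_nonlocal_bind sysctl: %d\n", nonlocal_bind_enabled());
    printf("plain bind to %s: %s\n", a, strerror(try_bind(a, 0, 0)));
    printf("IP_FREEBIND bind to %s: %s\n", a, strerror(try_bind(a, 0, 1)));
    return 0;
}
```

    Since sshd exposes no IP_FREEBIND option (see Colin's note on the upstream bug below), the setsockopt branch shows what such an option would do; for an unmodified sshd only the sysctl or a unit ordering change avoids the failed bind.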
  • From Colin Watson@21:1/5 to Chris Hofstaedtler on Mon Apr 21 19:30:01 2025
    On Mon, Apr 21, 2025 at 07:16:46PM +0200, Chris Hofstaedtler wrote:
    > * Colin Watson <cjwatson@debian.org> [250421 19:09]:
    >> I'd be happy to add additional advice about this to README.Debian if
    >> somebody else writes it. But ideally it'd be more fine-grained than
    >> just whacking in a dependency on network-online.target; perhaps we
    >> can advise people how to configure their system so that ssh.service
    >> waits for a particular interface to come up.
    >
    > Another way might be to set IP_FREEBIND, possibly with an sshd config
    > option.

    FWIW upstream WONTFIXed a request for that (at least until it has more widespread OS support), and suggested the affected people just locally
    add a dependency on network-online.target: https://bugzilla.mindrot.org/show_bug.cgi?id=2512

    --
    Colin Watson (he/him) [cjwatson@debian.org]

  • From Timo Weingärtner@21:1/5 to Martin-Éric Racine on Mon Apr 21 20:15:55 2025
    Copy: 1103773@bugs.debian.org

    Hello Martin-Éric Racine,

    21.04.25 14:38 Martin-Éric Racine:
    > Package: openssh-server
    > Version: 1:9.9p2-2
    > Severity: normal
    > X-Debbugs-Cc: martin-eric.racine@iki.fi
    >
    > The systemd unit currently launches:
    >
    > After=network.target remote-fs.target nss-lookup.target
    >
    > This doesn't guarantee that we have acquired an IP address (see: https://www.freedesktop.org/wiki/Software/systemd/NetworkTarget/).
    >
    > Because of this, binding to an address using e.g. 'ListenAddress 192.168.1.12' will make sshd fail to launch if the interface hasn't
    > acquired an IP yet.
    >
    > network-online.target should probably be added to the above to positively ensure that we've acquired an IP before sshd launches.

    You might want to look at: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=965132

    If your problem is not something else needing to bind the same port, firewalling might be another solution.


    Regards
    Timo
