On Tue, Feb 13, 2024 at 01:13:17PM +0000, Bert wrote:
> I configured SSH with a static IPv6 ListenAddress.
> During bootup, SSH tries to start before the IPv6 address has been fully
> bound to the host (ie during duplicate address detection)
> This results in SSH failing to start with "Cannot bind any address" and a
> return code of 255.
> The systemd unit file for ssh contains "RestartPreventExitStatus=255" which
> causes it to give up when it encounters this error.
> In a cloud environment this is a critical failure as it renders the host
> inaccessible.
> The same thing occurs if the static IPv6 address is assigned a different way
> (eg via SLAAC or DHCPv6)
> If you remove this line, systemd tries again and succeeds once the address
> has been bound to the host. I generally also add "StartSec=15s" to prevent it
> trying too frequently.
> This manual change is not persistent, as it gets overwritten next time you
> update the package.

I suggest that in such unusual configurations you should use the After=
directive in the [Unit] section to ensure that ssh.service doesn't start
until the relevant other systemd unit has been started. You can do this
in a way that persists across upgrades using a drop-in unit; see
"man systemd.unit" or use "systemctl edit ssh.service".

However, a simpler solution might well be to remove ListenAddress and
instead use firewall rules to restrict incoming SSH connections to only
the desired address(es), as is recommended in README.Debian.

-- 
Colin Watson (he/him) [cjwat...@debian.org]
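
The drop-in described in the reply above, as an added example that is not part of the original message or of the Debian package. It assumes network-online.target is the unit that marks the address as usable on this host (substitute whichever unit actually does) and uses the file that "systemctl edit ssh.service" creates.

```ini
# /etc/systemd/system/ssh.service.d/override.conf
# This is the file "systemctl edit ssh.service" creates. It lives under
# /etc, separate from the packaged ssh.service, so a package upgrade
# does not overwrite it.

[Unit]
# Assumption: network-online.target stands in for "the relevant other
# systemd unit" from the reply. After= only orders the two units;
# Wants= pulls the target into the boot transaction so that there is
# actually something for ssh.service to be ordered after.
After=network-online.target
Wants=network-online.target
```

If the file is written by hand instead of through "systemctl edit", run "systemctl daemon-reload" afterwards; "systemctl cat ssh.service" then shows the packaged unit followed by the drop-in.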