author | Colin Watson <cjwatson@debian.org> | 2018-10-21 10:36:27 +0100 |
---|---|---|
committer | Colin Watson <cjwatson@debian.org> | 2018-10-21 10:38:28 +0100 |
commit | 02b3fee8901679a5e058f66691067675208a4ae5 (patch) | |
tree | 4285b09ce6cfd3226b1890972666015cb4aa030d /debian/README.Debian | |
parent | 2df9bff12640a33749f0f20ae806b6efac327116 (diff) |
Remove /etc/network/if-up.d/openssh-server
It causes more problems than it solves.
Add an "if-up hook removed" section to README.Debian documenting the
corner case that may need configuration adjustments.
Thanks, Christian Ehrhardt, Andreas Hasenack, and David Britton.
Closes: #789532
LP: #1037738, #1674330, #1718227
Diffstat (limited to 'debian/README.Debian')
-rw-r--r-- | debian/README.Debian | 21 |
1 files changed, 21 insertions, 0 deletions
diff --git a/debian/README.Debian b/debian/README.Debian index 58a5741b0..48f42c4e8 100644 --- a/debian/README.Debian +++ b/debian/README.Debian | |||
@@ -249,6 +249,27 @@ options related to it are now deprecated and should be removed from | |||
249 | The Protocol option is also no longer needed, although it is silently | 249 | The Protocol option is also no longer needed, although it is silently |
250 | ignored rather than deprecated. | 250 | ignored rather than deprecated. |
251 | 251 | ||
252 | if-up hook removed | ||
253 | ------------------ | ||
254 | |||
255 | openssh-server previously shipped an if-up hook that restarted sshd when a | ||
256 | network interface came up. This generally caused more problems than it | ||
257 | solved: for instance, it means that sshd stops listening briefly while being | ||
258 | restarted, which can cause problems in some environments, particularly | ||
259 | automated tests. | ||
260 | |||
261 | The only known situation where the if-up hook was useful was when | ||
262 | sshd_config was changed to add ListenAddress entries for particular IP | ||
263 | addresses, overriding the default of listening on all addresses, and the | ||
264 | system is one that often roams between networks. In such a situation, it is | ||
265 | better to remove ListenAddress entries from sshd_config (restoring it to the | ||
266 | default behaviour) and instead use firewall rules to restrict incoming SSH | ||
267 | connections to only the desired interfaces or addresses. | ||
268 | |||
269 | For further discussion, see: | ||
270 | |||
271 | https://bugs.launchpad.net/bugs/1674330 | ||
272 | |||
252 | -- | 273 | -- |
253 | Matthew Vernon <matthew@debian.org> | 274 | Matthew Vernon <matthew@debian.org> |
254 | Colin Watson <cjwatson@debian.org> | 275 | Colin Watson <cjwatson@debian.org> |
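Review bot: The second paragraph of the new "if-up hook removed" section (new lines 261-267) recommends removing ListenAddress entries and using firewall rules instead, but does not say in which order to make the two changes. Because removing the entries restores the default of listening on all addresses, the text should tell the administrator to put the firewall rules in place first and only then remove ListenAddress and restart sshd; otherwise there is a window in which sshd accepts connections on interfaces it was previously restricted from. Minor style point in the first paragraph (new lines 255-259): the tenses are mixed ("previously shipped" followed by "it means that sshd stops listening"); "it meant that sshd stopped listening" would read consistently for a hook that no longer exists.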