From 02b3fee8901679a5e058f66691067675208a4ae5 Mon Sep 17 00:00:00 2001 From: Colin Watson Date: Sun, 21 Oct 2018 10:36:27 +0100 Subject: Remove /etc/network/if-up.d/openssh-server It causes more problems than it solves. Add an "if-up hook removed" section to README.Debian documenting the corner case that may need configuration adjustments. Thanks, Christian Ehrhardt, Andreas Hasenack, and David Britton. Closes: #789532 LP: #1037738, #1674330, #1718227 --- debian/README.Debian | 21 +++++++++++++++++++++ 1 file changed, 21 insertions(+) (limited to 'debian/README.Debian') diff --git a/debian/README.Debian b/debian/README.Debian index 58a5741b0..48f42c4e8 100644 --- a/debian/README.Debian +++ b/debian/README.Debian @@ -249,6 +249,27 @@ options related to it are now deprecated and should be removed from The Protocol option is also no longer needed, although it is silently ignored rather than deprecated. +if-up hook removed +------------------ + +openssh-server previously shipped an if-up hook that restarted sshd when a +network interface came up. This generally caused more problems than it +solved: for instance, it means that sshd stops listening briefly while being +restarted, which can cause problems in some environments, particularly +automated tests. + +The only known situation where the if-up hook was useful was when +sshd_config was changed to add ListenAddress entries for particular IP +addresses, overriding the default of listening on all addresses, and the +system is one that often roams between networks. In such a situation, it is +better to remove ListenAddress entries from sshd_config (restoring it to the +default behaviour) and instead use firewall rules to restrict incoming SSH +connections to only the desired interfaces or addresses. + +For further discussion, see: + + https://bugs.launchpad.net/bugs/1674330 + -- Matthew Vernon Colin Watson -- cgit v1.2.3
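Review bot: In the second paragraph of the new "if-up hook removed" section, the advice to "remove ListenAddress entries from sshd_config (restoring it to the default behaviour) and instead use firewall rules" does not say in which order to do the two steps. Removing the entries first leaves sshd listening on all addresses until the firewall rules exist, so the text should tell the administrator to put the firewall rules in place and check them before removing ListenAddress and restarting sshd. The same paragraph does not say what an administrator who keeps ListenAddress entries on a roaming system should expect now that nothing restarts sshd when an interface comes up; one sentence stating that sshd is no longer restarted in that case would close the gap. Minor: the first paragraph mixes tenses ("caused more problems" followed by "it means that sshd stops listening"); past tense throughout fits a hook that no longer ships.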