[CentOS] sshd and problems with network vs NetworkManager

Fri May 12 10:22:52 UTC 2017
Gianluca Cecchi <gianluca.cecchi at gmail.com>

Hello,
I'm registering a strange new behavior after updating openssh on my CentOS
7.3 server.

First of all, the difference in systemd service configuration between
new openssh-server-6.6.1p1-35.el7_3.x86_64
and
old openssh-server-6.6.1p1-33.el7_3.x86_6

[root@c7service ~]# diff new_sshd.service old_sshd.service
8c8,9
< Type=notify
---
> Type=forking
> PIDFile=/var/run/sshd.pid
10c11
< ExecStart=/usr/sbin/sshd -D $OPTIONS
---
> ExecStart=/usr/sbin/sshd $OPTIONS
15d15
< RestartPreventExitStatus=255
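
Review bot: RestartPreventExitStatus=255 in the 15d15 hunk makes exit status 255 final for the new unit, so systemd will not retry a start that ends with that status, and nothing in the unit says which 255 failures are meant to be permanent. Consider leaving the directive out, or adding a comment beside it naming the failure it is meant to cover.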

The Type changed, and the RestartPreventExitStatus directive was also
added.

The effects I'm noticing are:

1) If using NetworkManager and no ListenAddress entry in sshd_config
--> all ok (listen on ipv4 and ipv6)

2) If using NetworkManager and I put ListenAddress=ip in sshd_config
--> all ok

3) If NetworkManager disabled and using only network service and no
ListenAddress entry in sshd_config
--> ok (listen on ipv4 and ipv6)

4) If NetworkManager disabled and using only network service and I put
ListenAddress=ip in sshd_config
--> ko with 255 error and so no restart

5) If NetworkManager disabled and using only network service and I put
ListenAddress=0.0.0.0
--> ok

6) If NetworkManager disabled and using only network service and I put
ListenAddress=ip and comment out the RestartPreventExitStatus line
--> ko with 255 error and after 42s restart and ok of sshd

Can anyone replicate on an RH EL and report?
Do you think I can open a bugzilla for this, or is NetworkManager supposed
to be kept running as official support?

I have a server with two network interfaces where I want to enable sshd
only on the second and I'm blocked if I disable NetworkManager.
In the meantime I have commented out the service line related to restart in
case of 255 error...
I see here that actually 255 is the common exit code for many sshd errors
and some discussions about Type of sshd service:
https://bugzilla.redhat.com/show_bug.cgi?id=1398360

In the changelog of the rpm between old and new releases I only see:

* Wed Mar 01 2017 Jakub Jelen <jjelen at redhat.com> - 6.6.1p1-35 + 0.9.3-9
- Do not send SD_NOTIFY from forked childern (#1381997)

* Fri Feb 24 2017 Jakub Jelen <jjelen at redhat.com> - 6.6.1p1-34 + 0.9.3-9
- Add SD_NOTIFY code to help systemd to track running service (#1381997)

Thanks in advance,
Gianluca
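
Added example (not part of the original post and not code from the openssh package): a Python check that flags the combination reported above, a non-wildcard ListenAddress together with RestartPreventExitStatus=255, where a start that exits with 255 is not retried. The function names, the sample unit text and the address 192.0.2.10 are constructed for illustration.

```python
import ipaddress
import re

def specific_listen_addresses(sshd_config):
    """ListenAddress hosts that are not wildcards (0.0.0.0, ::, *)."""
    hosts = []
    for raw in sshd_config.splitlines():
        m = re.match(r"\s*listenaddress(?:\s*=\s*|\s+)(\S+)", raw, re.I)
        if not m:
            continue  # comment lines and other keywords
        value = m.group(1)
        if value.startswith("["):        # [v6addr]:port
            host = value[1:value.index("]")]
        elif value.count(":") == 1:      # host:port
            host = value.split(":")[0]
        else:                            # bare IPv4, bare IPv6 or hostname
            host = value
        try:
            if ipaddress.ip_address(host).is_unspecified:
                continue
        except ValueError:               # hostname or "*"
            if host == "*":
                continue
        hosts.append(host)
    return hosts

def blocked_exit_statuses(unit_text):
    """Values of RestartPreventExitStatus=; an empty assignment resets the list."""
    blocked = []
    for raw in unit_text.splitlines():
        key, sep, val = raw.strip().partition("=")
        if sep and key.strip() == "RestartPreventExitStatus":
            blocked = blocked + val.split() if val.strip() else []
    return set(blocked)

def audit(sshd_config, unit_text):
    """Return a finding when sshd binds a specific address and exit 255 is final."""
    hosts = specific_listen_addresses(sshd_config)
    if hosts and "255" in blocked_exit_statuses(unit_text):
        return "sshd bound to %s; exit 255 will not be restarted" % ", ".join(hosts)
    return None

# Constructed sample input: unit lines taken from the diff above, address made up.
NEW_UNIT = "[Service]\nType=notify\nExecStart=/usr/sbin/sshd -D $OPTIONS\nRestartPreventExitStatus=255\n"
SSHD_CONFIG = "#ListenAddress 0.0.0.0\nListenAddress=192.0.2.10\n"

if __name__ == "__main__":
    print(audit(SSHD_CONFIG, NEW_UNIT))
```

The check reads only the two files; whether the address is actually configured when sshd starts depends on the network setup and is not something it can see.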