bugzilla-daemon at mindrot.org
2020-May-07 05:47 UTC
[Bug 3161] New: ssh -J <public IPv6> <LL IPv6%scopeID> doesn't work as expected
https://bugzilla.mindrot.org/show_bug.cgi?id=3161

            Bug ID: 3161
           Summary: ssh -J <public IPv6> <LL IPv6%scopeID> doesn't work as expected
           Product: Portable OpenSSH
           Version: 8.2p1
          Hardware: 68k
                OS: Mac OS X
            Status: NEW
          Severity: enhancement
          Priority: P5
         Component: sshd
          Assignee: unassigned-bugs at mindrot.org
          Reporter: owen at delong.com

I'm unsure whether this is a bug in the client or server or both.

It appears that there is no syntax which will work for this scenario:

1. Original Client and "Jump" Host both have public IPv6 addresses.
2. Target host has only Link Local IPv6 address on same link as Jump Host.

In principle, I believe the following incantation (or some similar form) should work (assuming Jump Host with address 2001:db8:f3f4::2ae0 and target host with address fe80::2001:db8:3 on common link interface enp0s31f6 (interface ID on jump host)):

    ssh -J '[2001:db8:f3f4::2ae0]' '[fe80::2001:db8:3%enp0s31f6]'

However, this results in the following:

    % ssh -J '[2001:db8:f3f4::2ae0]' '[fe80::2001:db8:3]'    2020/05/06 22:41:51
    Bad stdio forwarding specification '[[fe80::2001:db8:3%enp0s31f6]]:22'
    ssh_exchange_identification: Connection closed by remote host

Jump host is Fedora 31 with the following SSH Packages installed:

    sshpass-1.06-8.fc31.x86_64
    qemu-block-ssh-4.1.1-1.fc31.x86_64
    libssh-0.9.3-1.fc31.x86_64
    apache-sshd-2.2.0-2.fc31.noarch
    libssh-config-0.9.3-1.fc31.noarch
    jsch-agent-proxy-sshagent-0.0.8-11.fc31.noarch
    jsch-agent-proxy-trilead-ssh2-0.0.8-11.fc31.noarch
    openssh-clients-8.1p1-1.fc31.x86_64
    libssh2-1.9.0-3.fc31.x86_64
    trilead-ssh2-217-13.jenkins8.fc31.noarch
    openssh-8.1p1-1.fc31.x86_64
    openssh-server-8.1p1-1.fc31.x86_64

Target host (and origin host) is iMac running OSX Mojave 10.14.6

    OpenSSH_8.1p1, OpenSSL 1.1.1d FIPS 10 Sep 2019

(client and server report same version string)

-- 
You are receiving this mail because:
You are watching the assignee of the bug.
bugzilla-daemon at mindrot.org
2020-May-07 05:48 UTC
[Bug 3161] ssh -J <public IPv6> <LL IPv6%scopeID> doesn't work as expected
https://bugzilla.mindrot.org/show_bug.cgi?id=3161

Owen DeLong <owen at delong.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 OS|Mac OS X                    |Linux
           Priority|P5                          |P3
           Severity|enhancement                 |normal
           Hardware|68k                         |ix86

-- 
You are receiving this mail because:
You are watching the assignee of the bug.
bugzilla-daemon at mindrot.org
2020-May-07 05:57 UTC
[Bug 3161] ssh -J <public IPv6> <LL IPv6%scopeID> doesn't work as expected
https://bugzilla.mindrot.org/show_bug.cgi?id=3161

--- Comment #1 from Owen DeLong <owen at delong.com> ---
For purposes of complete information, yes, the following sequence does work as expected:

    ssh '[2001:db8:f3f4::2ae0]'           # ssh to jump host
    ssh 'fe80::2001:db8:3%enp0s31f6'      # executed on jump host

However, it is worth noting that the parser does not handle the following correctly:

    ssh '[fe80::2001:db8:3%enp0s31f6]'

and reports:

    ssh: Could not resolve hostname [fe80::2001:db8:3%enp0s31f6]: Name or service not known

It appears that there's a bug in the IPv6 address parser being used which does not handle addresses contained in brackets that also have zone ids specified (e.g. %enp0s31f6).

However, for jump, the following doesn't work either:

    kiev:owen (170) ~ % ssh -J '[2001:db8:f3f4::2ae0]' 'fe80::2001:db8:3%enp0s31f6'    2020/05/06 22:53:36
    channel 0: open failed: connect failed: open failed
    stdio forwarding failed
    ssh_exchange_identification: Connection closed by remote host

I have anonymized all of the addresses in this report by using example prefix in place of actual addresses. Any inconsistencies in the addresses are typographical errors during manual editing for anonymization.

The anonymized addresses are properly:

    Jump Host (Fedora 31): 2001:db8:f3f4::2ae0
    Link Local of iMac: fe80::2001:db8:3
    GUA of iMac (not mentioned, likely not relevant) 2001:db8:f3f4::3

-- 
You are receiving this mail because:
You are watching the assignee of the bug.
bugzilla-daemon at mindrot.org
2021-Jan-08 03:45 UTC
[Bug 3161] ssh -J <public IPv6> <LL IPv6%scopeID> doesn't work as expected
https://bugzilla.mindrot.org/show_bug.cgi?id=3161

Damien Miller <djm at mindrot.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |djm at mindrot.org

--- Comment #2 from Damien Miller <djm at mindrot.org> ---
you shouldn't enclose the addresses in square braces, OpenSSH only accepts bare addresses.

-- 
You are receiving this mail because:
You are watching someone on the CC list of the bug.
You are watching the assignee of the bug.
bugzilla-daemon at mindrot.org
2023-Oct-11 07:14 UTC
[Bug 3161] ssh -J <public IPv6> <LL IPv6%scopeID> doesn't work as expected
https://bugzilla.mindrot.org/show_bug.cgi?id=3161

Damien Miller <djm at mindrot.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
         Resolution|---                         |WORKSFORME
             Status|NEW                         |RESOLVED

--- Comment #3 from Damien Miller <djm at mindrot.org> ---
closing for lack of followup

-- 
You are receiving this mail because:
You are watching someone on the CC list of the bug.
You are watching the assignee of the bug.
bugzilla-daemon at mindrot.org
2023-Oct-29 02:32 UTC
[Bug 3161] ssh -J <public IPv6> <LL IPv6%scopeID> doesn't work as expected
https://bugzilla.mindrot.org/show_bug.cgi?id=3161

--- Comment #4 from Owen DeLong <owen at delong.com> ---
Apologies, did not see the previous notification.

If I use no square brackets:

    delong-dhcp162:owen (115) ~ % ssh -J '2001:db8::200:2' 'fe80::a:b:c:d%enp5s0'    2023/10/11 11:51:20

I get:

    Invalid -J argument

With square brackets around the first argument:

    delong-dhcp162:owen (116) ~ % ssh -J '[2001:db8::200:2]' 'fe80::a:b:c:d%enp5s0'    2023/10/11 11:51:28

I get:

    channel 0: open failed: connect failed: open failed
    stdio forwarding failed
    kex_exchange_identification: Connection closed by remote host

With square brackets around both:

    delong-dhcp162:owen (117) ~ % ssh -J '[2001:db8::200:2]' '[fe80::a:b:c:d%enp5s0]'    2023/10/11 11:52:36

I get:

    Bad stdio forwarding specification '[[fe80::a:b:c:d%enp5s0]]:22'
    kex_exchange_identification: Connection closed by remote host
    Connection closed by UNKNOWN port 65535

If there's a syntax that works, please let me know what it is and resolve this again. Otherwise, I think something needs to change in the code to handle this scenario.

I will note that this:

    delong-dhcp162:owen (118) ~ % ssh -J '[2001:db8::200:2]' '2001:db8::400:7'    2023/10/11 11:53:43

does work as expected, even if I provide a scope identifier. However, it does not seem to be able to make it work with a link local address even though if I first log into the jump host and then ssh to the remote host as in:

    owen.delong.com:owen /home4/owen (102) % ssh 'fe80::d455:e16c:edfc:2f1d%enp5s0'

It works just fine.

-- 
You are receiving this mail because:
You are watching someone on the CC list of the bug.
You are watching the assignee of the bug.
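
The '[[...]]:22' strings in the error output above suggest that the target host string is wrapped in one more pair of brackets before the port is appended. The following is an added example, not part of the thread and not OpenSSH code: it models that wrapping (an assumption drawn only from the quoted error text) and checks a target argument before it is handed to ssh -J. All function names are hypothetical, and the sample addresses are the anonymized ones from the report.

```python
import ipaddress


def split_host(arg):
    """Split an IPv6 host argument into (address, zone, bracketed).

    Accepts 'fe80::1%eth0' and '[fe80::1%eth0]'; raises ValueError
    if the address part is not a valid IPv6 literal.
    """
    bracketed = arg.startswith("[") and arg.endswith("]")
    inner = arg[1:-1] if bracketed else arg
    addr, _, zone = inner.partition("%")
    ipaddress.IPv6Address(addr)  # validation only; raises ValueError
    return addr, (zone or None), bracketed


def forward_spec(arg, port=22):
    # Assumed model: the host string is used verbatim inside "[host]:port".
    # Inferred from the "Bad stdio forwarding specification" text in the
    # report, not taken from the OpenSSH source.
    return "[%s]:%d" % (arg, port)


def check_target(arg, port=22):
    """Describe what a -J target argument turns into under the model."""
    addr, zone, bracketed = split_host(arg)
    link_local = ipaddress.IPv6Address(addr).is_link_local
    spec = forward_spec(arg, port)
    return {
        "spec": spec,
        # A bracketed argument ends up double-bracketed in the spec.
        "well_formed": not bracketed,
        "link_local": link_local,
        # The zone names an interface on the jump host, not on the client.
        "zone": zone,
        # A link-local target without a zone cannot be routed.
        "needs_zone": link_local and zone is None,
    }


if __name__ == "__main__":
    for target in ("[fe80::a:b:c:d%enp5s0]", "fe80::a:b:c:d%enp5s0",
                   "fe80::2001:db8:3", "2001:db8::400:7"):
        print(target, check_target(target))
```

The check only covers the shape of the forwarding specification; the thread reports that the bare link-local form still fails with "open failed" on the jump host, which this model does not explain.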
bugzilla-daemon at mindrot.org
2023-Oct-29 02:33 UTC
[Bug 3161] ssh -J <public IPv6> <LL IPv6%scopeID> doesn't work as expected
https://bugzilla.mindrot.org/show_bug.cgi?id=3161

Owen DeLong <owen at delong.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|RESOLVED                    |REOPENED
         Resolution|WORKSFORME                  |---

-- 
You are receiving this mail because:
You are watching someone on the CC list of the bug.
You are watching the assignee of the bug.