bugzilla-daemon at mindrot.org
2023-Jan-20 22:46 UTC
[Bug 3526] New: Config option AddressFamily has no effect?
https://bugzilla.mindrot.org/show_bug.cgi?id=3526

            Bug ID: 3526
           Summary: Config option AddressFamily has no effect?
           Product: Portable OpenSSH
           Version: 9.0p1
          Hardware: amd64
                OS: Mac OS X
            Status: NEW
          Severity: trivial
          Priority: P5
         Component: ssh
          Assignee: unassigned-bugs at mindrot.org
          Reporter: nix-muell at gmx.net

Using both OpenSSH_7.9p1 or OpenSSH_9.0p1 installed via Homebrew on MacOS X 10.14 (Mojave) I'm trying to connect to a host that has A and AAAA DNS records, where the AAAA is wrong (not under my control).

When connecting, IPv6 is tried, then after a timeout is reached, IP4 connects just fine. Using the `ssh -4 host` argument, the connection uses v4 right away, as expected.

So, being lazy, I decided to set `AddressFamily inet` in my .ssh/config. To my surprise, this has no effect. SSH tries a v6 connection, then falls back to v4, as if the option were not set.

It is, though. Verifying with `ssh -G host`, I get the expected `addressfamily inet` line. The output is no bit different than the one I get from `ssh -4 -G host`.

Am I expecting or doing something wrong? Hesitating to file a bug, stumbled upon unexpected but technically not wrong behaviour a few times lately.

-- 
You are receiving this mail because:
You are watching the assignee of the bug.
bugzilla-daemon at mindrot.org
2023-Feb-10 03:28 UTC
[Bug 3526] Config option AddressFamily has no effect?
https://bugzilla.mindrot.org/show_bug.cgi?id=3526

Damien Miller <djm at mindrot.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |djm at mindrot.org

--- Comment #1 from Damien Miller <djm at mindrot.org> ---
I'm not able to replicate this unfortunately. Please attach the debug output from a session failing to do the right thing (ssh -vvv ...)
bugzilla-daemon at mindrot.org
2023-Feb-11 01:25 UTC
[Bug 3526] Config option AddressFamily has no effect?
https://bugzilla.mindrot.org/show_bug.cgi?id=3526

--- Comment #2 from nix-muell at gmx.net ---
Created attachment 3669
  --> https://bugzilla.mindrot.org/attachment.cgi?id=3669&action=edit
conffile + verbose output

reduced the config to only the most relevant stuff
bugzilla-daemon at mindrot.org
2023-Feb-11 01:32 UTC
[Bug 3526] Config option AddressFamily has no effect?
https://bugzilla.mindrot.org/show_bug.cgi?id=3526

--- Comment #3 from nix-muell at gmx.net ---
Huh, found it. Because of canonicalization, the hostname is resolved before its canonical form is parsed in the config. This lookup must be cached and not resolve both A and AAAA records for later decision which of both to use.
bugzilla-daemon at mindrot.org
2023-Feb-11 03:31 UTC
[Bug 3526] Config option AddressFamily has no effect?
https://bugzilla.mindrot.org/show_bug.cgi?id=3526

--- Comment #4 from nix-muell at gmx.net ---
Just checked, the lookup is for both (A and AAAA) records. Anyways, the IP4/IP6 decision is made too early. AddressFamily is not used like -G output suggests.

Change "Host lazy.actual-domain.redacted" to "Host lazy lazy.actual-domain.redacted", does the trick for now.

It's still a bug, though. I can picture myself wanting to force v4/v6 upon a whole CanonicalDomain and not create a Host matching for each host :)

This makes me think about -W and things like LocalForward or ProxyCommand. This will be a *mess* once my company finally decides to go IPv6.
bugzilla-daemon at mindrot.org
2023-Oct-11 23:27 UTC
[Bug 3526] Config option AddressFamily has no effect?
https://bugzilla.mindrot.org/show_bug.cgi?id=3526

--- Comment #5 from Damien Miller <djm at mindrot.org> ---
Created attachment 3741
  --> https://bugzilla.mindrot.org/attachment.cgi?id=3741&action=edit
filter addresses by AddressFamily at connect time

Please give this patch a try
bugzilla-daemon at mindrot.org
2023-Oct-11 23:27 UTC
[Bug 3526] Config option AddressFamily has no effect?
https://bugzilla.mindrot.org/show_bug.cgi?id=3526

Damien Miller <djm at mindrot.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Blocks|                            |3628

Referenced Bugs:

https://bugzilla.mindrot.org/show_bug.cgi?id=3628
[Bug 3628] tracking bug for openssh-9.6
bugzilla-daemon at mindrot.org
2023-Oct-15 22:32 UTC
[Bug 3526] Config option AddressFamily has no effect?
https://bugzilla.mindrot.org/show_bug.cgi?id=3526

--- Comment #6 from nix-muell at gmx.net ---
(In reply to Damien Miller from comment #5)
> Created attachment 3741 [details]
> filter addresses by AddressFamily at connect time
>
> Please give this patch a try

This made ssh skip any address (connect only if an address family has been specified).

It works exactly as expected, though, when I changed `options.address_family != -1` to `options.address_family != 0`

Tested on macOS and Debian 12.

Looking at the code in ssh.c and readconf.c, I too expected -1 to be correct and certainly do not understand what's going on there.
bugzilla-daemon at mindrot.org
2023-Oct-15 23:46 UTC
[Bug 3526] Config option AddressFamily has no effect?
https://bugzilla.mindrot.org/show_bug.cgi?id=3526

--- Comment #7 from Damien Miller <djm at mindrot.org> ---
could you try replacing the -1 with AF_UNSPEC?
bugzilla-daemon at mindrot.org
2023-Oct-16 22:22 UTC
[Bug 3526] Config option AddressFamily has no effect?
https://bugzilla.mindrot.org/show_bug.cgi?id=3526

nix-muell at gmx.net changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
   Attachment #3741|0                           |1
        is obsolete|                            |

--- Comment #8 from nix-muell at gmx.net ---
Created attachment 3746
  --> https://bugzilla.mindrot.org/attachment.cgi?id=3746&action=edit
filter addresses by AddressFamily at connect time

(In reply to Damien Miller from comment #7)
> could you try replacing the -1 with AF_UNSPEC?

Yep, that flies.

Another improvement: If no address matches the configured address family, the error message would just be "failure". Making it `errno = EAFNOSUPPORT;` (instead of errno = 0) results in a nice(r) "Address family not supported by protocol family". Not quite the "Could not resolve hostname" that would result from non-canonicalized hosts, but better than just plain "failure".

I also think this new if block should be inserted right after the first one. That would spare otherwise wasted getnameinfo lookups.
bugzilla-daemon at mindrot.org
2023-Oct-16 22:28 UTC
[Bug 3526] Config option AddressFamily has no effect?
https://bugzilla.mindrot.org/show_bug.cgi?id=3526

--- Comment #9 from nix-muell at gmx.net ---
> Making it `errno = EAFNOSUPPORT;` (instead of errno = 0) results in
> a nice(r) "Address family not supported by protocol family".

Then again, that might be misleading. And platform dependent? Not quite sure here.
bugzilla-daemon at mindrot.org
2023-Oct-17 02:23 UTC
[Bug 3526] Config option AddressFamily has no effect?
https://bugzilla.mindrot.org/show_bug.cgi?id=3526

--- Comment #10 from Damien Miller <djm at mindrot.org> ---
It was after the getnameinfo() block because we need that to do the name->address conversion
bugzilla-daemon at mindrot.org
2023-Nov-15 22:29 UTC
[Bug 3526] Config option AddressFamily has no effect?
https://bugzilla.mindrot.org/show_bug.cgi?id=3526

Damien Miller <djm at mindrot.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |dtucker at dtucker.net
   Attachment #3746|                            |ok?(dtucker at dtucker.net)
              Flags|                            |
bugzilla-daemon at mindrot.org
2023-Nov-15 22:57 UTC
[Bug 3526] Config option AddressFamily has no effect?
https://bugzilla.mindrot.org/show_bug.cgi?id=3526

Darren Tucker <dtucker at dtucker.net> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
   Attachment #3746|ok?(dtucker at dtucker.net)   |ok+
              Flags|                            |
bugzilla-daemon at mindrot.org
2023-Nov-15 23:14 UTC
[Bug 3526] Config option AddressFamily has no effect?
https://bugzilla.mindrot.org/show_bug.cgi?id=3526

Damien Miller <djm at mindrot.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |RESOLVED
         Resolution|---                         |FIXED

--- Comment #11 from Damien Miller <djm at mindrot.org> ---
this has been applied and will be in openssh-9.6, due in late December
bugzilla-daemon at mindrot.org
2023-Nov-19 01:09 UTC
[Bug 3526] Config option AddressFamily has no effect?
https://bugzilla.mindrot.org/show_bug.cgi?id=3526

nix-muell at gmx.net changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
   Attachment #3746|0                           |1
        is obsolete|                            |
         Resolution|FIXED                       |---
             Status|RESOLVED                    |REOPENED
           Assignee|unassigned-bugs at mindrot.org|nix-muell at gmx.net

--- Comment #12 from nix-muell at gmx.net ---
Created attachment 3761
  --> https://bugzilla.mindrot.org/attachment.cgi?id=3761&action=edit
filter addresses by AddressFamily at connect time

Whoa, wait a sec.

As Damien pointed out, my patch was clearly faulty. I am absolutely not a dev, fairly new to FOSS contributions, and as a non-native English speaker am still a bit concerned about the risk that `errno = EAFNOSUPPORT` (Address family not supported by protocol family) might be misleading and/or platform dependent.

I thought I could find some time to learn enough C to work out something smarter. That did so far not work out a bit. Sorry for stalling this so long.

This patch restores Damien's correct position of the new code while keeping EAFNOSUPPORT with a slightly more specific debug2 output.
bugzilla-daemon at mindrot.org
2023-Nov-20 02:50 UTC
[Bug 3526] Config option AddressFamily has no effect?
https://bugzilla.mindrot.org/show_bug.cgi?id=3526

Damien Miller <djm at mindrot.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
         Resolution|---                         |FIXED
             Status|REOPENED                    |RESOLVED

--- Comment #13 from Damien Miller <djm at mindrot.org> ---
I've just committed the EAFNOSUPPORT change. Thanks
bugzilla-daemon at mindrot.org
2023-Nov-22 12:13 UTC
[Bug 3526] Config option AddressFamily has no effect?
https://bugzilla.mindrot.org/show_bug.cgi?id=3526

renmingshuai <rmsh1216 at 163.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |rmsh1216 at 163.com

--- Comment #14 from renmingshuai <rmsh1216 at 163.com> ---
The bz number in the git message of this patch should be 3526 instead of 5326.
https://anongit.mindrot.org/openssh.git/commit/?id=26f3f3bbc69196d908cad6558c8c7dc5beb8d74a