Patrik Ek
2024-May-08 10:29 UTC
Why does OpenSSH do a CNAME lookup when using IPv6 addresses?
When using later OpenSSH versions with IPv6 it appears as if OpenSSH tries to do a CNAME lookup on the address and then warns that the format is incorrect:

user1 at XXXX[12:18][home/user1/Desktop]$ ssh -V
OpenSSH_9.6p1, OpenSSL 3.1.5 30 Jan 2024
user1 at XXXX[12:18][home/user1/Desktop]$ /app/moshell/24.0f/moshell/commonjars/ssh.lin64 user at 2001:1:8100:a3::fe
ignoring bad CNAME "2001:1:8100:a3::fe" for host "2001:1:8100:a3::fe": domain name "2001:1:8100:a3::fe" contains invalid characters
ssh: connect to host 2001:1:8100:a3::fe port 22: Connection refused
user1 at XXXX[12:18][home/user1/Desktop]$

Usernames, hostnames and IP addresses are replaced with other values.

It is apparently able to establish a connection with the destination, even though port 22 is not in use. Does anyone know why OpenSSH treats valid IPv6 addresses as CNAMEs and tries to do a DNS lookup on these? Further, would it be possible for me to remove this behavior by configuration?

BR
Patrik
Martin Schröder
2024-May-08 10:49 UTC
Why does OpenSSH do a CNAME lookup when using IPv6 addresses?
On Wed, 8 May 2024 at 12:39, Patrik Ek <ek.patrik at gmail.com> wrote:
> When using later OpenSSH versions with IPv6 it appears as if OpenSSH
> tries to do a CNAME lookup on the address and then warns that the
> format is incorrect,

Hi,

I can not reproduce with OpenSSH_9.7, LibreSSL 3.9.0 on OpenBSD 7.5.

In the output of -vv I see

debug2: resolve_canonicalize: hostname 2001:1:8100:a3::fe is address

Best
Martin
Darren Tucker
2024-May-08 12:17 UTC
Why does OpenSSH do a CNAME lookup when using IPv6 addresses?
On Wed, 8 May 2024 at 20:39, Patrik Ek <ek.patrik at gmail.com> wrote:
[...]
> user1 at XXXX[12:18][home/user1/Desktop]$ ssh -V
> OpenSSH_9.6p1, OpenSSL 3.1.5 30 Jan 2024

That's OpenSSH. What platform is it on? The behaviour of the resolver libraries might be a factor.

> user1 at XXXX[12:18][home/user1/Desktop]$
> /app/moshell/24.0f/moshell/commonjars/ssh.lin64
> user at 2001:1:8100:a3::fe

That is not the same binary you just showed the version of.

> ignoring bad CNAME "2001:1:8100:a3::fe" for host "2001:1:8100:a3::fe":
> domain name "2001:1:8100:a3::fe" contains invalid characters
> ssh: connect to host 2001:1:8100:a3::fe port 22: Connection refused
> user1 at XXXX[12:18][home/user1/Desktop]$
>
> Usernames, hostnames and IP addresses are replaced with other values.
> It is apparently able to establish a connection with the destination,
> even though port 22 is not in use. Does anyone know why OpenSSH treats
> valid IPv6 addresses as CNAMEs and tries to do a DNS lookup on these?

Do you have CanonicalizePermittedCNAMEs or VerifyHostKeyDNS set in your config? Does it do the same thing if you load an empty config? ("ssh -F /dev/null ..."). Running with full debugging (ssh -vvv) might shed some light. Here's what it looks like on Fedora:

$ ssh -vvv -F /dev/null user at 2001:1:8100:a3::fe
OpenSSH_9.6p1, OpenSSL 3.0.9 30 May 2023
debug1: Reading configuration data /dev/null
debug2: resolve_canonicalize: hostname 2001:1:8100:a3::fe is address
debug3: expanded UserKnownHostsFile '~/.ssh/known_hosts' -> '/home/dtucker/.ssh/known_hosts'
debug3: expanded UserKnownHostsFile '~/.ssh/known_hosts2' -> '/home/dtucker/.ssh/known_hosts2'
debug3: channel_clear_timeouts: clearing
debug3: ssh_connect_direct: entering
debug1: Connecting to 2001:1:8100:a3::fe [2001:1:8100:a3::fe] port 22.
debug3: set_sock_tos: set socket 3 IPV6_TCLASS 0x48

--
Darren Tucker (dtucker at dtucker.net)
GPG key 11EAA6FA / A86E 3E07 5B19 5880 E860 37F4 9357 ECEF 11EA A6FA
    Good judgement comes with experience. Unfortunately, the experience
    usually comes from bad judgement.
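The debug line "resolve_canonicalize: hostname ... is address" quoted in the replies above is the gate that matters here: a target that parses as an IP literal is connected to directly and never goes through hostname canonicalization or a CNAME check, whereas a name that reaches the CNAME check must pass a domain-name character test (which a colon-containing IPv6 literal cannot). The following Python is an added example written for this thread, not code from OpenSSH or from any poster; it models that decision with its own `is_address_literal`, `valid_domain` and `cname_follow_decision` functions (all constructed names) and an approximation of the allowed host-name characters, so it only reproduces the shape of the check, not OpenSSH's exact implementation.

```python
import ipaddress
import re

# Constructed approximation of the characters tolerated in a host-name label:
# letters, digits, '-' and '_'.  A colon is never valid in a DNS label, which
# is why an IPv6 literal fails this test if it is ever treated as a CNAME.
_LABEL_RE = re.compile(r"^[A-Za-z0-9_](?:[A-Za-z0-9_-]*[A-Za-z0-9_])?$")


def is_address_literal(host: str) -> bool:
    """True if host is an IPv4/IPv6 literal, with or without surrounding
    brackets.  Such a target should be connected to as-is: there is no name
    to canonicalize and no CNAME to follow."""
    h = host.strip()
    if h.startswith("[") and h.endswith("]"):
        h = h[1:-1]
    try:
        ipaddress.ip_address(h)
        return True
    except ValueError:
        return False


def valid_domain(name: str) -> bool:
    """True if name is syntactically plausible as a DNS host name
    (non-empty labels of <= 63 chars, total <= 253, allowed chars only)."""
    name = name.rstrip(".")
    if not name or len(name) > 253:
        return False
    return all(len(label) <= 63 and _LABEL_RE.match(label)
               for label in name.split("."))


def classify_target(host: str) -> str:
    """Classify an ssh destination as 'address', 'hostname' or 'invalid'."""
    if is_address_literal(host):
        return "address"
    if valid_domain(host):
        return "hostname"
    return "invalid"


def cname_follow_decision(host: str, cname: str) -> str:
    """Decide what to do with a canonical name the resolver handed back for
    host.  Mirrors the order of checks discussed in the thread: address
    literals are skipped before any CNAME logic runs; a CNAME that is not a
    valid domain name is ignored (with a message of the same shape as the
    one the original poster saw); otherwise the CNAME is followed."""
    if is_address_literal(host):
        return "skip: target is an address literal, no canonicalization"
    if not valid_domain(cname):
        return (f'ignoring bad CNAME "{cname}" for host "{host}": '
                f'domain name "{cname}" contains invalid characters')
    if cname.lower().rstrip(".") == host.lower().rstrip("."):
        return "no CNAME: canonical name equals target"
    return f"follow CNAME {host} -> {cname}"


if __name__ == "__main__":
    # Constructed sample targets, including the (redacted) one from the thread.
    for target in ("2001:1:8100:a3::fe", "[2001:1:8100:a3::fe]",
                   "192.0.2.10", "host.example.com", "2001:1:8100:a3::fe.example"):
        print(f"{target:32} -> {classify_target(target)}")
    print(cname_follow_decision("2001:1:8100:a3::fe", "2001:1:8100:a3::fe"))
    print(cname_follow_decision("web.example.com", "2001:1:8100:a3::fe"))
    print(cname_follow_decision("web.example.com", "srv1.example.com"))
```

When diagnosing a client that prints the "ignoring bad CNAME" message for a bare address, the useful comparison is against the `-vvv` output: a correctly behaving client logs "is address" and connects directly, so the message indicates that the address string reached the CNAME path, which is why the replies ask about `CanonicalizePermittedCNAMEs`, `VerifyHostKeyDNS`, the platform resolver, and whether the binary that printed it is really the one whose version was shown.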
Jim Knoble
2024-May-08 14:56 UTC
Why does OpenSSH do a CNAME lookup when using IPv6 addresses?
> On May 8, 2024, at 03:36, Patrik Ek <ek.patrik at gmail.com> wrote:
>
> user1 at XXXX[12:18][home/user1/Desktop]$ ssh -V
> OpenSSH_9.6p1, OpenSSL 3.1.5 30 Jan 2024

It's not clear that this command...

> user1 at XXXX[12:18][home/user1/Desktop]$
> /app/moshell/24.0f/moshell/commonjars/ssh.lin64
> user at 2001:1:8100:a3::fe

... is the same as this one. Why do you not do:

    ssh user at 2001:1:8100:a3::fe

? Or:

    /app/moshell/.../ssh.lin64 -V

?