bugzilla-daemon at mindrot.org
2022-Sep-12 21:26 UTC
[Bug 3473] New: Option to use non-temporary IPv6 source addresses for sessions
https://bugzilla.mindrot.org/show_bug.cgi?id=3473

Bug ID: 3473
Summary: Option to use non-temporary IPv6 source addresses for sessions
Product: Portable OpenSSH
Version: v9.0p1
Hardware: Other
OS: Linux
Status: NEW
Severity: enhancement
Priority: P5
Component: ssh
Assignee: unassigned-bugs at mindrot.org
Reporter: bugzilla.mindrot.org at pobox.madduck.net

When IPv6-privacy addresses are in use, Linux generates new IPv6 addresses at regular intervals, and deprecates old ones. Those deprecated addresses won't get used for new connections, but where they are active in existing connections, they remain valid until the end of their validity period. Once the validity lifetime expires, however, the source address simply vanishes, and all TCP connections using this address die.

Arguably, this could be fixed at kernel-level, and those addresses kept alive, but hear me out?

I can set `net.ipv6.conf.default.use_tempaddr=1`, and the IPv6 address encoding my MAC address will be used for all outgoing connections (this would fix the problem), but it would also mean that I become instantly trackable across locations, because of my MAC address.

With SSH, I also don't generally care about privacy like I do with HTTP & Co. In fact, when I log in to remote systems, I *like* it when reverse DNS works and `w` and `last` and what-have-you-command show from whence folks are logged in.

I am not sure it's at all possible, but I surely wanted to file a wishlist issue that SSH offer an option to choose a non-temporary, non-privacy IPv4 for outgoing connections, as if `net.ipv6.conf.default.use_tempaddr` was set to 1, not 2.

If it's any help, then here is the `ip addr` output for both types of addresses:

```
inet6 fc00:39:39:0:defb:48ff:fe15:304/64 scope global dynamic mngtmpaddr noprefixroute
   valid_lft 86345sec preferred_lft 14345sec
inet6 fc00:39:39:0:574a:eeb:ba9c:f9a2/64 scope global temporary dynamic
   valid_lft 85878sec preferred_lft 9933sec
```

The first is static in that it encodes the MAC address. The second is random. The `mngtmpaddr` is the flag you are after.

I.e.: can SSH be configured to prefer using `mngtmpaddr` source addresses for outgoing connections over the temporary ones, even if the system is configured to prefer the temporary ones?

Thanks for your consideration!

-- 
You are receiving this mail because:
You are watching the assignee of the bug.
bugzilla-daemon at mindrot.org
2022-Sep-13 08:59 UTC
[Bug 3473] Option to use non-temporary IPv6 source addresses for sessions
https://bugzilla.mindrot.org/show_bug.cgi?id=3473

--- Comment #1 from martin ? <bugzilla.mindrot.org at pobox.madduck.net> ---

I am aware of the `-b` option, and one could obviously write a wrapper around `ssh` to determine the source address to use, and then pass it on to `ssh`. However, not many stories exist where a wrapper around `ssh` solved more problems than it would introduce new ones, so this is best avoided.

The best solution would be to influence IPv6 source address selection somehow, but I could not find glibc to export such functionality yet. I'll take it up with them. ;)
bugzilla-daemon at mindrot.org
2022-Sep-14 10:06 UTC
[Bug 3473] Option to use non-temporary IPv6 source addresses for sessions
https://bugzilla.mindrot.org/show_bug.cgi?id=3473

--- Comment #2 from martin ? <bugzilla.mindrot.org at pobox.madduck.net> ---

Mind me while I continue talking to myself ;)

The key lies in RFC 5014, I think, and with reference to the section 9 usage example, the following line should do the trick:

```
preferences = IPV6_PREFER_SRC_CGA | IPV6_PREFER_SRC_HOME | IPV6_PREFER_SRC_PUBLIC
```

However, at least my glibc include files' `struct addrinfo` do not define a field `ai_eflags`, and a bit of browsing the Web doesn't instill a lot of confidence that this functionality is supported by glibc. I'll have to do a bit more research before I dip my toes into the glibc issue tracking waters about this?
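As an added example (not code from the bug thread, from glibc or from OpenSSH), the per-socket form of the RFC 5014 preference on Linux, which needs no `ai_eflags` support in getaddrinfo: the preference is a plain setsockopt on the socket that will be connected. It assumes a Linux kernel that implements IPV6_ADDR_PREFERENCES (2.6.26 and later); the fallback constants are the values from <linux/in6.h>.

```c
#include <netinet/in.h>
#include <sys/socket.h>
#include <unistd.h>

#ifndef IPV6_ADDR_PREFERENCES   /* Linux socket option number, <linux/in6.h> */
#define IPV6_ADDR_PREFERENCES 72
#endif
#ifndef IPV6_PREFER_SRC_PUBLIC  /* RFC 5014 flag values as defined by Linux */
#define IPV6_PREFER_SRC_TMP    0x0001
#define IPV6_PREFER_SRC_PUBLIC 0x0002
#endif

/* Per-socket equivalent of use_tempaddr=1: ask the kernel to choose a
 * non-temporary (public) source address for this socket, even when the
 * system default (use_tempaddr=2) prefers temporary ones.  0 on success. */
int prefer_public_src(int fd) {
    int pref = IPV6_PREFER_SRC_PUBLIC;
    return setsockopt(fd, IPPROTO_IPV6, IPV6_ADDR_PREFERENCES, &pref, sizeof pref);
}

/* Read the preference back: 1 if public addresses are preferred and
 * temporary ones are not, 0 otherwise (including "option unsupported"). */
int prefers_public_src(int fd) {
    int pref = 0;
    socklen_t len = sizeof pref;
    if (getsockopt(fd, IPPROTO_IPV6, IPV6_ADDR_PREFERENCES, &pref, &len) != 0)
        return 0;
    return (pref & IPV6_PREFER_SRC_PUBLIC) != 0 && (pref & IPV6_PREFER_SRC_TMP) == 0;
}

/* A TCP/IPv6 socket with the preference applied; a client would connect()
 * it as usual and the kernel picks the source address accordingly. */
int open_public_src_socket(void) {
    int fd = socket(AF_INET6, SOCK_STREAM, 0);
    if (fd >= 0 && prefer_public_src(fd) != 0) { close(fd); fd = -1; }
    return fd;
}

/* Self-check: open such a socket and confirm the kernel reports the
 * preference back.  Returns 1 when it is in effect. */
int check_public_src_preference(void) {
    int fd = open_public_src_socket();
    int ok = fd >= 0 && prefers_public_src(fd);
    if (fd >= 0)
        close(fd);
    return ok;
}
```

This is the call an `ssh` option of the kind the reporter asks for would have to make on its own socket before connect(); nothing outside the process (glibc, sysctl) has to change.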
bugzilla-daemon at mindrot.org
2022-Sep-16 03:58 UTC
[Bug 3473] Option to use non-temporary IPv6 source addresses for sessions
https://bugzilla.mindrot.org/show_bug.cgi?id=3473

Darren Tucker <dtucker at dtucker.net> changed:

What | Removed | Added
CC   |         | dtucker at dtucker.net

--- Comment #3 from Darren Tucker <dtucker at dtucker.net> ---

Note that you can use a ProxyCommand to make outbound connections with whatever address selection policy you want (and, if you use ProxyUseFdpass, there's no overhead for using that connection). See OpenBSD's netcat (https://cvsweb.openbsd.org/cgi-bin/cvsweb/src/usr.bin/nc/netcat.c?annotate=1.219, function fdpass()) for an example of the latter.
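As an added example (not the netcat fdpass() code Darren points to, nor OpenSSH's own), the descriptor hand-off that ProxyUseFdpass relies on, with both sides shown: the ProxyCommand sends its already-connected socket over stdout with SCM_RIGHTS, and the receiving side is what ssh does with it. The round-trip helper is a constructed self-check over a socketpair and a pipe, not a real network connection.

```c
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

/* ProxyCommand side: hand the connected socket to ssh over `chan` (stdout
 * under ProxyUseFdpass).  One data byte must accompany SCM_RIGHTS. */
int send_fd(int chan, int fd) {
    char dummy = 0;
    struct iovec iov = { &dummy, 1 };
    union { struct cmsghdr h; char buf[CMSG_SPACE(sizeof(int))]; } u;
    struct msghdr msg = { .msg_iov = &iov, .msg_iovlen = 1,
                          .msg_control = &u, .msg_controllen = sizeof u };
    memset(&u, 0, sizeof u);
    struct cmsghdr *c = CMSG_FIRSTHDR(&msg);
    c->cmsg_level = SOL_SOCKET; c->cmsg_type = SCM_RIGHTS;
    c->cmsg_len = CMSG_LEN(sizeof(int));
    memcpy(CMSG_DATA(c), &fd, sizeof(int));
    return sendmsg(chan, &msg, 0) == 1 ? 0 : -1;
}

/* ssh side: receive the descriptor.  Returns the new fd, or -1 if none came. */
int recv_fd(int chan) {
    char dummy; int fd = -1;
    struct iovec iov = { &dummy, 1 };
    union { struct cmsghdr h; char buf[CMSG_SPACE(sizeof(int))]; } u;
    struct msghdr msg = { .msg_iov = &iov, .msg_iovlen = 1,
                          .msg_control = &u, .msg_controllen = sizeof u };
    if (recvmsg(chan, &msg, 0) != 1) return -1;
    for (struct cmsghdr *c = CMSG_FIRSTHDR(&msg); c != NULL; c = CMSG_NXTHDR(&msg, c))
        if (c->cmsg_level == SOL_SOCKET && c->cmsg_type == SCM_RIGHTS &&
            c->cmsg_len == CMSG_LEN(sizeof(int)))
            memcpy(&fd, CMSG_DATA(c), sizeof(int));
    return fd;
}

/* Constructed self-check: pass one end of a pipe across a socketpair and
 * prove the received descriptor is that pipe end.  Returns 1 on success. */
int fdpass_roundtrip(void) {
    int sv[2], p[2], got, ok = 0;
    char b = 0;
    if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) != 0 || pipe(p) != 0)
        return 0;
    if (send_fd(sv[0], p[1]) == 0 && (got = recv_fd(sv[1])) >= 0) {
        ok = write(got, "x", 1) == 1 && read(p[0], &b, 1) == 1 && b == 'x';
        close(got);
    }
    close(sv[0]); close(sv[1]); close(p[0]); close(p[1]);
    return ok;
}
```

A real ProxyCommand would connect() a socket with whatever source-address policy it wants and then call send_fd(STDOUT_FILENO, fd); ssh then talks directly on that socket, which is why there is no relay overhead.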