bugzilla-daemon at mindrot.org
2023-Jan-20 22:46 UTC
[Bug 3526] New: Config option AddressFamily has no effect?
https://bugzilla.mindrot.org/show_bug.cgi?id=3526
Bug ID: 3526
Summary: Config option AddressFamily has no effect?
Product: Portable OpenSSH
Version: 9.0p1
Hardware: amd64
OS: Mac OS X
Status: NEW
Severity: trivial
Priority: P5
Component: ssh
Assignee: unassigned-bugs at mindrot.org
Reporter: nix-muell at gmx.net
Using both OpenSSH_7.9p1 or OpenSSH_9.0p1 installed via Homebrew on
MacOS X 10.14 (Mojave)
I'm trying to connect to a host that has A and AAAA DNS records, where
the AAAA is wrong (not under my control).
When connecting, IPv6 is tried, then after a timeout is reached, IP4
connects just fine. Using the `ssh -4 host` argument, the connection
uses v4 right away, as expected.
So, being lazy, I decided to set `AddressFamily inet` in my
.ssh/config. To my surprise, this has no effect. SSH tries a v6
connection, then falls back to v4, as if the option were not set. It
is, though.
Verifying with `ssh -G host`, I get the expected `addressfamily inet`
line. The output is no bit different than the one I get from `ssh -4 -G
host`.
Am I expecting or doing something wrong? Hesitating to file a bug,
stumbled upon unexpected but technically not wrong behaviour a few
times lately.
--
You are receiving this mail because:
You are watching the assignee of the bug.
bugzilla-daemon at mindrot.org
2023-Feb-10 03:28 UTC
[Bug 3526] Config option AddressFamily has no effect?
https://bugzilla.mindrot.org/show_bug.cgi?id=3526
Damien Miller <djm at mindrot.org> changed:
What |Removed |Added
----------------------------------------------------------------------------
CC| |djm at mindrot.org
--- Comment #1 from Damien Miller <djm at mindrot.org> ---
I'm not able to replicate this unfortunately. Please attach the debug
output from a session failing to do the right thing (ssh -vvv ...)
bugzilla-daemon at mindrot.org
2023-Feb-11 01:25 UTC
[Bug 3526] Config option AddressFamily has no effect?
https://bugzilla.mindrot.org/show_bug.cgi?id=3526
--- Comment #2 from nix-muell at gmx.net ---
Created attachment 3669
--> https://bugzilla.mindrot.org/attachment.cgi?id=3669&action=edit
conffile + verbose output
reduced the config to only the most relevant stuff
bugzilla-daemon at mindrot.org
2023-Feb-11 01:32 UTC
[Bug 3526] Config option AddressFamily has no effect?
https://bugzilla.mindrot.org/show_bug.cgi?id=3526
--- Comment #3 from nix-muell at gmx.net ---
Huh, found it. Because of canonicalization, the hostname is resolved
before its canonical form is parsed in the config. This lookup must be
cached and not resolve both A and AAAA records for later decision which
of both to use.
bugzilla-daemon at mindrot.org
2023-Feb-11 03:31 UTC
[Bug 3526] Config option AddressFamily has no effect?
https://bugzilla.mindrot.org/show_bug.cgi?id=3526
--- Comment #4 from nix-muell at gmx.net ---
Just checked, the lookup is for both (A and AAAA) records. Anyways, the
IP4/IP6 decision is made too early. AddressFamily is not used like -G
output suggests.
Change "Host lazy.actual-domain.redacted" to
"Host lazy lazy.actual-domain.redacted", does the trick for now.
It's still a bug, though. I can picture myself wanting to force v4/v6
upon a whole CanonicalDomain and not create a Host matching for each
host :)
This makes me think about -W and things like LocalForward or
ProxyCommand. This will be a *mess* once my company finally decides to
go IPv6.
bugzilla-daemon at mindrot.org
2023-Oct-11 23:27 UTC
[Bug 3526] Config option AddressFamily has no effect?
https://bugzilla.mindrot.org/show_bug.cgi?id=3526
--- Comment #5 from Damien Miller <djm at mindrot.org> ---
Created attachment 3741
--> https://bugzilla.mindrot.org/attachment.cgi?id=3741&action=edit
filter addresses by AddressFamily at connect time
Please give this patch a try
bugzilla-daemon at mindrot.org
2023-Oct-11 23:27 UTC
[Bug 3526] Config option AddressFamily has no effect?
https://bugzilla.mindrot.org/show_bug.cgi?id=3526
Damien Miller <djm at mindrot.org> changed:
What |Removed |Added
----------------------------------------------------------------------------
Blocks| |3628
Referenced Bugs:
https://bugzilla.mindrot.org/show_bug.cgi?id=3628
[Bug 3628] tracking bug for openssh-9.6
bugzilla-daemon at mindrot.org
2023-Oct-15 22:32 UTC
[Bug 3526] Config option AddressFamily has no effect?
https://bugzilla.mindrot.org/show_bug.cgi?id=3526
--- Comment #6 from nix-muell at gmx.net ---
(In reply to Damien Miller from comment #5)
> Created attachment 3741 [details]
> filter addresses by AddressFamily at connect time
>
> Please give this patch a try
This made ssh skip any address (connect only if an address family has
been specified). It works exactly as expected, though, when I changed
`options.address_family != -1` to `options.address_family != 0`
Tested on macOS and Debian 12.
Looking at the code in ssh.c and readconf.c, I too expected -1 to be
correct and certainly do not understand what's going on there.
bugzilla-daemon at mindrot.org
2023-Oct-15 23:46 UTC
[Bug 3526] Config option AddressFamily has no effect?
https://bugzilla.mindrot.org/show_bug.cgi?id=3526
--- Comment #7 from Damien Miller <djm at mindrot.org> ---
could you try replacing the -1 with AF_UNSPEC?
bugzilla-daemon at mindrot.org
2023-Oct-16 22:22 UTC
[Bug 3526] Config option AddressFamily has no effect?
https://bugzilla.mindrot.org/show_bug.cgi?id=3526
nix-muell at gmx.net changed:
What |Removed |Added
----------------------------------------------------------------------------
Attachment #3741|0 |1
is obsolete| |
--- Comment #8 from nix-muell at gmx.net ---
Created attachment 3746
--> https://bugzilla.mindrot.org/attachment.cgi?id=3746&action=edit
filter addresses by AddressFamily at connect time
(In reply to Damien Miller from comment #7)
> could you try replacing the -1 with AF_UNSPEC?
Yep, that flies.
Another improvement: If no address matches the configured address
family, the error message would just be "failure".
Making it `errno = EAFNOSUPPORT;` (instead of errno = 0) results in a
nice(r) "Address family not supported by protocol family".
Not quite the "Could not resolve hostname" that would result from
non-canonicalized hosts, but better than just plain "failure".
I also think this new if block should be inserted right after the first
one. That would spare otherwise wasted getnameinfo lookups.
bugzilla-daemon at mindrot.org
2023-Oct-16 22:28 UTC
[Bug 3526] Config option AddressFamily has no effect?
https://bugzilla.mindrot.org/show_bug.cgi?id=3526
--- Comment #9 from nix-muell at gmx.net ---
> Making it `errno = EAFNOSUPPORT;` (instead of errno = 0) results in
> a nice(r) "Address family not supported by protocol family".
Then again, that might be misleading. And platform dependent? Not quite
sure here.
bugzilla-daemon at mindrot.org
2023-Oct-17 02:23 UTC
[Bug 3526] Config option AddressFamily has no effect?
https://bugzilla.mindrot.org/show_bug.cgi?id=3526
--- Comment #10 from Damien Miller <djm at mindrot.org> ---
It was after the getnameinfo() block because we need that to do the
name->address conversion
bugzilla-daemon at mindrot.org
2023-Nov-15 22:29 UTC
[Bug 3526] Config option AddressFamily has no effect?
https://bugzilla.mindrot.org/show_bug.cgi?id=3526
Damien Miller <djm at mindrot.org> changed:
What |Removed |Added
----------------------------------------------------------------------------
CC| |dtucker at dtucker.net
Attachment #3746| |ok?(dtucker at dtucker.net)
Flags| |
bugzilla-daemon at mindrot.org
2023-Nov-15 22:57 UTC
[Bug 3526] Config option AddressFamily has no effect?
https://bugzilla.mindrot.org/show_bug.cgi?id=3526
Darren Tucker <dtucker at dtucker.net> changed:
What |Removed |Added
----------------------------------------------------------------------------
Attachment #3746|ok?(dtucker at dtucker.net) |ok+
Flags| |
bugzilla-daemon at mindrot.org
2023-Nov-15 23:14 UTC
[Bug 3526] Config option AddressFamily has no effect?
https://bugzilla.mindrot.org/show_bug.cgi?id=3526
Damien Miller <djm at mindrot.org> changed:
What |Removed |Added
----------------------------------------------------------------------------
Status|NEW |RESOLVED
Resolution|--- |FIXED
--- Comment #11 from Damien Miller <djm at mindrot.org> ---
this has been applied and will be in openssh-9.6, due in late December
bugzilla-daemon at mindrot.org
2023-Nov-19 01:09 UTC
[Bug 3526] Config option AddressFamily has no effect?
https://bugzilla.mindrot.org/show_bug.cgi?id=3526
nix-muell at gmx.net changed:
What |Removed |Added
----------------------------------------------------------------------------
Attachment #3746|0 |1
is obsolete| |
Resolution|FIXED |---
Status|RESOLVED |REOPENED
Assignee|unassigned-bugs at mindrot.org |nix-muell at gmx.net
--- Comment #12 from nix-muell at gmx.net ---
Created attachment 3761
--> https://bugzilla.mindrot.org/attachment.cgi?id=3761&action=edit
filter addresses by AddressFamily at connect time
Whoa, wait a sec. As Damien pointed out, my patch was clearly faulty.
I am absolutely not a dev, fairly new to FOSS contributions, and as a
non-native English speaker am still a bit concerned about the risk that
`errno = EAFNOSUPPORT` (Address family not supported by protocol
family) might be misleading and/or platform dependent.
I thought I could find some time to learn enough C to work out
something smarter. That did so far not work out a bit. Sorry for
stalling this so long.
This patch restores Damien's correct position of the new code while
keeping EAFNOSUPPORT with a slightly more specific debug2 output.
bugzilla-daemon at mindrot.org
2023-Nov-20 02:50 UTC
[Bug 3526] Config option AddressFamily has no effect?
https://bugzilla.mindrot.org/show_bug.cgi?id=3526
Damien Miller <djm at mindrot.org> changed:
What |Removed |Added
----------------------------------------------------------------------------
Resolution|--- |FIXED
Status|REOPENED |RESOLVED
--- Comment #13 from Damien Miller <djm at mindrot.org> ---
I've just committed the EAFNOSUPPORT change. Thanks
bugzilla-daemon at mindrot.org
2023-Nov-22 12:13 UTC
[Bug 3526] Config option AddressFamily has no effect?
https://bugzilla.mindrot.org/show_bug.cgi?id=3526
renmingshuai <rmsh1216 at 163.com> changed:
What |Removed |Added
----------------------------------------------------------------------------
CC| |rmsh1216 at 163.com
--- Comment #14 from renmingshuai <rmsh1216 at 163.com> ---
The bz number in the git message of this patch should be 3526 instead
of 5326.
https://anongit.mindrot.org/openssh.git/commit/?id=26f3f3bbc69196d908cad6558c8c7dc5beb8d74a