Hi:

The openssh suite of commands have an option to specify address (e.g, ListenAddress for sshd) but I do not see support for bind-to-interface.

The motivating use case for me is using openssh commands (sshd, ssh, scp, sftp) with the recent VRF capability added to the Linux kernel. The VRF design relies on the bind-to-interface option to select the correct routing tables. Before I started working on patches I wanted to get a sense of whether it would be accepted.

Thanks,
David

On Sun, 22 Nov 2015, David Ahern wrote:
> Hi:
>
> The openssh suite of commands have an option to specify address (e.g,
> ListenAddress for sshd) but I do not see support for bind-to-interface.
>
> The motivating use case for me is using openssh commands (sshd, ssh, scp,
> sftp) with the recent VRF capability added to the Linux kernel. The VRF design
> relies on the bind-to-interface option to select the correct routing tables.
> Before I started working on patches I wanted to get a sense of whether it
> would be accepted.

What's wrong with the existing BindAddress option?

On 11/23/15 4:50 PM, Damien Miller wrote:
> On Sun, 22 Nov 2015, David Ahern wrote:
>
>> Hi:
>>
>> The openssh suite of commands have an option to specify address (e.g,
>> ListenAddress for sshd) but I do not see support for bind-to-interface.
>>
>> The motivating use case for me is using openssh commands (sshd, ssh, scp,
>> sftp) with the recent VRF capability added to the Linux kernel. The VRF design
>> relies on the bind-to-interface option to select the correct routing tables.
>> Before I started working on patches I wanted to get a sense of whether it
>> would be accepted.
>
> What's wrong with the existing BindAddress option?
>

For my use case the problem is that it is an address, not a device. The VRF implementation with Linux expects tasks to use the SO_BINDTODEVICE option to bind to the VRF-device. That triggers the use of a route table associated with the VRF domain which can encapsulate one or more network interfaces.

Addresses are local to a VRF domain (e.g., 2 interfaces in 2 different VRFs can have the same IP address). i.e., to run ssh/scp/sftp/sshd in a VRF context requires the bind to device option.

On Sun, 22 Nov 2015, David Ahern wrote:
> Hi:
>
> The openssh suite of commands have an option to specify address (e.g,
> ListenAddress for sshd) but I do not see support for bind-to-interface.
>
> The motivating use case for me is using openssh commands (sshd, ssh,
> scp, sftp) with the recent VRF capability added to the Linux kernel. The
> VRF design relies on the bind-to-interface option to select the correct
> routing tables. Before I started working on patches I wanted to get a
> sense of whether it would be accepted.
>
> Thanks,
> David

Hi,

I've opened an enhancement ticket on Bugzilla and attached a patch [1], a simple test shows that it's working as intended.

Feedback is most welcome. Thanks!

--
Kind regards,
Luca Boccassi

[1] https://bugzilla.mindrot.org/show_bug.cgi?id=2784