Dear openssh developers and users,

I'm new to the list, and my apologies if this question has been asked before. I've tried to look for answers and haven't succeeded, which is why I'm asking.

Here's the situation: I'm connecting to a dual-stacked host with A and AAAA records. The IPv6 connectivity to the host is broken. When connecting to the host directly from my client system, the TCP connect to the IPv6 address times out after 75s, which is the TCP default timeout. After that, SSH proceeds to connect to the IPv4 address successfully. This causes a rather large delay. I can control this by setting "ConnectTimeout" to something lower, like 30s. So far, so good.

However, when I'm not on a trusted network, I have to use a proxy to connect to that same dual-stacked host. I can do the proxy in one of the following ways:

1. ssh -tt proxyhost ssh -tt host
2. ProxyCommand ssh proxyhost 'exec nc %h %p 2>/dev/null'
3. ProxyCommand ssh -W [%h]:%p proxyhost
4. ProxyJump proxyhost
5a. ssh -D localhost:1080 -N proxyhost
5b. ProxyCommand nc -x localhost %h %p

I don't like method #1 at all, for obvious reasons.

Method #2 works well, and in fact, has the side effect of making the connection faster, since "nc" times out the TCP connection to the IPv6 address in just 10s, and falls back to the IPv4 address. But the disadvantage is that "nc" is required on the proxy, and I can't always ensure that.

Methods #3 and #4 are essentially the same, and have the main advantage of not requiring any extra utilities on the proxy server. But they have one disadvantage that I've not been able to solve. They don't offer me any way to control the TCP timeout, and so I get the OS default, which is too long. This long delay in connecting to the target messes up other things that run atop ssh, such as ansible.

Method #5 requests a SOCKS proxy via the sshd on the proxyhost, but like with methods #3 and #4, I am beleaguered by the TCP connect timeout of the proxyhost.
So my question is: is there any way I can influence the timeout that sshd on the proxy uses for making the TCP connection to the target when using methods #3, #4 or #5?

Regards,
Anand Buddhdev
What's wrong with just using "-4" for this host?

-----Original Message-----
From: openssh-unix-dev <openssh-unix-dev-bounces+scott_n=xypro.com at mindrot.org> On Behalf Of Anand Buddhdev
Sent: Thursday, March 26, 2020 5:03 AM
To: openssh-unix-dev at mindrot.org
Subject: TCP connect timeout with proxy
Hi Scott,

You've entirely missed my point. Yes, if I connect directly to a host, I can use '-4' to force IPv4. When connecting through a proxy, I can't easily control which address family to use, nor the TCP connect timeout. Sure, if I use netcat to proxy, I could supply a '-4' to it to force connecting over IPv4. But making that permanent is also a pain because I want to connect to IPv6-only hosts too.

But none of these individual fixes are relevant. I would like a finely-tuned ssh config, with a proxy setup, whereby connecting to remote hosts doesn't take so long because of the default TCP timeout. My use case is connecting to several hosts with ansible using ssh as the transport. I can't adjust my ssh config for each host. If IPv6 is not working for a host at the time I'm connecting, I'd like the proxy to quickly fall back to IPv4. Later, if that host's IPv6 is working again, I'd like to be able to use it without hacks.

Regards,
Anand

On 26/03/2020 16:02, Scott Neugroschl wrote:
> What's wrong with just using "-4" for this host?
Anand Buddhdev wrote:
> 3. ProxyCommand ssh -W [%h]:%p proxyhost
> 4. ProxyJump proxyhost
..
> Methods #3 and #4 are essentially the same, and have the main advantage
> of not requiring any extra utilities on the proxy server. But they have
> one disadvantage that I've not been able to solve. They don't offer me
> any way to control the TCP timeout, and so I get the OS default, which
> is too long.
..
> So my question is: is there any way I can influence the timeout that
> sshd on the proxy uses for making the TCP connection to the target when
> using methods #3, #4 or #5?

#3 and #4 open a "direct-tcpip" channel within the SSH session.

The open message doesn't support specifying a timeout, or any way to extend it with more/new parameters.

You would have to extend the SSH protocol upstream and wait for the extension to be supported by all your proxy hosts.

Alternatively, if you control all proxy hosts and all clients then you can hack something. \o/

Maybe a variant of the "direct-tcpip" channel open message that takes an extra uint32 timeout, or you could steal a few bits from uint32 initial window size or uint32 maximum packet size to encode your desired timeout. (See RFC 4254 for full details of the channel open message.)

//Peter
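Peter's point, written out as an added example that is not from the thread or from OpenSSH: the SSH_MSG_CHANNEL_OPEN message for a "direct-tcpip" channel, encoded and parsed field by field as RFC 4254 section 7.2 defines it. The function names and the window/packet sizes are my own choices; the parser rejects trailing bytes, which is where a timeout would otherwise have to go.

```python
# Added example (not OpenSSH code): encode and decode the SSH_MSG_CHANNEL_OPEN message
# for a "direct-tcpip" channel exactly as RFC 4254 section 7.2 lays it out. The field
# list is closed: nothing after the originator port is defined, so a connect timeout
# has nowhere to travel without a protocol extension.
import struct

SSH_MSG_CHANNEL_OPEN = 90  # message number from RFC 4254 section 5.1

def ssh_string(data: bytes) -> bytes:
    """RFC 4251 'string': uint32 length followed by the bytes."""
    return struct.pack(">I", len(data)) + data

def build_direct_tcpip(sender_channel, host, port, originator_ip, originator_port,
                       initial_window=2 * 1024 * 1024, max_packet=32768):
    """Build the open request a client sends for 'ssh -W' or ProxyJump (sizes are constructed)."""
    return (bytes([SSH_MSG_CHANNEL_OPEN])
            + ssh_string(b"direct-tcpip")
            + struct.pack(">III", sender_channel, initial_window, max_packet)
            + ssh_string(host.encode()) + struct.pack(">I", port)
            + ssh_string(originator_ip.encode()) + struct.pack(">I", originator_port))

def parse_direct_tcpip(msg: bytes) -> dict:
    """Decode the request; reject anything that is not a well-formed direct-tcpip open."""
    off = 0
    def u32():
        nonlocal off
        value, = struct.unpack_from(">I", msg, off)
        off += 4
        return value
    def string():
        nonlocal off
        n = u32()
        if off + n > len(msg):
            raise ValueError("string runs past end of message")
        off += n
        return msg[off - n:off]
    if not msg or msg[0] != SSH_MSG_CHANNEL_OPEN:
        raise ValueError("not SSH_MSG_CHANNEL_OPEN")
    off = 1
    channel_type = string()
    if channel_type != b"direct-tcpip":
        raise ValueError(f"unexpected channel type {channel_type!r}")
    fields = {"sender_channel": u32(), "initial_window": u32(), "max_packet": u32(),
              "host": string().decode(), "port": u32(),
              "originator_ip": string().decode(), "originator_port": u32()}
    if off != len(msg):  # a strict peer treats extra bytes as a malformed packet
        raise ValueError(f"{len(msg) - off} trailing byte(s) after originator port")
    return fields
```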
On 26/03/2020 22:40, Peter Stuge wrote:

Hi Peter,

> #3 and #4 open a "direct-tcpip" channel within the SSH session.
>
> The open message doesn't support specifying a timeout, or any way to
> extend it with more/new parameters.
>
> You would have to extend the SSH protocol upstream and wait for the
> extension to be supported by all your proxy hosts.

Right. Thank you for this. This is the answer that explains it. It doesn't provide a solution, but at least now I know.

I am afraid I am not a programmer, and am unable to extend openssh in any way. If I could, I would. I can write code in python, but that's about it. C is beyond my ability.

For now, I think my best option is to keep using netcat (nc) on the proxy to make the TCP connection. Fortunately, nc offers an option to control the TCP connect timeout, and also has a sane default of 10 seconds, so when one address family fails, it tries the other one quickly.

Regards,
Anand
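The thread ends on using nc on the proxy for its 10 second per-address connect timeout. As an added example, not code from the thread or from OpenSSH, here is a Python ProxyCommand relay that does the same job without nc: it tries each address of the target with a short timeout, falls back on the first failure, and then relays bytes between ssh and the target. The script name relay.py and the ProxyCommand line are assumptions.

```python
# Constructed example, not OpenSSH code: a ProxyCommand relay with a short per-address
# connect timeout. It tries each address getaddrinfo returns (AAAA and A), moves on at
# the first failure, then relays stdin/stdout to the socket like "nc %h %p" would.
# Assumed use on the proxy: ProxyCommand ssh proxyhost 'python3 relay.py %h %p'
import os, selectors, socket, sys

CONNECT_TIMEOUT = 10.0  # seconds per address; the same default nc uses

def connect_with_fallback(host, port, timeout=CONNECT_TIMEOUT, resolver=socket.getaddrinfo):
    """Return (socket, sockaddr) for the first address that accepts a TCP connection
    within `timeout`; raise OSError if every address fails."""
    last_err = None
    for family, socktype, proto, _, sockaddr in resolver(host, port, socket.AF_UNSPEC, socket.SOCK_STREAM):
        sock = socket.socket(family, socktype, proto)
        sock.settimeout(timeout)
        try:
            sock.connect(sockaddr)
            sock.settimeout(None)  # back to blocking for the relay loop
            return sock, sockaddr
        except OSError as err:  # timed out, refused or unreachable: try the next one
            last_err = err
            sock.close()
    raise OSError(f"no address of {host}:{port} answered: {last_err}")

def relay(sock, stdin_fd, stdout_fd):
    """Copy bytes in both directions until either side reaches EOF."""
    sel = selectors.DefaultSelector()
    sel.register(sock, selectors.EVENT_READ)
    sel.register(stdin_fd, selectors.EVENT_READ)
    while True:
        for key, _ in sel.select():
            if key.fileobj is sock:
                data = sock.recv(65536)
                if not data:
                    return  # target closed; ssh then sees EOF on its pipe
                view = memoryview(data)
                while view:  # os.write may accept fewer bytes than offered
                    view = view[os.write(stdout_fd, view):]
            else:
                data = os.read(stdin_fd, 65536)
                if not data:
                    return  # ssh closed our stdin
                sock.sendall(data)

if __name__ == "__main__":
    conn, _addr = connect_with_fallback(sys.argv[1], int(sys.argv[2]))
    relay(conn, sys.stdin.fileno(), sys.stdout.fileno())
```

Because the timeout applies per address, a target whose AAAA record is dead costs at most CONNECT_TIMEOUT seconds before the A record is tried, which is the behaviour nc gave in method #2.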