Hello all,

I would like to hear your opinions on what would be the best way of passing address family (hints) to proxy commands. Generally, a proxy command is used to connect to proxy servers, and the address family of the target host is up to the decision of the proxy command itself (regardless of whether it is netcat, another ssh or something else). Currently, hints from the command line (-4, -6) are not used at all and are not passed to the proxy command, similarly to any other hints from configuration files (unless the proxy command is ssh too and the proxy host has a specific AddressFamily directive).

My suggestion would be to provide a new replacement percent-token to inform the proxy command about the preferred address family, but if you can think of a better solution, I would be glad to hear it.

This came up in the following bug [1], which is using sss_ssh_knownhostsproxy (taking care of known hosts validation if connecting to a server managed by IPA), but I believe this can be a real issue in other use cases.

[1] https://bugzilla.redhat.com/show_bug.cgi?id=1857104

Thanks,
--
Jakub Jelen
Senior Software Engineer
Security Technologies
Red Hat, Inc.
On Mon, 3 Aug 2020 at 22:09, Jakub Jelen <jjelen at redhat.com> wrote:
[...]
> My suggestion would be to provide a new replacement percent-token to
> inform the proxy-command about the preferred address family, but if you
> can think about better solution, I would be glad to hear it.

I think adding a percent-token for AddressFamily would be a reasonable solution and can't think of a better one offhand.

--
Darren Tucker (dtucker at dtucker.net)
GPG key 11EAA6FA / A86E 3E07 5B19 5880 E860 37F4 9357 ECEF 11EA A6FA (new)
    Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.
On Mon, 2020-08-03 at 23:00 +1000, Darren Tucker wrote:
> On Mon, 3 Aug 2020 at 22:09, Jakub Jelen <jjelen at redhat.com> wrote:
> [...]
> > My suggestion would be to provide a new replacement percent-token to
> > inform the proxy-command about the preferred address family, but if you
> > can think about better solution, I would be glad to hear it.
>
> I think adding a percent-token for AddressFamily would be a reasonable
> solution and can't think of a better one offhand.

Thank you for the fast reply. Looking into netcat, I would expect that using the -4 or -6 values directly as the replacement for %f (family) would probably be the easiest and most portable, as it resembles existing command-line switches for many other tools.

I attached a simple patch to achieve this to the bugzilla and tested in debug mode that it resolves as expected:

https://bugzilla.mindrot.org/show_bug.cgi?id=3199

Regards,
--
Jakub Jelen
Senior Software Engineer
Security Technologies
Red Hat, Inc.
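The expansion the thread proposes, as an added example that is not part of the thread and not OpenSSH's own code: a small shell model of a ProxyCommand template where the `%f` token (hypothetical here; the real token name depends on the patch) expands to the netcat-style `-4`/`-6` switch derived from AddressFamily, with the `-4`/`-6` command-line flags taking precedence over the configured value as ssh itself does. The template, hostnames and ports are constructed sample values; the real `percent_expand()` in ssh also handles `%%` and more tokens than shown here.

```shell
#!/bin/sh
# Added example (not the thread's or OpenSSH's code): models how a proposed
# %f ProxyCommand token could carry the preferred address family.

# effective_family <configured AddressFamily> <cli flag or "">
#   -4/-6 on the command line override the configured value.
effective_family() {
  case "$2" in
    -4) printf '%s' inet ;;
    -6) printf '%s' inet6 ;;
    '') printf '%s' "${1:-any}" ;;
    *)  printf 'unknown flag: %s\n' "$2" >&2; return 1 ;;
  esac
}

# family_flag <AddressFamily>  -> "-4", "-6" or "" (for "any")
family_flag() {
  case "$1" in
    inet)   printf '%s' '-4' ;;
    inet6)  printf '%s' '-6' ;;
    any|'') printf '%s' '' ;;
    *) printf 'unknown AddressFamily: %s\n' "$1" >&2; return 1 ;;
  esac
}

# expand_proxy_command <template> <AddressFamily> <host> <port>
#   Replaces %h, %p and the hypothetical %f token in the template.
expand_proxy_command() {
  tmpl=$1; family=$2; host=$3; port=$4
  flag=$(family_flag "$family") || return 1
  printf '%s\n' "$tmpl" |
    sed -e "s|%h|$host|g" -e "s|%p|$port|g" -e "s|%f|$flag|g"
}

# Constructed sample: an ssh_config-style ProxyCommand using the token.
TEMPLATE='nc %f %h %p'

# Stand-alone demonstration of the three cases (config inet6, cli -4 override, any).
expand_proxy_command "$TEMPLATE" "$(effective_family inet6 '')" example.com 22
expand_proxy_command "$TEMPLATE" "$(effective_family inet6 -4)" example.com 22
expand_proxy_command "$TEMPLATE" "$(effective_family any '')" example.com 22
```

Without the token the proxy command only ever sees `%h` and `%p`, so a configured `AddressFamily inet6` or a `-4` on the ssh command line never reaches netcat; with it, the same template produces `nc -6 example.com 22` or `nc -4 example.com 22` as appropriate.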