sss_ssh_knownhostsproxy doesn't allow forcing IPv4

Bug #1687482 reported by Bryce Larson
Affects: sssd (Ubuntu)
Status: Triaged
Importance: Undecided
Assigned to: Unassigned

Bug Description

Whenever I use the -4 flag on ssh, it still uses the IPv6 address from DNS instead of forcing IPv4 as the man page says it should.

Christian Ehrhardt  (paelzer) wrote :

Without a sophisticated IPv6 setup, I tried the most trivial case.

# ssh ip6-localhost
The authenticity of host 'ip6-localhost (::1)' can't be established.
[...]
root@zesty-test:~# ssh -4 ip6-localhost
The authenticity of host 'ip6-localhost (127.0.0.1)' can't be established.

As you can see, the -4 flag successfully avoided using the IPv6 address.

What version/release are you running, and are there any details of your setup that might help us understand?
If you could use apport-collect, that would add most of the other info needed (though not your setup details).

Changed in openssh (Ubuntu):
status: New → Incomplete
Bryce Larson (bryceml) wrote :

I'm running xenial. After I saw your comment I tried it on zesty and have yet to run into this bug on zesty. I haven't tried in the same environment yet, though; I can try that later this week, as well as get an apport-collect done.

As you can see below, the last login reports an IPv6 address. I verified it is using IPv6 with iftop as well. I also tried your trivial case and the same thing happened.

We are running FreeIPA; I don't know if that would have an effect or not.

If it's fixed in zesty, is there any way to get the same fix into xenial?

bryceml@ratpoison:~$ ssh -4 sake
Welcome to Ubuntu 16.04.2 LTS (GNU/Linux 4.4.0-75-generic x86_64)

 * Documentation: https://help.ubuntu.com
 * Management: https://landscape.canonical.com
 * Support: https://ubuntu.com/advantage

0 packages can be updated.
0 updates are security updates.

Last login: Tue May 2 08:50:11 2017 from 2620:10f:3007:a068:1a66:daff:fe1f:a85
bryceml@sake:~$ logout
Connection to sake closed.
bryceml@ratpoison:~$ ssh -4 sake
Welcome to Ubuntu 16.04.2 LTS (GNU/Linux 4.4.0-75-generic x86_64)

 * Documentation: https://help.ubuntu.com
 * Management: https://landscape.canonical.com
 * Support: https://ubuntu.com/advantage

0 packages can be updated.
0 updates are security updates.

Last login: Tue May 2 08:50:27 2017 from 2620:10f:3007:a068:1a66:daff:fe1f:a85
bryceml@sake:~$ host sake
sake.cs.byu.edu has address 192.168.168.107
sake.cs.byu.edu has IPv6 address 2620:10f:3007:a068:1a66:daff:fe1f:d96f
bryceml@sake:~$

bryceml@ratpoison:~$ ssh -4 ip6-localhost
The authenticity of host 'ip6-localhost (<no hostip for proxy command>)' can't be established.
ECDSA key fingerprint is SHA256:nhU3sXqrZoF3zNUxlWAfuLebsMSFhRuycFFWHlL2RRY.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added 'ip6-localhost' (ECDSA) to the list of known hosts.
Welcome to Ubuntu 16.04.2 LTS (GNU/Linux 4.4.0-75-generic x86_64)

 * Documentation: https://help.ubuntu.com
 * Management: https://landscape.canonical.com
 * Support: https://ubuntu.com/advantage

0 packages can be updated.
0 updates are security updates.

Last login: Tue May 2 08:43:46 2017 from 2620:10f:3007:a080:1a66:daff:fe1f:1057
bryceml@ratpoison:~$ logout
Connection to ip6-localhost closed.
bryceml@ratpoison:~$ ssh -4 ip6-localhost
Welcome to Ubuntu 16.04.2 LTS (GNU/Linux 4.4.0-75-generic x86_64)

 * Documentation: https://help.ubuntu.com
 * Management: https://landscape.canonical.com
 * Support: https://ubuntu.com/advantage

0 packages can be updated.
0 updates are security updates.

Last login: Tue May 2 08:57:16 2017 from ::1
bryceml@ratpoison:~$

Colin Watson (cjwatson) wrote : Re: [Bug 1687482] Re: -4 flag doesn't work

I'd suggest using "ssh -v" rather than relying on the "Last login:"
output. For instance:

  $ ssh -v -Snone riva : 2>&1 | grep 'Connecting to'
  debug1: Connecting to riva.pelham.vpn.ucam.org [2001:8b0:bff2:eb14:6a05:caff:fe12:71bf] port 22.
  $ ssh -4v -Snone riva : 2>&1 | grep 'Connecting to'
  debug1: Connecting to riva.pelham.vpn.ucam.org [172.20.153.17] port 22.

The client in this case is on xenial, so I know that "ssh -4" is not
fundamentally broken on xenial. You might also like to check that
there's nothing relevant in your ~/.ssh/config that might be overriding
the normal logic.

Bryce Larson (bryceml) wrote : Re: -4 flag doesn't work

I've figured out that it is caused by this line in /etc/ssh/ssh_config:

ProxyCommand /usr/bin/sss_ssh_knownhostsproxy -p %p %h

This was put there by the FreeIPA installer (ipa-client-install), so I guess this is a FreeIPA or sssd bug.

Bryce Larson (bryceml) wrote :

Although it could still be a bug in ssh if ssh doesn't do ProxyCommand correctly.

Colin Watson (cjwatson) wrote :

Thanks for investigating. At minimum, I think sss_ssh_knownhostsproxy is going to need to provide a -4 flag for it to be possible to make that work correctly. After that, it might be necessary to either mangle the configured ProxyCommand by hand or to somehow extend the ProxyCommand mechanism to support passing through information about the state of the -4 flag.

(In the short term, it might in fact be less effort to fix whatever IPv6 breakage requires using -4 in the first place ...)

affects: openssh (Ubuntu) → sssd (Ubuntu)
Changed in sssd (Ubuntu):
status: Incomplete → Triaged
summary: - -4 flag doesn't work
+ sss_ssh_knownhostsproxy doesn't allow forcing IPv4
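As an added example that is not part of this bug thread or of the sssd or OpenSSH projects: a small POSIX shell helper that classifies what the "ssh -v" debug output says about how the connection was made, so that a client whose ssh_config carries a ProxyCommand (the case found above, where ssh hands the connection to the proxy and its own -4/-6 choice never applies) can be told apart from a direct IPv4 or IPv6 connection. The sample debug lines are constructed, the host name example.test and the addresses are placeholders, and the helper only parses text; it does not contact any host.

```shell
#!/bin/sh
# Added example (not from the bug thread): classify "ssh -v" debug output.
# With no ProxyCommand, ssh prints "debug1: Connecting to HOST [ADDR] port N."
# and the address family in [ADDR] shows whether -4 was honoured.  With a
# ProxyCommand, ssh prints "debug1: Executing proxy command: ..." instead and
# never opens the TCP connection itself, so -4/-6 cannot influence it.

# Print 4, 6 or "proxy" for one debug line; print nothing for other lines.
classify_ssh_debug_line() {
    line=$1
    case "$line" in
        *"Executing proxy command"*) echo proxy ;;
        *"Connecting to "*"["*"]"*)
            addr=${line#*\[}        # drop everything up to and including "["
            addr=${addr%%\]*}       # drop "]" and everything after it
            case "$addr" in
                *:*) echo 6 ;;      # any colon means an IPv6 literal
                *)   echo 4 ;;
            esac
            ;;
        *) echo "" ;;
    esac
}

# Read a whole "ssh -v" transcript on stdin and print the first meaningful
# classification, or "unknown" when the transcript contains none.
classify_ssh_debug() {
    while IFS= read -r l; do
        r=$(classify_ssh_debug_line "$l")
        if [ -n "$r" ]; then
            echo "$r"
            return 0
        fi
    done
    echo unknown
}

# Constructed sample lines (placeholders, not captured from any real host).
SAMPLE_DIRECT_V6='debug1: Connecting to example.test [2001:db8::10] port 22.'
SAMPLE_DIRECT_V4='debug1: Connecting to example.test [192.0.2.10] port 22.'
SAMPLE_PROXY='debug1: Executing proxy command: exec /usr/bin/sss_ssh_knownhostsproxy -p 22 example.test'

# Typical use against a real host (needs network, so not run here):
#   ssh -4v -S none HOST : 2>&1 | classify_ssh_debug
# If that prints "proxy", the effective configuration can be inspected with
#   ssh -G HOST | grep -i proxycommand
# to confirm which ProxyCommand line is taking effect.
```

The classification deliberately looks only at the first meaningful line: once a proxy command has been executed, any later address information in the transcript describes the proxy's behaviour, not ssh's own socket.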