bug#55335: openssh-service no longer listens on IPv6

[Ludovic Courtès]

Hi,

Christopher Baines <mail@cbaines.net> skribis:

> Prior to the switch to the openssh service using inetd, you could connect over
> IPv4 or IPv6. With inetd, you can only connect over IPv4, meaning for machines
> with just IPv6 connectivity, you can't connect.
>
> Switching to listing via IPv6 should support IPv4 connections, as Linux is
> capable of translating IPv4 connections to IPv6. I think there's a risk that
> switching to this approach will affect some uses of the openssh
> service. Therefore, this commit makes this a configuration option, which is #f
> by default.
>
> In the future, once it's easy to do so via Guile and the shepherd, it would be
> good if two sockets were used, one for IPv4 and one for IPv6. That's not easy
> at the moment, as the IPv6 socket conflicts with the IPv4 one, due to the
> translation behaviour described above.

Yes, I was going to suggest turning the ‘address’ argument of
‘make-inetd-constructor’ into ‘addresses’ (plural), with backward
compatibility.  For sshd, we’d do:

         (make-inetd-constructor
          (append #$openssh-command '("-i"))
          (list (make-socket-address AF_INET INADDR_ANY #$port-number)
                (make-socket-address AF_INET6 INADDR_ANY #$port-number)))

It’s not that simple, due to the v6-to-v4 translation you mention:

--8<---------------cut here---------------start------------->8---
scheme@(guile-user)> (define v4 (make-socket-address AF_INET INADDR_ANY 5555))
scheme@(guile-user)> (define v6 (make-socket-address AF_INET6 INADDR_ANY 5555))
scheme@(guile-user)> (define s4 (socket AF_INET SOCK_STREAM 0))
scheme@(guile-user)> (define s6 (socket AF_INET6 SOCK_STREAM 0))
scheme@(guile-user)> (bind s4 v4)
scheme@(guile-user)> (bind s6 v6)
ice-9/boot-9.scm:1685:16: In procedure raise-exception:
In procedure bind: Address already in use

Entering a new prompt.  Type `,bt' for a backtrace or `,q' to continue.
--8<---------------cut here---------------end--------------->8---

… but it can be made to work:

--8<---------------cut here---------------start------------->8---
scheme@(guile-user)> (define s4 (socket AF_INET SOCK_STREAM 0))
scheme@(guile-user)> (define s6 (socket AF_INET6 SOCK_STREAM 0))
scheme@(guile-user)> (define IPPROTO_IPV6 41)
scheme@(guile-user)> (define IPV6_V6ONLY 26)
scheme@(guile-user)> (setsockopt s6 IPPROTO_IPV6 IPV6_V6ONLY 1)
scheme@(guile-user)> (bind s4 v4)
scheme@(guile-user)> (bind s6 v6)
--8<---------------cut here---------------end--------------->8---

So ‘make-inetd-constructor’ would interpret v6 addresses as v6-only,
with the understanding that the caller has to explicitly pass all the
relevant addresses.

Thoughts?

We could release Shepherd shortly with the fixes that have accumulated.
The service in Guix would be able to use it, but only if PID 1 is recent
enough.

Thanks,
Ludo’.