bug#55335: openssh-service no longer listens on IPv6
From: Ludovic Courtès
Subject: bug#55335: openssh-service no longer listens on IPv6
Date: Sat, 14 May 2022 16:16:42 +0200
User-agent: Gnus/5.13 (Gnus v5.13) Emacs/27.2 (gnu/linux)
Hi,
Christopher Baines <mail@cbaines.net> skribis:
> Prior to the switch to the openssh service using inetd, you could connect over
> IPv4 or IPv6. With inetd, you can only connect over IPv4, meaning for machines
> with just IPv6 connectivity, you can't connect.
>
> Switching to listening via IPv6 should support IPv4 connections, as Linux is
> capable of translating IPv4 connections to IPv6. I think there's a risk that
> switching to this approach will affect some uses of the openssh
> service. Therefore, this commit makes this a configuration option, which is #f
> by default.
>
> In the future, once it's easy to do so via Guile and the shepherd, it would be
> good if two sockets were used, one for IPv4 and one for IPv6. That's not easy
> at the moment, as the IPv6 socket conflicts with the IPv4 one, due to the
> translation behaviour described above.
Yes, I was going to suggest turning the ‘address’ argument of
‘make-inetd-constructor’ into ‘addresses’ (plural), with backward
compatibility. For sshd, we’d do:
  (make-inetd-constructor
    (append #$openssh-command '("-i"))
    (list (make-socket-address AF_INET INADDR_ANY #$port-number)
          (make-socket-address AF_INET6 INADDR_ANY #$port-number)))
It’s not that simple, due to the v6-to-v4 translation you mention:
--8<---------------cut here---------------start------------->8---
scheme@(guile-user)> (define v4 (make-socket-address AF_INET INADDR_ANY 5555))
scheme@(guile-user)> (define v6 (make-socket-address AF_INET6 INADDR_ANY 5555))
scheme@(guile-user)> (define s4 (socket AF_INET SOCK_STREAM 0))
scheme@(guile-user)> (define s6 (socket AF_INET6 SOCK_STREAM 0))
scheme@(guile-user)> (bind s4 v4)
scheme@(guile-user)> (bind s6 v6)
ice-9/boot-9.scm:1685:16: In procedure raise-exception:
In procedure bind: Address already in use
Entering a new prompt. Type `,bt' for a backtrace or `,q' to continue.
--8<---------------cut here---------------end--------------->8---
… but it can be made to work:
--8<---------------cut here---------------start------------->8---
scheme@(guile-user)> (define s4 (socket AF_INET SOCK_STREAM 0))
scheme@(guile-user)> (define s6 (socket AF_INET6 SOCK_STREAM 0))
scheme@(guile-user)> (define IPPROTO_IPV6 41)
scheme@(guile-user)> (define IPV6_V6ONLY 26)
scheme@(guile-user)> (setsockopt s6 IPPROTO_IPV6 IPV6_V6ONLY 1)
scheme@(guile-user)> (bind s4 v4)
scheme@(guile-user)> (bind s6 v6)
--8<---------------cut here---------------end--------------->8---
So ‘make-inetd-constructor’ would interpret v6 addresses as v6-only,
with the understanding that the caller has to explicitly pass all the
relevant addresses.
Thoughts?
We could release Shepherd shortly with the fixes that have accumulated.
The service in Guix would be able to use it, but only if PID 1 is recent
enough.
Thanks,
Ludo’.
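The two REPL sessions above, reproduced as an added Python example (not code from the thread or from the Shepherd): the same two-socket bind is attempted once without and once with IPV6_V6ONLY, and the function reports which of the outcomes discussed above occurred. It assumes Linux (where the v6 socket claims IPv4-mapped addresses unless net.ipv6.bindv6only is set) and binds the IPv4 socket to an ephemeral port rather than the hard-coded 5555.

```python
import errno
import socket

# Linux values, as used in the Guile session above; Python normally exposes
# them as socket constants, so the literals are only a fallback.
IPPROTO_IPV6 = getattr(socket, "IPPROTO_IPV6", 41)
IPV6_V6ONLY = getattr(socket, "IPV6_V6ONLY", 26)


def bind_dual_stack(v6only):
    """Bind an AF_INET and an AF_INET6 listener to the same port.

    Returns "ok" if both binds succeed, "eaddrinuse" if the IPv6 bind
    collides with the IPv4 one (the v6-to-v4 translation discussed in the
    thread), or "no-ipv6" if the host cannot create IPv6 sockets at all.
    The IPv4 socket is bound to port 0 so the kernel picks a free port
    instead of the hard-coded 5555 from the REPL session.
    """
    s4 = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    try:
        s4.bind(("0.0.0.0", 0))                 # INADDR_ANY, ephemeral port
        port = s4.getsockname()[1]
        try:
            s6 = socket.socket(socket.AF_INET6, socket.SOCK_STREAM)
        except OSError:
            return "no-ipv6"
        try:
            if v6only:
                # Make the v6 socket IPv6-only so it no longer claims the
                # IPv4-mapped address space that s4 already owns.
                s6.setsockopt(IPPROTO_IPV6, IPV6_V6ONLY, 1)
            try:
                s6.bind(("::", port))           # in6addr_any, same port
            except OSError as e:
                if e.errno == errno.EADDRINUSE:
                    return "eaddrinuse"
                if e.errno in (errno.EAFNOSUPPORT, errno.EADDRNOTAVAIL):
                    return "no-ipv6"
                raise
            return "ok"
        finally:
            s6.close()
    finally:
        s4.close()


if __name__ == "__main__":
    print("without IPV6_V6ONLY:", bind_dual_stack(False))
    print("with IPV6_V6ONLY:   ", bind_dual_stack(True))
```

On a stock Linux host the first call reports "eaddrinuse" and the second "ok"; a host with net.ipv6.bindv6only=1 reports "ok" for both, which is why the constructor cannot rely on the kernel default and has to set the option itself.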