Passing address family to proxy command
Hello all,
I would like to hear your opinions on what would be the best way of
passing address family (hints) to proxy commands.

Generally, a proxy command is used to connect to proxy servers, and the
address family of the target host is up to the proxy command itself
(regardless of whether it is netcat, another ssh or something else).

Currently, hints from the command line (-4, -6) are not used at all and
are not passed to the proxy command, similarly to any other hints from
configuration files (unless the proxy command is ssh too and the proxy
host has a specific AddressFamily directive).

My suggestion would be to provide a new replacement percent-token to
inform the proxy command about the preferred address family, but if you
can think of a better solution, I would be glad to hear it.

This came up in the following bug [1], which is using
sss_ssh_knownhostsproxy (taking care of known hosts validation if
connecting to the server managed by IPA), but I believe this can be a
real issue in other use cases.

[1] https://bugzilla.redhat.com/show_bug.cgi?id=1857104

Thanks,
--
Jakub Jelen
Senior Software Engineer
Security Technologies
Red Hat, Inc.

_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@mindrot.org
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
Re: Passing address family to proxy command
On Mon, 3 Aug 2020 at 22:09, Jakub Jelen <jjelen@redhat.com> wrote:
[...]
> My suggestion would be to provide a new replacement percent-token to
> inform the proxy command about the preferred address family, but if you
> can think of a better solution, I would be glad to hear it.

I think adding a percent-token for AddressFamily would be a reasonable
solution and can't think of a better one offhand.

--
Darren Tucker (dtucker at dtucker.net)
GPG key 11EAA6FA / A86E 3E07 5B19 5880 E860 37F4 9357 ECEF 11EA A6FA (new)
Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.
Re: Passing address family to proxy command
On Mon, 2020-08-03 at 23:00 +1000, Darren Tucker wrote:
> On Mon, 3 Aug 2020 at 22:09, Jakub Jelen <jjelen@redhat.com> wrote:
> [...]
> > My suggestion would be to provide a new replacement percent-token to
> > inform the proxy command about the preferred address family, but if
> > you can think of a better solution, I would be glad to hear it.
>
> I think adding a percent-token for AddressFamily would be a reasonable
> solution and can't think of a better one offhand.

Thank you for the fast reply.

Looking into netcat, I would expect that directly using the -4 or -6
values as a replacement for %f (family) would probably be the easiest
and most portable, as it usually resembles existing command-line
switches for many other tools.

I attached a simple patch to achieve this to the bugzilla and tested
in debug mode that it resolves as expected:

https://bugzilla.mindrot.org/show_bug.cgi?id=3199

Regards,
--
Jakub Jelen
Senior Software Engineer
Security Technologies
Red Hat, Inc.
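
A proxy wrapper that consumes the hint in the form discussed above (`-4`, `-6`, or nothing), as an added example that is not part of the thread, the attached patch, or OpenSSH. It assumes the proposed `%f` token is available and expands to an empty string when no family is preferred; the script name `family-proxy` and the `DRY_RUN` variable are hypothetical.

```shell
#!/bin/sh
# Added example. Assumed ssh_config line (%f is the token proposed above):
#   ProxyCommand /usr/local/bin/family-proxy "%f" %h %p

# Print the nc family switch for a hint, or nothing for "no preference".
# Any other value fails, so unexpected text never reaches nc's argv.
family_flag() {
    case "$1" in
        -4|-6) printf '%s' "$1" ;;
        '')    ;;
        *)     return 1 ;;
    esac
}

# proxy HINT HOST PORT: validate the arguments, then run nc.
# With DRY_RUN set, print the command line instead of executing it.
proxy() {
    hint=$1 host=$2 port=$3
    flag=$(family_flag "$hint") || { echo "bad family hint: $hint" >&2; return 2; }
    # A host starting with '-' would be parsed by nc as an option.
    case "$host" in ''|-*) echo "bad host: $host" >&2; return 2 ;; esac
    case "$port" in ''|*[!0-9]*) echo "bad port: $port" >&2; return 2 ;; esac

    set -- nc
    if [ -n "$flag" ]; then set -- "$@" "$flag"; fi
    set -- "$@" "$host" "$port"

    if [ -n "${DRY_RUN:-}" ]; then
        printf '%s\n' "$*"
    else
        exec "$@"
    fi
}

# Run only when invoked with arguments, as ssh does for a ProxyCommand.
if [ "$#" -gt 0 ]; then proxy "$@"; fi
```

Quoting `"%f"` in the ProxyCommand line keeps the argument positions stable when the hint is empty.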
