Mailing List Archive: [PATCH] Add an option for RFC5014 IPv6 source address preference

[PATCH] Add an option for RFC5014 IPv6 source address preference

Apr 10, 2021, 7:04 AM

Post #1 of 7 (622 views)

For hosts with multiple types of IPv6 addresses, this allows to prefer
one type over others, without explicitly hardcoding the address through
BindAddress.

A typical configuration where this is useful is a host using IPv6
privacy extensions (i.e. short-lived random "temporary" addresses) and a
static "public" address. To provide privacy, it would default to the
temporary addresses for outbound connections. But since temporary
addresses have a limited lifetime, this would break long-running
connections. Therefore one might want to configure the SSH client to
prefer the public address.

Currently only Linux seems to support this.

Inspired by a patch posted by Maciej ?enczykowski at
https://bugzilla.redhat.com/show_bug.cgi?id=512032
---
configure.ac | 4 +++
defines.h | 13 ++++++++
openbsd-compat/port-net.c | 30 ++++++++++++++++++
openbsd-compat/port-net.h | 2 ++
readconf.c | 67 ++++++++++++++++++++++++++++++++++++++-
readconf.h | 2 ++
ssh.1 | 1 +
ssh_config.5 | 20 ++++++++++++
sshconnect.c | 4 +++
9 files changed, 142 insertions(+), 1 deletion(-)

diff --git a/configure.ac b/configure.ac
index 1c2757ca..7de46ba8 100644
--- a/configure.ac
+++ b/configure.ac
@@ -860,6 +860,10 @@ main() { if (NSVersionOfRunTimeLibrary("System") >= (60 << 16))
])
AC_CHECK_HEADERS([linux/seccomp.h linux/filter.h linux/audit.h], [],
[], [#include <linux/types.h>])
+ AC_CHECK_DECLS([IPV6_ADDR_PREFERENCES],
+ AC_DEFINE([SYS_IPV6_ADDR_PREF_LINUX], [1],
+ [IPv6 address preferences on Linux]), [],
+ [#include <linux/ipv6.h>])
# Obtain MIPS ABI
case "$host" in
mips*)
diff --git a/defines.h b/defines.h
index d6a1d014..1bda872d 100644
--- a/defines.h
+++ b/defines.h
@@ -901,4 +901,17 @@ struct winsize {
#ifdef VARIABLE_LENGTH_ARRAYS
# define USE_SNTRUP761X25519 1
#endif
+
+/* RFC5014 IPv6 source address selection flags.
+ * They do not have standard values or a header
+ * so we define our own values and convert to the
+ * platform-specific ones on use.
+ */
+#define SSH_IPV6_PREFER_SRC_HOME (1 << 0)
+#define SSH_IPV6_PREFER_SRC_COA (1 << 1)
+#define SSH_IPV6_PREFER_SRC_TMP (1 << 2)
+#define SSH_IPV6_PREFER_SRC_PUBLIC (1 << 3)
+#define SSH_IPV6_PREFER_SRC_CGA (1 << 4)
+#define SSH_IPV6_PREFER_SRC_NONCGA (1 << 5)
+
#endif /* _DEFINES_H */
diff --git a/openbsd-compat/port-net.c b/openbsd-compat/port-net.c
index 198e73f0..cbb937a7 100644
--- a/openbsd-compat/port-net.c
+++ b/openbsd-compat/port-net.c
@@ -46,6 +46,10 @@
#include <linux/if.h>
#endif

+#ifdef SYS_IPV6_ADDR_PREF_LINUX
+#include <linux/ipv6.h>
+#endif
+
#if defined(SYS_RDOMAIN_LINUX)
char *
sys_get_rdomain(int fd)
@@ -376,3 +380,29 @@ sys_tun_outfilter(struct ssh *ssh, struct Channel *c,
return (buf);
}
#endif /* SSH_TUN_FILTER */
+
+void sys_set_ipv6_addrpref(int sock, int addr_pref)
+{
+#ifdef SYS_IPV6_ADDR_PREF_LINUX
+ int val = 0, err;
+
+ if (addr_pref & SSH_IPV6_PREFER_SRC_HOME)
+ val |= IPV6_PREFER_SRC_HOME;
+ if (addr_pref & SSH_IPV6_PREFER_SRC_COA)
+ val |= IPV6_PREFER_SRC_COA;
+ if (addr_pref & SSH_IPV6_PREFER_SRC_TMP)
+ val |= IPV6_PREFER_SRC_TMP;
+ if (addr_pref & SSH_IPV6_PREFER_SRC_PUBLIC)
+ val |= IPV6_PREFER_SRC_PUBLIC;
+ if (addr_pref & SSH_IPV6_PREFER_SRC_CGA)
+ val |= IPV6_PREFER_SRC_CGA;
+ if (addr_pref & SSH_IPV6_PREFER_SRC_NONCGA)
+ val |= IPV6_PREFER_SRC_NONCGA;
+
+ if (setsockopt(sock, IPPROTO_IPV6, IPV6_ADDR_PREFERENCES,
+ &val, sizeof(val)) == -1) {
+ error("setsockopt %d, IPV6_ADDR_PREFERENCES %d: %.100s",
+ sock, val, strerror(errno));
+ }
+#endif
+}
diff --git a/openbsd-compat/port-net.h b/openbsd-compat/port-net.h
index 3a0d1104..040e2120 100644
--- a/openbsd-compat/port-net.h
+++ b/openbsd-compat/port-net.h
@@ -45,4 +45,6 @@ int sys_valid_rdomain(const char *name);
void sys_set_process_rdomain(const char *name);
#endif

+void sys_set_ipv6_addrpref(int sock, int addr_pref);
+
#endif
diff --git a/readconf.c b/readconf.c
index 0f27652b..888ab811 100644
--- a/readconf.c
+++ b/readconf.c
@@ -173,7 +173,7 @@ typedef enum {
oStreamLocalBindMask, oStreamLocalBindUnlink, oRevokedHostKeys,
oFingerprintHash, oUpdateHostkeys, oHostbasedAcceptedAlgorithms,
oPubkeyAcceptedAlgorithms, oCASignatureAlgorithms, oProxyJump,
- oSecurityKeyProvider, oKnownHostsCommand,
+ oSecurityKeyProvider, oKnownHostsCommand, oIPv6AddressPreference,
oIgnore, oIgnoredUnknownOption, oDeprecated, oUnsupported
} OpCodes;

@@ -316,6 +316,7 @@ static struct {
{ "proxyjump", oProxyJump },
{ "securitykeyprovider", oSecurityKeyProvider },
{ "knownhostscommand", oKnownHostsCommand },
+ { "ipv6addresspreference", oIPv6AddressPreference },

{ NULL, oBadOption }
};
@@ -2050,6 +2051,46 @@ parse_pubkey_algos:
*charptr = xstrdup(arg);
break;

+ case oIPv6AddressPreference:
+ arg = strdelim(&s);
+ if (!arg || *arg == '\0') {
+ error("%.200s line %d: Missing argument.",
+ filename, linenum);
+ return -1;
+ }
+
+ value = options->ipv6_address_preference;
+ if (value == -1)
+ value = 0;
+
+ if (strcmp(arg, "home") == 0) {
+ value |= SSH_IPV6_PREFER_SRC_HOME;
+ value &= ~SSH_IPV6_PREFER_SRC_COA;
+ } else if (strcmp(arg, "coa") == 0) {
+ value |= SSH_IPV6_PREFER_SRC_COA;
+ value &= ~SSH_IPV6_PREFER_SRC_HOME;
+ } else if (strcmp(arg, "tmp") == 0) {
+ value |= SSH_IPV6_PREFER_SRC_TMP;
+ value &= ~SSH_IPV6_PREFER_SRC_PUBLIC;
+ } else if (strcmp(arg, "public") == 0) {
+ value |= SSH_IPV6_PREFER_SRC_PUBLIC;
+ value &= ~SSH_IPV6_PREFER_SRC_TMP;
+ } else if (strcmp(arg, "cga") == 0) {
+ value |= SSH_IPV6_PREFER_SRC_CGA ;
+ value &= ~SSH_IPV6_PREFER_SRC_NONCGA;
+ } else if (strcmp(arg, "noncga") == 0) {
+ value |= SSH_IPV6_PREFER_SRC_NONCGA;
+ value &= ~SSH_IPV6_PREFER_SRC_CGA;
+ } else if (strcmp(arg, "none") == 0) {
+ value = 0;
+ } else {
+ error("%.200s line %d: Bad argument.", filename, linenum);
+ return -1;
+ }
+
+ options->ipv6_address_preference = value;
+ break;
+
case oDeprecated:
debug("%s line %d: Deprecated option \"%s\"",
filename, linenum, keyword);
@@ -2275,6 +2316,7 @@ initialize_options(Options * options)
options->hostbased_accepted_algos = NULL;
options->pubkey_accepted_algos = NULL;
options->known_hosts_command = NULL;
+ options->ipv6_address_preference = -1;
}

/*
@@ -2460,6 +2502,8 @@ fill_default_options(Options * options)
options->canonicalize_hostname = SSH_CANONICALISE_NO;
if (options->fingerprint_hash == -1)
options->fingerprint_hash = SSH_FP_HASH_DEFAULT;
+ if (options->ipv6_address_preference == -1)
+ options->ipv6_address_preference = SSH_IPV6_PREFER_SRC_PUBLIC;
#ifdef ENABLE_SK_INTERNAL
if (options->sk_provider == NULL)
options->sk_provider = xstrdup("internal");
@@ -3280,4 +3324,25 @@ dump_client_config(Options *o, const char *host)
o->jump_port <= 0 ? "" : ":",
o->jump_port <= 0 ? "" : buf);
}
+
+ /* oIPv6AddressPreference */
+ printf("ipv6addresspreference ");
+ if (o->ipv6_address_preference == 0) {
+ printf("none");
+ } else {
+ i = o->ipv6_address_preference;
+ if (i & SSH_IPV6_PREFER_SRC_HOME)
+ printf("home ");
+ if (i & SSH_IPV6_PREFER_SRC_COA)
+ printf("coa ");
+ if (i & SSH_IPV6_PREFER_SRC_TMP)
+ printf("tmp ");
+ if (i & SSH_IPV6_PREFER_SRC_PUBLIC)
+ printf("public ");
+ if (i & SSH_IPV6_PREFER_SRC_CGA)
+ printf("cga ");
+ if (i & SSH_IPV6_PREFER_SRC_NONCGA)
+ printf("noncga ");
+ }
+ printf("\n");
}
diff --git a/readconf.h b/readconf.h
index 2fba866e..da4834c2 100644
--- a/readconf.h
+++ b/readconf.h
@@ -175,6 +175,8 @@ typedef struct {

char *known_hosts_command;

+ int ipv6_address_preference;
+
char *ignored_unknown; /* Pattern list of unknown tokens to ignore */
} Options;

diff --git a/ssh.1 b/ssh.1
index 0a01767e..230f0e1f 100644
--- a/ssh.1
+++ b/ssh.1
@@ -517,6 +517,7 @@ For full details of the options listed below, and their possible values, see
.It IdentitiesOnly
.It IdentityAgent
.It IdentityFile
+.It IPv6AddressPreference
.It IPQoS
.It KbdInteractiveAuthentication
.It KbdInteractiveDevices
diff --git a/ssh_config.5 b/ssh_config.5
index 37a55e23..c0cea3ca 100644
--- a/ssh_config.5
+++ b/ssh_config.5
@@ -1078,6 +1078,26 @@ for interactive sessions and
.Cm cs1
(Lower Effort)
for non-interactive sessions.
+.It Cm IPv6AddressPreference
+Specifies the RFC5014 IPv6 source address preference.
+Valid values of the argument are the string
+.Cm none
+(no preference, use OS defaults) or one the flags:
+.Cm home,
+.Cm coa
+(care-of address),
+.Cm tmp
+(temporary address),
+.Cm public
+(the default),
+.Cm cga
+(cryptographically generated address),
+.Cm noncga.
+.Pp
+This option may be specified multiple times. Flag arguments update the
+previous value; the
+.Cm none
+argument overrides the previous value.
.It Cm KbdInteractiveAuthentication
Specifies whether to use keyboard-interactive authentication.
The argument to this keyword must be
diff --git a/sshconnect.c b/sshconnect.c
index 47f0b1c9..26056ede 100644
--- a/sshconnect.c
+++ b/sshconnect.c
@@ -370,6 +370,10 @@ ssh_create_socket(struct addrinfo *ai)
if (options.ip_qos_interactive != INT_MAX)
set_sock_tos(sock, options.ip_qos_interactive);

+ if (options.ipv6_address_preference != 0 &&
+ ai->ai_family == AF_INET6 && options.bind_address == NULL)
+ sys_set_ipv6_addrpref(sock, options.ipv6_address_preference);
+
/* Bind the socket to an alternative local IP address */
if (options.bind_address == NULL && options.bind_interface == NULL)
return sock;
--
2.20.1

_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@mindrot.org
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev