Re: [Freeipa-users] sssd 1.13.3: sss_ssh_knownhostsproxy seems to break ssh -4

2016-02-21 Thread Harald Dunkel
Hi Jakub,

On 02/19/2016 04:04 PM, Jakub Hrozek wrote:
> On Fri, Feb 19, 2016 at 03:27:50PM +0100, Harald Dunkel wrote:
>> Hi Lukas,
>>
>> I found an ubuntu manpage saying sss_ssh_knownhostsproxy is
>> an experimental feature. Would you suggest to drop it
>> in ipa-client-install?
> 
> It's not experimental (at least upstream) for several years.. What sssd
> version is that?
> 

Just google for sss_ssh_knownhostsproxy; it's top of the list:

http://manpages.ubuntu.com/manpages/precise/man1/sss_ssh_knownhostsproxy.1.html

AFAIK ubuntu uses freeipa 4.1.5 and sssd 1.13.3. Maybe they
did not update their man page on the web.

I am using sssd 1.13.3 on Debian 8. The local man page does not
say "experimental".

>>
>> IMHO this is a pretty annoying bug. I rely upon a port
>> redirection for ssh on IPv4. For IPv6 there is no
>> redirection, but the port is blocked in the packet filter.
> 
> Would it help to set lookup_family_order to ipv4_only here so that ipv6
> is not even tried (or the other way around, depending on which AF you
> want to try..)
> 

That's exactly what I was trying to achieve with the "-4".
Sorry, but setting it globally conflicts with our efforts to
propagate IPv6. I can still manually lookup the IPv4 address
as a workaround.


Regards
Harri


-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project


Re: [Freeipa-users] sssd 1.13.3: sss_ssh_knownhostsproxy seems to break ssh -4

2016-02-19 Thread Lukas Slebodnik
On (19/02/16 16:04), Jakub Hrozek wrote:
>On Fri, Feb 19, 2016 at 03:27:50PM +0100, Harald Dunkel wrote:
>> Hi Lukas,
>> 
>> I found an ubuntu manpage saying sss_ssh_knownhostsproxy is
>> an experimental feature. Would you suggest to drop it
>> in ipa-client-install?
>
>It's not experimental (at least upstream) for several years.. What sssd
>version is that?
>
@see subject :-)

>> 
>> IMHO this is a pretty annoying bug. I rely upon a port
>> redirection for ssh on IPv4. For IPv6 there is no
>> redirection, but the port is blocked in the packet filter.
>
>Would it help to set lookup_family_order to ipv4_only here so that ipv6
>is not even tried (or the other way around, depending on which AF you
>want to try..)
>
I briefly looked at the source code and it does not seem to read sssd.conf.

LS



Re: [Freeipa-users] sssd 1.13.3: sss_ssh_knownhostsproxy seems to break ssh -4

2016-02-19 Thread Jakub Hrozek
On Fri, Feb 19, 2016 at 03:27:50PM +0100, Harald Dunkel wrote:
> Hi Lukas,
> 
> I found an ubuntu manpage saying sss_ssh_knownhostsproxy is
> an experimental feature. Would you suggest to drop it
> in ipa-client-install?

It's not experimental (at least upstream) for several years.. What sssd
version is that?

> 
> IMHO this is a pretty annoying bug. I rely upon a port
> redirection for ssh on IPv4. For IPv6 there is no
> redirection, but the port is blocked in the packet filter.

Would it help to set lookup_family_order to ipv4_only here so that ipv6
is not even tried (or the other way around, depending on which AF you
want to try..)



Re: [Freeipa-users] sssd 1.13.3: sss_ssh_knownhostsproxy seems to break ssh -4

2016-02-19 Thread Harald Dunkel
Hi Lukas,

I found an ubuntu manpage saying sss_ssh_knownhostsproxy is
an experimental feature. Would you suggest to drop it
in ipa-client-install?

IMHO this is a pretty annoying bug. I rely upon a port
redirection for ssh on IPv4. For IPv6 there is no
redirection, but the port is blocked in the packet filter.


Regards
Harri



Re: [Freeipa-users] sssd 1.13.3: sss_ssh_knownhostsproxy seems to break ssh -4

2016-02-19 Thread Lukas Slebodnik
On (19/02/16 14:03), Harald Dunkel wrote:
>Hi folks,
>
>is it just me, or does sss_ssh_knownhostsproxy break
>
>   ssh -4 host.example.com
>
>?
>
>host.example.com has A and AAAA entries in DNS, of course.
>If I comment out the line in ssh_config
>
># ProxyCommand /usr/bin/sss_ssh_knownhostsproxy -p %p %h
>
>then I get the expected IPv4 connection. ???
>
>This is sssd 1.13.3-1, built and run on Debian Jessie.
>
It's a known bug
https://fedorahosted.org/sssd/ticket/1498
https://bugzilla.redhat.com/show_bug.cgi?id=1063278

LS



[Freeipa-users] sssd 1.13.3: sss_ssh_knownhostsproxy seems to break ssh -4

2016-02-19 Thread Harald Dunkel
Hi folks,

is it just me, or does sss_ssh_knownhostsproxy break

ssh -4 host.example.com

?

host.example.com has A and AAAA entries in DNS, of course.
If I comment out the line in ssh_config

# ProxyCommand /usr/bin/sss_ssh_knownhostsproxy -p %p %h

then I get the expected IPv4 connection. ???

This is sssd 1.13.3-1, built and run on Debian Jessie.


Every helpful comment is highly appreciated
Harri
