[Bug 2820] Add support for ssh client to bind to an interface
https://bugzilla.mindrot.org/show_bug.cgi?id=2820

Damien Miller changed:

    What                   |Removed                    |Added
    Attachment #3121 Flags |ok?(dtuc...@dtucker.net)   |

--
You are receiving this mail because:
You are watching the assignee of the bug.
You are watching someone on the CC list of the bug.
___
openssh-bugs mailing list
openssh-bugs@mindrot.org
https://lists.mindrot.org/mailman/listinfo/openssh-bugs
[Bug 2820] Add support for ssh client to bind to an interface
https://bugzilla.mindrot.org/show_bug.cgi?id=2820

Damien Miller changed:

    What   |Removed   |Added
    Status |RESOLVED  |CLOSED

--- Comment #7 from Damien Miller ---
closing resolved bugs as of 8.6p1 release
[Bug 2820] Add support for ssh client to bind to an interface
https://bugzilla.mindrot.org/show_bug.cgi?id=2820

Damien Miller changed:

    What       |Removed   |Added
    Status     |ASSIGNED  |RESOLVED
    Resolution |---       |FIXED

--- Comment #6 from Damien Miller ---
This has been applied and will be in OpenSSH 7.7 - thanks!

commit ac2e3026bbee1367e4cda34765d1106099be3287 (HEAD -> master, origin/master, origin/HEAD)
Author: d...@openbsd.org
Date:   Fri Feb 23 02:34:33 2018 +

    upstream: Add BindInterface ssh_config directive and -B command-line
    argument to ssh(1) that directs it to bind its outgoing connection to
    the address of the specified network interface.

    BindInterface prefers to use addresses that aren't loopback or
    link-local, but will fall back to those if no other addresses of the
    required family are available on that interface.

    Based on patch by Mike Manning in bz#2820, ok dtucker@

    OpenBSD-Commit-ID: c5064d285c2851f773dd736a2c342aa384fbf713
[Bug 2820] Add support for ssh client to bind to an interface
https://bugzilla.mindrot.org/show_bug.cgi?id=2820

--- Comment #5 from Damien Miller ---
IMO we should relax the restrictions for loopback and link-local addresses
for BindAddress too. It's fine to use SSH to a loopback address (e.g.
tunnelling / NAT / virtualisation) and definitely fine to use it on a
link-local address too.
[Bug 2820] Add support for ssh client to bind to an interface
https://bugzilla.mindrot.org/show_bug.cgi?id=2820

--- Comment #4 from Mike Manning ---
Just to confirm that my testing is with a loopback interface (I have also
tried eth intf) as the bind interface, with IPv4 and/or global IPv6
address(es) configured on that. I approve your changes (also your changes
for #2814, thanks), with the proviso that I would prefer for the IPv6
loopback address (::1) and link-local addresses to be excluded for the
reasons mentioned. Thanks also for the catch on checking that the bind
interface needs to be up.
[Bug 2820] Add support for ssh client to bind to an interface
https://bugzilla.mindrot.org/show_bug.cgi?id=2820

--- Comment #3 from Mike Manning ---
Many thanks for looking into this enhancement, which will make deployment
for us a lot easier.

I excluded the IPv6 loopback addr ::1, as it should not be used as the
source address in packets that are sent outside of the node cf RFC4291,
section 2.5.3. Also I excluded link-local addresses, as these could only
work with a directly connected ssh server, also for reasons of parity with
the bind address option, which errors as follows:

ssh -b fe80::5054:ff:fe4d:a73 mike@VR3v6
bind: fe80::5054:ff:fe4d:a73: Invalid argument
ssh: connect to host vr3v6 port 22: Invalid argument

I confirm I have tested your changes, which are fine for loopback with IPv4
& IPv6 addr, IPv4 only, IPv6 only (apart from my concerns re use of IPv6
loopback & LL), and even if there is only an IPv6 link-local address, the
end result is ok:

ssh -B lo2 mike@VR4v6
debug2: resolving "vr4v6" port 22
debug2: ssh_connect_direct: needpriv 0
debug1: Connecting to vr4v6 [2000::4] port 22.
debug1: ssh_create_socket: bound to fe80::fc55:b3ff:fee5:d46%lo2
debug1: connect to address 2000::4 port 22: Network is unreachable
ssh: connect to host vr4v6 port 22: Network is unreachable

I am fine with use of strcmp, I just wanted to point out that I was using
strncmp with the length check using the maximum string size for interface
names IFNAMSIZ (=16), so substring matches don't occur, but this approach
avoids problems with strings that are not null-terminated (I appreciate
that is not the case here!).

Thanks again.
[Bug 2820] Add support for ssh client to bind to an interface
https://bugzilla.mindrot.org/show_bug.cgi?id=2820

Damien Miller changed:

    What                         |Removed                     |Added
    Attachment #3114 is obsolete |0                           |1
    CC                           |                            |dtuc...@dtucker.net
    Assignee                     |unassigned-b...@mindrot.org |d...@mindrot.org
    Status                       |NEW                         |ASSIGNED
    Attachment #3121 Flags       |                            |ok?(dtuc...@dtucker.net)

--- Comment #2 from Damien Miller ---
Created attachment 3121
  --> https://bugzilla.mindrot.org/attachment.cgi?id=3121=edit
revised diff

This fixes the strcmp thing I mentioned above as well as a few other small
things. Notably, it only considers interfaces in state UP and will fall back
to accepting linklocal/loopback addresses after all other possibilities have
been exhausted.
[Bug 2820] Add support for ssh client to bind to an interface
https://bugzilla.mindrot.org/show_bug.cgi?id=2820

Damien Miller changed:

    What   |Removed |Added
    CC     |        |d...@mindrot.org
    Blocks |        |2782

--- Comment #1 from Damien Miller ---
This looks like a useful feature - thanks.

One nit:

+ if (strncmp(ifa->ifa_name, options.bind_interface,
+ IFNAMSIZ))
+ continue;

I think this should be plain strcmp otherwise matching, say, "tun1" against
"tun11" will succeed where it shouldn't.

Referenced Bugs:

https://bugzilla.mindrot.org/show_bug.cgi?id=2782
[Bug 2782] Tracking bug for OpenSSH 7.7 release
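Review bot: the IFNAMSIZ bound on the strncmp in this hunk does not on its own turn the comparison into a prefix match, since strncmp stops at the first NUL in either string, so "tun1" against "tun11" already compares unequal at the fifth byte; the bound only changes the outcome when a name fills all IFNAMSIZ bytes without a terminator. Both ifa->ifa_name (from getifaddrs) and options.bind_interface are NUL-terminated, so plain `strcmp(ifa->ifa_name, options.bind_interface)` states the exact-match intent directly and removes the question; if the bounded form is kept, a one-line comment saying why would help. Separately, the hunk as shown accepts an address from a matching interface without checking its state, so an `ifa->ifa_flags & IFF_UP` test before the address is used would be worth adding here, which the revised diff discussed elsewhere in this bug reports doing.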