I managed to lock myself out of my firewall today.
I disabled inet6 resolution by removing it from the `family` option in
resolve.conf(5). After a while I noticed I couldn't make new inbound
connections using either ipv4 or ipv6. My client kept reporting:
"kex_exchange_identification: Connection closed by remote host"
On the server I found the following errors in /var/log/authlog:
"fatal: bad addr or host: ::1 (no address associated with name)"
Totally my fault for changing resolv.conf without enough thought, but
perhaps sshd could disable the listener in such cases.
Client Details:
MacOS 12.3
OpenSSH_8.6p1, LibreSSL 3.3.5
Server Details:
OpenBSD 7.0 GENERIC.MP#5 amd64
OpenSSH_8.8, LibreSSL 3.4.1
# cat sshd_config
AcceptEnv LC_CTYPE
AllowUsers <snip>
ClientAliveInterval 3
ClientAliveCountMax 30
ListenAddress ::1
ListenAddress 127.0.0.1
PasswordAuthentication no
PermitRootLogin forced-commands-only
TrustedUserCAKeys /etc/ssh/ca.pub
# relevant /etc/pf.conf
pass quick inet proto tcp from (em2:network) to { (em2) (egress) } \
port ssh divert-to lo0 port ssh
Cheers,
--Aaron
_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@xxxxxxxxxxx
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
