Re: Why do OpenSSH do a CNAME lookup when using IPv6 addresses?

On Wed, 8 May 2024 at 20:39, Patrik Ek <ek.patrik@xxxxxxxxx> wrote:
[...]
> user1@XXXX[12:18][home/user1/Desktop]$ ssh -V
> OpenSSH_9.6p1, OpenSSL 3.1.5 30 Jan 2024

That's OpenSSH.  What platform is it on?  The behaviour of the
resolver libraries might be a factor.

> user1@XXXX[12:18][home/user1/Desktop]$
> /app/moshell/24.0f/moshell/commonjars/ssh.lin64
> user@2001:1:8100:a3::fe

That is not the same binary you just showed the version of.

> ignoring bad CNAME "2001:1:8100:a3::fe" for host "2001:1:8100:a3::fe":
> domain name "2001:1:8100:a3::fe" contains invalid characters
> ssh: connect to host 2001:1:8100:a3::fe port 22: Connection refused
> user1@XXXX[12:18][home/user1/Desktop]$
>
> Usernames, hostnames and IP addresses are replaced with other values.
> It is apparently able to establish a connection with the destination,
> even though port 22 is not in use. Does anyone know why OpenSSH treats
> valid IPv6 addresses as CNAMEs and tries to do a DNS lookup on these?

Do you have CanonicalizePermittedCNAMEs or VerifyHostKeyDNS set in
your config?  Does it do the same thing if you load an empty config?
("ssh -F /dev/null ...").

Running with full debugging (ssh -vvv) might shed some light.  Here's
what it looks like on Fedora:

$ ssh -vvv -F /dev/null user@2001:1:8100:a3::fe
OpenSSH_9.6p1, OpenSSL 3.0.9 30 May 2023
debug1: Reading configuration data /dev/null
debug2: resolve_canonicalize: hostname 2001:1:8100:a3::fe is address
debug3: expanded UserKnownHostsFile '~/.ssh/known_hosts' ->
'/home/dtucker/.ssh/known_hosts'
debug3: expanded UserKnownHostsFile '~/.ssh/known_hosts2' ->
'/home/dtucker/.ssh/known_hosts2'
debug3: channel_clear_timeouts: clearing
debug3: ssh_connect_direct: entering
debug1: Connecting to 2001:1:8100:a3::fe [2001:1:8100:a3::fe] port 22.
debug3: set_sock_tos: set socket 3 IPV6_TCLASS 0x48

-- 
Darren Tucker (dtucker at dtucker.net)
GPG key 11EAA6FA / A86E 3E07 5B19 5880 E860  37F4 9357 ECEF 11EA A6FA
    Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.
_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@xxxxxxxxxxx
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
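The two checks the debug output above points at, as an added illustration (this is not part of Darren's reply and not OpenSSH's source; the exact rules below are assumptions that restate the behaviour visible in the thread): a target that parses as an IPv4/IPv6 literal is treated as an address and never canonicalized or CNAME-chased, while a CNAME target is only followed if it is a syntactically valid domain name that the CanonicalizePermittedCNAMEs rules allow. The rule list and hostnames are constructed; the pattern matching is a simplified glob list without `!` negation.

```python
"""Model of the ssh client's canonicalization decision (illustrative, not OpenSSH code)."""
from __future__ import annotations

import ipaddress
import re
from fnmatch import fnmatchcase

# Constructed rule list in ssh_config's CanonicalizePermittedCNAMEs shape:
# "source-pattern:target-pattern", comma-separated globs on each side.
# Assumed values for illustration only.
PERMITTED_CNAMES = ["*.a.example.com:*.b.example.com"]

_NAME_CHARS = re.compile(r"^[A-Za-z0-9.-]+$")


def is_address_literal(host: str) -> bool:
    """True when host parses as an IPv4 or IPv6 literal (the inet_pton case)."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def valid_domain(name: str) -> tuple[bool, str]:
    """Minimal DNS-name syntax check; returns (ok, reason).

    ':' is not a legal hostname character, so an IPv6 literal that is ever
    handed to this check fails with "contains invalid characters".
    """
    if not name:
        return False, "empty domain name"
    if len(name) > 253:
        return False, f'domain name "{name}" is too long'
    if not (name[0].isascii() and name[0].isalnum()):
        return False, f'domain name "{name}" starts with invalid character'
    if not _NAME_CHARS.match(name):
        return False, f'domain name "{name}" contains invalid characters'
    labels = name.rstrip(".").split(".")
    if any(not lbl or len(lbl) > 63 for lbl in labels):
        return False, f'domain name "{name}" has an empty or over-long label'
    return True, ""


def cname_permitted(host: str, cname: str, rules=PERMITTED_CNAMES) -> bool:
    """Apply CanonicalizePermittedCNAMEs-style rules: host must match a source
    glob and the CNAME target a destination glob of the same rule."""
    for rule in rules:
        src, _, dst = rule.partition(":")
        src_ok = any(fnmatchcase(host, p) for p in src.split(","))
        dst_ok = any(fnmatchcase(cname, p) for p in dst.split(","))
        if src_ok and dst_ok:
            return True
    return False


def resolve_target(host: str, cname: str | None = None,
                   rules=PERMITTED_CNAMES) -> tuple[str, str]:
    """Decide which name to connect to and why, mirroring the debug lines."""
    if is_address_literal(host):
        # An address literal needs no DNS name processing at all.
        return host, f"hostname {host} is address; canonicalization skipped"
    if cname is None:
        return host, "no CNAME returned for host"
    ok, why = valid_domain(cname)
    if not ok:
        return host, f'ignoring bad CNAME "{cname}" for host "{host}": {why}'
    if not cname_permitted(host, cname, rules):
        return host, f'CNAME "{cname}" not permitted by CanonicalizePermittedCNAMEs'
    return cname, f'following CNAME "{cname}" for host "{host}"'


if __name__ == "__main__":
    for target, cn in [("2001:1:8100:a3::fe", None),
                       ("host.a.example.com", "host.b.example.com"),
                       ("host.a.example.com", "evil.example.net")]:
        print(target, "->", resolve_target(target, cn))
```

Run stand-alone it prints the decision for each constructed target; the address literal is passed straight through, the in-policy CNAME is followed, and the out-of-policy one is refused. A client that nonetheless reports "ignoring bad CNAME" for an address literal has handed the literal to the domain-name check before, or instead of, the address check, which is what `ssh -vvv` against the suspect binary would show.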