
Re: Bug#80503: ssh: default configuration breaks IPv6



Christian Kurz <shorty@debian.org> writes:

> On 01-01-02 horape@tinuviel.compendium.net.ar wrote:
> > [I'm CC'ing to debian-ipv6 again, sorry for not adding the notice before]
> 
> Thanks, I keep the Cc now.
> 
> > > > ListenAddress shouldn't be set by default. ListenAddress is to be used
> > > > when you want to bind only some addresses. The admin is who should add
> > > > that directive if it's needed.
> > > Well, but debian should provide the admin and the users also with some
> > > good chosen defaults.
> 
> > Openssh provides the admin a good chosen default (that's activated when
> > no ListenAddress directive is present) I don't understand why D.Miller has
> > changed it.
> 
> Well, maybe we will find it out. :)

 AFAIK if the DNS ipv6 reverse lookup times out then the entire
reverse lookup times out (either way you have to wait for it), this
was certainly a feature of older glibc releases (older may mean before
2.2.0 as well).
 Sorry for the lack of detail (I'm not testing ipv6 so I'm not
bothered), more info is available by looking at the archives for the
libc-alpha mailing list.

 Given that 99% of debian will not be connecting to 6bone, then I'd
say that the default is probably good (remember it's a _default_).

> > > > > > > Therefore this report should be changed to severity wishlist, which
> > > > > > > would be more appropriate.
> > > > > > I believe that being so trivial to fix it, it should be changed to
> > > > > > fixed, not put in the wait queue.
> > > > > Why? You fail to give a good explanation why we should add this support
> 
> > > > Options are: 
> > > > (a) ListenAddress set: IPv4 works, IPv6 doesn't.
> > > > (b) ListenAddress unset: IPv4 works the very same way, IPv6 works.
> > >
> > > Would this cause first an IPv6 lookup for the IP and then an IPv4 lookup?
> 
> > [I assume lookup = dns lookup, else I don't understand the question]
> 
> Yes.
> 
> > No. That's a bind(2) call. There is no dns lookup anywhere.
> 
> Are you sure? I think there's also a dns-lookup involved as otherwise
> you won't know the IP-address of the host that ssh should connect to.

 The listen address does just influence the bind() call (or should),
but if sshd is listening on the ipv6 port then it'll try ipv6 lookups
... which is the problem.

> > > Well, how fast is IPv6 developed? If you think about other tools and
> > > their IPv6-Support you will notice that it's even worse than the support
> > > in openssh (especially 2.3.0p1).
> 
> > Yep, but that's something I regret. I've been a debian user for more than
> > five years, but when I needed to work seriously with IPv6 I had to install
> > some BSDs (and we're FAR behind them, FBSD even allows installing over
> > the 6bone)
> 
> Hm, what's the 6bone? Where can I get more information about it?

 http://www.6bone.com/

 :)

-- 
# James Antill -- james@and.org
:0:
* ^From: .*james@and.org
/dev/null
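
Options (a) and (b) from the thread, as an added example that is not part of the original message and is not OpenSSH's code: it enumerates the addresses a daemon would pass to bind(2) for a given ListenAddress value. The helper name `count_listen_addrs`, the value `0.0.0.0` for option (a) and port 22 are assumptions made for illustration.

```c
#ifndef _POSIX_C_SOURCE
#define _POSIX_C_SOURCE 200112L
#endif
#include <netdb.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/types.h>

/* Hypothetical helper: how many addresses of `family` a daemon would
 * bind() for one ListenAddress value. listen_addr == NULL models the
 * directive being unset. AI_NUMERICHOST forbids any name resolution,
 * so this step cannot trigger a DNS query. */
int count_listen_addrs(const char *listen_addr, const char *port, int family)
{
    struct addrinfo hints, *res, *ai;
    int n = 0;

    memset(&hints, 0, sizeof(hints));
    hints.ai_family = AF_UNSPEC;      /* accept IPv4 and IPv6 results */
    hints.ai_socktype = SOCK_STREAM;
    hints.ai_flags = AI_PASSIVE | AI_NUMERICHOST;

    if (getaddrinfo(listen_addr, port, &hints, &res) != 0)
        return -1;
    for (ai = res; ai != NULL; ai = ai->ai_next)
        if (ai->ai_family == family)
            n++;
    freeaddrinfo(res);
    return n;
}

int main(void)
{
    /* Constructed sample values: "0.0.0.0" stands for option (a). */
    const char *configs[] = { "0.0.0.0", NULL };
    size_t i;

    for (i = 0; i < 2; i++)
        printf("ListenAddress %-8s -> IPv4 sockets: %d, IPv6 sockets: %d\n",
               configs[i] ? configs[i] : "(unset)",
               count_listen_addrs(configs[i], "22", AF_INET),
               count_listen_addrs(configs[i], "22", AF_INET6));
    return 0;
}
```

Reverse lookups on accepted connections happen later and are not modelled here.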


