From: Christopher Baines
Date: Fri, 13 May 2022 15:23:12 +0100
Subject: bug#55335: [PATCH] services: Allow shepherd to listen for IPv6 connections to openssh.
To: 55335@debbugs.gnu.org
Message-Id: <20220513142312.21382-1-mail@cbaines.net>
In-Reply-To: <87r153q913.fsf@cbaines.net>
References: <87r153q913.fsf@cbaines.net>
List-Id: Bug reports for GNU Guix
Prior to the switch to the openssh service using inetd, you could connect
over IPv4 or IPv6. With inetd, you can only connect over IPv4, meaning for
machines with just IPv6 connectivity, you can't connect.

Switching to listening via IPv6 should support IPv4 connections, as Linux is
capable of translating IPv4 connections to IPv6.

I think there's a risk that switching to this approach will affect some uses
of the openssh service. Therefore, this commit makes this a configuration
option, which is #f by default.

In the future, once it's easy to do so via Guile and the shepherd, it would
be good if two sockets were used, one for IPv4 and one for IPv6. That's not
easy at the moment, as the IPv6 socket conflicts with the IPv4 one, due to
the translation behaviour described above.

* gnu/services/ssh.scm (openssh-listen-via-ipv6?): New procedure.
(openssh-shepherd-service): Factor in listen-via-ipv6? when constructing the
socket address.
* doc/guix.texi (Networking Services): Document the new listen-via-ipv6?
field.
---
 doc/guix.texi        |  9 +++++++++
 gnu/services/ssh.scm | 13 +++++++++++--
 2 files changed, 20 insertions(+), 2 deletions(-)

diff --git a/doc/guix.texi b/doc/guix.texi
index c168a66072..b168cb379e 100644
--- a/doc/guix.texi
+++ b/doc/guix.texi
@@ -19119,6 +19119,15 @@ Match Address 192.168.0.1 PermitRootLogin yes")) @end lisp +@item @code{listen-via-ipv6?} (default: @code{#f}) +When listening via a inetd-style Shepherd service, connections will only +be accepted via IPv4. + +To have the shepherd listen instead via IPv6, set this option to +#t. Depending on how network connections are handled, this will either +enable connecting via IPv6 and translated IPv4, or just enable IPv6 +connections only. + @end table @end deftp diff --git a/gnu/services/ssh.scm b/gnu/services/ssh.scm index 7fbbe383e5..427f0e4739 100644 --- a/gnu/services/ssh.scm +++ b/gnu/services/ssh.scm @@ -363,7 +363,13 @@ (define-record-type* ;; proposed in . Keep it internal/undocumented ;; for now. (%auto-start? openssh-auto-start? - (default #t))) + (default #t)) + + ;; Boolean + ;; XXX: The service should really listen via IPv4 and IPv6 by default, but + ;; this is a little tricky. See https://issues.guix.gnu.org/55335 + (listen-via-ipv6? openssh-listen-via-ipv6? + (default #f))) (define %openssh-accounts (list (user-group (name "sshd") (system? #t)) @@ -535,7 +541,10 @@ (define openssh-command (start #~(if (defined? 'make-inetd-constructor) (make-inetd-constructor (append #$openssh-command '("-i")) - (make-socket-address AF_INET INADDR_ANY + (make-socket-address #$(if (openssh-listen-via-ipv6? config) + #~AF_INET6 + #~AF_INET) + INADDR_ANY #$port-number) #:max-connections #$max-connections) (make-forkexec-constructor #$openssh-command -- 2.34.0
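Review bot: in the doc/guix.texi hunk, "Depending on how network connections are handled" leaves the reader guessing about the one thing that decides the outcome: an AF_INET6 socket bound to the wildcard address accepts IPv4 clients (presented as IPv4-mapped addresses of the form ::ffff:a.b.c.d) only while the IPV6_V6ONLY socket option is off, which on Linux is the default unless the net.ipv6.bindv6only sysctl is set to 1. Nothing in the start gexp sets that option, so the sysctl is what this sentence is hedging about; say so, and tell the admin to check it when only IPv6 clients get through. Two smaller things in the same paragraph: "a inetd-style" should read "an inetd-style", and the bare "#t" should be marked up as @code{#t} to match @code{#f} in the @item line.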
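Review bot: in the define-record-type* hunk, the new public listen-via-ipv6? field is appended after %auto-start?, which the comment directly above it marks as internal/undocumented and "for now". Keeping the internal field last makes the record easier to read, so insert listen-via-ipv6? before %auto-start?, next to the other user-facing boolean fields, and keep the ";; Boolean" and XXX comment with it. The XXX comment would also help more if it stated in one line why the two-socket layout is hard (the IPv6 wildcard socket already claims the port for IPv4 unless IPV6_V6ONLY is set) rather than only pointing at the bug URL.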
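Review bot: in the openssh-command hunk, the make-socket-address call passes INADDR_ANY as the address even when the family is AF_INET6. It works only because Guile represents the IPv6 wildcard :: as the integer 0, the same value as INADDR_ANY, but the pairing reads as a bug and nothing would catch a mismatch if either side changes. Let the address follow the family, for example `#$(if (openssh-listen-via-ipv6? config) #~(inet-pton AF_INET6 "::") #~INADDR_ANY)`, or select family and address from a single conditional. Separately, the option is silently ignored on the make-forkexec-constructor branch (when make-inetd-constructor is undefined), where sshd picks its own listening families; a one-line mention of that in the texinfo text would save a confused bug report.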
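The two kernel behaviours the commit message leans on, an IPv6 wildcard listener accepting IPv4 clients and the bind conflict that blocks the "one socket per family" layout, can be observed directly with the socket API. The script below is an added example and is not code from this patch or from Guix; it assumes a Linux host with working IPv4 and IPv6 loopback, lets the kernel pick ephemeral ports, and sets IPV6_V6ONLY explicitly on each test socket so the result does not depend on the host's net.ipv6.bindv6only sysctl.

```python
import errno
import socket

MAPPED_PREFIX = "::ffff:"  # how the kernel presents IPv4 peers on an AF_INET6 socket


def _listen_v6(v6only):
    """Bind an AF_INET6 listener to the wildcard address on an ephemeral port.

    v6only sets the IPV6_V6ONLY socket option explicitly, so the outcome is
    independent of the host's net.ipv6.bindv6only default.
    """
    s = socket.socket(socket.AF_INET6, socket.SOCK_STREAM)
    s.setsockopt(socket.IPPROTO_IPV6, socket.IPV6_V6ONLY, 1 if v6only else 0)
    s.bind(("::", 0))
    s.listen(1)
    return s, s.getsockname()[1]


def _ipv4_bind_conflicts(port):
    """Return True if an AF_INET socket cannot bind 0.0.0.0:port (EADDRINUSE)."""
    s4 = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    try:
        s4.bind(("0.0.0.0", port))
        return False
    except OSError as e:
        if e.errno != errno.EADDRINUSE:
            raise
        return True
    finally:
        s4.close()


def probe_dual_stack():
    """Run the three observations the patch discussion hinges on.

    Returns None when this host has no usable IPv6 loopback (the experiment
    is then meaningless); otherwise a dict of the observed behaviours.
    """
    if not socket.has_ipv6:
        return None
    try:
        srv, port = _listen_v6(v6only=False)
    except OSError:
        return None  # AF_INET6 unsupported or IPv6 disabled on this host
    try:
        # 1. An IPv4 client reaches the IPv6 wildcard listener; the kernel
        #    hands it to us as an IPv4-mapped IPv6 address.
        c4 = socket.create_connection(("127.0.0.1", port))
        conn, peer = srv.accept()
        peer_seen = peer[0]
        conn.close()
        c4.close()
        # 2. While that dual-stack socket owns the port, a second, IPv4-only
        #    wildcard socket on the same port is refused: the conflict the
        #    commit message describes between the IPv6 and IPv4 sockets.
        conflict_dual = _ipv4_bind_conflicts(port)
    finally:
        srv.close()

    # 3. With IPV6_V6ONLY set the families no longer overlap, so the IPv4
    #    bind succeeds and one socket per family becomes possible. The kernel
    #    may hand the v6-only socket a port an unrelated IPv4 socket already
    #    holds, so allow a few attempts before drawing a conclusion.
    conflict_v6only = True
    for _ in range(5):
        srv6, port6 = _listen_v6(v6only=True)
        try:
            conflict_v6only = _ipv4_bind_conflicts(port6)
        finally:
            srv6.close()
        if not conflict_v6only:
            break

    return {
        "ipv4_peer_seen_as": peer_seen,
        "ipv4_peer_is_mapped": peer_seen.startswith(MAPPED_PREFIX),
        "ipv4_bind_conflicts_when_dual_stack": conflict_dual,
        "ipv4_bind_conflicts_when_v6only": conflict_v6only,
    }


if __name__ == "__main__":
    print(probe_dual_stack())
```

The service as patched never touches IPV6_V6ONLY, so a Guix system with listen-via-ipv6? set inherits whatever net.ipv6.bindv6only says: 0 gives the dual-stack behaviour of observation 1, 1 gives "IPv6 connections only", and observation 3 is the configuration under which two separate listeners would stop conflicting.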