From: Ludovic Courtès
To: Christopher Baines
Cc: 55335@debbugs.gnu.org
Subject: bug#55335: openssh-service no longer listens on IPv6
Date: Sat, 14 May 2022 16:16:42 +0200
Message-ID: <87zgjkfbcl.fsf_-_@gnu.org>
In-Reply-To: <20220513142312.21382-1-mail@cbaines.net> (Christopher Baines's message of "Fri, 13 May 2022 15:23:12 +0100")

Hi,

Christopher Baines wrote:

> Prior to the switch to the openssh service using inetd, you could connect over
> IPv4 or IPv6. With inetd, you can only connect over IPv4, meaning for machines
> with just IPv6 connectivity, you can't connect.
>
> Switching to listing via IPv6 should support IPv4 connections, as Linux is
> capable of translating IPv4 connections to IPv6. I think there's a risk that
> switching to this approach will affect some uses of the openssh
> service. Therefore, this commit makes this a configuration option, which is #f
> by default.
>
> In the future, once it's easy to do so via Guile and the shepherd, it would be
> good if two sockets were used, one for IPv4 and one for IPv6. That's not easy
> at the moment, as the IPv6 socket conflicts with the IPv4 one, due to the
> translation behaviour described above.

Yes, I was going to suggest turning the ‘address’ argument of
‘make-inetd-constructor’ into ‘addresses’ (plural), with backward
compatibility.

For sshd, we’d do:

  (make-inetd-constructor (append #$openssh-command '("-i"))
                          (list (make-socket-address AF_INET INADDR_ANY #$port-number)
                                (make-socket-address AF_INET6 INADDR_ANY #$port-number)))

It’s not that simple, due to the v6-to-v4 translation you mention:

--8<---------------cut here---------------start------------->8---
scheme@(guile-user)> (define v4 (make-socket-address AF_INET INADDR_ANY 5555))
scheme@(guile-user)> (define v6 (make-socket-address AF_INET6 INADDR_ANY 5555))
scheme@(guile-user)> (define s4 (socket AF_INET SOCK_STREAM 0))
scheme@(guile-user)> (define s6 (socket AF_INET6 SOCK_STREAM 0))
scheme@(guile-user)> (bind s4 v4)
scheme@(guile-user)> (bind s6 v6)
ice-9/boot-9.scm:1685:16: In procedure raise-exception:
In procedure bind: Address already in use

Entering a new prompt.  Type `,bt' for a backtrace or `,q' to continue.
--8<---------------cut here---------------end--------------->8---

… but it can be made to work:

--8<---------------cut here---------------start------------->8---
scheme@(guile-user)> (define s4 (socket AF_INET SOCK_STREAM 0))
scheme@(guile-user)> (define s6 (socket AF_INET6 SOCK_STREAM 0))
scheme@(guile-user)> (define IPPROTO_IPV6 41)
scheme@(guile-user)> (define IPV6_V6ONLY 26)
scheme@(guile-user)> (setsockopt s6 IPPROTO_IPV6 IPV6_V6ONLY 1)
scheme@(guile-user)> (bind s4 v4)
scheme@(guile-user)> (bind s6 v6)
--8<---------------cut here---------------end--------------->8---

So ‘make-inetd-constructor’ would interpret v6 addresses as v6-only,
with the understanding that the caller has to explicitly pass all the
relevant addresses.

Thoughts?

We could release Shepherd shortly with the fixes that have accumulated.
The service in Guix would be able to use it, but only if PID 1 is recent
enough.

Thanks,
Ludo’.
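
The semantics proposed in the message above (one listening socket per address, with every AF_INET6 socket bound v6-only), as an added sketch that is not Shepherd's or Guix's code. `open-listening-socket` and `open-listening-sockets` are hypothetical names, the two constants are the Linux values defined by hand in the session above, and port 5555 is the constructed test port from that session.

```scheme
;; Linux values, defined by hand as in the REPL session above.
(define IPPROTO_IPV6 41)
(define IPV6_V6ONLY 26)

(define (open-listening-socket address)
  "Return a listening TCP socket bound to ADDRESS.  An AF_INET6 socket is
made v6-only so it does not also claim the IPv4 side of the port."
  (let* ((family (sockaddr:fam address))
         (sock   (socket family SOCK_STREAM 0)))
    (catch #t
      (lambda ()
        (setsockopt sock SOL_SOCKET SO_REUSEADDR 1)
        ;; Must happen before 'bind'; afterwards the kernel rejects it.
        (when (= family AF_INET6)
          (setsockopt sock IPPROTO_IPV6 IPV6_V6ONLY 1))
        (bind sock address)
        (listen sock 10)
        sock)
      (lambda args
        ;; Do not leak the descriptor when setup fails.
        (close-port sock)
        (apply throw args)))))

(define (open-listening-sockets addresses)
  "Open one socket per element of ADDRESSES.  If any of them fails, close
the sockets already opened so no partial set of listeners is left behind."
  (let loop ((addresses addresses) (sockets '()))
    (if (null? addresses)
        (reverse sockets)
        (let ((sock (catch #t
                      (lambda () (open-listening-socket (car addresses)))
                      (lambda args
                        (for-each close-port sockets)
                        (apply throw args)))))
          (loop (cdr addresses) (cons sock sockets))))))

;; Constructed demo: the caller lists both families explicitly.
;; INADDR_ANY is 0, which is also the IPv6 wildcard (::) here.
(define sockets
  (open-listening-sockets
   (list (make-socket-address AF_INET INADDR_ANY 5555)
         (make-socket-address AF_INET6 INADDR_ANY 5555))))

(for-each (lambda (s) (display (getsockname s)) (newline)) sockets)
```

With v6-only set, a caller that passes only the AF_INET6 address gets no IPv4 listener at all, which is the explicitness the message asks for.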