Bug 3526

Summary:

Config option AddressFamily has no effect?

Product:

Portable OpenSSH

Reporter:

nix-muell

Component:

ssh

Assignee:

Assigned to nobody <unassigned-bugs>

Status:

NEW ---

Severity:

trivial

CC:

djm

Priority:

Version:

9.0p1

Hardware:

amd64

OS:

Mac OS X

Attachments:

Description	Flags
conffile + verbose output	none

Description nix-muell 2023-01-21 09:46:59 AEDT

Using both OpenSSH_7.9p1 or OpenSSH_9.0p1 installed via Homebrew on MacOS X 10.14 (Mojave)

I'm trying to connect to a host that has A and AAAA DNS records, where the AAAA is wrong (not under my control).
When connecting, IPv6 is tried, then after a timeout is reached, IP4 connects just fine. Using the `ssh -4 host` argument, the connection uses v4 right away, as expected.

So, being lazy, I decided to set `AddressFamily inet` in my .ssh/config. To my surprise, this has no effect. SSH tries a v6 connection, then falls back to v4, as if the option were not set. It is, though.
Verifying with `ssh -G host`, i get the expected `addressfamily inet` line. The output is no bit different than the one i get from `ssh -4 -G host`

Am I expecting or doing something wrong? Hesitating to file a bug, stumbled upon unexpected but technically not wrong behaviour a few times lately.

Comment 1 Damien Miller 2023-02-10 14:28:03 AEDT

I'm not able to replicate this unfortunately. Please attach the debug output from a session failing to do the right thing (ssh -vvv ...)

Comment 2 nix-muell 2023-02-11 12:25:55 AEDT

Created attachment 3669 [details]
conffile + verbose output

reduced the config to only the most relevant stuff

Comment 3 nix-muell 2023-02-11 12:32:36 AEDT

Huh, found it. Because of canonicalization, the hostname is resolved before its canonical form is parsed in the config. This lookup must be cached and not resolve both A and AAAA records for later decision which of both to use.

Comment 4 nix-muell 2023-02-11 14:31:03 AEDT

Just checked, the lookup is for both (A and AAAA) records. Anyways, the IP4/IP6 decision is made too early. AddressFamily is not used like -G output suggests.

Change "Host lazy.actual-domain.redacted" to "Host lazy lazy.actual-domain.redacted", does the trick for now. It's still a bug, though. 
I can picture myself wanting to force v4/v6 upon a whole CanonicalDomain and not create a Host matching for each host :)

This makes me think about -W and things like LocalForward or ProxyCommand. This will be a *mess* once my company finally decides to go IPv6.