Bugzilla – Attachment 2862 Details for
Bug 2606
IPv6 bind address vs autoconfiguration privacy
[patch]
reuse BindAddress for this functionality
bz2606.diff (text/plain), 3.92 KB, created by
Damien Miller
on 2016-08-19 11:51:11 AEST
Description:
reuse BindAddress for this functionality
Filename:
MIME Type:
Creator:
Damien Miller
Created:
2016-08-19 11:51:11 AEST
Size:
3.92 KB
patch
obsolete
>diff --git a/ssh.c b/ssh.c
>index 03a23fb..9e8806c 100644
>--- a/ssh.c
>+++ b/ssh.c
>@@ -927,7 +927,7 @@ main(int ac, char **av)
> options.control_path = xstrdup(optarg);
> break;
> case 'b':
>- options.bind_address = optarg;
>+ options.bind_address = xstrdup(optarg);
> break;
> case 'F':
> config = optarg;
>diff --git a/ssh_config.5 b/ssh_config.5
>index 7630e7b..0079fd6 100644
>--- a/ssh_config.5
>+++ b/ssh_config.5
>@@ -284,6 +284,18 @@ Note that this option does not work if
> .Cm UsePrivilegedPort
> is set to
> .Dq yes .
>+.Pp
>+Additionally, this option may be used to control the selection of IPv6
>+binding addresses on platforms that support it.
>+A
>+.Cm BindAddress
>+of
>+.Dq public
>+will cause
>+.Xr ssh 1
>+to use a stable public IPv6 address, while
>+.Dq temp
>+will prefer a randomised temporary address.
> .It Cm CanonicalDomains
> When
> .Cm CanonicalizeHostname
>diff --git a/sshconnect.c b/sshconnect.c
>index 356ec79..b4640ce 100644
>--- a/sshconnect.c
>+++ b/sshconnect.c
>@@ -267,6 +267,45 @@ ssh_kill_proxy_command(void)
> kill(proxy_command_pid, SIGHUP);
> }
>
>+static int
>+set_v6_bindpref(int sock, const char *op)
>+{
>+#if defined(IPV6_ADDR_PREFERENCES) && defined(IPV6_PREFER_SRC_PUBLIC) && \
>+ defined(IPV6_PREFER_SRC_TMP) && defined(IPV6_PREFER_SRC_PUBTMP_DEFAULT)
>+ int val, add, del;
>+ socklen_t len = sizeof(val);
>+
>+ if (strcasecmp(op, "public") == 0) {
>+ add = IPV6_PREFER_SRC_PUBLIC;
>+ del = IPV6_PREFER_SRC_TMP|IPV6_PREFER_SRC_PUBTMP_DEFAULT;
>+ } else if (strcasecmp(op, "temp") == 0) {
>+ add = IPV6_PREFER_SRC_TMP;
>+ del = IPV6_PREFER_SRC_PUBLIC|IPV6_PREFER_SRC_PUBTMP_DEFAULT;
>+ } else
>+ return 0;
>+
>+ debug("%s: setting IPV6_ADDR_PREFERENCES to %s", __func__, op);
>+
>+ if (getsockopt(sock, IPPROTO_IPV6, IPV6_ADDR_PREFERENCES,
>+ &val, &len) != 0) {
>+ debug("%s: getsockopt: %s", __func__, strerror(errno));
>+ return -1;
>+ }
>+ val = (val & ~del) | add;
>+ if (setsockopt(sock, IPPROTO_IPV6, IPV6_ADDR_PREFERENCES,
>+ &val, len) != 0) {
>+ debug("%s: getsockopt: %s", __func__, strerror(errno));
>+ return -1;
>+ }
>+ return 1;
>+#else
>+ /* Silently eat public/temp operations on hosts that lack support */
>+ if (strcasecmp(op, "public") == 0 || strcasecmp(op, "temp") == 0)
>+ return 1;
>+ return 0;
>+#endif
>+}
>+
> /*
> * Creates a (possibly privileged) socket for use as the ssh connection.
> */
>@@ -275,6 +314,7 @@ ssh_create_socket(int privileged, struct addrinfo *ai)
> {
> int sock, r, gaierr;
> struct addrinfo hints, *res = NULL;
>+ const char *bind_address = options.bind_address;
>
> sock = socket(ai->ai_family, ai->ai_socktype, ai->ai_protocol);
> if (sock < 0) {
>@@ -283,19 +323,27 @@ ssh_create_socket(int privileged, struct addrinfo *ai)
> }
> fcntl(sock, F_SETFD, FD_CLOEXEC);
>
>+ /* Support for IPV6_ADDR_PREFERENCES if present */
>+ if (ai->ai_family == AF_INET6 && bind_address != NULL) {
>+ if (set_v6_bindpref(sock, bind_address) != 0) {
>+ /* Skip explicit bind(2) below */
>+ bind_address = NULL;
>+ }
>+ }
>+
> /* Bind the socket to an alternative local IP address */
>- if (options.bind_address == NULL && !privileged)
>+ if (bind_address == NULL && !privileged)
> return sock;
>
>- if (options.bind_address) {
>+ if (bind_address) {
> memset(&hints, 0, sizeof(hints));
> hints.ai_family = ai->ai_family;
> hints.ai_socktype = ai->ai_socktype;
> hints.ai_protocol = ai->ai_protocol;
> hints.ai_flags = AI_PASSIVE;
>- gaierr = getaddrinfo(options.bind_address, NULL, &hints, &res);
>+ gaierr = getaddrinfo(bind_address, NULL, &hints, &res);
> if (gaierr) {
>- error("getaddrinfo: %s: %s", options.bind_address,
>+ error("getaddrinfo: %s: %s", bind_address,
> ssh_gai_strerror(gaierr));
> close(sock);
> return -1;
>@@ -316,8 +364,7 @@ ssh_create_socket(int privileged, struct addrinfo *ai)
> }
> } else {
> if (bind(sock, res->ai_addr, res->ai_addrlen) < 0) {
>- error("bind: %s: %s", options.bind_address,
>- strerror(errno));
>+ error("bind: %s: %s", bind_address, strerror(errno));
> fail:
> close(sock);
> freeaddrinfo(res);
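Review bot: The debug message on the setsockopt() failure path in set_v6_bindpref is a copy of the one above it and says "getsockopt", so a failed read and a failed write of IPV6_ADDR_PREFERENCES are indistinguishable in -v output; it should read `debug("%s: setsockopt: %s", __func__, strerror(errno));`. The #else branch also returns 1 for "public" and "temp" without any trace, so a user who configured `BindAddress temp` for address privacy gets no indication on an unsupported platform that the preference was not applied; a `debug("%s: IPV6_ADDR_PREFERENCES unsupported, ignoring %s", __func__, op);` before the `return 1` would keep the silent-accept semantics while making it visible. The comment "Silently eat" documents that choice, but a one-line note in the function header saying the return values are 1 = keyword handled, 0 = not a keyword, -1 = keyword but setting it failed would help the caller, which currently collapses the last two meanings.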
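Review bot: The new call site treats every non-zero return from set_v6_bindpref as "preference applied", so the -1 returned when getsockopt()/setsockopt() fail also clears bind_address and the connection proceeds with whatever source address the kernel chooses, reported only at debug level; for a user who asked for `temp` that is a silent loss of the requested privacy. Distinguishing the failure case with the already-declared `r`, e.g. `r = set_v6_bindpref(sock, bind_address);` / `if (r < 0) { close(sock); return -1; }` / `if (r > 0) bind_address = NULL;`, would make it an error like the existing bind failures below. Separately, the AF_INET6 gate means that for an AF_INET candidate address bind_address still holds "public" or "temp" and is handed to getaddrinfo() as if it were a hostname, so a dual-stack host with `BindAddress temp` presumably fails its IPv4 attempts with a resolution error, or binds to an unintended address if a search domain happens to resolve that name; recognising the two keywords independently of ai_family and clearing bind_address for non-IPv6 families would avoid that. ssh_create_socket continues past the end of this hunk.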