Bugzilla – Attachment 2865 Details for
Bug 2606
IPv6 bind address vs autoconfiguration privacy
[patch]
revised patch
bz2606.diff (text/plain), 4.57 KB, created by
Damien Miller
on 2016-08-23 10:40:50 AEST
Description:
revised patch
Filename:
MIME Type:
Creator:
Damien Miller
Created:
2016-08-23 10:40:50 AEST
Size:
4.57 KB
patch
obsolete
>diff --git a/configure.ac b/configure.ac
>index a3c22c1..7406d11 100644
>--- a/configure.ac
>+++ b/configure.ac
>@@ -399,6 +399,7 @@ AC_CHECK_HEADERS([ \
> inttypes.h \
> langinfo.h \
> limits.h \
>+ linux/in6.h \
> locale.h \
> login.h \
> maillock.h \
>diff --git a/ssh.c b/ssh.c
>index 03a23fb..9e8806c 100644
>--- a/ssh.c
>+++ b/ssh.c
>@@ -927,7 +927,7 @@ main(int ac, char **av)
> options.control_path = xstrdup(optarg);
> break;
> case 'b':
>- options.bind_address = optarg;
>+ options.bind_address = xstrdup(optarg);
> break;
> case 'F':
> config = optarg;
>diff --git a/ssh_config.5 b/ssh_config.5
>index 7630e7b..0079fd6 100644
>--- a/ssh_config.5
>+++ b/ssh_config.5
>@@ -284,6 +284,18 @@ Note that this option does not work if
> .Cm UsePrivilegedPort
> is set to
> .Dq yes .
>+.Pp
>+Additionally, this option may be used to control the selection of IPv6
>+binding addresses on platforms that support it.
>+A
>+.Cm BindAddress
>+of
>+.Dq public
>+will cause
>+.Xr ssh 1
>+to use a stable public IPv6 address, while
>+.Dq temp
>+will prefer a randomised temporary address.
> .It Cm CanonicalDomains
> When
> .Cm CanonicalizeHostname
>diff --git a/sshconnect.c b/sshconnect.c
>index 356ec79..c36fbfc 100644
>--- a/sshconnect.c
>+++ b/sshconnect.c
>@@ -42,6 +42,10 @@
> #include <string.h>
> #include <unistd.h>
>
>+#ifdef HAVE_LINUX_IN6_H
>+#include <linux/in6.h>
>+#endif
>+
> #include "xmalloc.h"
> #include "key.h"
> #include "hostfile.h"
>@@ -267,6 +271,52 @@ ssh_kill_proxy_command(void)
> kill(proxy_command_pid, SIGHUP);
> }
>
>+static int
>+set_v6_bindpref(int sock, const char *op)
>+{
>+#if defined(IPV6_ADDR_PREFERENCES) && defined(IPV6_PREFER_SRC_PUBLIC) && \
>+ defined(IPV6_PREFER_SRC_TMP) && defined(IPV6_PREFER_SRC_PUBTMP_DEFAULT)
>+ int val, add, del;
>+ socklen_t len = sizeof(val);
>+
>+ if (strcasecmp(op, "%public") == 0 ||
>+ strcasecmp(op, "%pub") == 0) {
>+ add = IPV6_PREFER_SRC_PUBLIC;
>+ del = IPV6_PREFER_SRC_TMP|IPV6_PREFER_SRC_PUBTMP_DEFAULT;
>+ } else if (strcasecmp(op, "%temporary") == 0 ||
>+ strcasecmp(op, "%temp") == 0 ||
>+ strcasecmp(op, "%tmp") == 0) {
>+ add = IPV6_PREFER_SRC_TMP;
>+ del = IPV6_PREFER_SRC_PUBLIC|IPV6_PREFER_SRC_PUBTMP_DEFAULT;
>+ } else
>+ return 0;
>+
>+ debug("%s: setting IPV6_ADDR_PREFERENCES to %s", __func__, op+1);
>+
>+ if (getsockopt(sock, IPPROTO_IPV6, IPV6_ADDR_PREFERENCES,
>+ &val, &len) != 0) {
>+ debug("%s: getsockopt: %s", __func__, strerror(errno));
>+ return -1;
>+ }
>+ val = (val & ~del) | add;
>+ if (setsockopt(sock, IPPROTO_IPV6, IPV6_ADDR_PREFERENCES,
>+ &val, len) != 0) {
>+ debug("%s: getsockopt: %s", __func__, strerror(errno));
>+ return -1;
>+ }
>+ return 1;
>+#else
>+ /* Silently eat operations on hosts that lack support */
>+ if (strcasecmp(op, "%public") == 0 ||
>+ strcasecmp(op, "%pub") == 0 ||
>+ strcasecmp(op, "%temporary") == 0 ||
>+ strcasecmp(op, "%temp") == 0 ||
>+ strcasecmp(op, "%tmp") == 0)
>+ return 1;
>+ return 0;
>+#endif
>+}
>+
> /*
> * Creates a (possibly privileged) socket for use as the ssh connection.
> */
>@@ -275,6 +325,7 @@ ssh_create_socket(int privileged, struct addrinfo *ai)
> {
> int sock, r, gaierr;
> struct addrinfo hints, *res = NULL;
>+ const char *bind_address = options.bind_address;
>
> sock = socket(ai->ai_family, ai->ai_socktype, ai->ai_protocol);
> if (sock < 0) {
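Review bot: The failure branch after setsockopt() in set_v6_bindpref() reports `getsockopt`, so a failed set is indistinguishable in the logs from a failed get; the second message should be `debug("%s: setsockopt: %s", __func__, strerror(errno));`. The keywords matched here all carry a `%` prefix (`%public`, `%pub`, `%temporary`, `%temp`, `%tmp`), while the ssh_config.5 hunk in this same patch documents bare `public` and `temp`, so a user following the manual never reaches this code and the word is instead handed to getaddrinfo() as a hostname — one side needs to change. Both the `#if` failure paths and the `#else` branch reduce a preference that was not applied to a debug() trace or to silence, which matters for `%temp` since it is a privacy choice; a verbose() or error() would let the user see that the requested source-address selection did not take effect. Whether `<strings.h>` for strcasecmp() is already in scope in sshconnect.c is not visible from this hunk.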
>@@ -283,19 +334,27 @@ ssh_create_socket(int privileged, struct addrinfo *ai)
> }
> fcntl(sock, F_SETFD, FD_CLOEXEC);
>
>+ /* Support for IPV6_ADDR_PREFERENCES if present */
>+ if (ai->ai_family == AF_INET6 && bind_address != NULL) {
>+ if (set_v6_bindpref(sock, bind_address) != 0) {
>+ /* Skip explicit bind(2) below */
>+ bind_address = NULL;
>+ }
>+ }
>+
> /* Bind the socket to an alternative local IP address */
>- if (options.bind_address == NULL && !privileged)
>+ if (bind_address == NULL && !privileged)
> return sock;
>
>- if (options.bind_address) {
>+ if (bind_address) {
> memset(&hints, 0, sizeof(hints));
> hints.ai_family = ai->ai_family;
> hints.ai_socktype = ai->ai_socktype;
> hints.ai_protocol = ai->ai_protocol;
> hints.ai_flags = AI_PASSIVE;
>- gaierr = getaddrinfo(options.bind_address, NULL, &hints, &res);
>+ gaierr = getaddrinfo(bind_address, NULL, &hints, &res);
> if (gaierr) {
>- error("getaddrinfo: %s: %s", options.bind_address,
>+ error("getaddrinfo: %s: %s", bind_address,
> ssh_gai_strerror(gaierr));
> close(sock);
> return -1;
>@@ -316,8 +375,7 @@ ssh_create_socket(int privileged, struct addrinfo *ai)
> }
> } else {
> if (bind(sock, res->ai_addr, res->ai_addrlen) < 0) {
>- error("bind: %s: %s", options.bind_address,
>- strerror(errno));
>+ error("bind: %s: %s", bind_address, strerror(errno));
> fail:
> close(sock);
> freeaddrinfo(res);
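Review bot: The `!= 0` test on set_v6_bindpref() lumps its -1 failure return together with success, so when getsockopt() or setsockopt() fails the explicit bind is skipped and the connection proceeds with neither the requested preference nor a bound address, leaving only a debug() trace. If that should not be silent, keep the two outcomes apart: `int pref = set_v6_bindpref(sock, bind_address); if (pref < 0) { close(sock); return -1; } if (pref > 0) bind_address = NULL;` — or at minimum an error() on the negative case. The keyword is only consulted when `ai->ai_family == AF_INET6`, so with a `%temp`-style BindAddress an AF_INET candidate passes the same string to getaddrinfo() below and emits `error("getaddrinfo: %s: %s", ...)` for each IPv4 address tried; either skipping the IPv4 bind path when the value is a `%` keyword or documenting that these keywords require AddressFamily inet6 would avoid that. ssh_create_socket() begins in the preceding hunk and continues past the end of this one.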