Bug 2892 - Connections to jump hosts do not respect -4 and -6
Status: CLOSED WONTFIX
Alias: None
Product: Portable OpenSSH
Classification: Unclassified
Component: ssh
Version: 7.7p1
Hardware: All All
Importance: P5 enhancement
Assignee: Assigned to nobody
Reported: 2018-08-04 20:39 AEST by Pascal Jungblut
Modified: 2021-04-23 15:11 AEST

Attachments
jump host address family patch (1.21 KB, patch)
2018-08-04 20:39 AEST, Pascal Jungblut

Description Pascal Jungblut 2018-08-04 20:39:40 AEST
Created attachment 3167
jump host address family patch

When using a jump host via ProxyJump or -J the generated proxy command is missing "-4" or "-6". The man page states that the flags "force ssh to use IPv(4|6) addresses only".

Steps to reproduce:

ssh -v4 -J example.com abc.example.com

Actual result:

ssh does not necessarily connect to example.com via IPv4 and the debug log contains:
debug1: Executing proxy command: exec ssh -v -W '[abc.example.com]:22' example.com

Expected result:

ssh uses IPv4 for the jump host and the debug log contains:
debug1: Executing proxy command: exec ssh -4 -v -W '[abc.example.com]:22' example.com

The behavior was tested with portable OpenSSH 7.7 on Linux as well as on OpenBSD (see patch).
Comment 1 Damien Miller 2018-10-10 15:30:58 AEDT
I'm not sure about that, because it would preclude the possibility of using a different address family for the jump host and the ultimate connection - since a -4/-6 specified on the commandline would override anything in the jump ssh instance's config.
Comment 2 Damien Miller 2018-12-07 14:53:14 AEDT
Thinking about this some more, what I said in comment #1 is correct. It's entirely possible to have a JumpHost that wants a different address family to the destination.

It's possible to address this via sshd_config by explicitly setting AddressFamily for the proxy host, so I don't think implicitly passing through the commandline AF options is desirable.
Comment 3 Pascal Jungblut 2018-12-17 09:49:59 AEDT
Thanks for your comments. Yes, it's definitely feasible to use AddressFamily in ssh_config and this is what I ended up doing.

My confusion came from the man page descriptions of -4 and -6. I'm not sure whether changing the man page would make much sense. It might be irrelevant for the majority of users, but right now the flag does not do what the manual says.

Regarding the problem of overriding ssh_config: -4/-6 will also override AddressFamily for the target host (with or without -J). I'd argue that the opposite (of comment #2) is at least equally consistent: -4 forces AF_INET on all connections and if I wanted only the target host but not the jump hosts to use IPv4, then I should specify that in ssh_config for the target.

Feel free to close this issue if you think the current implementation acts correctly. It was just an inconsistency I stumbled upon while working with poorly configured hosts.
Comment 4 Damien Miller 2019-01-22 22:53:50 AEDT
I don't think I want to go down the road of making commandline options affect ProxyJump hosts - there are too many interactions and too much loss of control (consider, passing a command-line option would generally preclude the ability to specify something in the config file).

I've committed some manpage changes to make it more explicit that users should set jump host configuration via ~/.ssh/config rather than using the commandline. Hopefully that is enough...
Comment 5 Damien Miller 2021-04-23 15:11:03 AEST
closing resolved bugs as of 8.6p1 release
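
Added example, not part of the bug thread or of OpenSSH itself: a shell check of the resolution reached above, where the jump host's address family is set per host in the client config and the result is verified with `ssh -G`. It assumes an OpenSSH client that supports `-G`; the host names are those from the report, and the config file and function names are constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not from the bug report). Host names are the ones used in the
# report; the config file itself is constructed for this demonstration.

# Write a client config that pins the jump host to IPv4.
write_demo_config() {
    cat > "$1" <<'EOF'
# Jump host: the address family is set here, because -4/-6 given to the
# outer ssh are not passed to the ssh instance that ProxyJump starts.
Host example.com
    AddressFamily inet

# Target: reached through the jump host.
Host abc.example.com
    ProxyJump example.com
EOF
}

# Print the effective value of OPTION (lowercase, as "ssh -G" prints it)
# for HOST. usage: effective_option CONFIG HOST OPTION [extra ssh arguments...]
effective_option() {
    cfg=$1 host=$2 opt=$3
    shift 3
    ssh -G -F "$cfg" "$@" "$host" | awk -v k="$opt" '$1 == k { print $2 }'
}

# Demo: only runs when an ssh client supporting -G is available.
if ssh -G -F /dev/null localhost >/dev/null 2>&1; then
    demo_cfg=$(mktemp)
    write_demo_config "$demo_cfg"
    # What the jump instance (started without -4) resolves for the jump host:
    echo "jump host:   $(effective_option "$demo_cfg" example.com addressfamily)"
    # What the outer instance resolves for the target when given -4:
    echo "target (-4): $(effective_option "$demo_cfg" abc.example.com addressfamily -4)"
    rm -f "$demo_cfg"
fi
```

`ssh -G` only prints the resolved configuration and does not open a connection, so the check can be run before relying on the jump host path.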