When IPv6 privacy addresses are in use, Linux generates new IPv6 addresses at regular intervals and deprecates old ones. Those deprecated addresses won't get used for new connections, but where they are active in existing connections, they remain valid until the end of their validity period. Once the validity lifetime expires, however, the source address simply vanishes, and all TCP connections using this address die. Arguably, this could be fixed at kernel level, and those addresses kept alive, but hear me out…

I can set `net.ipv6.conf.default.use_tempaddr=1`, and the IPv6 address encoding my MAC address will be used for all outgoing connections. This would fix the problem, but it would also mean that I become instantly trackable across locations, because of my MAC address. With SSH, I also don't generally care about privacy like I do with HTTP & Co. In fact, when I log in to remote systems, I *like* it when reverse DNS works and `w` and `last` and what-have-you-command show from whence folks are logged in.

I am not sure it's at all possible, but I surely wanted to file a wishlist issue that SSH offer an option to choose a non-temporary, non-privacy IPv6 address for outgoing connections, as if `net.ipv6.conf.default.use_tempaddr` was set to 1, not 2. If it's any help, then here is the `ip addr` output for both types of addresses:

```
inet6 fc00:39:39:0:defb:48ff:fe15:304/64 scope global dynamic mngtmpaddr noprefixroute
   valid_lft 86345sec preferred_lft 14345sec
inet6 fc00:39:39:0:574a:eeb:ba9c:f9a2/64 scope global temporary dynamic
   valid_lft 85878sec preferred_lft 9933sec
```

The first is static in that it encodes the MAC address. The second is random. The `mngtmpaddr` is the flag you are after. I.e.: can SSH be configured to prefer using `mngtmpaddr` source addresses for outgoing connections over the temporary ones, even if the system is configured to prefer the temporary ones? Thanks for your consideration!
I am aware of the `-b` option, and one could obviously write a wrapper around `ssh` to determine the source address to use, and then pass it on to `ssh`. However, not many stories exist where a wrapper around `ssh` solved more problems than it introduced, so this is best avoided. The best solution would be to influence IPv6 source address selection somehow, but I could not find that glibc exports such functionality yet. I'll take it up with them. ;)
Mind me while I continue talking to myself ;) The key lies in RFC 5014, I think, and with reference to the section 9 usage example, the following line should do the trick:

```
preferences = IPV6_PREFER_SRC_CGA | IPV6_PREFER_SRC_HOME | IPV6_PREFER_SRC_PUBLIC
```

However, at least my glibc include files' `struct addrinfo` do not define a field `ai_eflags`, and a bit of browsing the Web doesn't instill a lot of confidence that this functionality is supported by glibc. I'll have to do a bit more research before I dip my toes into the glibc issue tracking waters about this…
Note that you can use a ProxyCommand to make outbound connections with whatever address selection policy you want (and, if you use ProxyUseFdpass, there's no overhead for using that connection). See OpenBSD's netcat (https://cvsweb.openbsd.org/cgi-bin/cvsweb/src/usr.bin/nc/netcat.c?annotate=1.219, function fdpass()) for an example of the latter.
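The three ideas raised in this thread (binding to a chosen address as `-b` would, the RFC 5014 address preferences, and handing a pre-connected socket to ssh via ProxyCommand with ProxyUseFdpass) fit together in one small script. The following is an added example written for this page; it is neither OpenSSH code nor the reporter's. It assumes Linux, where the RFC 5014 socket option exists as `IPV6_ADDR_PREFERENCES` (value 72) with `IPV6_PREFER_SRC_PUBLIC` (0x0002) in `<linux/in6.h>`; Python's socket module does not export those names, so they are spelled out. It also assumes Python 3.9 or newer for `socket.send_fds`. The script path and the `Host` pattern in the config stanza are hypothetical, and the sample `ip addr` text is constructed from the output quoted in the report.

```python
#!/usr/bin/env python3
"""Added example: ssh ProxyCommand that connects over IPv6 from a
non-temporary (mngtmpaddr-style) source address and passes the connected
socket back to ssh.  Assumed ~/.ssh/config stanza (hypothetical path):

    Host *.example.net
        ProxyUseFdpass yes
        ProxyCommand /usr/local/bin/public_src_proxy.py %h %p
"""
import re
import socket
import subprocess
import sys

# RFC 5014 option as implemented by Linux (<linux/in6.h>); glibc's
# <netinet/in.h> has the same names, Python's socket module does not.
IPV6_ADDR_PREFERENCES = 72
IPV6_PREFER_SRC_TMP = 0x0001
IPV6_PREFER_SRC_PUBLIC = 0x0002

# Constructed sample, built from the `ip addr` output quoted in the report.
SAMPLE_IP_ADDR = (
    "    inet6 fc00:39:39:0:defb:48ff:fe15:304/64 scope global dynamic mngtmpaddr noprefixroute\n"
    "       valid_lft 86345sec preferred_lft 14345sec\n"
    "    inet6 fc00:39:39:0:574a:eeb:ba9c:f9a2/64 scope global temporary dynamic\n"
    "       valid_lft 85878sec preferred_lft 9933sec\n"
)

_ADDR_LINE = re.compile(r"inet6\s+([0-9A-Fa-f:]+)/\d+\s+scope\s+global\b(.*)")
_PREF_LFT = re.compile(r"preferred_lft\s+(\d+)sec")


def pick_public_source(ip_addr_output):
    """Pick a global IPv6 address that is not a privacy (temporary) address
    from the text of `ip -6 addr show`.  Deprecated addresses (flag set or
    preferred_lft 0) rank last, mngtmpaddr-flagged ones first, ties keep the
    kernel's order.  Returns None when nothing suitable is configured."""
    lines = ip_addr_output.splitlines()
    candidates = []
    for idx, line in enumerate(lines):
        m = _ADDR_LINE.search(line)
        if not m:
            continue
        addr, flags = m.group(1), m.group(2).split()
        if "temporary" in flags:
            continue
        deprecated = "deprecated" in flags
        # `ip` prints the lifetimes on the line after the address.
        if idx + 1 < len(lines):
            lft = _PREF_LFT.search(lines[idx + 1])
            if lft and int(lft.group(1)) == 0:
                deprecated = True
        candidates.append((deprecated, "mngtmpaddr" not in flags, idx, addr))
    return min(candidates)[3] if candidates else None


def prefer_public_source(sock):
    """Ask the kernel to select a public (non-temporary) source, RFC 5014
    style.  Returns False if the option is rejected so callers can fall back."""
    try:
        sock.setsockopt(socket.IPPROTO_IPV6, IPV6_ADDR_PREFERENCES,
                        IPV6_PREFER_SRC_PUBLIC)
        return True
    except OSError:
        return False


def connect_from_public_address(host, port, ip_addr_output=None):
    """TCP-connect to host:port over IPv6 from a non-temporary source.
    First choice: IPV6_ADDR_PREFERENCES.  Fallback: choose an address from
    `ip -6 addr show` and bind() to it, which is what `ssh -b` would do."""
    sock = socket.socket(socket.AF_INET6, socket.SOCK_STREAM)
    if not prefer_public_source(sock):
        if ip_addr_output is None:
            ip_addr_output = subprocess.run(
                ["ip", "-6", "addr", "show"], check=True,
                capture_output=True, text=True).stdout
        src = pick_public_source(ip_addr_output)
        if src is None:
            sock.close()
            raise RuntimeError("no non-temporary global IPv6 address available")
        sock.bind((src, 0))
    sock.connect((host, port))
    return sock


def pass_fd_to_ssh(conn):
    """With ProxyUseFdpass, our stdout is a unix socket held by ssh, which
    expects the connected descriptor as SCM_RIGHTS ancillary data (the same
    protocol as netcat's fdpass())."""
    out = socket.socket(fileno=sys.stdout.fileno())
    socket.send_fds(out, [b"\0"], [conn.fileno()])  # Python 3.9+
    out.detach()  # hand the fd back without closing stdout


if __name__ == "__main__":
    if len(sys.argv) != 3:
        sys.exit("usage: public_src_proxy.py host port")
    pass_fd_to_ssh(connect_from_public_address(sys.argv[1], int(sys.argv[2])))
```

Because the process exits right after the descriptor is passed, there is no relay sitting in the data path, which is the "no overhead" property mentioned above. The fallback path deliberately skips addresses already marked deprecated or with `preferred_lft 0`, since binding to one of those reproduces exactly the dying-connection problem from the report.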