Module Name: src Committed By: ws Date: Fri Dec 1 12:07:20 UTC 2023
Modified Files: src/crypto/external/bsd/openssh/dist: readconf.c readconf.h scp.1 sftp.1 ssh.1 ssh_config.5 sshconnect.c Log Message: Add option IPv6PreferTemporary to allow selection of temporary vs. static IPv6 addresses on a host by host basis. To generate a diff of this commit: cvs rdiff -u -r1.42 -r1.43 src/crypto/external/bsd/openssh/dist/readconf.c cvs rdiff -u -r1.32 -r1.33 src/crypto/external/bsd/openssh/dist/readconf.h cvs rdiff -u -r1.30 -r1.31 src/crypto/external/bsd/openssh/dist/scp.1 cvs rdiff -u -r1.29 -r1.30 src/crypto/external/bsd/openssh/dist/sftp.1 cvs rdiff -u -r1.37 -r1.38 src/crypto/external/bsd/openssh/dist/ssh.1 cvs rdiff -u -r1.38 -r1.39 src/crypto/external/bsd/openssh/dist/ssh_config.5 cvs rdiff -u -r1.35 -r1.36 src/crypto/external/bsd/openssh/dist/sshconnect.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files.
Modified files: Index: src/crypto/external/bsd/openssh/dist/readconf.c diff -u src/crypto/external/bsd/openssh/dist/readconf.c:1.42 src/crypto/external/bsd/openssh/dist/readconf.c:1.43 --- src/crypto/external/bsd/openssh/dist/readconf.c:1.42 Wed Oct 25 20:19:57 2023 +++ src/crypto/external/bsd/openssh/dist/readconf.c Fri Dec 1 12:07:19 2023 @@ -1,4 +1,4 @@ -/* $NetBSD: readconf.c,v 1.42 2023/10/25 20:19:57 christos Exp $ */ +/* $NetBSD: readconf.c,v 1.43 2023/12/01 12:07:19 ws Exp $ */ /* $OpenBSD: readconf.c,v 1.381 2023/08/28 03:31:16 djm Exp $ */ /* @@ -15,7 +15,7 @@ */ #include "includes.h" -__RCSID("$NetBSD: readconf.c,v 1.42 2023/10/25 20:19:57 christos Exp $"); +__RCSID("$NetBSD: readconf.c,v 1.43 2023/12/01 12:07:19 ws Exp $"); #include <sys/types.h> #include <sys/stat.h> #include <sys/socket.h> @@ -160,6 +160,7 @@ typedef enum { oKbdInteractiveAuthentication, oKbdInteractiveDevices, oHostKeyAlias, oDynamicForward, oPreferredAuthentications, oHostbasedAuthentication, oHostKeyAlgorithms, oBindAddress, oBindInterface, oPKCS11Provider, + oIPv6PreferTemporary, oClearAllForwardings, oNoHostAuthenticationForLocalhost, oEnableSSHKeysign, oRekeyLimit, oVerifyHostKeyDNS, oConnectTimeout, oAddressFamily, oGssAuthentication, oGssDelegateCreds, @@ -303,6 +304,7 @@ static struct { { "casignaturealgorithms", oCASignatureAlgorithms }, { "bindaddress", oBindAddress }, { "bindinterface", oBindInterface }, + { "ipv6prefertemporary", oIPv6PreferTemporary }, { "clearallforwardings", oClearAllForwardings }, { "enablesshkeysign", oEnableSSHKeysign }, { "verifyhostkeydns", oVerifyHostKeyDNS }, @@ -1474,6 +1476,10 @@ parse_char_array: charptr = &options->bind_interface; goto parse_string; + case oIPv6PreferTemporary: + intptr = &options->ipv6_prefer_temporary; + goto parse_flag; + case oPKCS11Provider: charptr = &options->pkcs11_provider; goto parse_string; @@ -2615,6 +2621,7 @@ initialize_options(Options * options) options->preferred_authentications = NULL; options->bind_address = NULL; options->bind_interface = NULL; + options->ipv6_prefer_temporary = -1; options->pkcs11_provider = NULL; options->sk_provider = NULL; options->enable_ssh_keysign = - 1; Index: src/crypto/external/bsd/openssh/dist/readconf.h diff -u src/crypto/external/bsd/openssh/dist/readconf.h:1.32 src/crypto/external/bsd/openssh/dist/readconf.h:1.33 --- src/crypto/external/bsd/openssh/dist/readconf.h:1.32 Wed Oct 25 20:19:57 2023 +++ src/crypto/external/bsd/openssh/dist/readconf.h Fri Dec 1 12:07:19 2023 @@ -1,4 +1,4 @@ -/* $NetBSD: readconf.h,v 1.32 2023/10/25 20:19:57 christos Exp $ */ +/* $NetBSD: readconf.h,v 1.33 2023/12/01 12:07:19 ws Exp $ */ /* $OpenBSD: readconf.h,v 1.152 2023/08/28 03:31:16 djm Exp $ */ /* @@ -99,6 +99,7 @@ typedef struct { char *preferred_authentications; char *bind_address; /* local socket address for connection to sshd */ char *bind_interface; /* local interface for bind address */ + int ipv6_prefer_temporary; /* Prefer temporary IPv6 address */ char *pkcs11_provider; /* PKCS#11 provider */ char *sk_provider; /* Security key provider */ int verify_host_key_dns; /* Verify host key using DNS */ Index: src/crypto/external/bsd/openssh/dist/scp.1 diff -u src/crypto/external/bsd/openssh/dist/scp.1:1.30 src/crypto/external/bsd/openssh/dist/scp.1:1.31 --- src/crypto/external/bsd/openssh/dist/scp.1:1.30 Fri Jul 28 05:06:44 2023 +++ src/crypto/external/bsd/openssh/dist/scp.1 Fri Dec 1 12:07:19 2023 @@ -1,4 +1,4 @@ -.\" $NetBSD: scp.1,v 1.30 2023/07/28 05:06:44 rin Exp $ +.\" $NetBSD: scp.1,v 1.31 2023/12/01 12:07:19 ws Exp $ .\" .\" scp.1 .\" @@ -196,6 +196,7 @@ For full details of the options listed b .It IdentityAgent .It IdentityFile .It IPQoS +.It IPv6PreferTemporary .It KbdInteractiveAuthentication .It KbdInteractiveDevices .It KexAlgorithms Index: src/crypto/external/bsd/openssh/dist/sftp.1 diff -u src/crypto/external/bsd/openssh/dist/sftp.1:1.29 src/crypto/external/bsd/openssh/dist/sftp.1:1.30 --- src/crypto/external/bsd/openssh/dist/sftp.1:1.29 Fri Jul 28 04:49:38 2023 +++ src/crypto/external/bsd/openssh/dist/sftp.1 Fri Dec 1 12:07:19 2023 @@ -1,4 +1,4 @@ -.\" $NetBSD: sftp.1,v 1.29 2023/07/28 04:49:38 rin Exp $ +.\" $NetBSD: sftp.1,v 1.30 2023/12/01 12:07:19 ws Exp $ .\" $OpenBSD: sftp.1,v 1.143 2022/12/16 03:40:03 djm Exp $ .\" .\" Copyright (c) 2001 Damien Miller. All rights reserved. @@ -258,6 +258,7 @@ For full details of the options listed b .It IdentityAgent .It IdentityFile .It IPQoS +.It IPv6PreferTemporary .It KbdInteractiveAuthentication .It KbdInteractiveDevices .It KexAlgorithms Index: src/crypto/external/bsd/openssh/dist/ssh.1 diff -u src/crypto/external/bsd/openssh/dist/ssh.1:1.37 src/crypto/external/bsd/openssh/dist/ssh.1:1.38 --- src/crypto/external/bsd/openssh/dist/ssh.1:1.37 Wed Oct 25 20:19:57 2023 +++ src/crypto/external/bsd/openssh/dist/ssh.1 Fri Dec 1 12:07:19 2023 @@ -1,4 +1,4 @@ -.\" $NetBSD: ssh.1,v 1.37 2023/10/25 20:19:57 christos Exp $ +.\" $NetBSD: ssh.1,v 1.38 2023/12/01 12:07:19 ws Exp $ .\" .\" Author: Tatu Ylonen <y...@cs.hut.fi> .\" Copyright (c) 1995 Tatu Ylonen <y...@cs.hut.fi>, Espoo, Finland @@ -548,6 +548,7 @@ For full details of the options listed b .It IdentityAgent .It IdentityFile .It IPQoS +.It IPv6PreferTemporary .It KbdInteractiveAuthentication .It KbdInteractiveDevices .It KexAlgorithms Index: src/crypto/external/bsd/openssh/dist/ssh_config.5 diff -u src/crypto/external/bsd/openssh/dist/ssh_config.5:1.38 src/crypto/external/bsd/openssh/dist/ssh_config.5:1.39 --- src/crypto/external/bsd/openssh/dist/ssh_config.5:1.38 Wed Oct 25 20:19:57 2023 +++ src/crypto/external/bsd/openssh/dist/ssh_config.5 Fri Dec 1 12:07:19 2023 @@ -1,4 +1,4 @@ -.\" $NetBSD: ssh_config.5,v 1.38 2023/10/25 20:19:57 christos Exp $ +.\" $NetBSD: ssh_config.5,v 1.39 2023/12/01 12:07:19 ws Exp $ .\" .\" Author: Tatu Ylonen <y...@cs.hut.fi> .\" Copyright (c) 1995 Tatu Ylonen <y...@cs.hut.fi>, Espoo, Finland @@ -1162,6 +1162,17 @@ for interactive sessions and .Cm cs1 (Lower Effort) for non-interactive sessions. +.It Cm IPv6PreferTemporary +In the absence of an explicitly specified +.Cm BindAddress , +this defines whether to prefer temporary addresses as source address. +The argument to this can by either +.Cm yes , +meaning to prefer any temporary address, or +.Cm no , +resulting in the use of a permanent address, if available. +If this option isn't specified, +the address selection depends on the OS configuration. .It Cm KbdInteractiveAuthentication Specifies whether to use keyboard-interactive authentication. The argument to this keyword must be Index: src/crypto/external/bsd/openssh/dist/sshconnect.c diff -u src/crypto/external/bsd/openssh/dist/sshconnect.c:1.35 src/crypto/external/bsd/openssh/dist/sshconnect.c:1.36 --- src/crypto/external/bsd/openssh/dist/sshconnect.c:1.35 Fri Jul 28 05:02:46 2023 +++ src/crypto/external/bsd/openssh/dist/sshconnect.c Fri Dec 1 12:07:19 2023 @@ -1,4 +1,4 @@ -/* $NetBSD: sshconnect.c,v 1.35 2023/07/28 05:02:46 rin Exp $ */ +/* $NetBSD: sshconnect.c,v 1.36 2023/12/01 12:07:19 ws Exp $ */ /* $OpenBSD: sshconnect.c,v 1.363 2023/03/10 07:17:08 dtucker Exp $ */ /* * Author: Tatu Ylonen <y...@cs.hut.fi> @@ -15,7 +15,7 @@ */ #include "includes.h" -__RCSID("$NetBSD: sshconnect.c,v 1.35 2023/07/28 05:02:46 rin Exp $"); +__RCSID("$NetBSD: sshconnect.c,v 1.36 2023/12/01 12:07:19 ws Exp $"); #include <sys/param.h> /* roundup */ #include <sys/types.h> @@ -27,6 +27,8 @@ __RCSID("$NetBSD: sshconnect.c,v 1.35 20 #include <net/if.h> #include <netinet/in.h> +#include <netinet/in_var.h> +#include <netinet6/ip6_var.h> #include <rpc/rpc.h> #include <ctype.h> @@ -312,29 +314,30 @@ ssh_set_socket_recvbuf(int sock) */ static int check_ifaddrs(const char *ifname, int af, const struct ifaddrs *ifaddrs, - struct sockaddr_storage *resultp, socklen_t *rlenp) + int prefertemp, struct sockaddr_storage *resultp, socklen_t *rlenp) { struct sockaddr_in6 *sa6; struct sockaddr_in *sa; struct in6_addr *v6addr; const struct ifaddrs *ifa; - int allow_local; + int try; /* + * Prefer temporary addresses according to prefertemp. * Prefer addresses that are not loopback or linklocal, but use them * if nothing else matches. */ - for (allow_local = 0; allow_local < 2; allow_local++) { + for (try = 0; try < 3; try++) { for (ifa = ifaddrs; ifa != NULL; ifa = ifa->ifa_next) { if (ifa->ifa_addr == NULL || ifa->ifa_name == NULL || (ifa->ifa_flags & IFF_UP) == 0 || ifa->ifa_addr->sa_family != af || - strcmp(ifa->ifa_name, options.bind_interface) != 0) + strcmp(ifa->ifa_name, ifname) != 0) continue; switch (ifa->ifa_addr->sa_family) { case AF_INET: sa = (struct sockaddr_in *)ifa->ifa_addr; - if (!allow_local && sa->sin_addr.s_addr == + if (try < 2 && sa->sin_addr.s_addr == htonl(INADDR_LOOPBACK)) continue; if (*rlenp < sizeof(struct sockaddr_in)) { @@ -347,7 +350,7 @@ check_ifaddrs(const char *ifname, int af case AF_INET6: sa6 = (struct sockaddr_in6 *)ifa->ifa_addr; v6addr = &sa6->sin6_addr; - if (!allow_local && + if (try < 2 && (IN6_IS_ADDR_LINKLOCAL(v6addr) || IN6_IS_ADDR_LOOPBACK(v6addr))) continue; @@ -355,6 +358,26 @@ check_ifaddrs(const char *ifname, int af error_f("v6 addr doesn't fit"); return -1; } + + /* + * For now, ignore scope and + * don't allow deprecated addresses. XXX + */ + if (ifa->ifa_addrflags & IN6_IFF_ANYCAST) + continue; + if (ifa->ifa_addrflags & IN6_IFF_NOTREADY) + continue; + if (ifa->ifa_addrflags & IN6_IFF_DETACHED) + continue; + if (ifa->ifa_addrflags & IN6_IFF_DEPRECATED) + continue; + + if (prefertemp >= 0 && try < 1) { + int istemp = ifa->ifa_addrflags + & IN6_IFF_TEMPORARY; + if (!!istemp != prefertemp) + continue; + } *rlenp = sizeof(struct sockaddr_in6); memcpy(resultp, sa6, *rlenp); return 0; @@ -392,9 +415,6 @@ ssh_create_socket(struct addrinfo *ai) set_sock_tos(sock, options.ip_qos_interactive); /* Bind the socket to an alternative local IP address */ - if (options.bind_address == NULL && options.bind_interface == NULL) - return sock; - if (options.bind_address != NULL) { memset(&hints, 0, sizeof(hints)); hints.ai_family = ai->ai_family; @@ -421,12 +441,27 @@ ssh_create_socket(struct addrinfo *ai) } bindaddrlen = sizeof(bindaddr); if (check_ifaddrs(options.bind_interface, ai->ai_family, - ifaddrs, &bindaddr, &bindaddrlen) != 0) { + ifaddrs, options.ipv6_prefer_temporary, + &bindaddr, &bindaddrlen) != 0) { logit("getifaddrs: %s: no suitable addresses", options.bind_interface); goto fail; } + } else { + /* Apply user specified temporary address preference */ + if (ai->ai_family == AF_INET6 + && options.ipv6_prefer_temporary >= 0) { + int temp = options.ipv6_prefer_temporary + ? IP6PO_TEMPADDR_PREFER + : IP6PO_TEMPADDR_NOTPREFER; + if (setsockopt(sock, IPPROTO_IPV6, IPV6_PREFER_TEMPADDR, + &temp, sizeof temp) < 0) + error("setsockopt(IPV6_PREFER_TEMPADDR: %.100s", + strerror(errno)); + } + return sock; } + if ((r = getnameinfo((struct sockaddr *)&bindaddr, bindaddrlen, ntop, sizeof(ntop), NULL, 0, NI_NUMERICHOST)) != 0) { error_f("getnameinfo failed: %s", ssh_gai_strerror(r));