Bug 1063278

Summary: sss_ssh_knownhostsproxy doesn't fall back to ipv4
Product: [Fedora] Fedora
Reporter: Dennis Gilmore <dennis>
Component: sssd
Assignee: Jakub Hrozek <jhrozek>
Status: CLOSED ERRATA
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: unspecified
Priority: unspecified
Version: 25
CC: abokovoy, awilliam, dennis, jcholast, jhrozek, lslebodn, nalin, pbrezina, sbose, sgallagh, ssorce
Target Milestone: ---
Keywords: Reopened
Target Release: ---
Hardware: All
OS: Linux
Fixed In Version: sssd-1.15.2-3.fc26 sssd-1.15.2-3.fc25 sssd-1.15.2-3.fc24
Doc Type: Bug Fix
Last Closed: 2017-05-04 13:32:02 UTC
Type: Bug
Attachments: proposed fix (flags: none)

Description Dennis Gilmore 2014-02-10 11:56:48 UTC
Description of problem:
When sshing to a box with dual stack networking from a box with a broken network setup, fallback to IPv4 fails to occur. The -4 command line option on ssh is also ignored.



Version-Release number of selected component (if applicable):
sssd-common-1.11.3-1.fc21.x86_64

How reproducible:
always

Steps to Reproduce:
1. ssh to a host with IPv6 from a network that can't route to the host via IPv6

Actual results:
ssh -4 -vvvvv fedorapeople.org
OpenSSH_6.4, OpenSSL 1.0.1e-fips 11 Feb 2013
debug1: Reading configuration data /home/dennis/.ssh/config
debug1: /home/dennis/.ssh/config line 30: Applying options for fedorapeople.org
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: /etc/ssh/ssh_config line 54: Applying options for *
debug2: ssh_connect: needpriv 0
debug1: Executing proxy command: exec /usr/bin/sss_ssh_knownhostsproxy -p 22 fedorapeople.org
debug1: permanently_drop_suid: 217600001
debug3: Incorrect RSA1 identifier
debug3: Could not load "/home/dennis/.ssh/id_rsa" as a RSA1 public key
debug1: identity file /home/dennis/.ssh/id_rsa type 1
debug1: identity file /home/dennis/.ssh/id_rsa-cert type -1
debug1: identity file /home/dennis/.ssh/id_dsa type -1
debug1: identity file /home/dennis/.ssh/id_dsa-cert type -1
debug3: Incorrect RSA1 identifier
debug3: Could not load "/home/dennis/.ssh/id_ecdsa" as a RSA1 public key
debug1: identity file /home/dennis/.ssh/id_ecdsa type 3
debug1: identity file /home/dennis/.ssh/id_ecdsa-cert type -1
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_6.4
ssh_exchange_identification: Connection closed by remote host

Expected results:
ssh to work 

Additional info:

adding -4 to ssh command line to force ipv4 fails also
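
The fallback behaviour this report asks for, as an added example (not the sssd source and not the attached proposed fix): walk every address returned by getaddrinfo() and move on to the next one when socket() or connect() fails, with an optional address-family restriction of the kind -4 requests. The names connect_any and resolve_and_connect are hypothetical.

```c
/* Added example, not sssd code; connect_any/resolve_and_connect are hypothetical. */
#include <errno.h>
#include <netdb.h>
#include <netinet/in.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>
/* Walk a resolved list; return a connected fd, or -1 with errno = last failure.
 * only_family restricts the walk (AF_UNSPEC = all); *tried counts attempts. */
int connect_any(const struct addrinfo *list, int only_family, int *tried)
{
    int last_err = EADDRNOTAVAIL;
    *tried = 0;
    for (const struct addrinfo *ai = list; ai != NULL; ai = ai->ai_next) {
        if (only_family != AF_UNSPEC && ai->ai_family != only_family)
            continue;
        (*tried)++;
        int fd = socket(ai->ai_family, ai->ai_socktype, ai->ai_protocol);
        if (fd < 0) { last_err = errno; continue; }   /* e.g. IPv6 disabled */
        if (connect(fd, ai->ai_addr, ai->ai_addrlen) == 0)
            return fd;
        last_err = errno;   /* refused or unreachable: try the next address */
        close(fd);
    }
    errno = last_err;
    return -1;
}

/* Resolve host:port, then connect with fallback across the returned addresses. */
int resolve_and_connect(const char *host, const char *port, int family)
{
    struct addrinfo hints, *res;
    int tried;
    memset(&hints, 0, sizeof(hints));
    hints.ai_family = family; hints.ai_socktype = SOCK_STREAM;
    if (getaddrinfo(host, port, &hints, &res) != 0) return -1;
    int fd = connect_any(res, AF_UNSPEC, &tried);
    freeaddrinfo(res);
    return fd;
}

int main(int argc, char **argv)
{
    int fd = (argc == 3) ? resolve_and_connect(argv[1], argv[2], AF_UNSPEC) : -1;
    if (fd < 0) { fprintf(stderr, "usage: %s host port (or connect failed)\n", argv[0]); return 1; }
    close(fd);
    return 0;
}
```

Each blocking connect() to an address that silently drops packets waits for the kernel's TCP timeout before the next address is tried, so a production proxy would normally bound each attempt with a non-blocking connect and a timer.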

Comment 1 Jakub Hrozek 2014-02-10 12:12:44 UTC
Can you include the logs produced by sssd when you put debug_level=7 in the [ssh] and [domain] sections?

Comment 2 Pavel Březina 2014-02-10 12:19:24 UTC
This is probably the same problem as described in deferred ticket: https://fedorahosted.org/sssd/ticket/1498

Comment 3 openshift-github-bot 2014-02-11 18:28:18 UTC
Commit pushed to master at https://github.com/openshift/origin-server

https://github.com/openshift/origin-server/commit/e893f1d1b6a6658275ade55a75a1a330124ee792
Bug 1063278 - kill user processes before user

	modified:   node-util/sbin/oo-admin-gear

Comment 4 Jakub Hrozek 2014-02-12 16:12:59 UTC
Upstream ticket:
https://fedorahosted.org/sssd/ticket/1498

Comment 5 Adam Williamson 2014-10-09 03:43:09 UTC
I just ran into this on F21 today. Rather annoying in the case where IPv6 routing fails but IPv4 works.

Comment 6 Jaroslav Reznik 2015-03-03 15:28:16 UTC
This bug appears to have been reported against 'rawhide' during the Fedora 22 development cycle.
Changing version to '22'.

More information and reason for this action is here:
https://fedoraproject.org/wiki/Fedora_Program_Management/HouseKeeping/Fedora22

Comment 7 Fedora End Of Life 2016-07-19 10:59:10 UTC
Fedora 22 changed to end-of-life (EOL) status on 2016-07-19. Fedora 22 is
no longer maintained, which means that it will not receive any further
security or bug fix updates. As a result we are closing this bug.

If you can reproduce this bug against a currently maintained version of
Fedora please feel free to reopen this bug against that version. If you
are unable to reopen this bug, please file a new report against the
current release. If you experience problems, please add a comment to this
bug.

Thank you for reporting this bug and we are sorry it could not be fixed.

Comment 8 Jan Kurik 2016-07-26 04:24:28 UTC
This bug appears to have been reported against 'rawhide' during the Fedora 25 development cycle.
Changing version to '25'.

Comment 9 Nalin Dahyabhai 2016-08-18 18:50:32 UTC
Created attachment 1191974 [details]
proposed fix

Comment 10 Jakub Hrozek 2016-08-19 12:03:18 UTC
(In reply to Nalin Dahyabhai from comment #9)
> Created attachment 1191974 [details]
> proposed fix

Thank you, I sent the patch to sssd-devel.

Comment 11 Jakub Hrozek 2016-08-19 12:03:49 UTC
Dennis, are you interested in testing the patch?

Comment 12 Dennis Gilmore 2016-08-23 23:06:36 UTC
Jakub, happy to help test the patch

Comment 13 Jakub Hrozek 2016-08-24 08:00:07 UTC
(In reply to Dennis Gilmore from comment #12)
> Jakub, happy to help test the patch

OK, which version should I base the test package on (rpm -q sssd output is sufficient)?

Comment 14 Dennis Gilmore 2016-08-29 13:06:49 UTC
Fedora 24 or Fedora 25 builds would be good.

Comment 15 Jakub Hrozek 2016-08-29 14:19:16 UTC
OK, I prepared a F-24 repo here (COPR didn't offer me F-25..)

https://copr.fedorainfracloud.org/coprs/jhrozek/sssd-addrfamily-fallback/

Comment 16 Dennis Gilmore 2016-08-30 15:39:52 UTC
In quick testing it works. Fallback is very slow, but it does appear to do so.

Comment 17 Dennis Gilmore 2016-08-31 01:46:35 UTC
Actually it seems something is really broken. I have a bunch of IPv6-only hosts; ssh to them fails with
packet_write_wait: Connection to UNKNOWN port 65535: Broken pipe

If I ssh to root@host it works okay.

Comment 18 Jakub Hrozek 2016-08-31 08:36:14 UTC
(In reply to Dennis Gilmore from comment #17)
> Actually it seems something is really broken. I have a bunch of IPv6-only
> hosts; ssh to them fails with
> packet_write_wait: Connection to UNKNOWN port 65535: Broken pipe
> 
> If I ssh to root@host it works okay.

Does this only happen with the sssd ssh responder? If yes, we should look at the debug logs; Broken Pipe would suggest the connection between sss_ssh and sshd was terminated abruptly for some reason.

Comment 19 Lukas Slebodnik 2017-04-28 17:19:12 UTC
master:
* 244adc327f7e29ba2c7ef60bc9f732d8fe3e68c9
* 5f6232c7e6d9635c1d6b6b09f799309b6094b143
* 08084b1179bb9fc38bc22b464b3d44907107bfd3

Comment 20 Fedora Update System 2017-05-01 08:13:21 UTC
sssd-1.15.2-3.fc26 has been submitted as an update to Fedora 26. https://bodhi.fedoraproject.org/updates/FEDORA-2017-8addfc0188

Comment 21 Fedora Update System 2017-05-01 08:15:20 UTC
sssd-1.15.2-3.fc25 has been submitted as an update to Fedora 25. https://bodhi.fedoraproject.org/updates/FEDORA-2017-ac43ea8522

Comment 22 Fedora Update System 2017-05-01 08:21:26 UTC
sssd-1.15.2-3.fc24 has been submitted as an update to Fedora 24. https://bodhi.fedoraproject.org/updates/FEDORA-2017-2b18f89e47

Comment 23 Fedora Update System 2017-05-02 03:30:41 UTC
sssd-1.15.2-3.fc25 has been pushed to the Fedora 25 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2017-ac43ea8522

Comment 24 Fedora Update System 2017-05-02 05:04:57 UTC
sssd-1.15.2-3.fc24 has been pushed to the Fedora 24 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2017-2b18f89e47

Comment 25 Fedora Update System 2017-05-02 06:37:21 UTC
sssd-1.15.2-3.fc26 has been pushed to the Fedora 26 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2017-8addfc0188

Comment 26 Fedora Update System 2017-05-04 13:32:02 UTC
sssd-1.15.2-3.fc26 has been pushed to the Fedora 26 stable repository. If problems still persist, please make note of it in this bug report.

Comment 27 Fedora Update System 2017-05-12 12:03:58 UTC
sssd-1.15.2-3.fc25 has been pushed to the Fedora 25 stable repository. If problems still persist, please make note of it in this bug report.

Comment 28 Fedora Update System 2017-05-12 19:23:19 UTC
sssd-1.15.2-3.fc24 has been pushed to the Fedora 24 stable repository. If problems still persist, please make note of it in this bug report.