Bug 829004

Summary: Link local IPv6 addresses do not work in openssh
Product: [Fedora] Fedora
Reporter: Eric Hopper <eric-bugs2>
Component: openssh
Assignee: Petr Lautrbach <plautrba>
Status: CLOSED NOTABUG
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: unspecified
Priority: unspecified
Version: 17
CC: kes-kes, mattias.ellert, mgrepl, mmalina, plautrba, sander, tmraz
Hardware: Unspecified   
OS: Linux   
Doc Type: Bug Fix
Last Closed: 2012-06-27 09:34:05 EDT
Type: Bug

Description Eric Hopper 2012-06-05 14:33:31 EDT
Description of problem:
ssh fails to connect to link local addresses. It appears to fail to recognize them as addresses. This did work at one point in time.

Version-Release number of selected component (if applicable):

How reproducible:
Every time.

Steps to Reproduce:
1. ssh fe80::xxxx:9eff:fe02:xxxx%em0 

Actual results:
ssh: Could not resolve hostname fe80::3615:9eff:fe02:4094%em0: Address family for hostname not supported

Expected results:
Logging in to the relevant host using my public key.

Additional info:
This works just fine:

ssh -o 'ProxyCommand nc -6 -X connect %h 22' fe80::xxxx:9eff:fe02:xxx%em0

And it also fails (but slightly differently) when I do this:

$ ssh -6 fe80::xxxx:9eff:fe02:xxxx%em0 
ssh: Could not resolve hostname fe80::xxxx:9eff:fe02:xxxx%em0: Name or service not known

Comment 1 Eric Hopper 2012-06-19 14:31:29 EDT
Another relevant piece of information:

$ /sbin/ip link ls
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 16436 qdisc noqueue state UNKNOWN mode DEFAULT 
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
2: em0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP mode DEFAULT qlen 1000
    link/ether xx:xx:4d:6a:xx:xx brd ff:ff:ff:ff:ff:ff

So yes, my ethernet card is called em0 on this system.

Comment 2 Eric Hopper 2012-06-19 14:37:09 EDT

$ ping6 -c 5 fe80::xxxx:9eff:fe02:xxxx%em0
PING fe80::xxxx:9eff:fe02:xxxx%em0(fe80::xxxx:9eff:fe02:xxxx) 56 data bytes
64 bytes from fe80::xxxx:9eff:fe02:xxxx: icmp_seq=1 ttl=64 time=0.399 ms
64 bytes from fe80::xxxx:9eff:fe02:xxxx: icmp_seq=2 ttl=64 time=0.268 ms
64 bytes from fe80::xxxx:9eff:fe02:xxxx: icmp_seq=3 ttl=64 time=0.273 ms
64 bytes from fe80::xxxx:9eff:fe02:xxxx: icmp_seq=4 ttl=64 time=0.264 ms
64 bytes from fe80::xxxx:9eff:fe02:xxxx: icmp_seq=5 ttl=64 time=0.249 ms

--- fe80::xxxx:9eff:fe02:xxxx%em0 ping statistics ---
5 packets transmitted, 5 received, 0% packet loss, time 4000ms
rtt min/avg/max/mdev = 0.249/0.290/0.399/0.057 ms

Comment 3 Eric Hopper 2012-06-19 21:23:48 EDT
My current workaround is something like this in my .ssh/config file:

Host foo.local
   HostName fe80::xxxx:9eff:fe02:xxxx%%em0
   ProxyCommand nc -6 -X connect %h %p

Comment 4 Martin Malina 2012-06-27 07:25:12 EDT
I would like to add that ::1 doesn't work.

Comment 5 Petr Lautrbach 2012-06-27 09:34:05 EDT
ssh uses getaddrinfo() with hints.ai_flags = AI_V4MAPPED | AI_ADDRCONFIG;
if the AI_ADDRCONFIG flag is set, then getaddrinfo() queries for AAAA records only if the node has at least one IPv6 source address configured. Link-local and loopback addresses are intentionally ignored, so a system without any other IPv6 address looks like IPv4 only; see http://sourceware.org/bugzilla/show_bug.cgi?id=12377

To make this work you need to set a non-link-local IPv6 address for your em0 device, e.g. fc00::1/64 from the unique local addresses block:

# ssh ::1
ssh: Could not resolve hostname ::1: Address family for hostname not supported

# ssh fe80::216:3eff:fefd:1ea2%eth0
ssh: Could not resolve hostname fe80::216:3eff:fefd:1ea2%eth0: Address family for hostname not supported

# ip -6 addr add fc00::1/64 dev eth0

# ssh ::1
The authenticity of host '::1 (::1)' can't be established.
RSA key fingerprint is 75:14:60:a8:7e:ab:15:14:44:bf:68:b6:53:58:5d:cd.
Are you sure you want to continue connecting (yes/no)? ^C

# ssh fe80::xxx:fefd:1ea2%eth0
reverse mapping checking getaddrinfo for f17-openssh [fe80::xxx:fefd:1ea2%eth0] failed - POSSIBLE BREAK-IN ATTEMPT!
root@fe80::xxx:fefd:1ea2%eth0's password: ^C
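
The lookup described in Comment 5 can be reproduced outside ssh. The following is an added example, not OpenSSH code and not part of the bug report: it calls getaddrinfo() once with the AI_V4MAPPED | AI_ADDRCONFIG hints quoted above and once without AI_ADDRCONFIG. The helper names probe and report, the default host ::1 and the service "22" are assumptions of the example.

```c
#define _GNU_SOURCE   /* expose getaddrinfo() and AI_* under strict -std= modes */
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <netdb.h>
#include <netinet/in.h>

/* Resolve host with the given ai_flags (hypothetical helper).
 * Returns getaddrinfo()'s code; on success stores the first result's
 * address family and, for IPv6, its scope id (interface index). */
int probe(const char *host, int flags, int *family, unsigned *scope)
{
    struct addrinfo hints, *res = NULL;

    memset(&hints, 0, sizeof(hints));
    hints.ai_family = AF_UNSPEC;      /* let the resolver pick v4 or v6 */
    hints.ai_socktype = SOCK_STREAM;
    hints.ai_flags = flags;

    int rc = getaddrinfo(host, "22", &hints, &res);
    if (rc != 0)
        return rc;
    *family = res->ai_family;
    *scope = 0;
    if (res->ai_family == AF_INET6)   /* %ifname suffix ends up here */
        *scope = ((struct sockaddr_in6 *)res->ai_addr)->sin6_scope_id;
    freeaddrinfo(res);
    return 0;
}

/* Print one line per lookup so both flag sets can be compared. */
static void report(const char *label, const char *host, int flags)
{
    int fam = 0;
    unsigned scope = 0;
    int rc = probe(host, flags, &fam, &scope);

    if (rc != 0)
        printf("%-26s %s -> %s\n", label, host, gai_strerror(rc));
    else
        printf("%-26s %s -> %s scope=%u\n", label, host,
               fam == AF_INET6 ? "AF_INET6" : "AF_INET", scope);
}

int main(int argc, char **argv)
{
    const char *host = argc > 1 ? argv[1] : "::1";

    report("AI_V4MAPPED|AI_ADDRCONFIG", host, AI_V4MAPPED | AI_ADDRCONFIG);
    report("no AI_ADDRCONFIG", host, 0);
    return 0;
}
```

Pass a scoped address such as the fe80::...%em0 form from the report as the first argument to see the interface index in the scope field. The result of the first lookup depends on the C library version and on which IPv6 addresses the host has configured.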

Comment 6 kes-kes 2015-05-03 15:17:07 EDT
Connecting to an IPv4 host from IPv6 causes the following problem:

$ssh -b 2001:0:53aa:64c:3051:fa15:d124:ed3 user@
getaddrinfo: 2001:0:53aa:64c:3051:fa15:d124:ed3: Address family for hostname not supported
ssh: connect to host port 22: Success

# ip -f inet6 addr
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 
    inet6 ::1/128 scope host 
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qlen 1000
    inet6 fe80::225:22ff:fec0:fc31/64 scope link 
       valid_lft forever preferred_lft forever
8: teredo: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1280 qlen 500
    inet6 2001:0:53aa:64c:3051:fa15:d124:ed3/32 scope global 
       valid_lft forever preferred_lft forever
    inet6 fe80::ffff:ffff:ffff/64 scope link 
       valid_lft forever preferred_lft forever

How can I resolve this and connect from IPv6 to IPv4?