From debbugs-submit-bounces@debbugs.gnu.org Mon May 09 06:45:44 2022 Received: (at submit) by debbugs.gnu.org; 9 May 2022 10:45:44 +0000 Received: from localhost ([127.0.0.1]:56328 helo=debbugs.gnu.org) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from ) id 1no0tc-0005qv-2v for submit@debbugs.gnu.org; Mon, 09 May 2022 06:45:44 -0400 Received: from lists.gnu.org ([209.51.188.17]:48478) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from ) id 1no0ta-0005pc-R7 for submit@debbugs.gnu.org; Mon, 09 May 2022 06:45:43 -0400 Received: from eggs.gnu.org ([2001:470:142:3::10]:58300) by lists.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1no0tY-000330-3W for bug-guix@gnu.org; Mon, 09 May 2022 06:45:40 -0400 Received: from mira.cbaines.net ([2a01:7e00:e000:2f8:fd4d:b5c7:13fb:3d27]:52997) by eggs.gnu.org with esmtp (Exim 4.90_1) (envelope-from ) id 1no0tW-0005G3-8j for bug-guix@gnu.org; Mon, 09 May 2022 06:45:39 -0400 Received: from localhost (unknown [IPv6:2a02:8010:68c1:0:54d1:d5d4:280e:f699]) by mira.cbaines.net (Postfix) with ESMTPSA id 6E73E27BBE9 for ; Mon, 9 May 2022 11:45:34 +0100 (BST) Received: from felis (localhost [127.0.0.1]) by localhost (OpenSMTPD) with ESMTP id fa72f84e for ; Mon, 9 May 2022 10:45:30 +0000 (UTC) User-agent: mu4e 1.6.10; emacs 27.2 From: Christopher Baines To: bug-guix@gnu.org Subject: openssh-service no longer listens on IPv6 Date: Mon, 09 May 2022 11:39:47 +0100 Message-ID: <87r153q913.fsf@cbaines.net> MIME-Version: 1.0 Content-Type: multipart/signed; boundary="=-=-="; micalg=pgp-sha512; protocol="application/pgp-signature" Received-SPF: pass client-ip=2a01:7e00:e000:2f8:fd4d:b5c7:13fb:3d27; envelope-from=mail@cbaines.net; helo=mira.cbaines.net X-Spam_score_int: -18 X-Spam_score: -1.9 X-Spam_bar: - X-Spam_report: (-1.9 / 5.0 requ) BAYES_00=-1.9, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01 autolearn=ham autolearn_force=no X-Spam_action: no action X-Spam-Score: -1.4 (-) X-Debbugs-Envelope-To: submit X-BeenThere: debbugs-submit@debbugs.gnu.org X-Mailman-Version: 2.1.18 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: debbugs-submit-bounces@debbugs.gnu.org Sender: "Debbugs-submit" X-Spam-Score: -2.4 (--) --=-=-= Content-Type: text/plain This looks to be a recent regression, probably connected with the shepherd now doing the listening, rather than sshd itself. Previously, you could use both IPv4 and IPv6. netstat -tlnp | grep sshd tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN 26683/sshd: /gnu/st tcp6 0 0 :::22 :::* LISTEN 26683/sshd: /gnu/st Now though, it looks like with shepherd doing the listening, you can only use IPv4. netstat -tlnp | grep 22 tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN 1/guile On an affected machine, you can reproduce this by trying to SSH over v6. cbaines@lakeside ~$ ssh 127.0.0.1 The authenticity of host '127.0.0.1 (127.0.0.1)' can't be established. ED25519 key fingerprint is SHA256:1wV7w84awrGv5ilP5e8k5ygIvSkXSJ6LIy3MnqZG2Jw. This key is not known by any other names Are you sure you want to continue connecting (yes/no/[fingerprint])? ^C cbaines@lakeside ~$ ssh ::1 ssh: connect to host ::1 port 22: Connection refused This isn't an issue if you're not using IPv6, but if you have a machine only accessible via IPv6, then you can't ssh in. The main workaround I've found is getting access via other means, then starting sshd listening on a different port (as the shepherd is using 22). --=-=-= Content-Type: application/pgp-signature; name="signature.asc" -----BEGIN PGP SIGNATURE----- iQKlBAEBCgCPFiEEPonu50WOcg2XVOCyXiijOwuE9XcFAmJ48MhfFIAAAAAALgAo aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldDNF ODlFRUU3NDU4RTcyMEQ5NzU0RTBCMjVFMjhBMzNCMEI4NEY1NzcRHG1haWxAY2Jh aW5lcy5uZXQACgkQXiijOwuE9Xej5BAAuTPOUHID47ahLzs49HfFGQzGKPWFZoOj RbneFfm27U3/NXsHY19To/yj/OtVK9L5hWtWiLF93nHYWUQDHvS/XXEGWHOCD0jM ToVBfvGRu+KFuGsB3au9vZHGoiZprQWOhKw1r8rfQ3Cs2rKy/QCfTAcAa7Ie7vtB G/sQyFhbH8i6+pJaGifkdvMaX01vdlIyFfhIXuKvmcOexHvneN0jXEnbQR8sWzD9 hhKPMAw3NJGrrB/eJgkKE9rcoeXRo3SAESBDdj6ZTyePaJRxXf/enpkCMUy8+nJr a/KWl7h8EOJnGSzI55Fltk2K+MKqHURSp2JTuin6CinNLIAzRcROlrDFh5aCMLFh lE57sGvuccxVCWBOxVEwiZg2dWWuSXxWI8FiKzYXDWDrEwy4vphA4Ed7fo9nzPP8 e49iEPQveoQ4vOfXVQSHwDnuTt0yFMQH929OAr0nzJS4AaLkjos2KZfawsdPCO67 Ngwpf03gCPeDaoXU7Pf8qO9DudvR+0GM2WOvrp4hwTobyVGTnl8kfFPHg0lrLWSU lhSplkvGmXaAiCLQKqB2DFCV5X7C/9Dt2/pcLWtmbg1u2l5J16slAx2TJaoPga5t K5zTMJy0TpHslkuW2yLxNb/y/l7jWgq8ZuXlCuTnusshbVjASoNrDz0TzLRfPRvw SNcfJV0Sofg= =55Mq -----END PGP SIGNATURE----- --=-=-=--