#1498 sss_ssh_knownhostsproxy prevents connection if the network is unreachable via one IP address
Closed: Fixed 5 years ago Opened 9 years ago by pbrezina.

If ssh uses sss_ssh_knownhostsproxy, it cannot establish a connection to a hostname if one of its addresses is unreachable.

/etc/ssh/ssh_config

GlobalKnownHostsFile2 /var/lib/sss/pubconf/known_hosts
ProxyCommand /usr/bin/sss_ssh_knownhostsproxy -p %p %h

It seems that sss_ssh_knownhostsproxy tries only one IP address of a host. If the host is unreachable via this address, ssh fails to connect. If ssh is used without sss_ssh_knownhostsproxy, it is able to establish the connection successfully.

[vm-024: ~]$ ssh -vvv fedorapeople.org
OpenSSH_5.9p1, OpenSSL 1.0.0j-fips 10 May 2012
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: /etc/ssh/ssh_config line 50: Deprecated option "GlobalKnownHostsFile2"
debug1: /etc/ssh/ssh_config line 53: Applying options for *
debug2: ssh_connect: needpriv 0
debug1: Executing proxy command: exec /usr/bin/sss_ssh_knownhostsproxy -p 22 fedorapeople.org
debug1: permanently_drop_suid: 529
debug3: Incorrect RSA1 identifier
debug3: Could not load "/home/pbrezina/.ssh/id_rsa" as a RSA1 public key
debug1: identity file /home/pbrezina/.ssh/id_rsa type 1
debug1: identity file /home/pbrezina/.ssh/id_rsa-cert type -1
debug1: identity file /home/pbrezina/.ssh/id_dsa type -1
debug1: identity file /home/pbrezina/.ssh/id_dsa-cert type -1
[vm-024: ~]$ /usr/bin/sss_ssh_knownhostsproxy -p 22 fedorapeople.org --debug 10
(Thu Aug 23 08:12:27:146532 2012) [/usr/bin/sss_ssh_knownhostsproxy] [main] (0x0040): sss_ssh_get_ent() failed (111): Connection refused
(Thu Aug 23 08:12:27:147323 2012) [/usr/bin/sss_ssh_knownhostsproxy] [connect_socket] (0x0040): connect() failed (101): Network is unreachable
[vm-024: ~]$ host fedorapeople.org
fedorapeople.org has address 152.19.134.191
fedorapeople.org has IPv6 address 2610:28:3090:3001:5054:ff:fedb:7f5a
[vm-024: ~]$ ssh 152.19.134.191
(works)
[vm-024: ~]$ ssh 2610:28:3090:3001:5054:ff:fedb:7f5a
ssh: connect to host 2610:28:3090:3001:5054:ff:fedb:7f5a port 22: Network is unreachable
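The behaviour reported above, as an added example that is not SSSD's code: a connect loop that walks every address getaddrinfo() returns (A and AAAA) and fails only when all of them fail, so an unreachable IPv6 route no longer aborts the connection. The addrinfo list is constructed inline and the connect step is injected as a callback, so the example runs offline; try_connect_real() is the real socket()/connect() step a caller would pass instead.

```c
#define _POSIX_C_SOURCE 200112L
/* Added example, not SSSD's code: walk every getaddrinfo() result and fail only
 * after all of them fail, instead of aborting on the first unreachable address
 * (the reported case: AAAA tried first, no IPv6 route, ssh gives up). */
#include <errno.h>
#include <netdb.h>
#include <netinet/in.h>
#include <sys/socket.h>
#include <unistd.h>

/* Return the socket of the first address that connects, or -1 with errno
 * carrying the last failure when no address is reachable. */
static int connect_first_reachable(const struct addrinfo *res,
                                   int (*try_connect)(const struct addrinfo *)) {
    int last_err = EINVAL;                      /* empty list */
    for (const struct addrinfo *ai = res; ai; ai = ai->ai_next) {
        int fd = try_connect(ai);
        if (fd >= 0) return fd;                 /* first reachable family wins */
        last_err = errno;                       /* e.g. ENETUNREACH: keep going */
    }
    errno = last_err;
    return -1;
}

/* Real connector for production use: socket() + connect() on one address. */
int try_connect_real(const struct addrinfo *ai) {
    int fd = socket(ai->ai_family, ai->ai_socktype, ai->ai_protocol);
    if (fd >= 0 && connect(fd, ai->ai_addr, ai->ai_addrlen) == 0)
        return fd;
    if (fd >= 0) { int e = errno; close(fd); errno = e; }
    return -1;
}

/* Constructed stand-in mirroring the report: IPv6 unreachable, IPv4 fine. */
static int try_connect_fake(const struct addrinfo *ai) {
    if (ai->ai_family == AF_INET6) { errno = ENETUNREACH; return -1; }
    return 42;                                  /* fake descriptor, no real socket */
}

/* Constructed two-entry list, AAAA first as resolvers commonly order it. */
static int demo(void) {
    struct sockaddr_in6 a6 = { .sin6_family = AF_INET6 };
    struct sockaddr_in  a4 = { .sin_family = AF_INET };
    struct addrinfo v4 = { .ai_family = AF_INET, .ai_socktype = SOCK_STREAM,
                           .ai_addr = (struct sockaddr *)&a4, .ai_addrlen = sizeof a4 };
    struct addrinfo v6 = { .ai_family = AF_INET6, .ai_socktype = SOCK_STREAM, .ai_next = &v4,
                           .ai_addr = (struct sockaddr *)&a6, .ai_addrlen = sizeof a6 };
    return connect_first_reachable(&v6, try_connect_fake);
}
```

With the constructed list, demo() skips the unreachable IPv6 entry and returns the IPv4 descriptor, which is exactly the fallback the report asks for.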

Fields changed

milestone: NEEDS_TRIAGE => SSSD Deferred
rhbz: => todo

Can we bump this one in priority? With the increased adoption of IPv6, I now see this quite often. We have public DNS servers returning AAAA records, but then IPv6 gets blocked by network, and services fail.

changelog: =>
design: =>
design_review: => 0
fedora_test_page: =>
mark: => 0
review: => 0
selected: =>
sensitive: => 0

If you're seeing issues then we should move the ticket out of deferred, but I don't think it's realistic to squeeze it into 1.14 (unless patches are provided :-)), therefore I would propose 1.15.

milestone: SSSD Deferred => NEEDS_TRIAGE

This should be a 1.14 stretch goal, but we're not sure we will have the capacity to fix the bug in 1.14.0.

milestone: NEEDS_TRIAGE => SSSD 1.14 backlog

Any updates on this? Could you at least add a decent error message?

Replying to [comment:6 jimmyhedman]:

Any updates on this? Could you at least add a decent error message?
There is a candidate fix in the bugzilla linked to this message, but not all reports were positive. It would be nice if you could test the patch linked to that bugzilla.

Since the 1.14 branch is transitioning into maintenance mode and new functionality is being developed in master which will become 1.15 eventually, I'm mass-moving tickets from the 1.14 backlog milestone to the "Future releases" milestone.

milestone: SSSD 1.14 backlog => SSSD Future releases (no date set yet)

Metadata Update from @pbrezina:
- Issue set to the milestone: SSSD Future releases (no date set yet)

5 years ago

So apparently #3366 is a duplicate of this, and it is worrying to see that we do not have a target release to fix this ticket.
Is there a documented workaround?

Metadata Update from @lslebodn:
- Custom field design_review reset (from 0)
- Custom field mark reset (from 0)
- Custom field patch reset (from 0)
- Custom field review reset (from 0)
- Custom field sensitive reset (from 0)
- Custom field testsupdated reset (from 0)
- Issue close_status updated to: None

5 years ago

Metadata Update from @lslebodn:
- Custom field design_review reset (from false)
- Custom field mark reset (from false)
- Custom field patch reset (from false)
- Custom field review reset (from false)
- Custom field sensitive reset (from false)
- Custom field testsupdated reset (from false)

5 years ago

Metadata Update from @lslebodn:
- Custom field design_review reset (from false)
- Custom field mark reset (from false)
- Custom field patch reset (from false)
- Custom field review reset (from false)
- Custom field sensitive reset (from false)
- Custom field testsupdated reset (from false)
- Issue close_status updated to: Fixed
- Issue set to the milestone: SSSD 1.15.3 (was: SSSD Future releases (no date set yet))
- Issue status updated to: Closed (was: Open)

5 years ago

SSSD is moving from Pagure to Github. This means that new issues and pull requests
will be accepted only in SSSD's github repository.

This issue has been cloned to Github and is available here:
- https://github.com/SSSD/sssd/issues/2540

If you want to receive further updates on the issue, please navigate to the github issue
and click on subscribe button.

Thank you for understanding. We apologize for all inconvenience.
