[Bug 3338] New: ListenAddress does hostname lookup, Match LocalAddress does not

bugzilla-daemon at mindrot.org
Thu Aug 12 10:15:16 AEST 2021


https://bugzilla.mindrot.org/show_bug.cgi?id=3338

            Bug ID: 3338
           Summary: ListenAddress does hostname lookup, Match LocalAddress
                    does not
           Product: Portable OpenSSH
           Version: 8.6p1
          Hardware: All
                OS: All
            Status: NEW
          Severity: enhancement
          Priority: P5
         Component: sshd
          Assignee: unassigned-bugs at mindrot.org
          Reporter: clarfon at pm.me

(I tried to initially start a discussion about this on the
openssh-unix-dev mailing list, but could not because the list requires
approval to join.)

My goal is to be able to set up SSH to perform normal remote login on
one IP, and to access git repositories via gitea on another. To do this
with a single sshd instance, from what I understand, the only way is to
provide both IPs to ListenAddress, and then use Match LocalAddress to
separately configure the settings that differ between them.

Right now, I'm trying to simplify my setup so I don't have to hard-code
the IPs into my OpenSSH config, so that I can easily replicate the
config if I switch hosting providers. The simplest way to do this would
be to parameterise hostnames instead of IPs, and simply configure them
locally via /etc/hosts.

As implied by the email subject, this cannot work, since ListenAddress
does perform hostname lookup but Match LocalAddress does not.

I noticed this behaviour in my own testing and confirmed it in the
code: ListenAddress ultimately calls add_one_listen_addr, which calls
getaddrinfo to look up hosts before listening, but for Match
LocalAddress, the string is directly passed to addr_match_list, which
appears to parse the line on every connection and does not perform any
hostname lookup.

I currently do not know enough about the code to make proper changes,
but it seems that the problem here is twofold:

1. The Match parameters should really be parsed ahead of time, so that
the runtime overhead is lower. This isn't strictly required (explained
in a bit), but would be nice anyway.
2. Match LocalAddress should perform address lookup during this parsing
step, to match ListenAddress.
3. Since Match Address uses the same code, this should be modified to
do hostname lookup at runtime instead. We actually would expect
hostnames to change for remote addresses, so, it makes sense to do at
runtime and let the OS subsystems deal with DNS caching.

The problem could potentially be fixed in the meantime by performing
address lookup in addr_match_list, but I'd imagine that the overhead of
the DNS lookup will be much greater than the overhead of simply parsing
the list every time, enough to potentially cause performance problems.
Plus, since ListenAddress only performs the lookup once (it would be
absurd to periodically check DNS and change the listening address if
the DNS changes), I think that Match LocalAddress should do this ahead
of time as well, even though a well-configured system should not care.
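As an added illustration, not code from OpenSSH or from the report above, here is a small Python model of the two code paths the report describes: ListenAddress values go through getaddrinfo (as in add_one_listen_addr), while Match LocalAddress values are compared as literal addresses or CIDR blocks with no lookup (a simplified stand-in for addr_match_list). It also includes a pre-flight lint a practitioner can run over a Match LocalAddress value to catch hostnames that will never match; the function names are mine, and the sample values are constructed.

```python
import ipaddress
import socket


def resolve_listen_address(spec, port=22):
    """ListenAddress side: resolve the value through getaddrinfo, as sshd's
    add_one_listen_addr does, so a hostname becomes one or more addresses."""
    addrs = set()
    for _family, _type, _proto, _canon, sockaddr in socket.getaddrinfo(
            spec, port, type=socket.SOCK_STREAM):
        addrs.add(sockaddr[0])
    return sorted(addrs)


def local_address_matches(spec, local_ip):
    """Match LocalAddress side (simplified addr_match_list): each comma-separated
    entry is parsed as a literal address or CIDR block on every call; a hostname
    cannot be parsed and therefore never matches."""
    ip = ipaddress.ip_address(local_ip)
    for entry in spec.split(","):
        entry = entry.strip()
        try:
            if ip in ipaddress.ip_network(entry, strict=False):
                return True
        except ValueError:
            continue  # hostname or garbage: nothing to compare against
    return False


def lint_match_local_address(spec):
    """Pre-flight check for an sshd_config: return the entries of a
    Match LocalAddress value that are not literal addresses/CIDRs."""
    bad = []
    for entry in spec.split(","):
        entry = entry.strip()
        try:
            ipaddress.ip_network(entry, strict=False)
        except ValueError:
            bad.append(entry)
    return bad


if __name__ == "__main__":
    # Constructed demo: the same value behaves differently on each side.
    for spec in ("127.0.0.1", "localhost"):
        print(spec, "-> ListenAddress binds", resolve_listen_address(spec),
              "| Match LocalAddress hits 127.0.0.1:",
              local_address_matches(spec, "127.0.0.1"))
    print("lint:", lint_match_local_address("git.example.test,192.0.2.5"))
```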
