[Bug 3473] New: Option to use non-temporary IPv6 source addresses for sessions

bugzilla-daemon at mindrot.org bugzilla-daemon at mindrot.org
Tue Sep 13 07:26:38 AEST 2022


            Bug ID: 3473
           Summary: Option to use non-temporary IPv6 source addresses for
           Product: Portable OpenSSH
           Version: v9.0p1
          Hardware: Other
                OS: Linux
            Status: NEW
          Severity: enhancement
          Priority: P5
         Component: ssh
          Assignee: unassigned-bugs at mindrot.org
          Reporter: bugzilla.mindrot.org at pobox.madduck.net

When IPv6-privacy addresses are in use, Linux generates new IPv6
addresses at regular intervals, and deprecates old ones. Those
deprecated addresses won't get used for new connections, but where they
are active in existing connections, they remain valid until the end of
their validity period. Once the validity lifetime expires, however, the
source address simply vanishes, and all TCP connections using this
address die. Arguably, this could be fixed at kernel-level, and those
addresses kept alive, but hear me out…

I can set `net.ipv6.conf.default.use_tempaddr=1`, and the IPv6 address
encoding my MAC address will be used for all outgoing connections —
this would fix the problem — but it would also mean that I become
instantly trackable across locations, because of my MAC address.

With SSH, I also don't generally care about privacy like I do with HTTP
& Co.. In fact, when I log in to remote systems, I *like* it when
reverse DNS works and `w` and `last` and what-have-you-command show
from whence folks are logged in.

I am not sure it's at all possible, but I surely wanted to file a
wishlist issue that SSH offer an option to choose a non-temporary,
non-privacy IPv4 for outgoing connections, as if
`net.ipv6.conf.default.use_tempaddr` was set to 1, not 2.

If it's any help, then here is the `ip addr` output for both types of

    inet6 fc00:39:39:0:defb:48ff:fe15:304/64 scope global dynamic
mngtmpaddr noprefixroute 
       valid_lft 86345sec preferred_lft 14345sec
    inet6 fc00:39:39:0:574a:eeb:ba9c:f9a2/64 scope global temporary
       valid_lft 85878sec preferred_lft 9933sec

The first is static in that it encodes the MAC address. The second is
random. The `mngtmpaddr` is the flag you are after.

I.e.: can SSH be configured to prefer using `mngtmpaddr` source
addresses for outgoing connections over the temporary ones, even if the
system is configured to prefer the temporary ones?

Thanks for your consideration!

You are receiving this mail because:
You are watching the assignee of the bug.

More information about the openssh-bugs mailing list