TCP connect timeout with proxy

Bob Proulx bob at
Fri Mar 27 10:15:18 AEDT 2020

Anand Buddhdev wrote:
> Scott Neugroschl wrote:
> > What's wrong with just using "-4" for this host?
> Here's the situation: I'm connect to a dual-stacked host with A and AAAA
> records. The IPv6 connectivity to the host is broken.

The root cause of the problem is a host advertising IPv6 AAAA records
in the DNS but not supporting a working IPv6 connection.  Fix either
of those two things and your problem goes away at the source.  Either
fix IPv6 so that it works or remove the AAAA records so that no
attempt is made to use IPv6 to connect to it.  Anything else is simply
piling on layers of workaround instead of fixing the root cause of the

It is possible to configure /etc/gai.conf to prefer IPv4 for that host
address.  But that is just a workaround.

> Yes, if I connect directly to a host, I can use '-4' to force IPv4.
> When connecting through a proxy, I can't easily control which address
> family to use, nor the TCP connect timeout. Sure, if I use netcat to
> proxy, I could supply a '-4' to it to force connecting over IPv4. But
> making that permanent is also a pain because I want to connect to
> IPv6-only hosts too.

It is possible to force this for one host with something like this.
Which is just another workaround but perhaps the least bad option.

    ProxyCommand ssh -W %h:%p

             Specifies the real host name to log into.  This can be used to
             specify nicknames or abbreviations for hosts.  Arguments to
             Hostname accept the tokens described in the TOKENS section.
             Numeric IP addresses are also permitted (both on the command line
             and in Hostname specifications).  The default is the name given
             on the command line.

The "ssh -W %h:%p" uses whatever your client
defaults to for inet family.  That seems to be what you want.  Then
the %h expands to forcing IPv4 from the proxyhost to
the broken IPv6 host.  Which is also what you want.  I tested this and
was able to force the inet family using this technique.

It's ugly to hard code in the IPv4 address.  But that's just working
around the breakage of having AAAA DNS records when IPv6 is not
supported.  This could be kept updated with a script if the hostname
were to be changing.  But if this is a server environment with static
IP assignments as I suspect then this address will never change and a
hack like this would be sufficient.

> However, when I'm not on a trusted network, I have to use a proxy to
> connect to that same dual-stacked host. I can do the proxy in one of the
> following ways:
> 1. ssh -tt proxyhost ssh -tt host
> I don't like method #1 at all, for obvious reasons.

I don't know why #1 "works" because on proxyhost I assume it would get
the IPv6 address.  If it gets the IPv4 address then #2 & #3 would also
get the IPv4 address.  But you reported it doesn't.  Which seems in conflict.

> But none of these individual fixes are relevant. I would like a
> finely-tuned ssh config, with a proxy setup, whereby connecting to
> remote hosts doesn't take so long because of the default TCP timeout.
> My use case is connecting to several hosts with ansible using ssh as the
> transport. I can't adjust my ssh config for each host. If IPv6 is not
> working for a host at the time I'm connecting, I'd like the proxy to
> quickly fall back to IPv4. Later, if that host's IPv6 is working again,
> I'd like to be able to use it without hacks.

If there is already automation via ansible then it seems to me that
there could easily be automation on the client side too.  At least for
me there is.  But whatever.  All of these things are simply layers of
workaround on top of the original breakage.  Remember that two wrongs
are... well... really just the beginning! :-)


More information about the openssh-unix-dev mailing list