2

My VPS listens to SSH on port 222. On my clients I created an ssh_config so that the non-default port need not be explicitly provided on the command line every time. (Some daemons which internally use SSH and must connect to my server do not even allow specifying a different port.)

Matching of the DNS name and IPv4 address works as expected, but IPv6 is not matched. How do I specify IPv6 addresses in ssh_config?

My configuration looks like

Host my-server.my-domain.tld x.y.w.z [xxxx:yyyy::zzzz]
    HostName my-server.my-domain.tld
    Port 222

Currently, when some process tries to connect to my server, I see an error that the server refused the connection on port 22 via IPv6, and then the process falls back to IPv4 and successfully connects to the server on port 222.

I have already tried to specify the IPv6 address without the square brackets, but then SSH complains about a syntactically invalid DNS or IPv4 address. I have also tried to move the IPv6 address to its own Host block without success.

8
  • Please edit your post to include the ListenAddress directives from your SSHD configuration. Also, your question appears to be about your sshd server but your Host configuration that you list is client-side configuration. Your server settings should be in /etc/ssh/sshd_config, while your client settings are in /etc/ssh/ssh_config. Commented Jul 1, 2024 at 17:10
  • 1
    Remove [ ]? What's HostName doing there? Commented Jul 1, 2024 at 17:15
  • Even though you say "I have already tried to specify the IPv6 address without the square brackets, but then SSH complains about a syntactically invalid DNS or IPv4 address", using IPv6 addresses without the brackets works just fine for Host patterns for me (OpenSSH 9.7p1). Which version are you using? Commented Jul 1, 2024 at 17:24
  • Your server configuration is not related to ssh_config. Your server configuration is specified in sshd_config. Commented Jul 1, 2024 at 17:34
  • I do solve this using aliases plus entries in /etc/hosts. Works fine with all IPv6. Even SSHFS is working properly. Commented Jul 1, 2024 at 19:38

1 Answer

2

It's possible you may be confused on where to configure how your SSH server listens for connections, and where to configure how your SSH client initiates connections.

When I put these entries in /etc/ssh/sshd_config:

Port 222
#ListenAddress 0.0.0.0
#ListenAddress ::

(in other words, a configured port number, but default values for IPv4 and IPv6 listening addresses) and if I configure my public interface with these IPs:

inet 10.10.11.35 netmask 0xffffff00 broadcast 10.10.11.255
inet6 fdad:cafe:f00d::1 prefixlen 48

and restart my sshd service to look for which sockets it's listening on, I see both TCPv4 port 222, and TCPv6 port 222:

root     sshd        8722 3   tcp6   *:222           *:*
root     sshd        8722 4   tcp4   *:222           *:*

Now if I edit ~/.ssh/config to instruct my SSH client to differentiate between the IPv6 host jimsdesk and the IPv4 host jimsdeskv4:

$ grep -B4 -A3 jimsdeskv4 ~/.ssh/config
Host jimsdesk fdad:cafe:f00d::1
  Hostname fdad:cafe:f00d::1
  Port 222

Host jimsdeskv4 10.10.11.35
  Hostname 10.10.11.35
  Port 222

Notice there are no brackets around the IPv6 addresses. Also, those entries could equally well be put in /etc/ssh/ssh_config.

Then by choosing the right host nickname, I can connect via IPv6:

$ ssh jimsdesk set | grep ^SSH
SSH_CLIENT='fdad:cafe:f00d::1 52341 222'
SSH_CONNECTION='fdad:cafe:f00d::1 52341 fdad:cafe:f00d::1 222'

or via IPv4:

$ ssh jimsdeskv4 set | grep ^SSH
SSH_CLIENT='10.10.11.35 29742 222'
SSH_CONNECTION='10.10.11.35 29742 10.10.11.35 222'

I can also SSH directly to the IPv6 address, and my .ssh/config figures it out just fine.

$ ssh fdad:cafe:f00d::1 set | grep ^SSH
SSH_CLIENT='fdad:cafe:f00d::1 47360 222'
SSH_CONNECTION='fdad:cafe:f00d::1 47360 fdad:cafe:f00d::1 222'

Update: As @Muru points out in the comments below, if you have trusted clients who need to connect but cannot accommodate a non-standard TCP port, you will need to use two Port lines in /etc/ssh/sshd_config:

Port 22
Port 222

Again, this needs to be in /etc/ssh/sshd_config, not /etc/ssh/ssh_config for the SSHD server to react to it.

If listening on port 22 is a deal-breaker for you, then you'll need to implement firewall rules sufficient to protect TCP4 and TCP6 ports 22 from any clients who are not authorized to access your SSH server. Alternatively, you could implement firewall rules which selectively redirect ports 22 to ports 222 but only for permitted source IP numbers, but you'd also need to similarly re-map reverse traffic. It's likely that simply permitting TCP ports 22 traffic only from known clients is the easier (and more secure) way to go.

6
  • I think you have overlooked the first paragraph. OP has various software on their clients which use SSH but do not allow specifying custom ports, so they use ~/.ssh/config instead. And they specify both hostname and IP in it so that it doesn't matter if the problematic software does DNS resolution itself and passes the IP to ssh. (OP has already configured the server; you can see this from their statement that the client software's IPv6 connections end up using port 22 and failing.) Commented Jul 2, 2024 at 0:13
  • @muru Updated. Let me know what else I can do to reverse the downvote. Commented Jul 2, 2024 at 6:16
  • Ok. These clients apparently do somehow use ssh_config and therefore do pick up the non-standard port for IPv4 addresses: "I see an error that the server refused the connection on port 22 via IPv6, and then the process falls back to IPv4 and successfully connects to the server on port 222". Commented Jul 2, 2024 at 6:39
  • Thanks, @muru. @user2690527, if that is the case, that suggests a possible error in your client's ~/.ssh/config or /etc/ssh/ssh_config. Ensure that they are using syntax equivalent to that shown below the grep -B4 -A3 ... command in my answer. Commented Jul 2, 2024 at 7:23
  • My server config is just fine. It listens to port 222 on both IPv4 and IPv6 just fine. I can also connect to my server on port 222 via IPv6, if I invoke ssh with the server's IPv6 address from one of my clients. The ONLY problem is that my clients do not use port 222 if they try to connect via IPv6, because they apparently seem not to match the Host directive. @muru seems to have a point here that the square brackets are the problem here. I also run OpenSSH 9.7p1. Commented Jul 2, 2024 at 19:14
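
The failure mode discussed in this thread (a bracketed IPv6 entry on the Host line never matching, so the client falls back to port 22) can be reproduced with a small model of ssh_config Host matching. This is an added example, not code from the posts or from OpenSSH; it assumes the pattern rules documented in ssh_config(5) (only `*` and `?` are wildcards, `!` negates, first obtained value wins), and the host name and addresses are constructed from documentation ranges.

```python
# Simplified model of ssh_config Host matching (added example, not OpenSSH code).
# Assumptions: only Host/Port are modelled; '*' and '?' are the only wildcards,
# '!' negates a pattern, and the first Port obtained wins (per ssh_config(5)).
# Host name and addresses below are constructed (documentation ranges).

def match_pattern(s, p):
    """Match s against p where only '*' and '?' are special; '[' ']' are literal."""
    if not p:
        return not s
    if p[0] == "*":
        return any(match_pattern(s[i:], p[1:]) for i in range(len(s) + 1))
    if s and (p[0] == "?" or p[0] == s[0]):
        return match_pattern(s[1:], p[1:])
    return False

def host_block_applies(target, patterns):
    """A Host line applies if some pattern matches and no negated one does."""
    matched = False
    for pat in patterns:
        if pat.startswith("!"):
            if match_pattern(target, pat[1:]):
                return False
        elif match_pattern(target, pat):
            matched = True
    return matched

def effective_port(config, target, default=22):
    """Return the Port the client would use for target under config."""
    applies = True  # options before any Host line apply to every host
    for line in config.splitlines():
        words = line.split()
        if not words or words[0].startswith("#"):
            continue
        key, args = words[0].lower(), words[1:]
        if key == "host":
            applies = host_block_applies(target, args)
        elif key == "port" and applies:
            return int(args[0])  # first obtained value wins
    return default

BRACKETED = """
Host my-server.example 192.0.2.10 [2001:db8::1]
    HostName my-server.example
    Port 222
"""
BARE = BRACKETED.replace("[2001:db8::1]", "2001:db8::1")

if __name__ == "__main__":
    for name, cfg in (("bracketed", BRACKETED), ("bare", BARE)):
        for target in ("my-server.example", "192.0.2.10", "2001:db8::1"):
            print(f"{name:9} {target:18} -> port {effective_port(cfg, target)}")
```

On a real client, `ssh -G <address>` prints the options that would be applied to that target, including `port`, without connecting.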
