Author Topic: SSH: Configure SSH not to listen on IPv4 (IPv6 only)  (Read 10181 times)

raf

SSH: Configure SSH not to listen on IPv4 (IPv6 only)
« Reply #12 on: 19 February 2017 at 12:18:18 »
I don't have the answer to my question: what does ListenAddress :: do?
For a recent sshd (and probably all recent distributions) it should work like that.
Otherwise..... ::ffff:192.0.0.2 -> IPv4-mapped addresses (RFC4291 2.5.5.2).

corrector

IPV6_V6ONLY
« Reply #14 on: 21 February 2017 at 22:28:37 »
Quote:
IPV6_V6ONLY controls behavior of AF_INET6 wildcard listening socket. The following example sets the option to 1:

int on = 1;
setsockopt(s, IPPROTO_IPV6, IPV6_V6ONLY, &on, sizeof(on) );


If set to 1, AF_INET6 wildcard listening socket will accept IPv6 traffic only. If set to 0, it will accept IPv4 traffic as well, as if it was from IPv4 mapped address like ::ffff:10.1.1.1. Note that if you set this to 0, IPv4 access control gets much more complicated. For example, even if you have no listening AF_INET socket on port X, you will end up accepting IPv4 traffic by AF_INET6 listening socket on the same port. The default value for this flag is copied at socket instantiation time, from net.inet6.ip6.v6only sysctl(3) variable. The option affects TCP and UDP sockets only.
http://mirror.informatimago.com/next/developer.apple.com/documentation/Darwin/Reference/ManPages/html/ip6.4.html
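The behaviour quoted above, shown end to end as an added example (not code from this thread or from any man page): a wildcard AF_INET6 listener with IPV6_V6ONLY set refuses a plain IPv4 client, while the same listener with the option cleared accepts it as a ::ffff:a.b.c.d mapped connection. Function names, the ephemeral-port choice and the loopback test client are my own assumptions; the option is set explicitly rather than trusting the sysctl default.

```c
#include <arpa/inet.h>
#include <netinet/in.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

/* Create an AF_INET6 TCP socket listening on the wildcard address [::]:port
 * (port 0 lets the kernel pick one). When v6only is nonzero IPV6_V6ONLY is
 * set, so IPv4 clients are refused instead of arriving as ::ffff:a.b.c.d.
 * Returns the listening fd, or -1 on failure (e.g. no IPv6 support). */
int listen_v6(unsigned short port, int v6only) {
    int fd = socket(AF_INET6, SOCK_STREAM, 0);
    if (fd < 0) return -1;
    int on = v6only ? 1 : 0;  /* explicit value, not the sysctl default */
    if (setsockopt(fd, IPPROTO_IPV6, IPV6_V6ONLY, &on, sizeof(on)) < 0) { close(fd); return -1; }
    struct sockaddr_in6 sa;
    memset(&sa, 0, sizeof(sa));
    sa.sin6_family = AF_INET6;
    sa.sin6_port = htons(port);
    sa.sin6_addr = in6addr_any;  /* the :: wildcard */
    if (bind(fd, (struct sockaddr *)&sa, sizeof(sa)) < 0 || listen(fd, 8) < 0) { close(fd); return -1; }
    return fd;
}

/* Read IPV6_V6ONLY back from the socket: 1 = IPv6 only, 0 = dual-stack, -1 = error. */
int get_v6only(int fd) {
    int val = 0; socklen_t len = sizeof(val);
    if (getsockopt(fd, IPPROTO_IPV6, IPV6_V6ONLY, &val, &len) < 0) return -1;
    return val ? 1 : 0;
}

/* Port the listener actually got (host byte order), or 0 on error. */
unsigned short bound_port(int fd) {
    struct sockaddr_in6 sa; socklen_t len = sizeof(sa);
    if (getsockname(fd, (struct sockaddr *)&sa, &len) < 0) return 0;
    return ntohs(sa.sin6_port);
}

/* Attempt a plain IPv4 TCP connection to 127.0.0.1:port.
 * Returns 1 if the kernel completed the handshake, 0 if it was refused. */
int ipv4_connect_accepted(unsigned short port) {
    int c = socket(AF_INET, SOCK_STREAM, 0);
    if (c < 0) return 0;
    struct sockaddr_in sa;
    memset(&sa, 0, sizeof(sa));
    sa.sin_family = AF_INET;
    sa.sin_port = htons(port);
    sa.sin_addr.s_addr = htonl(INADDR_LOOPBACK);
    int ok = connect(c, (struct sockaddr *)&sa, sizeof(sa)) == 0;
    close(c);
    return ok;
}
```

This is exactly the difference between an sshd whose ListenAddress :: socket has the option set and one that has not: the kernel, not the daemon's access control, decides whether IPv4 ever reaches the accept queue.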

corrector

SSH: Configure SSH not to listen on IPv4 (IPv6 only)
« Reply #15 on: 21 February 2017 at 23:23:40 »
Quote: In short, I'd welcome a clean solution for not listening on IPv4 (without specifying an IPv4 address that doesn't exist on the server, and without using iptables).
Why refuse iptables?

- So as not to have a Linux-specific config?
- To keep the option of running an IPv4-only sshd alongside it?
- So that the config doesn't require being administrator?

corrector

SSH: Configure SSH not to listen on IPv4 (IPv6 only)
« Reply #16 on: 21 February 2017 at 23:55:23 »
Explanation of AF_INET6 sockets:

IPv4 connections can be handled with the v6 API by using the v4-mapped-on-v6 address type; thus a program only needs to support this API type to support both protocols. This is handled transparently by the address handling functions in the C library.

IPv4 and IPv6 share the local port space. When you get an IPv4 connection or packet to a IPv6 socket, its source address will be mapped to v6 and it will be mapped to v6.

Address format

struct sockaddr_in6 {
    sa_family_t     sin6_family;   /* AF_INET6 */
    in_port_t       sin6_port;     /* port number */
    uint32_t        sin6_flowinfo; /* IPv6 flow information */
    struct in6_addr sin6_addr;     /* IPv6 address */
    uint32_t        sin6_scope_id; /* Scope ID (new in 2.4) */
};

struct in6_addr {
    unsigned char   s6_addr[16];   /* IPv6 address */
};
sin6_family is always set to AF_INET6; sin6_port is the protocol port (see sin_port in ip(7)); sin6_flowinfo is the IPv6 flow identifier; sin6_addr is the 128-bit IPv6 address. sin6_scope_id is an ID depending on the scope of the address. It is new in Linux 2.4. Linux only supports it for link-local addresses, in that case sin6_scope_id contains the interface index (see netdevice(7)).
IPv6 supports several address types: unicast to address a single host, multicast to address a group of hosts, anycast to address the nearest member of a group of hosts (not implemented in Linux), IPv4-on-IPv6 to address a IPv4 host, and other reserved address types.

The address notation for IPv6 is a group of 8 4-digit hexadecimal numbers, separated with a ':'. "::" stands for a string of 0 bits. Special addresses are ::1 for loopback and ::FFFF:<IPv4 address> for IPv4-mapped-on-IPv6.

The port space of IPv6 is shared with IPv4.

https://linux.die.net/man/7/ipv6