ValueError when attempting to connect to host via link-local IPv6 Address

[AdmiralNemo]

I encountered this issue today when deploying a service on a network that exclusively uses link-local addressing and multicast DNS.

Traceback (most recent call last):
  …
  File "/usr/lib64/python3.6/site-packages/asyncssh/connection.py", line 5107, in create_connection
    yield from auth_waiter
  File "/usr/lib64/python3.6/site-packages/asyncssh/connection.py", line 582, in connection_made
    self._connection_made()
  File "/usr/lib64/python3.6/site-packages/asyncssh/connection.py", line 2239, in _connection_made
    self._peer_addr, port)
  File "/usr/lib64/python3.6/site-packages/asyncssh/connection.py", line 473, in _match_known_hosts
    match_known_hosts(known_hosts, host, addr, port)
  File "/usr/lib64/python3.6/site-packages/asyncssh/known_hosts.py", line 324, in match_known_hosts
    known_hosts = known_hosts.match(host, addr, port)
  File "/usr/lib64/python3.6/site-packages/asyncssh/known_hosts.py", line 236, in match
    x509_subjects, revoked_subjects = self._match(host, addr, port)
  File "/usr/lib64/python3.6/site-packages/asyncssh/known_hosts.py", line 172, in _match
    ip = ip_address(addr) if addr else None
  File "/usr/lib64/python3.6/site-packages/asyncssh/misc.py", line 121, in ip_address
    return ipaddress.ip_address(_normalize_scoped_ip(addr))
  File "/usr/lib64/python3.6/ipaddress.py", line 54, in ip_address
    address)
ValueError: 'fe80::1298:36ff:fea1:892d%ens224' does not appear to be an IPv4 or IPv6 address

The host in question was specified by name (i.e. thehostname.local), which was resolved by Avahi/libnss_mdns_minimal. The problem is that getpeername returns an IPv6 address including the scope ID for link-local addresses, but the match_known_hosts function does not handle the scope ID correctly. I think the problem is the impedance mismatch between what the ipaddress module considers to be a valid address versus what the socket library needs. I am not sure what the best solution here would be. Since both the raw and parsed values for the address are passed to the match routine, perhaps ignoring the ValueError would be sufficient.

To work around the problem, I had to enable IPv4 link-local addressing on both the client and the server, and disable mDNS resolution to IPv6 addresses on the client.

CentOS Linux release 7.5.1804 (Core)
asyncssh-1.14.0
python36-3.6.6-1.el7.x86_64 (via EPEL)

[ronf]

Thanks for the report, Dustin.

If you look at the ip_address() function in asyncssh/misc.py, you'll see that I attempt to address this issue already of the standard Python ip_address() function not properly handling scoped addresses. That function looks like the following:

def ip_address(addr):
    """Wrapper for ipaddress.ip_address which supports scoped addresses"""

    return ipaddress.ip_address(_normalize_scoped_ip(addr))

The _normalize_scoped_ip() function is just above that:

def _normalize_scoped_ip(addr):
    """Normalize scoped IP address

       The ipaddress module doesn't handle scoped addresses properly,
       so we strip off the CIDR suffix here and normalize scoped IP
       addresses using socket.inet_pton before we pass them into
       ipaddress.

    """

    for family in (socket.AF_INET, socket.AF_INET6):
        try:
            return socket.inet_ntop(family, socket.inet_pton(family, addr))
        except (ValueError, socket.error):
            pass

    return addr

The idea is that _normalize_scoped_ip() should return a version of an IPv6 address with the scope bits set in the address itself, rather than as a '%<interface_name>' suffix. So, for instance, on my Mac here, I have the following interfaces (among others):

lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 16384
        ...
	inet6 fe80::1%lo0 prefixlen 64 scopeid 0x1 
en0: flags=8963<UP,BROADCAST,SMART,RUNNING,PROMISC,SIMPLEX,MULTICAST> mtu 1500
        ...
	inet6 fe80::1cd0:55a5:58f3:37ca%en0 prefixlen 64 secured scopeid 0x5 
en1: flags=8963<UP,BROADCAST,SMART,RUNNING,PROMISC,SIMPLEX,MULTICAST> mtu 1500
        ...
	inet6 fe80::1cd4:7386:2ee2:fcd7%en1 prefixlen 64 secured scopeid 0x6 

Here are some examples of the _normalize_scoped_ip() call:

>>> from asyncssh.misc import _normalize_scoped_ip
>>> _normalize_scoped_ip('fe80::1%lo0')
'fe80:1::1'
>>> _normalize_scoped_ip('fe80::1%en0')
'fe80:5::1'
>>> _normalize_scoped_ip('fe80::1%en1')
'fe80:6::1'

These new values can be fed to ip_address() without triggering the error you reported. Apparently this encoding of the scope ID inside the address is specific to BSD-based network stacks. Trying this same code on Linux, it doesn't appear to work. The call to inet_pton() gives an error:

>>> socket.inet_pton(socket.AF_INET6, 'fe80::1%lo')
Traceback (most recent call last):
  File "<stdin>", line 1, in <module>
OSError: illegal IP address string passed to inet_pton

So, I'm not sure how to work around the problem that ip_address() doesn't accept interface-specific link-local IPv6 addresses using the '%' syntax.

Experimenting a bit, it looks like I might be able to use socket.getaddrinfo() to get back the scope ID from a '%'-style IPv6 literal link-local address on Linux, but I'm not sure there's any way to encode the scope ID inside the IPv6 address once I have that. Manually putting it into the second quad of the address definitely doesn't seem to work there.

I could extend IPv6Address() to actually store the address and interface (or scope ID) separately, and change the matching function to do the CIDR matching on just the IP portion with a separate equality check to make sure the interface/scope ID is correct, but this really feels like something I should leave up to the socket code.

Suggestions are welcome for how to make this work under Linux!

[AdmiralNemo]

Hi Ron, thanks for following up.

I am not really sure I follow you. I understand what you describe you are doing in order to get a value that is suitable for passing to ip_address(), but I am not certain what the point of that really is? The %-delimited value returned by the name lookup is used as-is by OpenSSH when writing to the key cache. I am sure I am missing something here, but I just do not see what benefit there is in attempting to parse it.

[ronf]

When matching using wildcard patterns on the hostname string, you're right that you wouldn't need to convert the string to an ip_address. However, it's also possible to match on CIDR prefixes of IP addresses, and that's where this conversion is needed.

One possibility here would be to catch this error and just fail to allow CIDR matches on link-local IPv6 addresses on systems which don't support the current workaround I put in, but a better answer is probably for me to actually parse out the suffix and do an exact string match on that part combined with a CIDR match on the IP address portion of it. The nice thing about the workaround is that it actually encoded the interface into the address itself, so a CIDR match on that actually matched on both the address and the interface in a single operation.

[ronf]

I just committed 1b6b583 in the "develop" branch to attempt to address this problem. I've reworked the normalization code I had so that it should now work on Linux in addition to Windows and macOS. The basic approach is still the same, inserting the scope id into the second quad of the address for link-local addresses before doing the comparison, but it does the determination of the scope ID differently and inserts it explicitly, rather than relying on inet_ntop/inet_pton. If you're able to test this, please let me know if it resolves the problem you've reported.

[ronf]

This change is now available in AsyncSSH 1.15.0.