6

TLDR

In sshd_config(5), this config segment:

Match Address fe80::/10
        PasswordAuthentication yes

... is not matching link-local IPv6 addresses as expected. Why and how to fix?

I am trying to configure sshd to only allow password authentication when connecting from local addresses. Otherwise public key authentication is required. This is the relevant config in sshd_config.

PubkeyAuthentication yes
AuthorizedKeysFile      .ssh/authorized_keys
PasswordAuthentication no

# Allow password auth on local network
Match Address 169.254.0.0/16,192.168.0.0/16
        PasswordAuthentication yes
Match Address fe80::/10
        PasswordAuthentication yes

What works:

  • Public key authentication enabled on all addresses, as expected.
  • Password authentication enabled on address range 169.254.0.0/16,192.168.0.0/16 when connecting via IPv4, as expected.

What does not work:

  • Password authentication is not enabled on address range fe80::/10 when connecting via IPv6.

PuTTY Error

Relevant line in var/log/secure:

sshd[9457]: Connection reset by fe80::39c9:9db5:5a2a:1299%eth0 port 60468 [preauth]

... which is an address that should be matched by fe80::/10

Checklist items I've done:

  • IPv6 traffic is not blocked by firewall
  • sshd is listening on both stacks
$ netstat -tupln | grep sshd
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      8903/sshd
tcp6       0      0 :::22                   :::*                    LISTEN      8903/sshd
  • Combining / splitting the Match statements for IPv4 and IPv6 does nothing Match Address 169.254.0.0/16,192.168.0.0/16,fe80::/10 This doesn't work either.
  • Putting the IPv6 address in square brackets Match Address [fe80::]/10 No bueno.
  • sshd does not log any config error in var/log/secure
  • Not a client problem - tried OpenSSH, PuTTY, WinSCP and got the same error

Versions:

sshd running on CentOS 7

$ uname -msr
Linux 5.4.72-v8.1.el7 aarch64
$ ssh -V
OpenSSH_7.4p1, OpenSSL 1.0.2k-fips  26 Jan 2017

I've already asked this question over on /r/sysadmin's discord server, and people's reaction was "weird". See our full conversation here if you are interested. It has some more minor details on the different things I tried.

Improve this question
8
  • 2
    Sorry for my previous comment. Please try to use only 1 time Match Address 169.254.0.0/16,192.168.0.0/16,fe80::/10, instead of 2 times. It may possible that the 2nd entry of Match Address is being discarded. Commented Jul 13, 2021 at 12:04
  • That was what I did originally, as I listed in the things I already tried. "Combining / splitting the Match statements for IPv4 and IPv6 does nothing" Commented Jul 13, 2021 at 13:18
  • Wait, you are trying to login via root? What value do you have for PermitRootLogin in your /etc/ssh/sshd_config? Please try to login with a normal user, instead of root. Commented Jul 13, 2021 at 13:39
  • The fact that I'm trying to login as root is irrelevant here. The error is clearly about authentication method; plus I can login as root just fine as long as I'm on IPv4 and/or using public key authentication. Commented Jul 13, 2021 at 13:44
  • No, it's not irrelevant, the default login method for root ssh login is using public-key-only. You better check your value for PermitRootLogin. Commented Jul 13, 2021 at 13:47

1 Answer 1

Reset to default
11

After trying just about everything I could think of, I was able to find a solution that worked for me. I wanted to allow password auth to users on my LAN but only allow key based auth from outside the LAN which is why I ended up finding this post.

From other reading I saw some indication that square brackets should be used with an ipv6 address and I also saw in the sshd logs that it logged the interface name (i.e. eth0, wlan0) where my connection came from when I would connect using ipv6.

I decided to test all of the combos until I found something that worked. I put in my full ipv6 address and did not use a /10 to make sure that the format of that would not interfere and I tried with and without the interface name and with and without brackets (and putting them around different parts of the address) and I can definitively say that sshd does not like the brackets. Any time I included them it did not work.

It also did not work without the interface name specified even if I used my full exact ipv6 address so it seems like sshd expects an ipv6 address to not include square brackets as it would in a URL and expects that it will include the interface name no matter what.

The last piece was the /10 to include all link local addresses. I initially expected the correct form to be fe80::/10%eth0 but surprisingly that did not work. Instead sshd expects you to write fe80::%eth0/10. I guess this kind of makes sense if you view the /10 as modifying the entire ip address where a proper and complete ipv6 address is some number and an interface name while an ipv4 is only the number, but in either case, with that twist unraveled, I had a solution.

This was the full match block I used to allow ipv4 and ipv6 local connections to authenticate with passwords:

Match Address 10.0.0.0/8,172.16.0.0/12,192.168.0.0/16,fe80::%eth0/10
        PasswordAuthentication yes

Obviously you would need to modify the name eth0 to be the correct interface name for you machine, (you can look at the list of them with ifconfig or check the sshd logs when you attempt to connect via ipv6 to see what interface your connection is using) and If you wanted to support connections from multiple interfaces I think you need to specify ,fe80::%name/10 for each one.

I hope this answer helps others who stumble upon this thread (and maybe OP, though I am not sure how much help this will be five months later)

Improve this answer
2
  • 1
    OP here. Thanks for this very detailed answer - such answers are never too late. The servers in question are my personal servers, and the entire reason I wanted to have such a configuration is so that I don't get locked out in case I lost all my private keys in some terrible accident. I will be applying this configuration this weekend; your effort is very much appreciated! Commented Jan 7, 2022 at 8:00
  • I had the same problem and your solution worked, but because I was using a NAT with port forwarding, external IPs were still able to connect as SSH just saw the local router IP... So be careful! Commented Dec 21, 2023 at 23:40

You must log in to answer this question.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.