
Unable to bind SSH only to a dynamic interface
Open, Requires assessment | Public | FEATURE REQUEST

Description

The "set service ssh listen-address" command only accepts IPv4 or IPv6 addresses as arguments, but if the given interface is getting its address from DHCP, this address is unknown as it can and will change over time. Other commands accept an interface for these cases so it would be fantastic if we could do this...

set service ssh listen-address eth0

... and have eth0 translated to the provisioned address at runtime (and update sshd_config, restart sshd, etc. whenever the IP address changes via dhcpc hooks/systemd/etc.).

I'm opening this as a feature request but IMHO this is a gap in Crux that prevents VyOS from being fully utilized with DHCP interfaces. Thanks!

Details

Difficulty level
Unknown (require assessment)
Version
-
Why the issue appeared?
Will be filled on close
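
The mechanism the request describes (resolve the interface's leased address at runtime and rewrite sshd_config when it changes), as an added sketch that is neither VyOS code nor from this thread: a dhclient exit hook, IPv4 only. It assumes ISC dhclient's hook variables (reason, interface, new_ip_address), a hand-managed sshd_config and a systemd unit named ssh; MANAGED_IF and SSHD_CONFIG are hypothetical settings.

```shell
#!/bin/sh
# Added illustration, not VyOS code. Function bodies run in subshells "( )"
# so a hook sourced by dhclient-script leaks no variables into it.

# is_ipv4 ADDR -> 0 only for a dotted quad with octets 0-255. The lease value
# ends up in a root-owned config, so anything else (newlines, spaces, extra
# directives) is rejected before it can reach the file.
is_ipv4() (
    case "$1" in ''|*[!0-9.]*|*..*|.*|*.) return 1 ;; esac
    rest=$1 n=0
    while [ -n "$rest" ]; do
        octet=${rest%%.*}
        [ "${#octet}" -le 3 ] && [ "$octet" -le 255 ] || return 1
        n=$((n + 1))
        case "$rest" in *.*) rest=${rest#*.} ;; *) rest='' ;; esac
    done
    [ "$n" -eq 4 ]
)

# set_listen_address CONFIG ADDR
# returns 0 = file rewritten, 1 = already current, 2 = rejected or failed
set_listen_address() (
    cfg=$1 addr=$2
    is_ipv4 "$addr" || return 2
    tmp=$(mktemp "$cfg.XXXXXX") || return 2
    # Exactly one ListenAddress survives: it replaces the first existing one,
    # or is placed ahead of the first Match block so it stays a global option.
    awk -v want="ListenAddress $addr" '
        function emit() { if (!done) { print want; done = 1 } }
        { key = tolower($1) }
        key == "listenaddress" { emit(); next }
        key == "match"         { emit() }
        { print }
        END { emit() }
    ' "$cfg" > "$tmp" || { rm -f "$tmp"; return 2; }
    if cmp -s "$tmp" "$cfg"; then rm -f "$tmp"; return 1; fi
    chmod 644 "$tmp" && mv "$tmp" "$cfg"    # atomic swap on the same filesystem
)

# Hook entry point: a no-op unless dhclient has set the variables below.
MANAGED_IF=${MANAGED_IF:-eth0}                    # hypothetical setting
SSHD_CONFIG=${SSHD_CONFIG:-/etc/ssh/sshd_config}  # hypothetical setting
case "${reason:-}" in
    BOUND|RENEW|REBIND|REBOOT)
        if [ "${interface:-}" = "$MANAGED_IF" ] &&
           set_listen_address "$SSHD_CONFIG" "${new_ip_address:-}"; then
            # Restart only when the rewritten file passes sshd's own check.
            sshd -t -f "$SSHD_CONFIG" && systemctl restart ssh
        fi ;;
esac
```

Because the rewrite is skipped when the file is already current, an ordinary lease renewal with an unchanged address does not restart sshd.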

Event Timeline

c-po added a subscriber: c-po. May 22 2019, 4:02 PM

You can always let SSH listen to a loopback address

ekim added a comment. May 22 2019, 7:23 PM

Our use case requires that the SSH listener be a public IP address (no NAT), of which we only get the one on the DHCP interface. As such, your suggestion will not work for us.

hagbard added a subscriber: hagbard. Edited May 22 2019, 7:50 PM

What about destination NAT? (https://vyos.readthedocs.io/en/latest/nat.html#destination-nat) + binding it to loopback.

Or if DNAT is a no go, use wireguard and tunnel it.

ekim added a comment. May 22 2019, 8:25 PM

There are many complexities with our deployments that force our hand for acceptable configuration paradigms. It might make more sense to discuss this directly via email like we did for the DHCP VTI/VPN features/bug fixes that are included in 1.2.1.

Much like the VPN portion of the config that allows for the selection for a dhcp-interface we're looking for similar capability with ssh-listen address.

pasik added a subscriber: pasik. May 23 2019, 6:51 AM