
In the below command, example.com has both IPv4 and IPv6 addresses but SSH server listens only on the IPv4 address.

Is there a way to request duplicity to use IPv4 only?

```
duplicity --progress --ssh-options -oIdentityFile=./cloud.pem --encrypt-key=REDACTED --full-if-older-than 2W --include-filelist ./list.txt --exclude '**' --exclude /root/.cache/duplicity / sftp://example.com//mnt/duplicity/
```
Greg Askew
Halacs
  • What is the point? Why publish an address and then decide not to use it? Either it's usable, then the client *should choose freely*, because the client preference is usually ideal. Or it's not working, then it should not even be there, regardless of client configuration. – anx Jun 25 '23 at 13:11
  • probably a routerbox nat'ing some IPv4 port. surely resolving IPv4 to a different domain name would be cleaner, but maybe that is not wanted/possible? – ede-duply.net Jun 26 '23 at 12:39

2 Answers


SSH defaults to AddressFamily=any - switch it to AddressFamily=inet (IPv4) or AddressFamily=inet6 (IPv6) when you want only one IP version attempted. You may need to put such ssh options in ~/.ssh/config, even though you already have -oIdentityFile= in your cmdline. At least my manual page still tells me:

If needed provide more host specific options via ssh_config file.

It would look something like this:

```
# cat ~/.ssh/config
Host example.com
  AddressFamily=inet
  IdentityFile=/path/to/certificate.pem
```

Verify your configuration is picked up by reviewing the effective configuration for that host:

```
ssh -G example.com | grep -i address
addressfamily inet
```

Mind warnings potentially emitted on duplicity startup, as I have seen its non-OpenSSH backend silently mistreat ssh options before.

anx
  • It seems duplicity ignores those arguments: both as a CLI and as ~/.ssh/config – Halacs Jun 25 '23 at 15:25
  • @Halacs It works for me, my destination is `rsync://` though... Did you confirm your configuration works by manually calling `sftp -vv example.com`? If that works, but duplicity does not, maybe it is because you are not using OpenSSH, but a broken version of paramiko, which can silently pretend to be a drop-in replacement even when it should know it is not. You can force duplicity to revert to the legacy "just use the sftp binary" behaviour by specifying the destination with `pexpect+sftp://`. – anx Jun 25 '23 at 17:48
  • another option would be using `pexpect+sftp://` and adding `--ssh-options='AddressFamily=inet'` as a temporary overwrite of the `sftp` command call parameter. – ede-duply.net Jun 26 '23 at 12:43
  • I checked `pxexpect+sftp://` and `sftp://` both with `--ssh-options` and with `~/.ssh/config` with no luck. To make sure, I checked with `ssh -G example.com | grep -i address` and it looks okay. Good news is, however, that `rsync://` with `--ssh-options='-oAddressFamily=inet'` argument works as expected so my problem is solved now. Thanks to all of you! – Halacs Jun 26 '23 at 20:11
  • @Halacs Happy that you solved your immediate problem, but it got intriguing.. mind sharing your versions of OpenSSH, duplicity, python3-paramiko, ..? I wonder how rsync via ssh could possibly end up behaving different from sftp via ssh.. – anx Jun 27 '23 at 00:51
  • @anx sure! duplicity/jammy,now 0.8.21-1build1 amd64; python3-paramiko/jammy,now 2.9.3-0ubuntu1 all; openssh-client/jammy-updates,now 1:8.9p1-3ubuntu0.1 amd64; Ubuntu 22.04.2 LTS – Halacs Jun 27 '23 at 06:44
  • I tried and could not reproduce it on a matching Ubuntu jammy system. My remaining theories are inadvertent reuse of already-established connections (`ControlMaster`) or hostname canonicalization changing what configuration is applied, which should also be visible when using `-G` on the ssh cmdline mentioned in `duplicity --verbosity debug` output. – anx Jul 01 '23 at 22:01

While the answer above sounds like a perfectly good solution, I just want to add this.

There is no global Python switch for this, ...

Another would be to use an underlying way to get your C library to prefer IPv4 or disable IPv6. This will vary by platform, but on Linux using glibc you could edit /etc/gai.conf to always prefer IPv4 over IPv6:

```
precedence ::ffff:0:0/96  100
```

as described on https://serverfault.com/a/1134818/493381

ede-duply.net
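The two answers differ in effect: `AddressFamily=inet` removes IPv6 candidates, while the `gai.conf` precedence line only reorders them, so IPv6 stays available as a fallback. The following is an added example, not code from either answer or from duplicity or glibc; it models only the precedence step of `getaddrinfo` address sorting (the real sort applies other rules first). The table values are the defaults listed in glibc's `/etc/gai.conf`, the function names are hypothetical, and the sample addresses are constructed.

```python
import ipaddress

# glibc's built-in precedence table, as listed (commented out) in /etc/gai.conf.
DEFAULT_TABLE = {
    "::1/128": 50,
    "::/0": 40,
    "2002::/16": 30,
    "::/96": 20,
    "::ffff:0:0/96": 10,
}
# Same table with the IPv4-mapped prefix raised, as in the gai.conf answer.
PREFER_V4_TABLE = {**DEFAULT_TABLE, "::ffff:0:0/96": 100}


def as_v6(addr):
    """Return addr as an IPv6Address; IPv4 becomes IPv4-mapped (::ffff:a.b.c.d)."""
    ip = ipaddress.ip_address(addr)
    if ip.version == 4:
        return ipaddress.IPv6Address(f"::ffff:{ip}")
    return ip


def precedence(addr, table):
    """Longest-prefix match of addr against the precedence table."""
    ip = as_v6(addr)
    nets = [(ipaddress.ip_network(p), v) for p, v in table.items()]
    matches = [(net.prefixlen, val) for net, val in nets if ip in net]
    return max(matches)[1]


def order_candidates(addrs, table):
    """Sort by descending precedence; stable, so ties keep resolver order."""
    return sorted(addrs, key=lambda a: -precedence(a, table))


def restrict_family(addrs, family):
    """Model of AddressFamily=inet/inet6/any: drop the other family entirely."""
    want = {"inet": (4,), "inet6": (6,), "any": (4, 6)}[family]
    return [a for a in addrs if ipaddress.ip_address(a).version in want]


# Constructed sample: documentation-range addresses standing in for example.com.
CANDIDATES = ["2001:db8::10", "192.0.2.10"]

if __name__ == "__main__":
    print("default order:     ", order_candidates(CANDIDATES, DEFAULT_TABLE))
    print("gai.conf tweak:    ", order_candidates(CANDIDATES, PREFER_V4_TABLE))
    print("AddressFamily=inet:", restrict_family(CANDIDATES, "inet"))
```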