2

When I connect to a CentOS 7 host with IPv6 my ssh client always adds <IPv6 host addr>%2 to known_hosts even though the host key for this host (with the host's IPv6 address) is already present in known_hosts.

What does the %2 stand for? I'm using the unmodified OpenSSH from CentOS 7 which is version 6.6.1p1-25, release 25.el7_2.

Update: A comment mentioned name resolution as a possible problem. Indeed I'm using systemd-resolved on the client machine. When I remove resolved from /etc/nsswitch.conf (hosts option) the problem does not occur anymore. This is with systemd-resolved-219-19.el7_2.7.x86_64.

Update (Feb 2017): I just noticed systemd-resolved bug 4465 so the behavior I noticed was/is just a bug which will be fixed in a later version of systemd.

Felix Schwarz

1 Answer

6

Different classes of IPv6 address have different scope. You will come across addresses of scope host (for example ::1), link (for example fe80::200:5eff:fe00:5342), global (for example 2001:db8::1).

When an address with scope link is used on a host with more than one link, the % notation is used to indicate which link the address is used on.

All addresses starting with fe80: are in the link-local scope and may need an interface specification. Interfaces can be specified by their name or their number. For example, on the computer I am typing this from, eth0 is interface number 2, so fe80::200:5eff:fe00:5342%2 and fe80::200:5eff:fe00:5342%eth0 would be equivalent. Either notation would indicate the host with link-local address fe80::200:5eff:fe00:5342 on the network which my eth0 interface is connected to.

kasperd
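An added example, not part of the original question or answer: a small audit of a known_hosts file that lists every entry carrying a `%zone` suffix, says whether the address is link-local (the scope the answer describes as needing a zone), and flags entries whose key is already stored under the same address without the suffix, as in the question. The sample file content and key strings are constructed placeholders, and the function names are hypothetical.

```python
import ipaddress

# Constructed sample known_hosts content (keys are placeholders, not real keys).
SAMPLE = """\
2001:db8::10 ssh-ed25519 AAAAC3PLACEHOLDERKEY1
2001:db8::10%2 ssh-ed25519 AAAAC3PLACEHOLDERKEY1
fe80::200:5eff:fe00:5342%eth0 ssh-ed25519 AAAAC3PLACEHOLDERKEY2
[2001:db8::20%2]:2222 ssh-rsa AAAAB3PLACEHOLDERKEY3
|1|aGFzaGVk|c2FsdA== ssh-ed25519 AAAAC3PLACEHOLDERKEY4
"""

def parse_entries(text):
    """Yield (line_no, host, keytype, key) for each plain host pattern."""
    for no, line in enumerate(text.splitlines(), 1):
        fields = line.split()
        if not fields or fields[0].startswith("#"):
            continue
        if fields[0].startswith("@"):       # @cert-authority / @revoked marker
            fields = fields[1:]
        if len(fields) < 3 or fields[0].startswith("|"):
            continue                         # malformed or hashed: cannot inspect
        for host in fields[0].split(","):
            if host.startswith("[") and "]" in host:
                host = host[1:host.index("]")]   # strip the [host]:port wrapper
            yield no, host, fields[1], fields[2]

def find_zoned_entries(text):
    """Report entries whose host is an IPv6 literal with a %zone suffix."""
    entries = list(parse_entries(text))
    unscoped = {(h, t, k) for _, h, t, k in entries if "%" not in h}
    findings = []
    for no, host, keytype, key in entries:
        addr, sep, zone = host.partition("%")
        if not sep:
            continue
        try:
            ip = ipaddress.IPv6Address(addr)
        except ValueError:
            continue                         # not an IPv6 literal
        findings.append({
            "line": no, "address": addr, "zone": zone,
            "link_local": ip.is_link_local,  # True for fe80::/10 addresses
            "duplicate": (addr, keytype, key) in unscoped,
        })
    return findings

if __name__ == "__main__":
    for finding in find_zoned_entries(SAMPLE):
        print(finding)
```

Hashed host entries (`|1|...`) are skipped because the address cannot be recovered from them.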