With IPv6 disabled, openssh will not forward X connections

Bug #882878 reported by gdahlman
This bug affects 44 people
Affects | Status | Importance | Assigned to | Milestone
portable OpenSSH | Unknown | Unknown | |
openssh (Debian) | New | Unknown | |
openssh (Ubuntu) | Confirmed | Low | Unassigned |
openssh (openSUSE) | Fix Released | Medium | |

Bug Description

If you disable IPv6 in /etc/sysctl.conf sshd will not forward X11.

It logs the failure in /var/log/auth.log:

Oct 27 18:49:26 uscps002 sshd[14722]: Accepted password for root from 172.20.10.50 port 60322 ssh2
Oct 27 18:49:26 uscps002 sshd[14722]: pam_unix(sshd:session): session opened for user root by (uid=0)
Oct 27 18:49:27 uscps002 sshd[14722]: error: Failed to allocate internet-domain X11 display socket.

Apparently the compiled sshd version will not try an IPv4 localhost if an IPv6 localhost does not exist.

Placing the following line in /etc/ssh/sshd_config fixes the issue

X11UseLocalHost no

root@uscps002:/var/log# lsb_release -rd
Description: Ubuntu 11.10
Release: 11.10
root@uscps002:/var/log#

root@uscps002:/var/log# uname -a
Linux uscps002 3.0.0-12-server #20-Ubuntu SMP Fri Oct 7 16:36:30 UTC 2011 x86_64 x86_64 x86_64 GNU/Linux

Tags: precise xenial
In , Diego-ercolani (diego-ercolani) wrote :

When you disable IPv6 from the yast2 network, the system correctly removes the assignment of IPv6 addresses from everywhere, but there is an annoying bug in openssh that breaks the ability to make X11 tunnels, because it seems that ssh tries to bind the X11 tunnel to an IPv6 address even with IPv6 disabled, causing this kind of message in /var/log/messages:

Aug 17 16:47:28 franz2011 sshd[6300]: error: Failed to allocate internet-domain X11 display socket.

This can be avoided by correctly configuring the file /etc/ssh/sshd_config with the parameter:

AddressFamily inet

and restarting sshd.
This is done according to this bug reported to the Debian bug system:
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=422327#20

Reproducible: Always

Robie Basak (racb) wrote :

Thanks for reporting this.

I'm a bit confused as to what sshd is trying to do, since on my system I have an IPv4-only localhost and an IPv6-only localhost6 defined in /etc/hosts.

I'm setting the priority to Low as this is an unusual configuration and a workaround is available.

Changed in openssh (Ubuntu):
importance: Undecided → Low
summary: - With IPv6 disable openssh will on forward X connections
+ With IPv6 disabled, openssh will not forward X connections
gdahlman (gdahlman) wrote :

It appears that they are not using the resolver when building arguments for xauth, but I agree.

I filed the bug mostly so that others experiencing the issue could find the workaround.

In , Alberto-zacchetti (alberto-zacchetti) wrote :

The same thing happens on my system. You can also fix it by entering the -4 option in /etc/sysconfig/ssh, but it would be better to correct the problem.

Launchpad Janitor (janitor) wrote :

Status changed to 'Confirmed' because the bug affects multiple users.

Changed in openssh (Ubuntu):
status: New → Confirmed
tags: added: precise
Changed in openssh (Debian):
status: Unknown → New
Changed in openssh (openSUSE):
importance: Unknown → Medium
status: Unknown → Confirmed
In , Pcerny-v (pcerny-v) wrote :

Created an attachment (id=580591)
OpenSSH 6.5p1 patch

preliminary patch for OpenSSH 6.5p1

In , Bwiedemann (bwiedemann) wrote :

This is an autogenerated message for OBS integration:
This bug (712683) was mentioned in
https://build.opensuse.org/request/show/224303 Factory / openssh

Etienne Papegnies (etienne-papegnies) wrote :

I'm affected by this on Xenial.

tags: added: xenial
In , Tchvatal (tchvatal) wrote :

Was fixed and updates were released. The issue was left open, closing.

Changed in openssh (openSUSE):
status: Confirmed → Fix Released
Christian Ehrhardt (paelzer) wrote :

I don't like to delta for that with upstream agreement - as it is a hard change in behavior.
I checked latest openssh git and the code is still as-is.

@CJWatson - with your openssh experience - what do you think about suggesting the Suse patch [1] or [2] - actually [3] is the latest version of the same - to upstream?

[1]: https://bugzilla.novell.com/attachment.cgi?id=580591&action=diff
[2]: https://build.opensuse.org/package/view_file/openSUSE:Factory/openssh/openssh-6.5p1-X_forward_with_disabled_ipv6.patch?rev=1c09c84b8dda320105cf7b59928951c4
[3]: https://build.opensuse.org/package/view_file/openSUSE:Factory/openssh/openssh-7.2p2-X_forward_with_disabled_ipv6.patch?expand=1

Colin Watson (cjwatson) wrote :

I'd suggest asking the author of the patch rather than me.

(And the patch is terribly ugly. It would need to be cleaned up before submission.)

Christian Ehrhardt (paelzer) wrote : Re: [Bug 882878] Re: With IPv6 disabled, openssh will not forward X connections

On Wed, Aug 23, 2017 at 6:26 PM, Colin Watson <email address hidden>
wrote:

> I'd suggest asking the author of the patch rather than me.
>

Yeah, right in terms of authorship and in any way he might know if that was
already tried/discussed upstream.

Christian Ehrhardt (paelzer) wrote :

Hi Peter,
while looking into an issue (on Ubuntu) I found that you solved it for SuSe
a long time ago in [1] via [2].
That change seems to be carried forward since, with the last revision being
[3].

I wondered if it was tried to bring the change upstream?
I didn't find any reference, but this is from long ago so I hoped you might
know some more context.
Was it discussed, nack-ed for a reason or is there anything else why this
isn't upstream after all the years?
Before adopting your or a similar change it would be nice to get that
context info.

[1]: https://bugzilla.novell.com/show_bug.cgi?id=712683
[2]: https://bugzilla.novell.com/attachment.cgi?id=580591&action=diff
[3]: https://build.opensuse.org/package/view_file/openSUSE:Factory/openssh/openssh-7.2p2-X_forward_with_disabled_ipv6.patch?expand=1

P.S. This is the mail to Peter with the bug on CC, to "log" it there.

Christian Ehrhardt (paelzer) wrote :

Reply from Petr, that is not auto-added due to not having a LP user, quoting:
"It's mainly me not pushing it (too busy to do it properly, but you're right, it's a shame). I actually found upstream bug: https://bugzilla.mindrot.org/show_bug.cgi?id=2143

Attached patch is pretty much what has been hanging in the upstream bugzilla for the last 4 years.

Thanks
Cheers"

Christian Ehrhardt (paelzer) wrote :

He added a refreshed patch to the upstream issue (thanks!) and I linked the issue up here to track progress.
Given it is accepted upstream the next merge would pick the change up.

Tong Sun (suntong001) wrote :

Found this page while tracing for the fix to this very bug. I can't believe that after 6+ years, it is still not fixed.
Hope it can be fixed soon...

Steve Dodd (anarchetic) wrote :

Still broken in bionic in 2020!
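
The following triage helper is an added example, not part of the original bug report or of OpenSSH. It classifies a host against the failure and the three workarounds discussed in this thread (AddressFamily inet, the -4 option, X11UseLocalHost no). It assumes IPv6 was disabled through the net.ipv6.conf.all.disable_ipv6 sysctl, and the names triage, global_settings and the status strings are hypothetical.

```python
X11_ERROR = "Failed to allocate internet-domain X11 display socket"

# Log lines quoted from the report above.
SAMPLE_LOG = [
    "Oct 27 18:49:26 uscps002 sshd[14722]: Accepted password for root from 172.20.10.50 port 60322 ssh2",
    "Oct 27 18:49:27 uscps002 sshd[14722]: error: Failed to allocate internet-domain X11 display socket.",
]
# Constructed sshd_config fragment: forwarding on, no workaround applied.
SAMPLE_CONFIG = "# constructed sample\nX11Forwarding yes\n"


def global_settings(config_text):
    """Global sshd_config keywords, lowercased; the first value of a keyword wins."""
    settings = {}
    for raw in config_text.splitlines():
        fields = raw.strip().split(None, 1)
        if not fields or fields[0].startswith("#"):
            continue
        if fields[0].lower() == "match":  # conditional blocks are not evaluated here
            break
        value = fields[1].strip().lower() if len(fields) > 1 else ""
        settings.setdefault(fields[0].lower(), value)
    return settings


def triage(config_text, disable_ipv6, log_lines, sshd_args=""):
    """Classify one host; disable_ipv6 is the integer read from the assumed sysctl."""
    cfg = global_settings(config_text)
    hits = sum(1 for line in log_lines if "sshd[" in line and X11_ERROR in line)
    if cfg.get("x11forwarding", "no") != "yes":
        status = "not-applicable"            # X11 forwarding is not enabled
    elif cfg.get("addressfamily", "any") == "inet" or "-4" in sshd_args.split():
        status = "worked-around-ipv4-only"   # proxy display stays on loopback
    elif cfg.get("x11uselocalhost", "yes") == "no":
        status = "worked-around-wildcard"    # proxy display bound to the wildcard address
    elif disable_ipv6 == 1:
        status = "affected"
    else:
        status = "ok"
    return {"status": status, "log_hits": hits}


if __name__ == "__main__":
    print(triage(SAMPLE_CONFIG, 1, SAMPLE_LOG))
```

The two kinds of workaround are reported separately because AddressFamily inet and -4 leave the forwarded display on the loopback address, whereas X11UseLocalHost no makes sshd bind it to the wildcard address, which sshd_config(5) notes the loopback default exists to avoid.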
