Impossible to disable IPv4

Bug #713002 reported by dnmvisser on 2011-02-04
20
This bug affects 2 people
Affects Status Importance Assigned to Milestone
openssh (Ubuntu)
Undecided
Unassigned
Hardy
Medium
Colin Watson

Bug Description

Stable release update justification:

Impact: IPv4 access to IPv6-only OpenSSH servers cannot be disabled in Ubuntu 8.04 LTS. On systems where IPv4 connectivity is present but IPv6 is primary (which is currently fairly rare, but seems likely to become much more common over the remaining lifetime of 8.04) this will have confusing effects on access control.
Development branch: Fixed upstream for OpenSSH 4.9p1 (http://bazaar.launchpad.net/~vcs-imports/openssh/main/revision/5290).
Patch: See "Development branch" - the patch applies cleanly.
TEST CASE: Either of the two sshd_config options in the original report below should disable IPv4 access (test with 'ssh -4') and leave IPv6 access intact (test with 'ssh -6').
Regression potential: The most likely problem is a socket that becomes IPv6-only but was somehow important for IPv4 access. I suggest testing that IPv4 access remains unimpaired, and in particular I think it would be worth testing X forwarding.

Original report:

Last week I changed our infrastructure so that our ~20 Ubuntu boxes can only be managed with SSH via IPv6.
To do this I added "ListenAddress ::1" to sshd_config.
This seems to work fine on our 10.04LTS boxes (OpenSSH_5.3p1 Debian-3ubuntu), but this configuration does not work on our 8.04LTS boxes: they are still reachable via IPv4.

The same thing goes for "AddressFamily inet6", that options works on 10.04, but not on 8.04.

Classified as security bug, although I realise that probably not many are affected by this.

Kees Cook (kees) on 2011-02-05
security vulnerability: yes → no
visibility: private → public
Colin Watson (cjwatson) wrote :

Fixed in newer releases, as you say. I suspect that this may be the upstream commit responsible for fixing it, which would mean that it was fixed in OpenSSH 4.9p1:

  http://bazaar.launchpad.net/~vcs-imports/openssh/main/revision/5290

I've applied this patch to version 1:4.7p1-8ubuntu2~ppa1 in this archive:

  https://launchpad.net/~cjwatson/+archive/openssh

Could you please try it out and report whether it fixes this problem?

Changed in openssh (Ubuntu):
status: New → Fix Released
Changed in openssh (Ubuntu Hardy):
assignee: nobody → Colin Watson (cjwatson)
importance: Undecided → Medium
status: New → Triaged
dnmvisser (dnmvisser) wrote :

Confirmed, the patched version works as expected, both options actually work!

Thanks for testing! I've uploaded this change to hardy-proposed; it's
currently waiting for approval. Once it's published there (you'll be
notified by way of a comment in this bug), it would be helpful if you
could validate that that version also works, so that it can be promoted
to hardy-updates.

description: updated

Accepted openssh into hardy-proposed, the package will build now and be available in a few hours. Please test and give feedback here. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Thank you in advance!

Changed in openssh (Ubuntu Hardy):
status: Triaged → Fix Committed
tags: added: verification-needed
dnmvisser (dnmvisser) wrote :

Pakcage from hardy-proposed works FINE.
Thanks.

tags: added: verification-done
removed: verification-needed
Marc Deslauriers (mdeslaur) wrote :

NACK on this update.

Package currently in proposed is missing changes from 1:4.7p1-8ubuntu1.1 and 1:4.7p1-8ubuntu1.2.

See bug #722505

tags: added: verification-failed
removed: verification-done
Colin Watson (cjwatson) wrote :

Whoops, thanks! I'll merge these back together.

Colin Watson (cjwatson) wrote :

I've uploaded 1:4.7p1-8ubuntu3 now, which contains the changes from hardy-security.

dnmvisser (dnmvisser) wrote :

Should I test again?

Martin Pitt (pitti) wrote :

Accepted openssh into hardy-proposed, the package will build now and be available in a few hours. Please test and give feedback here. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Thank you in advance!

tags: removed: verification-failed
tags: added: verification-needed
dnmvisser (dnmvisser) wrote :

new version in hardy-proposed 1:4.7p1-8ubuntu3 also works FINE.

Martin Pitt (pitti) on 2011-03-08
tags: added: verification-done
removed: verification-needed
Thorsten Glaser (mirabilos) wrote :

ssh-vulnkey and ssh’ing out WFM too. Thanks!

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package openssh - 1:4.7p1-8ubuntu3

---------------
openssh (1:4.7p1-8ubuntu3) hardy-proposed; urgency=low

  * Merge 1:4.7p1-8ubuntu1.1 and 1:4.7p1-8ubuntu1.2 from hardy-security.

openssh (1:4.7p1-8ubuntu2) hardy-proposed; urgency=low

  * Backport from upstream:
    - Only listen for IPv6 connections on AF_INET6 sockets (LP: #713002).
 -- Colin Watson <email address hidden> Wed, 02 Mar 2011 10:53:07 +0000

Changed in openssh (Ubuntu Hardy):
status: Fix Committed → Fix Released
tags: added: testcase
To post a comment you must log in.
This report contains Public information  Edit
Everyone can see this information.

Duplicates of this bug

Other bug subscribers