With IPv6 disabled, openssh will not forward X connections

Bug #882878 reported by gdahlman on 2011-10-28
This bug affects 43 people
Affects Status Importance Assigned to Milestone
portable OpenSSH
openssh (Debian)
openssh (Ubuntu)
openssh (openSUSE)
Fix Released

Bug Description

If you disable IPv6 in /etc/sysctl.conf sshd will not forward X11.

It logs the failure in /var/log/auth.log:

Oct 27 18:49:26 uscps002 sshd[14722]: Accepted password for root from port 60322 ssh2
Oct 27 18:49:26 uscps002 sshd[14722]: pam_unix(sshd:session): session opened for user root by (uid=0)
Oct 27 18:49:27 uscps002 sshd[14722]: error: Failed to allocate internet-domain X11 display socket.

Apparently the compiled sshd version will not try an IPv4 localhost if an IPv6 localhost does not exist.

Placing the following line in /etc/ssh/sshd_config fixes the issue

X11UseLocalHost no

root@uscps002:/var/log# lsb_release -rd
Description: Ubuntu 11.10
Release: 11.10

root@uscps002:/var/log# uname -a
Linux uscps002 3.0.0-12-server #20-Ubuntu SMP Fri Oct 7 16:36:30 UTC 2011 x86_64 x86_64 x86_64 GNU/Linux

When you disable IPv6 from the yast2 network, the system correctly removes the assignment of IPv6 addresses from everywhere, but there is an annoying bug in openssh that breaks the possibility to make X11 tunnels, because it seems that ssh tries to bind the X11 tunnel to an IPv6 address even with IPv6 disabled, causing this kind of message in /var/log/messages:

Aug 17 16:47:28 franz2011 sshd[6300]: error: Failed to allocate internet-domain X11 display socket.

This can be avoided by correctly configuring the file /etc/ssh/sshd_config with the parameter:

AddressFamily inet

and restarting sshd.
This is done according to this bug reported to the Debian bug system:

Reproducible: Always

Steps to Reproduce:

Robie Basak (racb) wrote :

Thanks for reporting this.

I'm a bit confused as to what sshd is trying to do, since on my system I have an IPv4-only localhost and an IPv6-only localhost6 defined in /etc/hosts.

I'm setting the priority to Low as this is an unusual configuration and a workaround is available.

Changed in openssh (Ubuntu):
importance: Undecided → Low
summary: - With IPv6 disable openssh will on forward X connections
+ With IPv6 disabled, openssh will not forward X connections

gdahlman (gdahlman) wrote :

It appears that they are not using the resolver when building arguments for xauth, but I agree.

I filed the bug mostly so that others experiencing the issue could find the workaround.

The same thing happens on my system. You can also fix it by entering the -4 option in /etc/sysconfig/ssh, but it would be better to correct the problem.
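
The workarounds named in this report are not equivalent: AddressFamily inet keeps the X11 forwarding listener on the loopback address, while X11UseLocalhost no makes sshd bind it to the wildcard address, where other hosts can reach it. The audit below is an added example, not part of the report or of OpenSSH. Its function names, result labels and sample inputs are constructed, it assumes IPv6 is disabled through the net.ipv6.conf.all.disable_ipv6 sysctl, it reads only the global section of sshd_config, and it cannot tell whether the installed build already carries a fix.

```python
import re

# sshd_config defaults for the three keywords this audit looks at.
DEFAULTS = {"x11forwarding": "no", "x11uselocalhost": "yes", "addressfamily": "any"}
X11_ERROR = "Failed to allocate internet-domain X11 display socket"

def ipv6_disabled(sysctl_text):
    """True if the last disable_ipv6 assignment in sysctl.conf-style text is 1."""
    value = "0"
    for line in sysctl_text.splitlines():
        m = re.match(r"\s*net\.ipv6\.conf\.all\.disable_ipv6\s*=\s*(\d+)", line)
        if m:
            value = m.group(1)  # later lines override earlier ones
    return value == "1"

def sshd_globals(sshd_text):
    """Global sshd_config values; for each keyword the first occurrence wins."""
    cfg = {}
    for line in sshd_text.splitlines():
        tokens = [t for t in re.split(r"[\s=]+", line.strip()) if t]
        if len(tokens) < 2 or tokens[0].startswith("#"):
            continue
        key = tokens[0].lower()  # keywords are case-insensitive
        if key == "match":       # conditional blocks are not evaluated here
            break
        cfg.setdefault(key, tokens[1].lower())
    return {k: cfg.get(k, default) for k, default in DEFAULTS.items()}

def assess(sysctl_text, sshd_text):
    """Classify a host against the failure and workarounds in this report."""
    cfg = sshd_globals(sshd_text)
    if cfg["x11forwarding"] != "yes":
        return "x11-forwarding-off"
    if cfg["x11uselocalhost"] == "no":
        return "works-but-wildcard-bind"  # listener reachable from other hosts
    if ipv6_disabled(sysctl_text) and cfg["addressfamily"] != "inet":
        return "affected"
    return "ok-loopback-only"

def x11_failures(log_text):
    """PIDs of sshd processes that logged the display-socket error."""
    return re.findall(r"sshd\[(\d+)\]: error: " + re.escape(X11_ERROR), log_text)

if __name__ == "__main__":
    sysctl = "net.ipv6.conf.all.disable_ipv6 = 1\n"          # constructed
    for sshd in ("X11Forwarding yes\n",
                 "X11Forwarding yes\nAddressFamily inet\n",
                 "X11Forwarding yes\nX11UseLocalHost no\n"):  # constructed
        print(repr(sshd), "->", assess(sysctl, sshd))
```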

Launchpad Janitor (janitor) wrote :

Status changed to 'Confirmed' because the bug affects multiple users.

Changed in openssh (Ubuntu):
status: New → Confirmed
tags: added: precise
Changed in openssh (Debian):
status: Unknown → New
Changed in openssh (openSUSE):
importance: Unknown → Medium
status: Unknown → Confirmed

Created an attachment (id=580591)
OpenSSH 6.5p1 patch

preliminary patch for OpenSSH 6.5p1

This is an autogenerated message for OBS integration:
This bug (712683) was mentioned in
https://build.opensuse.org/request/show/224303 Factory / openssh

I'm affected by this on Xenial.

tags: added: xenial

Was fixed and updates were released. The issue was left open, closing.

Changed in openssh (openSUSE):
status: Confirmed → Fix Released

I don't like to delta for that with upstream agreement - as it is a hard change in behavior.
I checked latest openssh git and the code is still as-is.

@CJWatson - with your openssh experience - what do you think about suggesting the Suse patch [1] or [2] - actually [3] is the latest version of the same - to upstream?

[1]: https://bugzilla.novell.com/attachment.cgi?id=580591&action=diff
[2]: https://build.opensuse.org/package/view_file/openSUSE:Factory/openssh/openssh-6.5p1-X_forward_with_disabled_ipv6.patch?rev=1c09c84b8dda320105cf7b59928951c4
[3]: https://build.opensuse.org/package/view_file/openSUSE:Factory/openssh/openssh-7.2p2-X_forward_with_disabled_ipv6.patch?expand=1

Colin Watson (cjwatson) wrote :

I'd suggest asking the author of the patch rather than me.

(And the patch is terribly ugly. It would need to be cleaned up before submission.)

On Wed, Aug 23, 2017 at 6:26 PM, Colin Watson <email address hidden>

> I'd suggest asking the author of the patch rather than me.

Yeah, right in terms of authorship and in any way he might know if that was
already tried/discussed upstream.

Hi Peter,
while looking into an issue (on Ubuntu) I found that you solved it for SuSe
a long time ago in [1] via [2].
That change seems to be carried forward since, with the last revision being

I wondered if it was tried to bring the change upstream?
I didn't find any reference, but this is from long ago so I hoped you might
know some more context.
Was it discussed, nack-ed for a reason or is there anything else why this
isn't upstream after all the years?
Before adopting your or a similar change it would be nice to get that
context info.

[1]: https://bugzilla.novell.com/show_bug.cgi?id=712683
[2]: https://bugzilla.novell.com/attachment.cgi?id=580591&action=diff

P.S. This is the mail to Peter with the bug on CC, to "log" it there.

Reply from Petr, that is not auto-added due to not having a LP user, quoting:
"It's mainly me not pushing it (too busy to do it properly, but you're right, it's a shame). I actually found upstream bug: https://bugzilla.mindrot.org/show_bug.cgi?id=2143

Attached patch is pretty much what has been hanging in the upstream bugzilla for the last 4 years."

He added a refreshed patch to the upstream issue (thanks!) and I linked the issue up here to track progress.
Given it is accepted upstream the next merge would pick the change up.

Tong Sun (suntong001) wrote :

Found this page while tracing for the fix to this very bug. I can't believe that after 6+ years, it is still not fixed.
Hope it can be fixed soon...
