vino only listens for ipv6 connections

Bug #196675 reported by Mark Silence on 2008-02-28
This bug affects 6 people
Affects Status Importance Assigned to Milestone
vino
Fix Released
Medium
vino (Ubuntu)
Low
Ubuntu Desktop Bugs

Bug Description

Binary package hint: vino

It appears that vino only listens for ipv6 connections by default?

madasi@silence-guardian:/etc/X11$ sudo netstat -l -t -p
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 *:ssh *:* LISTEN 4993/sshd
tcp 0 0 localhost:ipp *:* LISTEN 5054/cupsd
tcp 0 0 *:31416 *:* LISTEN 5129/boinc_client
tcp 0 0 *:smtp *:* LISTEN 5539/master
tcp6 0 0 *:5900 *:* LISTEN 5984/vino-server

root@silence-guardian:~# cat /etc/lsb-release
DISTRIB_ID=Ubuntu
DISTRIB_RELEASE=7.10
DISTRIB_CODENAME=gutsy
DISTRIB_DESCRIPTION="Ubuntu 7.10"

root@silence-guardian:~# apt-cache policy vino
vino:
  Installed: 2.20.0-0ubuntu1
  Candidate: 2.20.0-0ubuntu1
  Version table:
 *** 2.20.0-0ubuntu1 0
        500 http://us.archive.ubuntu.com gutsy/main Packages
        100 /var/lib/dpkg/status

I would expect it to also listen for ipv4 by default.

Samuel Lidén Borell (samuellb) wrote :

I can connect from an IPv4 IP (127.0.0.1). I think tcp6 includes IPv4 tcp as well. Have you tried running "vncviewer 127.0.0.1" from a terminal?

Changed in vino:
status: New → Incomplete

Kees Cook (kees) wrote :

Confirmed for version 2.22.1-1.
  tcp6 0 0 ::1:5901 :::* LISTEN 32592/vino-server

Changed in vino:
importance: Undecided → Low
status: Incomplete → Confirmed

Kees Cook (kees) wrote :

(though I can still connect on ipv4...)

Richard Hansen (rhansen) wrote :

I am unable to connect via IPv4 (Hardy).

Thomas Guyot-Sionnest (dermoth) wrote :

When you select to allow only local connections, it listens on ::1, which doesn't seem to allow tcp4 connections to 127.0.0.1. The workaround is to allow all connections and implement firewall rules.

This is very annoying for those expecting "local" connections to be from remote hosts, like when using SSH tunnels.

Jorge Pereira (jpereiran) wrote :

Hi,

   if you know how, try applying the last patch found in http://bugzilla.gnome.org/show_bug.cgi?id=403183
because this patch solves this problem, and the next release fixes this problem!

[]s

Changed in vino:
assignee: nobody → desktop-bugs
status: Confirmed → Triaged

Changed in vino:
status: Unknown → Confirmed

Ambricka (petter-ambricka) wrote :

No problem connecting with ipv4 here, even though my netstat -tlp looks similar.
A bigger problem for me is when I'm only reachable via ipv6 and the host isn't listed in dns I can't connect with vinagre which doesn't accept raw ipv6 host addresses. (Or am I just wrong in the ipv6 notation?)

Jorge Pereira (jpereiran) wrote :

Ambricka,

what is the version of vino that you are using for the test?

Ambricka (petter-ambricka) wrote :

oh, somewhat newer than the original post.

petter@nattbrygga:~$ apt-cache policy vino
vino:
  Installed: 2.24.1-0ubuntu1
  Candidate: 2.24.1-0ubuntu1
  Version table:
 *** 2.24.1-0ubuntu1 0
        500 http://se.archive.ubuntu.com intrepid/main Packages
        100 /var/lib/dpkg/status

It could depend on sysctl settings, if ipv6 binds ipv4 too
net.ipv6.bindv6only = 0
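
The socket behaviour discussed in the comments above can be reproduced directly. The following is an added example, not code from vino or from any commenter: it opens tcp6 listeners in the three configurations mentioned in this thread and tests each one from 127.0.0.1 and from ::1. The case labels and function names are chosen here, and the script sets IPV6_V6ONLY per socket to stand in for the net.ipv6.bindv6only default.

```python
import socket

# (bind address, IPV6_V6ONLY) for the three listener setups seen in the thread.
CASES = {
    "[::] bindv6only=0": ("::", False),   # tcp6 wildcard, dual-stack
    "[::] bindv6only=1": ("::", True),    # tcp6 wildcard, IPv6 only
    "[::1] local only":  ("::1", False),  # the "only allow local" bind
}


def reachable(family, addr, port):
    """Return True if a TCP connect to addr:port succeeds."""
    with socket.socket(family, socket.SOCK_STREAM) as client:
        client.settimeout(2)
        try:
            client.connect((addr, port))
            return True
        except OSError:
            return False


def probe(bind_addr, v6only):
    """Open a tcp6 listener and test it from both loopback addresses."""
    with socket.socket(socket.AF_INET6, socket.SOCK_STREAM) as srv:
        # Per-socket setting; net.ipv6.bindv6only only supplies its default.
        srv.setsockopt(socket.IPPROTO_IPV6, socket.IPV6_V6ONLY, int(v6only))
        srv.bind((bind_addr, 0))  # port 0: the kernel picks a free port
        srv.listen(5)
        port = srv.getsockname()[1]
        return {
            "ipv4": reachable(socket.AF_INET, "127.0.0.1", port),
            "ipv6": reachable(socket.AF_INET6, "::1", port),
        }


def run_cases():
    """Return {case: {"ipv4": bool, "ipv6": bool}}, or None without IPv6."""
    try:
        return {name: probe(*args) for name, args in CASES.items()}
    except OSError:
        return None  # no usable IPv6 loopback on this host


if __name__ == "__main__":
    for name, result in (run_cases() or {}).items():
        print(f"{name:20} {result}")
```

On a Linux host with an IPv6 loopback address, only the first case answers on 127.0.0.1; a listener bound to ::1 is not reachable over IPv4 regardless of the sysctl value.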

Ambricka (petter-ambricka) wrote :

Hmm, sorry. After some further investigations I can confirm that vino doesn't accept connections with "only allow local".
However, this seems to be fixed upstream since a couple of days ago.

Changed in vino:
status: Confirmed → Fix Released

Changed in vino:
status: Triaged → Fix Committed

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package vino - 2.25.91-0ubuntu1

---------------
vino (2.25.91-0ubuntu1) jaunty; urgency=low

  * New upstream release (LP: #330215)
    - Install autostart file in $sysconfdir/xgd/autostart. Usually you
      should pass the argument --sysconfdir=/etc to configure (or
      autogen.sh) script.
    - i18n related fixes.
    - Minor fixes. (LP: #196675, #228370, #237883, #289034)
    - Translations (ast, bg, ca, da, es, et, eu, hu, nl, or, pl, pt_BR,
      pt, ro, sv, th, vi, zh_HK, zh_TW)
  * Add Vcs-Bzr in debian/control.in
  * Re-generate debian/control

 -- Didier Roche <email address hidden> Mon, 16 Feb 2009 20:35:56 +0100

Changed in vino:
status: Fix Committed → Fix Released

Neumarke (nospam1-neumarke) wrote :

I'm not sure how this is fixed.

I'm looking at Jaunty 9.04 Alpha 5 with vino 2.25.91, and it seems that the user interface has changed and no longer includes the option to allow only local connections. In fact, the whole "advanced" tab is gone.

So it's fixed by completely removing functionality? Screenshot attached.

Jonh Wendell (wendell) wrote :

That feature was replaced by the new gconf key: /desktop/gnome/remote_access/network_interface
Run gconf-editor and browse that directory in order to read the documentation on how it works.

And yes, I've removed the 'advanced' tab. 'Advanced' users know how to use gconf-editor to tune applications. The advanced tab was a mistake I made. Blame me.

Maverick88 (amtor) wrote :

Jonh -- It sounds like you must now run gconf-editor to be able to restrict the vino vnc server to accept only local connections. If you do that, can you still connect to vino via an SSH tunnel? It sounds like you can now.

Can you also confirm that this bug was fixed in Hardy Heron 8.04 LTS? If not, is there a workaround in Hardy?

On Sat, 2009-04-25 at 17:36 +0000, Maverick88 wrote:
> Jonh -- It sounds like you must now run gconf-editor to be able to
> restrict the vino vnc server to accept only local connections. If you
> do that, can you still connect to vino via an SSH tunnel? It sounds
> like you can now.

Sure. It's enough to set the
key /desktop/gnome/remote_access/network_interface to "lo", for
instance.

> Can you also confirm that this bug was fixed in Hardy Heron 8.04 LTS?
> If not, is there a workaround in Hardy?

I don't think so.
--
Jonh Wendell
http://www.bani.com.br

Vladimir Senkov (hangup) wrote :

John,
You mentioned it's enough to set the key /desktop/gnome/remote_access/network_interface to "lo".
Could you clarify what it is enough for, specifically?
I did this and on my PC it is still listening on tcp6 :::5900 allowing other machines to connect. I have boxes on the same subnet and they were all able to connect without a problem.
I'd like only the localhost (i.e. ssh tunnel) to be able to connect.
How do I make vino bind to 127.0.0.1 only?
It looks like no matter how I configure it, vino opens a security hole on my machine if I enable it.
Please correct me if I'm wrong.
I'm running Ubuntu 9.04 that was just installed a week ago and wasn't modified in any way.

Jonh Wendell (wendell) wrote :

Vladimir, go to a terminal and type ifconfig. Find out which interface is your loopback. In my machine it is "lo". Put that interface in the vino gconf key.

Changed in vino:
importance: Unknown → Medium

Jérôme Poulin (jeromepoulin) wrote :

I think this bug can be closed, I'm pretty sure it is related to the bindv6only /proc parameter which was set by default at that time.
