Bug 1173052
| Summary: | X11 forwarding fails if AddressFamily not inet and no IPV6 addresses configured | ||
|---|---|---|---|
| Product: | Red Hat Enterprise Linux 6 | Reporter: | Gerrit Slomma <gerrit.slomma> |
| Component: | openssh | Assignee: | Jakub Jelen <jjelen> |
| Status: | CLOSED WONTFIX | QA Contact: | BaseOS QE Security Team <qe-baseos-security> |
| Severity: | low | Docs Contact: | |
| Priority: | unspecified | ||
| Version: | 6.5 | CC: | cfeller, jjelen, maurizio.antillon, om, plautrba, riehecky |
| Target Milestone: | rc | ||
| Target Release: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | |||
| Fixed In Version: | Doc Type: | Bug Fix | |
| Doc Text: | Story Points: | --- | |
| Clone Of: | Environment: | ||
| Last Closed: | 2015-11-11 09:08:09 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
|
Description
Gerrit Slomma
2014-12-11 11:10:51 UTC
Thank you for taking the time to enter a bug report with us. We appreciate the feedback and look to use reports such as this to guide our efforts at improving our products. That being said, this bug tracking system is not a mechanism for requesting support, and we are not able to guarantee the timeliness or suitability of a resolution. If this issue is critical or in any way time sensitive, please raise a ticket through your regular Red Hat support channels to make certain it receives the proper attention and prioritization to assure a timely resolution. For information on how to contact the Red Hat production support team, please visit: https://access.redhat.com/support/policy/support_process To this case, if I properly disable ipv6, according to: https://access.redhat.com/solutions/8709 respectively in /etc/sysctl.conf: > net.ipv6.conf.eth0.disable_ipv6 = 1 It works for me without any problems. If I leave ipv6 enabled and remove ipv6 addresses from all inteusing # /sbin/ifconfig <interface> inet6 del <ipv6address>/<prefixlength> I'm also unable to reproduce your problem. Using current version of openssh: openssh-5.3p1-104.el6.x86_64 Can you specify your reproducer how to get to your state or retest it with current version? I can confirm this very same problem on Fedora21 with openssh-6.6.1p1-11.1.fc21.x86_64 -- I had to add "AddressFamily inet" into sshd_config after disabling IPv6 via the /etc/sysctl.conf method. This same openssh problem has already been around at least five years, also has Debian and Ubuntu bugs issued to it (the latter also has a suggested patch): https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=595014 https://bugs.launchpad.net/ubuntu/+source/openssh/+bug/882878 Now I can reproduce this behaviour on my Fedora 21, but still not on RHEL 6 # echo "net.ipv6.conf.eth0.disable_ipv6 = 1" >> /etc/sysctl.conf # service sshd restart and from different shell # ssh -X f21 X11 forwarding request failed on channel 0 # rpm -q openssh openssh-6.6.1p1-11.1.fc21.x86_64 Yes, there is more information about this problem even in upstream bugzilla [1], [2] and [3], but no final resolution. It doesn't look like there will be some resolution in upstream. The solution in your linked patch [4] has some issues, namely CVE-2008-1483, as stated in [3], so I think the solution will be one of these: 1) Configure your IPv6 address or disable it (correctly). 2) Configure your openssh (to use or not to use IPv6) according to your network configuration. [1] https://bugzilla.mindrot.org/show_bug.cgi?id=1457 [2] https://bugzilla.mindrot.org/show_bug.cgi?id=2143 [3] https://bugzilla.mindrot.org/show_bug.cgi?id=1356 [4] https://build.opensuse.org/package/view_file/openSUSE:Factory/openssh/openssh-6.5p1-X_forward_with_disabled_ipv6.patch?rev=1c09c84b8dda320105cf7b59928951c4 Development Management has reviewed and declined this request. You may appeal this decision by reopening this request. |