Bug 1436097
| Summary: | ssh -X shows shows error: X11 forwarding request failed on channel 0 | ||
|---|---|---|---|
| Product: | Red Hat Enterprise Linux 7 | Reporter: | Yogita <ysoni> |
| Component: | openssh | Assignee: | Jakub Jelen <jjelen> |
| Status: | CLOSED WONTFIX | QA Contact: | BaseOS QE Security Team <qe-baseos-security> |
| Severity: | low | Docs Contact: | |
| Priority: | unspecified | ||
| Version: | 7.3 | CC: | cww, ysoni |
| Target Milestone: | rc | ||
| Target Release: | --- | ||
| Hardware: | x86_64 | ||
| OS: | Linux | ||
| Whiteboard: | |||
| Fixed In Version: | Doc Type: | If docs needed, set a value | |
| Doc Text: | Story Points: | --- | |
| Clone Of: | Environment: | ||
| Last Closed: | 2017-06-21 21:35:23 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
|
Description
Yogita
2017-03-27 07:26:15 UTC
To my understanding, it looks like a problem that `getaddrinfo()` is returning AF_INET6 addresses even though it is disabled "systemwide" (at least on Fedora as I tested). The related logs in my environment look like
[...]
debug2: bind port 6491: Cannot assign requested address
debug3: sock_set_v6only: set socket 10 IPV6_V6ONLY
[...]
error: Failed to allocate internet-domain X11 display socket.
You can resolve the problem by explicitly selecting ipv4 (not `any` as mentioned in the description):
AddressFamily inet
Since we have this configuration option there (it is unfortunate that it does not confirm to some system-wide settings) it is not probable it will get fixed somehow. This is explained and documented in the KBS about disabling IPv6 [1] even with this limitation explained in this bug.
Adding psimerda if he can give some light into that or if there is anything we can do to improve the state.
[1] https://access.redhat.com/solutions/8709
(In reply to Jakub Jelen from comment #2) > To my understanding, it looks like a problem that `getaddrinfo()` is > returning AF_INET6 addresses even though it is disabled "systemwide" (at > least on Fedora as I tested). In my opinion you should not expect getaddrinfo to remove those addresses for you and the code should be capable of handling the case. When you try to connect to an unreachable IPv6 address, you get an error immediately and you can continue trying with the next address without delay. In your case the problem seems to be related to binding, though. And that's another story. Can you please describe the specific usage of getaddrinfo, the upcoming network-related syscalls and the expected/actual results of those? Well, this was how the OpenSSH behaved before version 5.0. Current behavior was introduced by a fix for CVE-2008-1483 [1] (related commit [2]). The related code can be found here: https://github.com/openssh/openssh-portable/blob/master/channels.c#L4299 So from my point of view it is still either a problem in the getaddinfo() or a thing that really needs to be configured (as described in the KBS). Nothing that could be fixed in OpenSSH source code. What you mean about "another story"? [1] http://www.openssh.com/txt/release-5.0 [2] https://github.com/openssh/openssh-portable/commit/5f5cd746 For the record, there are upstream bugs discussion this problem for years: https://bugzilla.mindrot.org/show_bug.cgi?id=2143 https://bugzilla.mindrot.org/show_bug.cgi?id=1356 I raised the issue on the upstream mailing list again to see if we can have it fixed in some way. |