Bug 640857

Summary: ssh throws an error when using default listening due to ipv4 and ipv6
Product: Red Hat Enterprise Linux 5
Component: openssh
Version: 5.5
Hardware: All
OS: Linux
Status: CLOSED ERRATA
Severity: high
Priority: high
Reporter: Greg Swift <gregswift>
Assignee: Petr Lautrbach <plautrba>
QA Contact: BaseOS QE Security Team <qe-baseos-security>
CC: cww, davem, herbert.xu, jbenc, jjaburek, kabbott, ksrot, mvadkert, plautrba, pvrabec, rmunilla, rvokal, tgraf
Target Milestone: rc
Fixed In Version: openssh-4.3p2-80.el5
Doc Type: Bug Fix
Last Closed: 2012-02-21 06:11:54 UTC
Bug Blocks: 758797

Attachments (Description / Flags):
sshd patch to set IPV6_V6ONLY (untested) / none
use IPV6_V6ONLY for inet6 socket / none

Description Greg Swift 2010-10-06 22:24:54 UTC
Description of problem:
The default sshd_config does not specify a specific interface to listen on.  When it attempts to bind port 22, it does so on ipv6 then ipv4.  The second attempt targeting ipv4 proceeds to throw an error due to a failed attempt to bind the port.

Version-Release number of selected component (if applicable):
openssh-4.3p2-41.el5

How reproducible:
Constantly.

Steps to Reproduce:
1. Install RHEL server
2. Restart sshd
3. tail /var/log/secure
  
Actual results:
Oct  6 22:18:12 infra3 sshd[1732]: Received signal 15; terminating.
Oct  6 22:18:13 infra3 sshd[3537]: Server listening on :: port 22.
Oct  6 22:18:13 infra3 sshd[3537]: error: Bind to port 22 on 0.0.0.0 failed: Address already in use.

Expected results:
Oct  6 22:18:12 infra3 sshd[1732]: Received signal 15; terminating.
Oct  6 22:18:13 infra3 sshd[3537]: Server listening on :: port 22.

Additional info:
I realize that this is not a big deal, it's a benign error.  But it's an unnecessary error, and something admins in our organization have noticed and set their sshd_config's Listen value to prevent.

Comment 1 Jan F. Chadima 2011-07-28 10:22:12 UTC
Can you contact Red Hat support please?

Comment 2 Greg Swift 2011-07-28 13:14:55 UTC
RH Ticket 918088 created

Comment 5 Jan F. Chadima 2011-08-01 08:59:43 UTC
Please include your sshd_config and network configuration to be able to reproduce the problem. Indicate the specific settings that can affect the behavior of sshd.

Comment 9 Jan F. Chadima 2011-08-22 13:36:55 UTC
I can confirm that the error occurs after restarting the service.
I can also confirm that the port is bound only on IPV6.
But trying to connect the host via IPV4 I've found no error.
This seems to be caused by unexpected IPv4/IPv6 behavior in rhel5.

Comment 10 Jan F. Chadima 2011-08-22 13:59:25 UTC
Reassigning to the kernel because it is due to the kernel behavior.

Comment 12 Jiri Benc 2011-10-10 10:43:04 UTC
From man 7 ipv6:

----
IPv4 and IPv6 share the local port space.  When you get an IPv4 connection or packet to a IPv6 socket, its source address will be mapped to v6 and it will be mapped to v6.
----

Obviously, there cannot be two sockets bound to the same port on the same address (or on INADDR_ANY/in6addr_any).

The kernel is behaving as expected here. ssh should bind only to ipv6 when both ipv4 and ipv6 variants are returned by getaddrinfo with AF_UNSPEC. Reassigning back.

Comment 13 Jiri Benc 2011-10-10 13:17:33 UTC
Actually, a better solution is to set the IPV6_V6ONLY option on the IPv6 socket.

The reason for the reported behavior is IPv4-mapped IPv6 addresses. The Linux AF_INET6 socket interface by default supports IPv4-compatible mode (RFC 3493 section 3.7). Thus, the IPv6 socket also receives all IPv4 traffic. Specifying the socket as IPV6_V6ONLY (RFC 3493 section 5.3) turns off the behavior, allowing the application to listen on both an IPv4 and an IPv6 socket.

Comment 14 Jiri Benc 2011-10-10 13:33:06 UTC
Created attachment 527240 [details]
sshd patch to set IPV6_V6ONLY (untested)

Comment 18 Petr Lautrbach 2011-11-25 16:36:29 UTC
Created attachment 536373 [details]
use IPV6_V6ONLY for inet6 socket

This patch will be used in the update. It is adapted from openssh-5.9p1 and it's similar to #c14

Before:
Nov 25 17:33:23 rhel-5-openssh sshd[2488]: Server listening on :: port 22.
Nov 25 17:33:23 rhel-5-openssh sshd[2488]: error: Bind to port 22 on 0.0.0.0 failed: Address already in use.

After:
Nov 25 17:34:08 rhel-5-openssh sshd[2538]: Server listening on :: port 22.
Nov 25 17:34:08 rhel-5-openssh sshd[2538]: Server listening on 0.0.0.0 port 22.

Comment 22 errata-xmlrpc 2012-02-21 06:11:54 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHBA-2012-0237.html