Bug 732955
| Summary: | X11 forwarding fails, if IPv6 is enabled and X11UseLocalhost=no | ||||||||
|---|---|---|---|---|---|---|---|---|---|
| Product: | Red Hat Enterprise Linux 6 | Reporter: | Albert Flügel <albert.fluegel> | ||||||
| Component: | openssh | Assignee: | Petr Lautrbach <plautrba> | ||||||
| Status: | CLOSED ERRATA | QA Contact: | Miroslav Vadkerti <mvadkert> | ||||||
| Severity: | medium | Docs Contact: | |||||||
| Priority: | medium | ||||||||
| Version: | 6.1 | CC: | ksrot, mvadkert, pvrabec | ||||||
| Target Milestone: | rc | ||||||||
| Target Release: | --- | ||||||||
| Hardware: | x86_64 | ||||||||
| OS: | Linux | ||||||||
| Whiteboard: | |||||||||
| Fixed In Version: | openssh-5.3p1-79.el6 | Doc Type: | Bug Fix | ||||||
| Doc Text: |
Cause: ssh X11 forwarding was failing, if IPv6 was enabled and X11UseLocalhost=no
Consequence: users couldn't set X forwarding
Fix: sshd and ssh was fixed to correctly bind port for IPv6 protocol
|
Story Points: | --- | ||||||
| Clone Of: | Environment: | ||||||||
| Last Closed: | 2012-06-20 07:17:11 UTC | Type: | --- | ||||||
| Regression: | --- | Mount Type: | --- | ||||||
| Documentation: | --- | CRM: | |||||||
| Verified Versions: | Category: | --- | |||||||
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |||||||
| Cloudforms Team: | --- | Target Upstream Version: | |||||||
| Embargoed: | |||||||||
| Attachments: |
|
||||||||
please can you check what rules you have in ipv6 firewall or temporarily switch off it (service ip6tabless stop) No ip6 firewall rules are set. For ip4 only the default restrictions for the FORWARD table coming with the distro are set: ACCEPT all -- anywhere 192.168.122.0/24 state RELATED,ESTABLISHED ACCEPT all -- 192.168.122.0/24 anywhere Everything else is ACCEPTed If you have REALLY IPv6 firewall switched of try test the IPv6 routing. Try ping to my IPv6 interface (the same as X server is bound in) I'm really confused now.
First of all: IP6 interface works, whether i start the service ip6tables or not,
with IPv6 address or hostname:
prompt# ping6 bol001b
PING bol001b(bol001b.vih.infineon.com) 56 data bytes
64 bytes from bol001b.vih.infineon.com: icmp_seq=1 ttl=64 time=0.027 ms
64 bytes from bol001b.vih.infineon.com: icmp_seq=2 ttl=64 time=0.034 ms
64 bytes from bol001b.vih.infineon.com: icmp_seq=3 ttl=64 time=0.038 ms
^C
--- bol001b ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 2276ms
rtt min/avg/max/mdev = 0.027/0.033/0.038/0.004 ms
prompt# ping6 fec0::250:56ff:fe8f:178
PING fec0::250:56ff:fe8f:178(fec0::250:56ff:fe8f:178) 56 data bytes
64 bytes from fec0::250:56ff:fe8f:178: icmp_seq=1 ttl=64 time=0.023 ms
64 bytes from fec0::250:56ff:fe8f:178: icmp_seq=2 ttl=64 time=0.037 ms
64 bytes from fec0::250:56ff:fe8f:178: icmp_seq=3 ttl=64 time=0.034 ms
^C
--- fec0::250:56ff:fe8f:178 ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 2307ms
rtt min/avg/max/mdev = 0.023/0.031/0.037/0.007 ms
sshd is bound to both IPv4 and IPv6 address:
[root@bol001b]# ps -ef|grep sshd
root 24650 1 0 11:29 ? 00:00:00 /usr/sbin/sshd
root 25522 20142 0 11:36 pts/2 00:00:00 grep sshd
[root@bol001b]# lsof -p 24650
...
sshd 24650 root 0u CHR 1,3 0t0 3593 /dev/null
sshd 24650 root 1u CHR 1,3 0t0 3593 /dev/null
sshd 24650 root 2u CHR 1,3 0t0 3593 /dev/null
sshd 24650 root 3u IPv6 126271 0t0 TCP *:ssh (LISTEN)
sshd 24650 root 4u IPv4 126273 0t0 TCP *:ssh (LISTEN)
When logging in via ssh i see what i already posted in the strace.
Another try:
...
25364 socket(PF_INET6, SOCK_DGRAM, IPPROTO_IP) = 8
25364 connect(8, {sa_family=AF_INET6, sin6_port=htons(6010), inet_pton(AF_INET6, "::", &sin6_addr), sin6_flowinfo=0, sin6_scope_id=0}, 28) = 0
25364 getsockname(8, {sa_family=AF_INET6, sin6_port=htons(50799), inet_pton(AF_INET6, "::1", &sin6_addr), sin6_flowinfo=0, sin6_scope_id=0}, [28]) = 0
25364 connect(8, {sa_family=AF_UNSPEC, sa_data="\0\0\0\0\0\0\0\0\0\0\0\0\0\0"}, 16) = 0
25364 connect(8, {sa_family=AF_INET, sin_port=htons(6010), sin_addr=inet_addr("0.0.0.0")}, 16) = 0
25364 getsockname(8, {sa_family=AF_INET6, sin6_port=htons(45001), inet_pton(AF_INET6, "::ffff:127.0.0.1", &sin6_addr), sin6_flowinfo=0, sin6_scope_id=0}, [28]) = 0
25364 close(8) = 0
25364 socket(PF_INET, SOCK_STREAM, IPPROTO_TCP) = 8
25364 bind(8, {sa_family=AF_INET, sin_port=htons(6010), sin_addr=inet_addr("0.0.0.0")}, 16) = 0
25364 socket(PF_INET6, SOCK_STREAM, IPPROTO_TCP) = 9
25364 bind(9, {sa_family=AF_INET6, sin6_port=htons(6010), inet_pton(AF_INET6, "::", &sin6_addr), sin6_flowinfo=0, sin6_scope_id=0}, 28) = -1 EADDRINUSE (Address already in use)
25364 close(9) = 0
25364 close(8) = 0
...
Am i doing anything incorrect ? sth missing ?
please provide output of netstat -lnpt and content of the environment variable DISPLAY Attached files: netstat-lnpt-local : netstat -lnpt , where my display is residing (VNC on a RHEL5) and where i start ssh to the remote host netstat-lnpt-after-ssh : netstat -nlpt , on the remote host, where sshd is running, after login (RHEL6.1) Where i start ssh ... the DISPLAY is set to shk.site.domain.com (have to anonymize the names). I can set the DISPLAY to localhost:1 or to ::1:1 or to shk6.site.domain.com:1 (the name with the IPv6 address) or to fec0::20d:56ff:fec0:12ef:1 (the IPv6 address of the host, wher my X server aka VNC server is running) and nothing changes compared to the above. Locally i can start X11 programs normally, but: After ssh on the remote host, DISPLAY is not set (because of the problem of this bug). Please note: Everything works, when i * start sshd with -4 on the remote host where sshd is running * set X11UseLocalhost to yes in sshd_config All the hostname resolving etc. is working correctly. IMO the sshd should not do the double bind, but only an IPv6 bind (if -4 is not given). When an IPv4 connection comes in, the sshd will get a mapping address of type ::FFFF:<ip-v4-address> when calling peername or whatever. So an additional IPv4 bind is not necessary. If code for converting the IPv6-v4 mapping addressess is needes, please see here: http://www.muc.de/~af/sw/#samba particularly the sourcecode for libgetaddr_allipv.so in samba-rx Created attachment 520079 [details]
netstat -lnpt output on the machine, where my X server is running
Created attachment 520080 [details]
netstat -lnpt output on the machine i ssh to i.e. where sshd is running
(In reply to comment #7) > > Where i start ssh ... the DISPLAY is set to shk.site.domain.com (have to > anonymize the names). which node are you speaking about? the ssh or sshd side? > I can set the DISPLAY to localhost:1 or to ::1:1 or to shk6.site.domain.com:1 > (the > name with the IPv6 address) or to fec0::20d:56ff:fec0:12ef:1 (the IPv6 address > of the host, wher my X server aka VNC server is running) and nothing changes > compared to the above. > Locally i can start X11 programs normally, but: > After ssh on the remote host, DISPLAY is not set (because of the problem of > this bug). do the X applications work after the change the DISPLAY? > > Please note: Everything works, when i > * start sshd with -4 on the remote host where sshd is running > * set X11UseLocalhost to yes in sshd_config there is "and" or "or" between the lines above? > All the hostname resolving etc. is working correctly. > > IMO the sshd should not do the double bind, but only an IPv6 bind (if -4 > is not given). When an IPv4 connection comes in, the sshd will get a mapping > address of type ::FFFF:<ip-v4-address> when calling peername or whatever. > So an additional IPv4 bind is not necessary. this is not generally true, in most configurations it does NOT work > If code for converting the IPv6-v4 mapping addressess is needes, please see > here: > http://www.muc.de/~af/sw/#samba > particularly the sourcecode for libgetaddr_allipv.so in samba-rx can you provide output of iptables6 -L v? Repeating and extending the respective sections: Where i start ssh ... the DISPLAY is set to shk.site.domain.com (have to anonymize the names). When i say: i start ssh , i mean: i start ssh i.e. run the command ssh and not sshd or whatever. What i want so say here, is: on the host, where my vnc X server is running, DISPLAY is set to shk.site.domain.com:1 and then i run the ssh command to logon to the other host. On the remote host DISPLAY is unset after successful ssh login (without any error message), when both IPv4 and IPv6 listen addresses are configured and sshd is started without -4 and without -6. > > I can set the DISPLAY to localhost:1 or to ::1:1 or to shk6.site.domain.com:1 > > (the > > name with the IPv6 address) or to fec0::20d:56ff:fec0:12ef:1 (the IPv6 address > > of the host, wher my X server aka VNC server is running) and nothing changes > > compared to the above. > > Locally i can start X11 programs normally, but: > > After ssh on the remote host, DISPLAY is not set (because of the problem of > > this bug). > do the X applications work after the change the DISPLAY? X without ssh-tunneling works (with xauth entries set appropriately manually) over IPv4 and IPv6. Works with names (different logical hostname for IPv4 and 6) and IP-Addresses in DISPLAY. Works locally and over the network between the two hosts. Works, too, with localhost, localhost6 (logical name for ::1) and IP-addresses 127.0.0.1 and ::1 set in DISPLAY. All this (bare X11 over TCP and both IPv4 and IPv6) works. > > Please note: Everything works, when i > > * start sshd with -4 on the remote host where sshd is running > > * set X11UseLocalhost to yes in sshd_config > there is "and" or "or" between the lines above? or. Either start with -4 or set X11UseLocalhost to yes. Or do both. > can you provide output of iptables6 -L v? I guess the 'v' is a typo. Furthermore i assume you mean ip6tables (searched the entire distribution and did not find any iptables6 in any RPM). So the incredibly complex output is on both hosts: Chain INPUT (policy ACCEPT) target prot opt source destination Chain FORWARD (policy ACCEPT) target prot opt source destination Chain OUTPUT (policy ACCEPT) target prot opt source destination What i found in the meantime (for further info): On the sshd side when configuring ListenAddress :: and not configuring ListenAddress 0.0.0.0 (i.e. this last line is NOT in the sshd_config) and starting with -6 and without -4, logging on via IPv6, then X11 forwarding works !!! (over an IPv4 address (!?!?!)) With the same configuration, but starting without -6 and without -4, it does not work. With both IPv4 and IPv6 listen address configured and starting without -4 and without -6 i still see: 19312 socket(PF_INET6, SOCK_DGRAM, IPPROTO_IP) = 8 19312 connect(8, {sa_family=AF_INET6, sin6_port=htons(6010), inet_pton(AF_INET6, "::", &sin6_addr), sin6_flowinfo=0, sin6_scope_id=0}, 28) = 0 19312 getsockname(8, {sa_family=AF_INET6, sin6_port=htons(52836), inet_pton(AF_INET6, "::1", &sin6_addr), sin6_flowinfo=0, sin6_scope_id=0}, [28]) = 0 19312 connect(8, {sa_family=AF_UNSPEC, sa_data="\0\0\0\0\0\0\0\0\0\0\0\0\0\0"}, 16) = 0 19312 connect(8, {sa_family=AF_INET, sin_port=htons(6010), sin_addr=inet_addr("0.0.0.0")}, 16) = 0 19312 getsockname(8, {sa_family=AF_INET6, sin6_port=htons(38180), inet_pton(AF_INET6, "::ffff:127.0.0.1", &sin6_addr), sin6_flowinfo=0, sin6_scope_id=0}, [28]) = 0 19312 close(8) = 0 19312 socket(PF_INET, SOCK_STREAM, IPPROTO_TCP) = 8 19312 bind(8, {sa_family=AF_INET, sin_port=htons(6010), sin_addr=inet_addr("0.0.0.0")}, 16) = 0 19312 socket(PF_INET6, SOCK_STREAM, IPPROTO_TCP) = 9 19312 bind(9, {sa_family=AF_INET6, sin6_port=htons(6010), inet_pton(AF_INET6, "::", &sin6_addr), sin6_flowinfo=0, sin6_scope_id=0}, 28) = -1 EADDRINUSE (Address already in use) 19312 close(9) = 0 19312 close(8) = 0 With only IPv6 listen address configured and starting without -4 and without -6 i see the same. With only IPv6 listen address configured and starting without -4 and with -6 i see this: 22215 socket(PF_INET6, SOCK_STREAM, IPPROTO_TCP) = 8 22215 bind(8, {sa_family=AF_INET6, sin6_port=htons(6010), inet_pton(AF_INET6, "::", &sin6_addr), sin6_flowinfo=0, sin6_scope_id=0}, 28) = 0 22215 listen(8, 128) = 0 Especially here no previous "connect" call is visible. I really suggest you try yourself. Particularly configured on the sshd side: Protocol 2,1 ListenAddress 0.0.0.0 ListenAddress :: GatewayPorts yes X11Forwarding yes X11DisplayOffset 10 X11UseLocalhost no TCPKeepAlive yes (don't know, whether the Protocol and KeepAlive settings do matter, though) Since RHEL 6.2 External Beta has begun, and this bug remains unresolved, it has been rejected as it is not proposed as exception or blocker. Red Hat invites you to ask your support representative to propose this request, if appropriate and relevant, in the next release of Red Hat Enterprise Linux. I'm able to reproduce it. The IPv6 socket is not set IPV6_V6ONLY due to openssh-4.3p2-no-v6only.patch. The IPv6 socket then supports IPv4-compatible mode and IPv4 socket is already engaged and cannot be bind. Reverting mentioned patch fixes this problem.
Technical note added. If any revisions are required, please edit the "Technical Notes" field
accordingly. All revisions will be proofread by the Engineering Content Services team.
New Contents:
Cause: ssh X11 forwarding was failing, if IPv6 was enabled and X11UseLocalhost=no
Consequence: users couldn't set X forwarding
Fix: sshd and ssh was fixed to correctly bind port for IPv6 protocol
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. http://rhn.redhat.com/errata/RHSA-2012-0884.html |
Description of problem: With X11Forwarding=yes and X11UseLocalhost=no to allow other hosts to tunnel X11 connections through the host running sshd as gateway the X11 forwarding completely fails. In the strace one can see, that sshd tries to bind both an IPv4 and IPv6 socket. The second one fails for obvious reasons and sshd gives up X11 forwarding completely. Version-Release number of selected component (if applicable): openssh-5.3p1-52.el6_1.2 How reproducible: Steps to Reproduce: 1. Configure in /etc/ssh/sshd_config: X11Forwarding yes X11UseLocalhost no 2. Restart sshd 3. Make a ssh connection from a remote host 4. enter: echo $DISPLAY Actual results: Error message: DISPLAY: Undefined variable. (with (t)csh. (ba)sh prints out nothing) X11 forwarding does not work. Expected results: output sth like: localhost:10.0 and i can start X11 programs displaying remotely through ssh TCP tunneling Additional info: strace snippet: 6246 socket(PF_INET6, SOCK_DGRAM, IPPROTO_IP) = 8 6246 connect(8, {sa_family=AF_INET6, sin6_port=htons(6010), inet_pton(AF_INET6, "::", &sin6_addr), sin6_flowinfo=0, sin6_scope_id=0}, 28) = 0 6246 getsockname(8, {sa_family=AF_INET6, sin6_port=htons(49537), inet_pton(AF_INET6, "::1", &sin6_addr), sin6_flowinfo=0, sin6_scope_id=0}, [28]) = 0 6246 connect(8, {sa_family=AF_UNSPEC, sa_data="\0\0\0\0\0\0\0\0\0\0\0\0\0\0"}, 16) = 0 6246 connect(8, {sa_family=AF_INET, sin_port=htons(6010), sin_addr=inet_addr("0.0.0.0")}, 16) = 0 6246 getsockname(8, {sa_family=AF_INET6, sin6_port=htons(49255), inet_pton(AF_INET6, "::ffff:127.0.0.1", &sin6_addr), sin6_flowinfo=0, sin6_scope_id=0}, [28]) = 0 6246 close(8) = 0 6246 socket(PF_INET, SOCK_STREAM, IPPROTO_TCP) = 8 6246 bind(8, {sa_family=AF_INET, sin_port=htons(6010), sin_addr=inet_addr("0.0.0.0")}, 16) = 0 6246 socket(PF_INET6, SOCK_STREAM, IPPROTO_TCP) = 9 6246 bind(9, {sa_family=AF_INET6, sin6_port=htons(6010), inet_pton(AF_INET6, "::", &sin6_addr), sin6_flowinfo=0, sin6_scope_id=0}, 28) = -1 EADDRINUSE (Address already in use) 6246 close(9) = 0 6246 close(8) = 0 Probably for the same reason ssh -g -L ... without -4 and IPv6 enabled on the system always brings the error message: bind: Address already in use In the strace the same algorithm can be seen like above. Probably the same function is use within openssh.