Hide Forgot
Description of problem: openssh-server with default configuration (AddressFamily any) and IPv6 disabled (net.ipv6.conf.eth0.disable_ipv6 = 1, not default) do not forward X11 requests when requested using "ssh -X server" command. Version-Release number of selected component (if applicable): rpm -q openssh openssh-6.6.1p1-31.el7.x86_64 Steps to Reproduce: Perform following steps on Server machine - # vim /etc/sysctl.conf net.ipv6.conf.all.disable_ipv6 = 1 net.ipv6.conf.default.disable_ipv6 = 1 net.ipv6.conf.ens3.disable_ipv6 = 1 net.ipv6.conf.lo.disable_ipv6 = 1 net.ipv6.conf.virbr0.disable_ipv6 = 1 net.ipv6.conf.virbr0-nic.disable_ipv6 = 1 reload the configuration using sysctl -p or by rebooting the server # cat /etc/ssh/sshd_config | grep AddressFamily AddressFamily any # systemctl restart sshd Actual results: From client execute - ssh -X server X11 forwarding request failed on channel 0 Last login: Mon Mar 27 12:45:13 2017 from xyz Expected results: ssh -X server Last login: Mon Mar 27 12:45:13 2017 from xyz Additional info: Moreover, related fixed bugs exists in bugrack. Maybe a regression?? (pls, read in order): https://bugzilla.redhat.com/show_bug.cgi?id=732955 https://bugzilla.redhat.com/show_bug.cgi?id=1173052 All rhel 7.3 with default sshd config and net.ipv6.conf.eth0.disable_ipv6 = 1 are impacted. workaround is set sshd_config option "AddressFamily any" as stated in: https://access.redhat.com/solutions/110103
To my understanding, it looks like a problem that `getaddrinfo()` is returning AF_INET6 addresses even though it is disabled "systemwide" (at least on Fedora as I tested). The related logs in my environment look like [...] debug2: bind port 6491: Cannot assign requested address debug3: sock_set_v6only: set socket 10 IPV6_V6ONLY [...] error: Failed to allocate internet-domain X11 display socket. You can resolve the problem by explicitly selecting ipv4 (not `any` as mentioned in the description): AddressFamily inet Since we have this configuration option there (it is unfortunate that it does not confirm to some system-wide settings) it is not probable it will get fixed somehow. This is explained and documented in the KBS about disabling IPv6 [1] even with this limitation explained in this bug. Adding psimerda if he can give some light into that or if there is anything we can do to improve the state. [1] https://access.redhat.com/solutions/8709
(In reply to Jakub Jelen from comment #2) > To my understanding, it looks like a problem that `getaddrinfo()` is > returning AF_INET6 addresses even though it is disabled "systemwide" (at > least on Fedora as I tested). In my opinion you should not expect getaddrinfo to remove those addresses for you and the code should be capable of handling the case. When you try to connect to an unreachable IPv6 address, you get an error immediately and you can continue trying with the next address without delay. In your case the problem seems to be related to binding, though. And that's another story. Can you please describe the specific usage of getaddrinfo, the upcoming network-related syscalls and the expected/actual results of those?
Well, this was how the OpenSSH behaved before version 5.0. Current behavior was introduced by a fix for CVE-2008-1483 [1] (related commit [2]). The related code can be found here: https://github.com/openssh/openssh-portable/blob/master/channels.c#L4299 So from my point of view it is still either a problem in the getaddinfo() or a thing that really needs to be configured (as described in the KBS). Nothing that could be fixed in OpenSSH source code. What you mean about "another story"? [1] http://www.openssh.com/txt/release-5.0 [2] https://github.com/openssh/openssh-portable/commit/5f5cd746
For the record, there are upstream bugs discussion this problem for years: https://bugzilla.mindrot.org/show_bug.cgi?id=2143 https://bugzilla.mindrot.org/show_bug.cgi?id=1356 I raised the issue on the upstream mailing list again to see if we can have it fixed in some way.