Bug 732955 - X11 forwarding fails, if IPv6 is enabled and X11UseLocalhost=no
Summary: X11 forwarding fails, if IPv6 is enabled and X11UseLocalhost=no
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: openssh
Version: 6.1
Hardware: x86_64
OS: Linux
medium
medium
Target Milestone: rc
: ---
Assignee: Petr Lautrbach
QA Contact: Miroslav Vadkerti
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2011-08-24 09:46 UTC by Albert Flügel
Modified: 2012-06-20 07:17 UTC (History)
3 users (show)

Fixed In Version: openssh-5.3p1-79.el6
Doc Type: Bug Fix
Doc Text:
Cause: ssh X11 forwarding was failing, if IPv6 was enabled and X11UseLocalhost=no Consequence: users couldn't set X forwarding Fix: sshd and ssh was fixed to correctly bind port for IPv6 protocol
Clone Of:
Environment:
Last Closed: 2012-06-20 07:17:11 UTC


Attachments (Terms of Use)
netstat -lnpt output on the machine, where my X server is running (3.02 KB, text/plain)
2011-08-26 12:46 UTC, Albert Flügel
no flags Details
netstat -lnpt output on the machine i ssh to i.e. where sshd is running (3.13 KB, text/plain)
2011-08-26 12:46 UTC, Albert Flügel
no flags Details


Links
System ID Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2012:0884 normal SHIPPED_LIVE Low: openssh security, bug fix, and enhancement update 2012-06-19 19:28:43 UTC

Description Albert Flügel 2011-08-24 09:46:18 UTC
Description of problem:
With X11Forwarding=yes and X11UseLocalhost=no
to allow other hosts to tunnel X11 connections through the host
running sshd as gateway the X11 forwarding completely fails.

In the strace one can see, that sshd tries to bind both an IPv4
and IPv6 socket. The second one fails for obvious reasons and
sshd gives up X11 forwarding completely.

Version-Release number of selected component (if applicable):
openssh-5.3p1-52.el6_1.2

How reproducible:

Steps to Reproduce:
1. Configure in /etc/ssh/sshd_config:
     X11Forwarding yes
     X11UseLocalhost no
2. Restart sshd
3. Make a ssh connection from a remote host
4. enter: echo $DISPLAY
  
Actual results:
Error message: DISPLAY: Undefined variable.
(with (t)csh. (ba)sh prints out nothing)
X11 forwarding does not work.

Expected results:
output sth like:
localhost:10.0
and i can start X11 programs displaying remotely through ssh TCP tunneling

Additional info:
strace snippet:
6246  socket(PF_INET6, SOCK_DGRAM, IPPROTO_IP) = 8
6246  connect(8, {sa_family=AF_INET6, sin6_port=htons(6010), inet_pton(AF_INET6, "::", &sin6_addr), sin6_flowinfo=0, sin6_scope_id=0}, 28) = 0
6246  getsockname(8, {sa_family=AF_INET6, sin6_port=htons(49537), inet_pton(AF_INET6, "::1", &sin6_addr), sin6_flowinfo=0, sin6_scope_id=0}, [28]) = 0
6246  connect(8, {sa_family=AF_UNSPEC, sa_data="\0\0\0\0\0\0\0\0\0\0\0\0\0\0"}, 16) = 0
6246  connect(8, {sa_family=AF_INET, sin_port=htons(6010), sin_addr=inet_addr("0.0.0.0")}, 16) = 0
6246  getsockname(8, {sa_family=AF_INET6, sin6_port=htons(49255), inet_pton(AF_INET6, "::ffff:127.0.0.1", &sin6_addr), sin6_flowinfo=0, sin6_scope_id=0}, [28]) = 0
6246  close(8)                          = 0
6246  socket(PF_INET, SOCK_STREAM, IPPROTO_TCP) = 8
6246  bind(8, {sa_family=AF_INET, sin_port=htons(6010), sin_addr=inet_addr("0.0.0.0")}, 16) = 0
6246  socket(PF_INET6, SOCK_STREAM, IPPROTO_TCP) = 9
6246  bind(9, {sa_family=AF_INET6, sin6_port=htons(6010), inet_pton(AF_INET6, "::", &sin6_addr), sin6_flowinfo=0, sin6_scope_id=0}, 28) = -1 EADDRINUSE (Address already in use)
6246  close(9)                          = 0
6246  close(8)                          = 0

Probably for the same reason ssh -g -L ... without -4 and IPv6 enabled on the system always brings the error message:
bind: Address already in use
In the strace the same algorithm can be seen like above. Probably the same function is use within openssh.

Comment 2 Jan F. Chadima 2011-08-24 11:26:57 UTC
please can you check what rules you have in ipv6 firewall or temporarily switch off it (service ip6tabless stop)

Comment 3 Albert Flügel 2011-08-24 11:33:05 UTC
No ip6 firewall rules are set.
For ip4 only the default restrictions for the FORWARD table coming with the distro are set:
ACCEPT     all  --  anywhere             192.168.122.0/24    state RELATED,ESTABLISHED 
ACCEPT     all  --  192.168.122.0/24     anywhere            

Everything else is ACCEPTed

Comment 4 Jan F. Chadima 2011-08-25 21:38:34 UTC
If you have REALLY IPv6 firewall switched of try test the IPv6 routing. Try ping to my IPv6 interface (the same as X server is bound in)

Comment 5 Albert Flügel 2011-08-26 09:41:06 UTC
I'm really confused now.

First of all: IP6 interface works, whether i start the service ip6tables or not,
with IPv6 address or hostname:

prompt# ping6 bol001b
PING bol001b(bol001b.vih.infineon.com) 56 data bytes
64 bytes from bol001b.vih.infineon.com: icmp_seq=1 ttl=64 time=0.027 ms
64 bytes from bol001b.vih.infineon.com: icmp_seq=2 ttl=64 time=0.034 ms
64 bytes from bol001b.vih.infineon.com: icmp_seq=3 ttl=64 time=0.038 ms
^C
--- bol001b ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 2276ms
rtt min/avg/max/mdev = 0.027/0.033/0.038/0.004 ms

prompt# ping6 fec0::250:56ff:fe8f:178
PING fec0::250:56ff:fe8f:178(fec0::250:56ff:fe8f:178) 56 data bytes
64 bytes from fec0::250:56ff:fe8f:178: icmp_seq=1 ttl=64 time=0.023 ms
64 bytes from fec0::250:56ff:fe8f:178: icmp_seq=2 ttl=64 time=0.037 ms
64 bytes from fec0::250:56ff:fe8f:178: icmp_seq=3 ttl=64 time=0.034 ms
^C
--- fec0::250:56ff:fe8f:178 ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 2307ms
rtt min/avg/max/mdev = 0.023/0.031/0.037/0.007 ms


sshd is bound to both IPv4 and IPv6 address:
[root@bol001b]# ps -ef|grep sshd
root     24650     1  0 11:29 ?        00:00:00 /usr/sbin/sshd
root     25522 20142  0 11:36 pts/2    00:00:00 grep sshd
[root@bol001b]# lsof -p 24650
...
sshd    24650 root    0u   CHR    1,3      0t0   3593 /dev/null
sshd    24650 root    1u   CHR    1,3      0t0   3593 /dev/null
sshd    24650 root    2u   CHR    1,3      0t0   3593 /dev/null
sshd    24650 root    3u  IPv6 126271      0t0    TCP *:ssh (LISTEN)
sshd    24650 root    4u  IPv4 126273      0t0    TCP *:ssh (LISTEN)

When logging in via ssh i see what i already posted in the strace.
Another try:
...
25364 socket(PF_INET6, SOCK_DGRAM, IPPROTO_IP) = 8
25364 connect(8, {sa_family=AF_INET6, sin6_port=htons(6010), inet_pton(AF_INET6, "::", &sin6_addr), sin6_flowinfo=0, sin6_scope_id=0}, 28) = 0
25364 getsockname(8, {sa_family=AF_INET6, sin6_port=htons(50799), inet_pton(AF_INET6, "::1", &sin6_addr), sin6_flowinfo=0, sin6_scope_id=0}, [28]) = 0
25364 connect(8, {sa_family=AF_UNSPEC, sa_data="\0\0\0\0\0\0\0\0\0\0\0\0\0\0"}, 16) = 0
25364 connect(8, {sa_family=AF_INET, sin_port=htons(6010), sin_addr=inet_addr("0.0.0.0")}, 16) = 0
25364 getsockname(8, {sa_family=AF_INET6, sin6_port=htons(45001), inet_pton(AF_INET6, "::ffff:127.0.0.1", &sin6_addr), sin6_flowinfo=0, sin6_scope_id=0}, [28]) = 0
25364 close(8)                          = 0
25364 socket(PF_INET, SOCK_STREAM, IPPROTO_TCP) = 8
25364 bind(8, {sa_family=AF_INET, sin_port=htons(6010), sin_addr=inet_addr("0.0.0.0")}, 16) = 0
25364 socket(PF_INET6, SOCK_STREAM, IPPROTO_TCP) = 9
25364 bind(9, {sa_family=AF_INET6, sin6_port=htons(6010), inet_pton(AF_INET6, "::", &sin6_addr), sin6_flowinfo=0, sin6_scope_id=0}, 28) = -1 EADDRINUSE (Address already in use)
25364 close(9)                          = 0
25364 close(8)                          = 0
...

Am i doing anything incorrect ? sth missing ?

Comment 6 Jan F. Chadima 2011-08-26 12:06:47 UTC
please provide output of netstat -lnpt
and content of the environment variable DISPLAY

Comment 7 Albert Flügel 2011-08-26 12:44:56 UTC
Attached files:
netstat-lnpt-local : netstat -lnpt , where my display is residing (VNC on a RHEL5) and where i start ssh to the remote host
netstat-lnpt-after-ssh : netstat -nlpt , on the remote host, where sshd is running, after login (RHEL6.1)

Where i start ssh ... the DISPLAY is set to shk.site.domain.com (have to
anonymize the names).
I can set the DISPLAY to localhost:1 or to ::1:1 or to shk6.site.domain.com:1 (the
name with the IPv6 address) or to fec0::20d:56ff:fec0:12ef:1 (the IPv6 address
of the host, wher my X server aka VNC server is running) and nothing changes
compared to the above.
Locally i can start X11 programs normally, but:
After ssh on the remote host, DISPLAY is not set (because of the problem of this bug).

Please note: Everything works, when i
* start sshd with -4 on the remote host where sshd is running
* set X11UseLocalhost to yes in sshd_config
All the hostname resolving etc. is working correctly.

IMO the sshd should not do the double bind, but only an IPv6 bind (if -4
is not given). When an IPv4 connection comes in, the sshd will get a mapping
address of type ::FFFF:<ip-v4-address> when calling peername or whatever.
So an additional IPv4 bind is not necessary.
If code for converting the IPv6-v4 mapping addressess is needes, please see here:
http://www.muc.de/~af/sw/#samba
particularly the sourcecode for libgetaddr_allipv.so in samba-rx

Comment 8 Albert Flügel 2011-08-26 12:46:01 UTC
Created attachment 520079 [details]
netstat -lnpt output on the machine, where my X server is running

Comment 9 Albert Flügel 2011-08-26 12:46:42 UTC
Created attachment 520080 [details]
netstat -lnpt output on the machine i ssh to i.e. where sshd is running

Comment 10 Jan F. Chadima 2011-09-07 06:11:47 UTC
(In reply to comment #7)
> 
> Where i start ssh ... the DISPLAY is set to shk.site.domain.com (have to
> anonymize the names).

which node are you speaking about? the ssh or sshd side?


> I can set the DISPLAY to localhost:1 or to ::1:1 or to shk6.site.domain.com:1
> (the
> name with the IPv6 address) or to fec0::20d:56ff:fec0:12ef:1 (the IPv6 address
> of the host, wher my X server aka VNC server is running) and nothing changes
> compared to the above.
> Locally i can start X11 programs normally, but:
> After ssh on the remote host, DISPLAY is not set (because of the problem of
> this bug).

do the X applications work after the change the DISPLAY?

> 
> Please note: Everything works, when i
> * start sshd with -4 on the remote host where sshd is running
> * set X11UseLocalhost to yes in sshd_config

there is "and" or "or" between the lines above?

> All the hostname resolving etc. is working correctly.
> 
> IMO the sshd should not do the double bind, but only an IPv6 bind (if -4
> is not given). When an IPv4 connection comes in, the sshd will get a mapping
> address of type ::FFFF:<ip-v4-address> when calling peername or whatever.
> So an additional IPv4 bind is not necessary.

this is not generally true, in most configurations it does NOT work

> If code for converting the IPv6-v4 mapping addressess is needes, please see
> here:
> http://www.muc.de/~af/sw/#samba
> particularly the sourcecode for libgetaddr_allipv.so in samba-rx

can you provide output of iptables6 -L v?

Comment 11 Albert Flügel 2011-10-07 12:14:34 UTC
Repeating and extending the respective sections:

Where i start ssh ... the DISPLAY is set to shk.site.domain.com (have to
anonymize the names). When i say: i start ssh , i mean: i start ssh i.e.
run the command ssh and not sshd or whatever. What i want so say here, is:
on the host, where my vnc X server is running, DISPLAY is set to
shk.site.domain.com:1 and then i run the ssh command to logon to the other host.
On the remote host DISPLAY is unset after successful ssh login (without
any error message), when both IPv4 and IPv6 listen addresses are configured
and sshd is started without -4 and without -6.

> > I can set the DISPLAY to localhost:1 or to ::1:1 or to shk6.site.domain.com:1
> > (the
> > name with the IPv6 address) or to fec0::20d:56ff:fec0:12ef:1 (the IPv6 address
> > of the host, wher my X server aka VNC server is running) and nothing changes
> > compared to the above.
> > Locally i can start X11 programs normally, but:
> > After ssh on the remote host, DISPLAY is not set (because of the problem of
> > this bug).

> do the X applications work after the change the DISPLAY?

X without ssh-tunneling works (with xauth entries set appropriately manually)
over IPv4 and IPv6. Works with names (different logical hostname for IPv4 and 6)
and IP-Addresses in DISPLAY. Works locally and over the network between the
two hosts. Works, too, with localhost, localhost6 (logical name for ::1) and
IP-addresses 127.0.0.1 and ::1 set in DISPLAY.
All this (bare X11 over TCP and both IPv4 and IPv6) works.

> > Please note: Everything works, when i
> > * start sshd with -4 on the remote host where sshd is running
> > * set X11UseLocalhost to yes in sshd_config
> there is "and" or "or" between the lines above?
or. Either start with -4 or set X11UseLocalhost to yes. Or do both.

> can you provide output of iptables6 -L v?
I guess the 'v' is a typo. Furthermore i assume you mean ip6tables
(searched the entire distribution and did not find any iptables6 in
any RPM). So the incredibly complex output is on both hosts:
Chain INPUT (policy ACCEPT)
target     prot opt source               destination         

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination         

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         

What i found in the meantime (for further info):
On the sshd side when configuring
ListenAddress ::
and not configuring
ListenAddress 0.0.0.0
(i.e. this last line is NOT in the sshd_config)
and starting with -6 and without -4, logging on via IPv6,
then X11 forwarding works !!! (over an IPv4 address (!?!?!))
With the same configuration, but starting without -6 and without -4,
it does not work.

With both IPv4 and IPv6 listen address configured and starting without -4 and
without -6 i still see:
19312 socket(PF_INET6, SOCK_DGRAM, IPPROTO_IP) = 8
19312 connect(8, {sa_family=AF_INET6, sin6_port=htons(6010), inet_pton(AF_INET6, "::", &sin6_addr), sin6_flowinfo=0, sin6_scope_id=0}, 28) = 0
19312 getsockname(8, {sa_family=AF_INET6, sin6_port=htons(52836), inet_pton(AF_INET6, "::1", &sin6_addr), sin6_flowinfo=0, sin6_scope_id=0}, [28]) = 0
19312 connect(8, {sa_family=AF_UNSPEC, sa_data="\0\0\0\0\0\0\0\0\0\0\0\0\0\0"}, 16) = 0
19312 connect(8, {sa_family=AF_INET, sin_port=htons(6010), sin_addr=inet_addr("0.0.0.0")}, 16) = 0
19312 getsockname(8, {sa_family=AF_INET6, sin6_port=htons(38180), inet_pton(AF_INET6, "::ffff:127.0.0.1", &sin6_addr), sin6_flowinfo=0, sin6_scope_id=0}, [28]) = 0
19312 close(8)                          = 0
19312 socket(PF_INET, SOCK_STREAM, IPPROTO_TCP) = 8
19312 bind(8, {sa_family=AF_INET, sin_port=htons(6010), sin_addr=inet_addr("0.0.0.0")}, 16) = 0
19312 socket(PF_INET6, SOCK_STREAM, IPPROTO_TCP) = 9
19312 bind(9, {sa_family=AF_INET6, sin6_port=htons(6010), inet_pton(AF_INET6, "::", &sin6_addr), sin6_flowinfo=0, sin6_scope_id=0}, 28) = -1 EADDRINUSE (Address already in use)
19312 close(9)                          = 0
19312 close(8)                          = 0

With only IPv6 listen address configured and starting without -4 and without -6
i see the same.

With only IPv6 listen address configured and starting without -4 and with -6
i see this:
22215 socket(PF_INET6, SOCK_STREAM, IPPROTO_TCP) = 8
22215 bind(8, {sa_family=AF_INET6, sin6_port=htons(6010), inet_pton(AF_INET6, "::", &sin6_addr), sin6_flowinfo=0, sin6_scope_id=0}, 28) = 0
22215 listen(8, 128)                    = 0
Especially here no previous "connect" call is visible.

I really suggest you try yourself. Particularly configured on the sshd side:
Protocol 2,1
ListenAddress 0.0.0.0
ListenAddress ::
GatewayPorts yes
X11Forwarding yes
X11DisplayOffset 10
X11UseLocalhost no
TCPKeepAlive yes
(don't know, whether the Protocol and KeepAlive settings do matter, though)

Comment 12 RHEL Product and Program Management 2011-10-07 16:02:37 UTC
Since RHEL 6.2 External Beta has begun, and this bug remains
unresolved, it has been rejected as it is not proposed as
exception or blocker.

Red Hat invites you to ask your support representative to
propose this request, if appropriate and relevant, in the
next release of Red Hat Enterprise Linux.

Comment 14 Petr Lautrbach 2012-02-10 14:43:20 UTC
I'm able to reproduce it. The IPv6 socket is not set IPV6_V6ONLY due to openssh-4.3p2-no-v6only.patch. The IPv6 socket then supports IPv4-compatible mode and IPv4 socket is already engaged and cannot be bind.

Reverting mentioned patch fixes this problem.

Comment 22 Petr Lautrbach 2012-04-27 13:00:55 UTC
    Technical note added. If any revisions are required, please edit the "Technical Notes" field
    accordingly. All revisions will be proofread by the Engineering Content Services team.
    
    New Contents:
Cause: ssh X11 forwarding was failing, if IPv6 was enabled and X11UseLocalhost=no
Consequence: users couldn't set X forwarding
Fix: sshd and ssh was fixed to correctly bind port for IPv6 protocol

Comment 25 errata-xmlrpc 2012-06-20 07:17:11 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHSA-2012-0884.html


Note You need to log in before you can comment on or make changes to this bug.