Debian Bug report logs - #327443
X Forwarding broken on IPv6 systems without X11UseLocalhost
Report forwarded to debian-bugs-dist@lists.debian.org, Matthew Vernon <matthew@debian.org>:
Bug#327443; Package ssh.
Acknowledgement sent to Elliott Mitchell <ehem@m5p.com>:
New Bug report received and forwarded. Copy sent to Matthew Vernon <matthew@debian.org>.
Message #5 received at submit@bugs.debian.org:
Package: ssh
Version: 1:3.8.1p1-8.sarge.4
Turns out that if X11UseLocalhost is disabled, sshd will only bind to the
X11 port on one of the local IPv6 addresses (might bind to several, but I
haven't tested that), rather than ::/IN6ADDR_ANY_INIT. As a result
IPv4-only X clients *cannot* connect as only :: receives IPv4-mapped
connections.
OTOH when X11UseLocalhost is enabled, the current version binds to both
127.0.0.1 and ::1, and as a result all X clients can connect. So I'm
actually happy since this configuration is both more functional and more
secure.
--
(\___(\___(\______ --=> 8-) EHM <=-- ______/)___/)___/)
\BS ( | EHeM@gremlin.m5p.com PGP 8881EF59 | ) /
\_CS\ | _____ -O #include <stddisclaimer.h> O- _____ | / _/
\___\_|_/82 04 A1 3C C7 B1 37 2A*E3 6E 84 DA 97 4C 40 E6\_|_/___/
Acknowledgement sent to Rémi Denis-Courmont <rdenis@simphalempin.com>:
Extra info received and filed, but not forwarded.
Message #10 received at 327443-quiet@bugs.debian.org:
On Saturday 10 September 2005 07:19, you wrote:
> Package: ssh
> Version: 1:3.8.1p1-8.sarge.4
>
> Turns out that if X11UseLocalhost is disabled, sshd will only bind to
> the X11 port on one of the local IPv6 addresses (might bind to
> several, but I haven't tested that), rather than ::/IN6ADDR_ANY_INIT.
> As a result IPv4-only X clients *cannot* connect as only :: receives
> IPv4-mapped connections.
>
> OTOH when X11UseLocalhost is enabled, the current version binds to
> both 127.0.0.1 and ::1, and as a result all X clients can connect. So
> I'm actually happy since this configuration is both more functional
> and more secure.
I cannot reproduce this on Sarge. sshd binds to :: port 6010+ when
X11UseLocalhost is disabled, so IPv4 clients should be accepted through
IPv4-mapped addresses. How many IPv6 addresses (and of which scopes) do you
have on the server?
--
Rémi Denis-Courmont
Information forwarded to debian-bugs-dist@lists.debian.org, Debian OpenSSH Maintainers <debian-ssh@lists.debian.org>:
Bug#327443; Package ssh.
Acknowledgement sent to Rob Fulton <rob@cow-frenzy.co.uk>:
Extra info received and forwarded to list. Copy sent to Debian OpenSSH Maintainers <debian-ssh@lists.debian.org>.
Message #15 received at 327443@bugs.debian.org:
I have encountered exactly the problem reported in this bug and it is
causing me problems, it also appears to affect ssh port forwarding in ssh,
the setup was working perfectly until November 6th 2007 when I ran an
apt-get upgrade.
The sshd_config file has :
X11Forwarding yes
X11UseLocalhost no
GatewayPorts yes
And when I try and open a connection I can see the port is open on the
ipv6 interface :
tcp6 0 0 :::6010 :::* LISTEN
But nothing on the ipv4 interface.
I also get the same error when trying to forward a port, my client ssh
attempts to forward port 6005 on the server to port 6000 locally. Again I
can see the ipv6 interface :
tcp6 0 0 :::6005 :::* LISTEN
But nothing for ipv4, I also get :
Nov 28 09:26:05 testserver sshd[7457]: error: bind: Address already in use
In the auth.log file although netstat -an shows nothing listening and I
can run nc on the port fine after logging in
If I turn on X11UseLocalHost then my X forwarding works, it has no effect
on port forwarding though.
This is ssh version 1:4.3p2-9
My dpkg.log indicates the following were upgraded on 6th November :
2007-11-06 14:20:10 upgrade libc6 2.3.6.ds1-13 2.3.6.ds1-13etch2
2007-11-06 14:20:13 upgrade libc6-i686 2.3.6.ds1-13 2.3.6.ds1-13etch2
2007-11-06 14:20:14 upgrade lsb-base 3.1-23.1 3.1-23.2etch1
2007-11-06 14:20:14 upgrade x11-common 1:7.1.0-16 1:7.1.0-19
2007-11-06 14:20:16 upgrade xserver-xorg-core 2:1.1.1-21 2:1.1.1-21etch1
2007-11-06 14:20:18 upgrade xserver-xorg-video-all 1:7.1.0-16 1:7.1.0-19
2007-11-06 14:20:18 upgrade xserver-xorg-input-all 1:7.1.0-16 1:7.1.0-19
2007-11-06 14:20:20 upgrade xserver-xorg 1:7.1.0-16 1:7.1.0-19
2007-11-06 14:20:21 upgrade debian-archive-keyring 2007.02.19 2007.07.31~etch1
2007-11-06 14:20:22 upgrade libssl0.9.8 0.9.8c-4 0.9.8c-4etch1
2007-11-06 14:20:23 upgrade vim 1:7.0-122+1etch2 1:7.0-122+1etch3
2007-11-06 14:20:24 upgrade vim-runtime 1:7.0-122+1etch2 1:7.0-122+1etch3
2007-11-06 14:20:27 upgrade vim-common 1:7.0-122+1etch2 1:7.0-122+1etch3
2007-11-06 14:20:27 upgrade libisc11 1:9.3.4-2 1:9.3.4-2etch1
2007-11-06 14:20:28 upgrade libdns22 1:9.3.4-2 1:9.3.4-2etch1
2007-11-06 14:20:28 upgrade libisccc0 1:9.3.4-2 1:9.3.4-2etch1
2007-11-06 14:20:28 upgrade libisccfg1 1:9.3.4-2 1:9.3.4-2etch1
2007-11-06 14:20:28 upgrade libbind9-0 1:9.3.4-2 1:9.3.4-2etch1
2007-11-06 14:20:28 upgrade liblwres9 1:9.3.4-2 1:9.3.4-2etch1
2007-11-06 14:20:29 upgrade bind9-host 1:9.3.4-2 1:9.3.4-2etch1
2007-11-06 14:20:29 upgrade dnsutils 1:9.3.4-2 1:9.3.4-2etch1
2007-11-06 14:20:29 upgrade file 4.17-5etch1 4.17-5etch3
2007-11-06 14:20:29 upgrade libmagic1 4.17-5etch1 4.17-5etch3
2007-11-06 14:20:29 upgrade libkrb53 1.4.4-7etch1 1.4.4-7etch4
2007-11-06 14:20:29 upgrade libpcre3 6.7-1 6.7+7.4-2
2007-11-06 14:20:30 upgrade locales 2.3.6.ds1-13 2.3.6.ds1-13etch2
2007-11-06 14:20:31 upgrade ethereal 0.99.4-5 0.99.4-5.etch.0
2007-11-06 14:20:32 upgrade wireshark 0.99.4-5 0.99.4-5.etch.0
2007-11-06 14:20:33 upgrade wireshark-common 0.99.4-5 0.99.4-5.etch.0
2007-11-06 14:20:34 upgrade iceape-mailnews 1.0.8-4 1.0.11~pre071022-0etch1
2007-11-06 14:20:35 upgrade iceape-browser 1.0.8-4 1.0.11~pre071022-0etch1
2007-11-06 14:20:39 upgrade iceape 1.0.8-4 1.0.11~pre071022-0etch1
2007-11-06 14:20:39 upgrade initramfs-tools 0.85g 0.85h
2007-11-06 14:20:40 upgrade libfreetype6 2.2.1-5 2.2.1-5+etch1
2007-11-06 14:20:40 upgrade mozilla 2:1.8+1.0.8-4 2:1.8+1.0.11~pre071022-0etch1
2007-11-06 14:20:40 upgrade tcpdump 3.9.5-2 3.9.5-2etch1
2007-11-06 14:20:40 upgrade xorg 1:7.1.0-16 1:7.1.0-19
2007-11-06 14:20:40 upgrade x-window-system 1:7.1.0-16 1:7.1.0-19
Regards
Rob
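Added example, not part of the original bug log and not OpenSSH's code: a netstat line such as "tcp6 :::6010 LISTEN" does not show whether IPv4 clients are accepted, because that depends on the listening socket's IPV6_V6ONLY option. This C program binds to :: on an ephemeral port with the option cleared and then set, and tries an IPv4 connection from 127.0.0.1 each time; the function name is hypothetical.

```c
#include <arpa/inet.h>
#include <netinet/in.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

/* Hypothetical helper: listen on [::]:0 with IPV6_V6ONLY = v6only, then try
 * to connect from 127.0.0.1.  Returns 1 if the IPv4 client got through,
 * 0 if the connect failed, -1 if the listener could not be set up
 * (for example on a host without IPv6 support). */
int ipv4_reaches_v6_listener(int v6only)
{
    struct sockaddr_in6 a6;
    struct sockaddr_in a4;
    socklen_t len = sizeof(a6);
    int ls, cs, ok = -1;

    if ((ls = socket(AF_INET6, SOCK_STREAM, 0)) < 0)
        return -1;
    memset(&a6, 0, sizeof(a6));
    a6.sin6_family = AF_INET6;
    a6.sin6_addr = in6addr_any;          /* "::", as in the netstat output */
    a6.sin6_port = 0;                    /* kernel picks a free port */
    if (setsockopt(ls, IPPROTO_IPV6, IPV6_V6ONLY, &v6only, sizeof(v6only)) < 0 ||
        bind(ls, (struct sockaddr *)&a6, sizeof(a6)) < 0 ||
        listen(ls, 1) < 0 ||
        getsockname(ls, (struct sockaddr *)&a6, &len) < 0)
        goto out;

    if ((cs = socket(AF_INET, SOCK_STREAM, 0)) < 0)
        goto out;
    memset(&a4, 0, sizeof(a4));
    a4.sin_family = AF_INET;
    a4.sin_port = a6.sin6_port;          /* same port, IPv4 loopback */
    a4.sin_addr.s_addr = htonl(INADDR_LOOPBACK);
    ok = connect(cs, (struct sockaddr *)&a4, sizeof(a4)) == 0;
    close(cs);
out:
    close(ls);
    return ok;
}

int main(void)
{
    printf("IPV6_V6ONLY=0: IPv4 client connects: %d\n", ipv4_reaches_v6_listener(0));
    printf("IPV6_V6ONLY=1: IPv4 client connects: %d\n", ipv4_reaches_v6_listener(1));
    return 0;
}
```

On Linux, a socket that never sets the option takes its default from the net.ipv6.bindv6only sysctl.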
Tags added: ipv6
Request was from Simon Paillard <simon.paillard@resel.enst-bretagne.fr>
to control@bugs.debian.org.
(Sun, 04 Jan 2009 16:30:06 GMT)
Severity set to 'serious' from 'normal'
Request was from Clint Adams <schizo@debian.org>
to control@bugs.debian.org.
(Tue, 23 Mar 2010 01:03:12 GMT)
Severity set to 'normal' from 'serious'
Request was from Gerfried Fuchs <rhonda@deb.at>
to control@bugs.debian.org.
(Tue, 23 Mar 2010 08:30:15 GMT)
Last modified: Sat Mar 25 16:52:39 2023