Debian Bug report logs - #422327
openssh-server: Fails to bind port for X11 forwarding, ipv4/ipv6 mess

Reply or subscribe to this bug.

Toggle useless messages

Message #5 received at submit@bugs.debian.org (full text, mbox, reply):

From: Sami Liedes <sliedes@cc.hut.fi>

To: Debian Bug Tracking System <submit@bugs.debian.org>

Subject: openssh-server: Fails to bind port for X11 forwarding, ipv4/ipv6 mess

Date: Sat, 5 May 2007 09:58:55 +0300

[Message part 1 (text/plain, inline)]

Package: openssh-server
Version: 1:4.3p2-10
Severity: normal

Hi,

I started to get mysterious messages in my auth.log like this:

  May  5 08:52:09 lh sshd[27269]: error: Failed to allocate internet-domain X11 display socket.

and decided to investigate why it fails. The debug output of sshd is
at least not immediately very helpful (at least if you don't know of
EADDRNOTAVAIL and recognize its string form):

------------------------------------------------------------
[...]
debug1: session_input_channel_req: session 0 req x11-req
debug2: bind port 6010: Cannot assign requested address
debug2: bind port 6011: Cannot assign requested address
debug2: bind port 6012: Cannot assign requested address
debug2: bind port 6013: Cannot assign requested address
debug2: bind port 6014: Cannot assign requested address
debug2: bind port 6015: Cannot assign requested address
debug2: bind port 6016: Cannot assign requested address
[...]
debug2: bind port 6998: Cannot assign requested address
debug2: bind port 6999: Cannot assign requested address
Failed to allocate internet-domain X11 display socket.
debug1: x11_create_display_inet failed.
[...]
------------------------------------------------------------

What happens is that in x11_create_display_inet() (channels.c),
getaddrinfo() apparently returns the IPv6 address family first, and
sshd only tries to bind to that. However I have no IPv6 address, but
IPv6 is enabled in the kernel:

------------------------------------------------------------
$ ifconfig
eth0      Link encap:Ethernet  HWaddr 00:17:31:BC:14:5F
          inet addr:82.130.40.84  Bcast:82.130.40.127  Mask:255.255.255.192
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:11664235 errors:272 dropped:0 overruns:0 frame:0
          TX packets:4679903 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:7295902428 (6.7 GiB)  TX bytes:1215730740 (1.1 GiB)
          Interrupt:23 Base address:0xe000

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
          RX packets:3023153 errors:0 dropped:0 overruns:0 frame:0
          TX packets:3023153 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:2334865217 (2.1 GiB)  TX bytes:2334865217 (2.1 GiB)
------------------------------------------------------------

Hence, bind() to ::1 returns EADDRNOTAVAIL. From strace output:

------------------------------------------------------------
2410  socket(PF_INET6, SOCK_STREAM, IPPROTO_TCP) = 9
2410  setsockopt(9, SOL_IPV6, IPV6_V6ONLY, [1], 4) = 0
2410  setsockopt(9, SOL_SOCKET, SO_REUSEADDR, [1], 4) = 0
2410  bind(9, {sa_family=AF_INET6, sin6_port=htons(6010), inet_pton(AF_INET6, "::1", &sin6_addr), sin6_flowinfo=0, sin6_scope_id=0}, 28) = -1 EADDRNOTAVAIL (Cannot assign requested address)
2410  write(2, "debug2: bind port 6010: Cannot a"..., 57) = 57
2410  close(9)                          = 0
2410  close(8)                          = 0
2410  socket(PF_NETLINK, SOCK_RAW, 0)   = 8
2410  bind(8, {sa_family=AF_NETLINK, pid=0, groups=00000000}, 12) = 0
2410  getsockname(8, {sa_family=AF_NETLINK, pid=2410, groups=00000000}, [12]) = 0
2410  sendto(8, "\24\0\0\0\26\0\1\3j$<F\0\0\0\0\0\0\0\0", 20, 0, {sa_family=AF_NETLINK, pid=0, groups=00000000}, 12) = 20
2410  recvmsg(8, {msg_name(12)={sa_family=AF_NETLINK, pid=0, groups=00000000}, msg_iov(1)=[{"0\0\0\0\24\0\2\0j$<Fj\t\0\0\2\10\200\376\1\0\0\0\10\0\1"..., 4096}], msg_controllen=0, msg_flags=0}, 0) = 108
2410  recvmsg(8, {msg_name(12)={sa_family=AF_NETLINK, pid=0, groups=00000000}, msg_iov(1)=[{"\24\0\0\0\3\0\2\0j$<Fj\t\0\0\0\0\0\0\1\0\0\0\10\0\1\0\177"..., 4096}], msg_controllen=0, msg_flags=0}, 0) = 20
2410  close(8)                          = 0
2410  socket(PF_INET6, SOCK_DGRAM, IPPROTO_IP) = 8
2410  connect(8, {sa_family=AF_INET6, sin6_port=htons(6011), inet_pton(AF_INET6, "::1", &sin6_addr), sin6_flowinfo=0, sin6_scope_id=0}, 28) = -1 ENETUNREACH (Network is unreachable)
2410  close(8)                          = 0
2410  socket(PF_INET, SOCK_DGRAM, IPPROTO_IP) = 8
2410  connect(8, {sa_family=AF_INET, sin_port=htons(6011), sin_addr=inet_addr("127.0.0.1")}, 16) = 0
2410  getsockname(8, {sa_family=AF_INET, sin_port=htons(45259), sin_addr=inet_addr("127.0.0.1")}, [8589934608]) = 0
2410  close(8)                          = 0
2410  socket(PF_INET, SOCK_STREAM, IPPROTO_TCP) = 8
2410  setsockopt(8, SOL_SOCKET, SO_REUSEADDR, [1], 4) = 0
2410  bind(8, {sa_family=AF_INET, sin_port=htons(6011), sin_addr=inet_addr("127.0.0.1")}, 16) = 0
2410  socket(PF_INET6, SOCK_STREAM, IPPROTO_TCP) = 9
2410  setsockopt(9, SOL_IPV6, IPV6_V6ONLY, [1], 4) = 0
2410  setsockopt(9, SOL_SOCKET, SO_REUSEADDR, [1], 4) = 0
2410  bind(9, {sa_family=AF_INET6, sin6_port=htons(6011), inet_pton(AF_INET6, "::1", &sin6_addr), sin6_flowinfo=0, sin6_scope_id=0}, 28) = -1 EADDRNOTAVAIL (Cannot assign requested address)
2410  write(2, "debug2: bind port 6011: Cannot a"..., 57) = 57
[...]
------------------------------------------------------------

>From how I read x11_create_display_inet(), it takes the first IPv*
address family given by getaddrinfo() and only tries to bind to that:

------------------------------------------------------------
2820 #ifndef DONT_TRY_OTHER_AF
2821                         if (num_socks == NUM_SOCKS)
2822                                 break;
2823 #else
2824                         if (x11_use_localhost) {
2825                                 if (num_socks == NUM_SOCKS)
2826                                         break;
2827                         } else {
2828                                 break;
2829                         }
2830 #endif
------------------------------------------------------------

In my case, X11UseLocalhost is enabled so the break on line 2826 is
eventually taken after all bind()s to a nonexistent interface have
failed.

I discovered the behavior of getaddrinfo() can apparently be
controlled by editing /etc/gai.conf (which is somewhat cryptic to me
as I don't know the IPv6 address scheme very well, and which curiously
has no man page), but even after following the advice there ("For
sites which prefer IPv4 connections change the last line to precedence
::ffff:0:0/96 100") the situation did not change, apparently IPv6 is
still reported first and sshd only tries to bind to that. This might
be a separate bug in e.g. /etc/gai.conf comments. This is what I have
in /etc/gai.conf now:

------------------------------------------------------------
# the defaults, according to the comments
label  ::1/128       0
label  ::/0          1
label  2002::/16     2
label ::/96          3
label ::ffff:0:0/96  4
label  fec0::/10     5
label  fc00::/7      6

# still defaults
precedence  ::1/128       50
precedence  ::/0          40
precedence  2002::/16     30
precedence ::/96          20

# and this is what I changed:
precedence ::ffff:0:0/96  100
------------------------------------------------------------

Perhaps x11_create_display_inet() should be modified to try the other
IPv* address family if bind()ing to the first one fails (and if
getaddrinfo() returns it). In the least I suggest making the error
messages more informative. There's no way I could have got a clue
about why it fails without stracing sshd or reading the source.

	Sami


-- System Information:
Debian Release: lenny/sid
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: amd64 (x86_64)

Kernel: Linux 2.6.20.4-grsec-sli
Locale: LANG=C, LC_CTYPE=fi_FI@euro (charmap=ISO-8859-15)
Shell: /bin/sh linked to /bin/bash

Versions of packages openssh-server depends on:
ii  addus 3.102                              Add and remove users and groups
ii  debco 1.5.13                             Debian configuration management sy
ii  dpkg  1.13.25                            package maintenance system for Deb
ii  libc6 2.5-5                              GNU C Library: Shared libraries
ii  libco 1.39+1.40-WIP-2006.11.14+dfsg-2+b1 common error description library
ii  libkr 1.6.dfsg.1-2                       MIT Kerberos runtime libraries
ii  libpa 0.79-4                             Pluggable Authentication Modules f
ii  libpa 0.79-4                             Runtime support for the PAM librar
ii  libpa 0.79-4                             Pluggable Authentication Modules l
ii  libse 2.0.8-1                            SELinux shared libraries
ii  libss 0.9.8e-4                           SSL shared libraries
ii  libwr 7.6.dbs-13                         Wietse Venema's TCP wrappers libra
ii  opens 1:4.3p2-10                         Secure shell client, an rlogin/rsh
ii  zlib1 1:1.2.3-13                         compression library - runtime

openssh-server recommends no packages.

-- debconf information:
  ssh/insecure_rshd:
  ssh/insecure_telnetd:
  ssh/new_config: true
* ssh/use_old_init_script: true
* ssh/disable_cr_auth: false
  ssh/encrypted_host_key_but_no_keygen:

[signature.asc (application/pgp-signature, inline)]

Message #10 received at 422327@bugs.debian.org (full text, mbox, reply):

From: Adrian Knoth <adi@drcomp.erfurt.thur.de>

To: 422327@bugs.debian.org

Subject: Similar problem

Date: Sun, 20 May 2007 17:50:38 +0200

Hi,

I had a similar problem, resulting in exactly the same debug messages
from sshd.

In my case, /etc/hosts did not contain anything. After adding

127.0.0.1   localhost
::1         ip6-localhost

X-forwarding was fine.

Judging your ifconfig output, you don't have IPv6 configured correctly,
most likely due to missing IPv6 module. You said it's enabled in the
kernel, so lo must at least contain something like this:

lo        Link encap:Local Loopback  
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host


Can you make sure that you're using a sensible /etc/hosts and have IPv6
loopback? (modprobe ipv6?)


-- 
mail: adi@thur.de  	http://adi.thur.de	PGP/GPG: key via keyserver

Bachelor: A man who chases women and never Mrs. one.

Message #15 received at 422327@bugs.debian.org (full text, mbox, reply):

From: Walter Rudametkin <rudametkin@gmail.com>

To: 422327@bugs.debian.org

Subject: RE: Similar problem

Date: Mon, 05 Jul 2010 16:37:17 +0200

[Message part 1 (text/plain, inline)]

I had the same problem ssh and x-forwarding after disabling ipv6 in sysctl.

It seems that disabling ipv6 using sysctl breaks both ssh x-forwarding 
and java networking, at least in my case.

To disable ipv6 I created this file:
/
cat /etc/sysctl.d/disableipv6.conf
/#Equal to sysctl -w net.ipv6.conf.all.disable_ipv6=1
net.ipv6.conf.all.disable_ipv6=1

As explained in the comments here:
http://www.debian-administration.org/article/Disabling_IPv6_under_a_2.6_kernel


Re-enabling ipv6 made both ssh x-forwarding and java networking work.

For reference, for Java to work you need to change the value of
/net.ipv6.bindv6only
/in sysctl to 0 as explained here:
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=560044

Regards,
Walter

[Message part 2 (text/html, inline)]

Message #20 received at 422327@bugs.debian.org (full text, mbox, reply):

From: Andreas Steinel <a.steinel@googlemail.com>

To: 422327@bugs.debian.org

Subject: Only for the record

Date: Mon, 11 Apr 2011 10:38:47 +0200

Only for the record:

The following resolved my IPv6-Disabling issue with SSH:

1) Adding the following to your sshd_config
AddressFamily inet
2) Restart SSH

Afterwards, the SSH daemon is able to create the X11 socket and
X-Forwarding works as expected.

Best regards,
Andreas

Send a report that this bug log contains spam.