[Bug 2143] X11 forwarding for ipv4 is broken when ipv6 is disabled on the loopback interface

bugzilla-daemon at bugzilla.mindrot.org bugzilla-daemon at bugzilla.mindrot.org
Thu Feb 13 10:17:12 AEDT 2020


https://bugzilla.mindrot.org/show_bug.cgi?id=2143

Bill McGonigle <bill-bugzilla.mindrot.org at bfccomputing.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |bill-bugzilla.mindrot.org at b
                   |                            |fccomputing.com

--- Comment #8 from Bill McGonigle <bill-bugzilla.mindrot.org at bfccomputing.com> ---

I ran into this on a current Debian machine with ipv6.disable=1 on the
kernel command line (completely disables IPv6 at boot time).

When searching for:

  X11 forwarding request failed on channel 0

I came across many articles/stackexchanges offering advice for fixing
this, basically all saying to set:

  X11UseLocalhost no

Since everything works after setting it, it seems like "the fix" to
people who implement it.  Being naturally paranoid, I read the man
page, and, horrified, I went looking further.  I found:

  AddressFamily inet

which works properly for this machine, though it should be noted that
none of the other daemons running on it fail functionality with IPv6
disabled.

My concern is that by not addressing this problem, many users are
configuring their machines insecurely.  I see there are some security
concerns noted above if this isn't fixed correctly, but it needs to be
pointed out that not fixing it also has security concerns on an
ecosystem level.

Are there any concrete security objections to either of the proposed
patches?

SuSE appears to be carrying Andrev's patch.

-- 
You are receiving this mail because:
You are watching someone on the CC list of the bug.
You are watching the assignee of the bug.


More information about the openssh-bugs mailing list