
S10 sshd X forwarding problem


Stuart Anderson

May 24, 2008, 5:47:57 PM
I am having problems forwarding X11 connections to S10 machines over
ssh after applying the latest sshd Security patch (126133-03 or 126134-03).
This problem goes away when reverting to patch level -02.

The following syslog message is generated on the server,
sshd[1433]: [ID 800047 auth.error] error: Failed to allocate internet-domain
X11 display socket.


Is anyone else having this problem?


Thanks.

Wolfgang

May 25, 2008, 7:27:00 AM
Stuart Anderson wrote:

I fear the patches introduce a known bug from OpenSSH. You can check
and see the reason when you start sshd in debug mode: it tries to open
several hundred unix-sockets until it reaches a limit.

Paul Floyd

May 25, 2008, 3:11:39 PM

I was just about to post a message saying exactly the same thing.

126134-03 on an AMD64 machine, connected from a Mac OS X machine.

So you are not alone.

See you soon
Paul
--
Paul Floyd http://paulf.free.fr

Frank Giessler

May 26, 2008, 2:49:19 AM

Same here. I noticed the following:

1) It does not happen on a machine that has IPv6 installed (though I
have only one of those, might be coincidence)

2) I can work around it by setting

X11UseLocalhost no

in /etc/ssh/sshd_config.


Hope this helps,
Frank.

Tony Curtis

May 26, 2008, 8:59:28 AM
Frank Giessler wrote:
> Stuart Anderson wrote:
>> I am having problems forwarding X11 connections to S10 machines over
>> ssh after applying the latest sshd Security patch (126133-03 or
>> 126134-03).
>> This problem goes away when reverting to patch level -02.
>>
>> The following syslog message is generated on the server,
>> sshd[1433]: [ID 800047 auth.error] error: Failed to allocate
>> internet-domain
>> X11 display socket.
>>
>>
>> Is anyone else having this problem?
>>
>>
>> Thanks.
>>
>
> Same here. I noticed the following:
>
> 1) It does not happen on a machine that has IPv6 installed (though I
> have only one of those, might be coincidence)

After smpatch update on a couple of Solaris 10 machines (sparc) I am
seeing the exact same behaviour. Adding inet6 interfaces makes things
work. Other machines that have been smpatch update'd do, however,
forward X11 fine. They almost certainly got an interim update more
recently than the broken ones.

hth
t

Robert Lawhead

May 26, 2008, 2:07:15 PM
Try adding "AddressFamily inet" to sshd_config, then restart the server.

Oscar del Rio

May 26, 2008, 2:34:38 PM
Stuart Anderson wrote:
> sshd[1433]: [ID 800047 auth.error] error: Failed to allocate internet-domain
> X11 display socket.

bug 6704823

http://bugs.opensolaris.org/view_bug.do?bug_id=6704823

Description:
Looks like the fix for CR 6684003 breaks sshd's ability to bind to a local
socket for X forwarding. bind() returns EADDRNOTAVAIL for every bind call to ::1
for ports 6010->6999, but never tries IPv4 localhost addresses.

Workaround:
Add lo0 for IPv6:
# ifconfig lo0 inet6 plumb up
please try -4 option for ssh. I think that should be enough, without the need of
root privileges to create a loopback with IPv6 address.
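
The failure described in the bug report above, as an added model in C that is not part of the original thread and is not Sun's or OpenSSH's code: `allocate_display` walks ports 6010 to 6999 through an injected `try_bind` hook (hypothetical, standing in for `socket()` and `bind()`), once treating every bind error as fatal for that display number and once skipping only address families the host has no loopback address for. Both hosts are constructed.

```c
#include <errno.h>
#include <stdio.h>
#include <sys/socket.h>

#define X11_BASE_PORT  6000
#define DISPLAY_OFFSET 10    /* first display tried: port 6010 */
#define MAX_DISPLAYS   1000  /* last port tried: 6999 */

/* Hypothetical hook standing in for socket() + bind() on the loopback
 * address of `family`; returns 0 on success or the errno of the failure. */
typedef int (*bind_fn)(int family, int port);

/* Returns the display number allocated, or -1 when the range is exhausted.
 * tolerant == 0: any bind() failure abandons the display number.
 * tolerant == 1: a family with no loopback address on this host is skipped;
 *                a port already in use still disqualifies the display. */
int allocate_display(bind_fn try_bind, int tolerant) {
    static const int families[] = { AF_INET6, AF_INET };
    for (int d = DISPLAY_OFFSET; d < MAX_DISPLAYS; d++) {
        int bound = 0, failed = 0;
        for (int i = 0; i < 2 && !failed; i++) {
            int err = try_bind(families[i], X11_BASE_PORT + d);
            if (err == 0)
                bound++;
            else if (!(tolerant && (err == EADDRNOTAVAIL || err == EAFNOSUPPORT)))
                failed = 1;  /* real code would also close sockets already bound */
        }
        if (!failed && bound > 0)
            return d;
    }
    return -1;
}

/* Constructed host: IPv4 loopback only, like the affected machines. */
int no_ipv6_loopback(int family, int port) {
    (void)port;
    return family == AF_INET6 ? EADDRNOTAVAIL : 0;
}

/* Constructed host: dual stack, 127.0.0.1:6010 already held by another process. */
int v4_port_6010_in_use(int family, int port) {
    return (family == AF_INET && port == 6010) ? EADDRINUSE : 0;
}

int main(void) {
    printf("strict, no ::1: %d\n", allocate_display(no_ipv6_loopback, 0));
    printf("tolerant, no ::1: %d\n", allocate_display(no_ipv6_loopback, 1));
    printf("tolerant, 6010 busy: %d\n", allocate_display(v4_port_6010_in_use, 1));
    return 0;
}
```

On the IPv4-only host the strict policy fails at `::1` for every port and never reaches the IPv4 bind, so the range is exhausted, which corresponds to the "Failed to allocate internet-domain X11 display socket" message. The tolerant policy allocates display 10 there, yet still moves on to display 11 when port 6010 is already in use on one family.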

Robert Lawhead

May 26, 2008, 2:53:35 PM

"-4" does for client what "AddressFamily inet" does for server, coercing
IPv4. Seems silly not to first try same (v4/v6) for X-forwarding as that
used for connection.

Frank Giessler

May 27, 2008, 4:51:22 AM

My version of ssh (Sun_SSH_1.1) does not have this keyword. S10 11/06.

delizi...@gmail.com

Jul 16, 2008, 4:20:13 AM

Well I tried both and:

if I do ssh -4vAX remotehost
I do not get the display
if on the remote host I touch hostname6.lo0 I get the remote display.
I wonder why the -4 works in some cases and not others?

Frank Fegert

Jul 16, 2008, 7:16:31 AM

If you have a support contract, open a case with Sun; there is an
IDR available which solves the issue.

Regards,

Frank

Chris Ridd

Jul 17, 2008, 1:31:01 AM

As the bug was introduced by patch 126133-03, consider just backing it
out. Obviously be aware that this patch fixes a security vulnerability
(CVE-2008-1483). 126133-04 also has the bug.

Cheers,

Chris

greg

Jul 17, 2008, 8:45:31 AM
Chris Ridd wrote:
> As the bug was introduced by patch 126133-03, consider just backing it
> out. Obviously be aware that this patch fixes a security vulnerability
> (CVE-2008-1483). 126133-04 also has the bug.

and 122300 on solaris 9 also has it. My preferred solution is to add:

X11UseLocalHost no

into /etc/ssh/sshd_config and restart sshd.

>
> Cheers,
>
> Chris
>


--
Greg Matthews 01491 692445
Head of UNIX/Linux, iTSS Wallingford

Rage Cosmos

Jul 18, 2008, 7:02:42 PM

"greg" <gm...@nerc.ac.uk> wrote in message
news:487f3eeb$1...@news.nerc-wallingford.ac.uk...

I was looking at this last night and today on my server at home. My server
has 126133-04 installed. I researched and found that you could remove
patches 126133-04 and 126133-03. I didn't try this. I instead chose to
modify "/lib/svc/method/sshd" and change the line "/usr/lib/ssh/sshd" to
"/usr/lib/ssh/sshd -4". I had to change "/etc/ssh/sshd_config" and comment
out "ListenAddress ::" and uncomment "ListenAddress 0.0.0.0" and execute
"svcadm disable ssh;svcadm enable ssh".


Thomas Nau

Jul 21, 2008, 3:15:00 AM
Rage Cosmos <mynews...@verizon.net> wrote:
> I was looking at this last night and today on my server at home. My server
> has 126133-04 installed. I researched and found that you could remove
> patches 126133-04 and 126133-03. I didn't try this. I instead chose to
> modify "/lib/svc/method/sshd" and change the line "/usr/lib/ssh/sshd" to
> "/usr/lib/ssh/sshd -4". I had to change "/etc/ssh/sshd_config" and comment
> out "ListenAddress ::" and uncomment "ListenAddress 0.0.0.0" and execute
> "svcadm disable ssh;svcadm enable ssh".

We did the same thing but had to find out that some patches
re-installed the original sshd startup method, so you may wanna
check after applying patches or patch-clusters.

Thomas

-----------------------------------------------------------------
GPG fingerprint: B1 EE D2 39 2C 82 26 DA A5 4D E0 50 35 75 9E ED

Martin Paul

Jul 23, 2008, 9:56:54 AM
Thomas Nau wrote:
> Rage Cosmos <mynews...@verizon.net> wrote:
>> I was looking at this last night and today on my server at home. My server
>> has 126133-04 installed. I researched and found that you could remove
>> patches 126133-04 and 126133-03. I didn't try this. I instead chose to
>> modify "/lib/svc/method/sshd" and change the line "/usr/lib/ssh/sshd" to
>> "/usr/lib/ssh/sshd -4".
>
> We did the same thing but had to find out that some patches
> re-installed the original sshd startup method, so you may wanna
> check after applying patches or patch-clusters.

.. or install patches with pca and its "--safe" option, which will check
for locally modified files before installing a patch.

mp.
--
SysAdmin | Institute of Scientific Computing, University of Vienna
PCA | Analyze, download and install patches for Solaris
| http://www.par.univie.ac.at/solaris/pca/
