error: Failed to allocate internet-domain X11 display socket.
I tracked this down to this code change between openssh 4.7p1 and
5.0p1:
*** openssh-4.7p1/channels.c Mon Jun 25 03:04:47 2007
--- openssh-5.0p1/channels.c Wed Apr 2 15:43:57 2008
***************
*** 1,4 ****
! /* $OpenBSD: channels.c,v 1.270 2007/06/25 08:20:03 dtucker Exp $ */
/*
* Author: Tatu Ylonen <y...@cs.hut.fi>
* Copyright (c) 1995 Tatu Ylonen <y...@cs.hut.fi>, Espoo, Finland
--- 1,4 ----
! /* $OpenBSD: channels.c,v 1.273 2008/04/02 21:36:51 markus Exp $ */
/*
* Author: Tatu Ylonen <y...@cs.hut.fi>
* Copyright (c) 1995 Tatu Ylonen <y...@cs.hut.fi>, Espoo, Finland
***************
*** 2905,2913 ****
debug2("bind port %d: %.100s", port, strerror(errno));
close(sock);
- if (ai->ai_next)
- continue;
-
for (n = 0; n < num_socks; n++) {
close(socks[n]);
}
--- 2906,2911 ----
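Review bot: in the bind() failure branch at 2905, once `if (ai->ai_next) continue;` is gone, a single failed bind() falls straight into the `for (n = 0; n < num_socks; n++)` loop and closes every socket opened so far, yet the only trace is the `debug2("bind port %d: %.100s", ...)` line, which does not say which address family failed. Consider logging the address family next to the port there, and adding a comment that the all-or-nothing behaviour is deliberate, so the check is not put back later as a portability fix.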
When those two lines are added back in, X11 forwarding is able to get
a port bound.
This is only the case on Solaris. On Linux, *BSD, IRIX systems the
current code works.
Thanks for looking into this.
Pieter
Weren't those two lines related to the fix between 4.9p1 and 5.0p1?
Revision 1.273, Wed Apr 2 21:36:51 2008 UTC (3 months, 1 week ago) by markus
Branch: MAIN
Changes since 1.272: +1 -4 lines
avoid possible hijacking of x11-forwarded connections (back out 1.183)
CVE-2008-1483; ok djm@
--
Revision 1.183, Tue Sep 17 07:47:02 2002 UTC (5 years, 10 months ago) by itojun
Branch: MAIN
CVS Tags: OPENBSD_3_2_BASE
Branch point for: OPENBSD_3_2
Changes since 1.182: +5 -1 lines
don't quit while creating X11 listening socket.
http://mail-index.netbsd.org/current-users/2002/09/16/0005.html
got from portable. markus ok
Removing it is the wrong solution... Not sure what the correct one is, but I
figured I'd post why it was removed.
- Ben
> Removing it is the wrong solution... Not sure what the correct one is, but I
> figured I'd post why it was removed.
Removing it is the right solution, the problem is that Sun returns
unusable return codes from getaddrinfo(3) when IPv6 is installed on the
machine but no interfaces have IPv6 addresses configured.
Workaround: put "AddressFamily inet" in sshd_config.
-d
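The strict binding that this reply defends, sketched as an added example (not OpenSSH's code and not from the thread): every address returned by getaddrinfo(3) must bind or none is kept, and passing AF_INET restricts the lookup the way "AddressFamily inet" does. The function name, MAX_SOCKS, port 46010 and the choice to skip a family whose socket() call fails are assumptions of this sketch.

```c
#include <netdb.h>
#include <netinet/in.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

#define MAX_SOCKS 8

/* Bind every wildcard address of `family` on `port`. Returns the number of sockets
 * left open in socks[], or -1 if any bind() fails (all sockets are closed first). */
int bind_all_or_nothing(int family, int port, int socks[MAX_SOCKS])
{
    struct addrinfo hints, *ai, *aitop;
    char strport[16];
    int n = 0, on = 1;

    memset(&hints, 0, sizeof(hints));
    hints.ai_family = family;      /* AF_UNSPEC, or AF_INET as with "AddressFamily inet" */
    hints.ai_flags = AI_PASSIVE;   /* wildcard addresses, as a listener wants */
    hints.ai_socktype = SOCK_STREAM;
    snprintf(strport, sizeof(strport), "%d", port);
    if (getaddrinfo(NULL, strport, &hints, &aitop) != 0)
        return -1;
    for (ai = aitop; ai != NULL && n < MAX_SOCKS; ai = ai->ai_next) {
        int sock = socket(ai->ai_family, ai->ai_socktype, ai->ai_protocol);
        if (sock < 0)
            continue;              /* assumption: family unsupported by the kernel, skip it */
        if (ai->ai_family == AF_INET6) /* keep the IPv6 socket from also claiming IPv4 */
            setsockopt(sock, IPPROTO_IPV6, IPV6_V6ONLY, &on, sizeof(on));
        if (bind(sock, ai->ai_addr, ai->ai_addrlen) < 0) {
            close(sock);
            while (n > 0)          /* strict: one failed address releases everything */
                close(socks[--n]);
            freeaddrinfo(aitop);
            return -1;
        }
        socks[n++] = sock;
    }
    freeaddrinfo(aitop);
    return n > 0 ? n : -1;
}

int main(void)
{
    int socks[MAX_SOCKS];
    int n = bind_all_or_nothing(AF_INET, 46010, socks); /* 46010: constructed port */
    printf("AF_INET: %d socket(s) bound\n", n);
    return n > 0 ? 0 : 1;          /* sockets are released when the process exits */
}
```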
On Thu, 17 Jul 2008, Damien Miller wrote:
> On Wed, 16 Jul 2008, Ben Lindstrom wrote:
>
> > Removing it is the wrong solution... Not sure what the correct one is, but I
> > figured I'd post why it was removed.
>
> Removing it is the right solution, the problem is that Sun returns
ugh, "not the right solution".
Thanks, that works for me (no IPV6 here, yet). Maybe a line or two in
README.platform would be a good idea.
Pieter
Bug ID: 6704823
Product: Solaris 9 Operating System, Solaris 10 Operating System
Date of Workaround Release: 20-Aug-2008
SA Document Body
A regression in the Secure Shell Daemon (sshd(1M)):
1. Impact
The Sun Secure Shell (SSH) patches listed in the "Contributing
Factors" section below break the Secure Shell X11 forwarding feature
on systems with only IPv4 interfaces configured.
2. Contributing Factors
This issue can occur in the following releases:
SPARC Platform
Solaris 9 with patch 114356-14 or later
Solaris 10 with patch 126133-03 or later
x86 Platform
Solaris 9 with patch 114357-13 or later
Solaris 10 with patch 126134-03 or later
Note 1: Solaris 8 is not impacted by this issue.
Note 2: Only OpenSolaris installations including the affected binary
"/usr/lib/ssh/sshd" are impacted by this issue.
Note 3: This issue only affects systems that have only IPv4 interfaces
configured.
To determine if a system has only IPv4 interfaces configured the
following command can be run:
    $ ifconfig lo0 inet6 || echo "System is affected"
    ifconfig: status: SIOCGLIFFLAGS: lo0: no such interface
    System is affected

3. Symptoms
If the described issue occurs, an error message similar to the
following will be seen on the console and in the syslog of the system
being logged into with ssh(1):
    Aug 20 11:01:53 solaris sshd[1853]: [ID 800047 auth.error]
        error: Failed to allocate internet-domain X11 display socket.

Once logged in, the $DISPLAY variable will not be set and X11 programs
will not display on the client system:

    $ ssh -X solarishost
    $ /usr/openwin/bin/xclock
    Error: Can't open display:
    $ echo $DISPLAY

4. Workaround
To work around this issue, the following command can be executed as
root user:
    # ifconfig lo0 inet6 plumb up

Users who are already connected to the host must re-login to use X11
forwarding.
Binary Relief is available via normal support channels.
Note: Removal of the affected patches is not recommended as a
workaround as they resolve a security issue, bug 6684003, as described
in Sun Alert 237444.
5. Resolution
A final resolution is pending completion.
Copyright 2000-2008 Sun Microsystems, Inc., 4150 Network Circle, Santa
Clara, CA 95054 U.S.A. All rights reserved.
Modification History
21-Aug-2008: Updated Product field and Contributing Factors section
To fix:
Change ListenAddress to 0.0.0.0 in /etc/ssh/sshd_config for IPV4 only
For Solaris 10 edit the file
# vi /lib/svc/method/sshd
and start "sshd" with the -4 option.