On 03/31/2017 04:34 AM, L. A. Walsh wrote:
> Jakub Jelen wrote:
>> Hello all,
>> one more (ever-returning) bug [1] reported recently caught my eye. The
>> problem is that disabling IPv6 in the kernel leads to OpenSSH failing to
>> bind the localhost IPv6 address and, after the fix for CVE-2008-1483 [2],
>> leads to the whole X11 forwarding failing.
> ---
> I can see the user-friendliness issue being possibly a
> good thing, but have some questions that might
> support current behavior (as you describe):
> 1) Why would openssh be configured to try IPv6 on a system
> where it doesn't exist? Or -- wouldn't it be an error to
> try to configure a transport that doesn't exist on that system?
> (why not just fix the global defaults?)

Probably because enabling both stacks is the default configuration of
all standard OSes these days.

> 3) I'm not sure that expecting an application (like openssh
> or others), upon failing some random proto's open, should
> fall back to IPv4. Should IPv4 always be expected to be "the"
> fallback if any other proto fails?

It is not about a random proto and fallback to IPv4. It is more about
handling a common use case in a fail-proof way. The proposed solution
would also work the other way round, in case IPv4 is not enabled/configured.

> Maybe I'm wondering how a non-existent protocol should be
> dealt with and whether or not any such non-existent proto should
> fall back to "something" and if that something should be ipv4?

This is pretty common practice in all the other cases (connecting from
the ssh client is handled correctly) and in all the other tools (browsers,
...) so I don't see a reason why it should not be handled in the X11
forwarding initialization code.

Regards,
--
Jakub Jelen
Software Engineer
Security Technologies
Red Hat
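
The behaviour argued for in the message above, as an added sketch in C (not OpenSSH's code and not the proposed patch): a loopback address family that is unavailable is skipped, while any other bind failure still rejects the display number, so a port already held by another process is never used. The names `classify_bind_errno` and `bind_display_port`, and the choice of `EAFNOSUPPORT`/`EADDRNOTAVAIL` as the "stack not available" signals, are assumptions of this example.

```c
#define _POSIX_C_SOURCE 200112L
#include <errno.h>
#include <netdb.h>
#include <stdio.h>
#include <sys/socket.h>
#include <unistd.h>

enum verdict { BIND_OK, SKIP_FAMILY, REJECT_DISPLAY };

/* Added example (not OpenSSH code): map a socket()/bind() errno to a decision.
 * Assumption: a disabled stack surfaces as EAFNOSUPPORT or EADDRNOTAVAIL. */
enum verdict classify_bind_errno(int err)
{
    switch (err) {
    case 0:             return BIND_OK;
    case EAFNOSUPPORT:  /* socket(): address family unavailable */
    case EADDRNOTAVAIL: return SKIP_FAMILY;   /* bind(): no such local address */
    default:            return REJECT_DISPLAY; /* EADDRINUSE, EACCES, ... */
    }
}

/* Bind every available loopback address for `port` (hypothetical helper).
 * Returns the number of sockets bound; 0 means "do not use this display". */
int bind_display_port(int port, int *socks, int max)
{
    struct addrinfo hints = {0}, *res, *ai;
    char serv[16];
    int n = 0, s, err;
    enum verdict v;

    hints.ai_family = AF_UNSPEC;
    hints.ai_socktype = SOCK_STREAM;
    snprintf(serv, sizeof(serv), "%d", port);
    if (getaddrinfo(NULL, serv, &hints, &res) != 0) return 0; /* NULL node: loopback */
    for (ai = res; ai != NULL && n < max; ai = ai->ai_next) {
        err = 0;
        s = socket(ai->ai_family, ai->ai_socktype, ai->ai_protocol);
        if (s < 0 || bind(s, ai->ai_addr, ai->ai_addrlen) < 0)
            err = errno;               /* saved before close() can change it */
        v = classify_bind_errno(err);
        if (v == BIND_OK) { socks[n++] = s; continue; }
        if (s >= 0) close(s);
        if (v == REJECT_DISPLAY) {     /* conflict: all or nothing */
            while (n > 0) close(socks[--n]);
            break;
        }
    }
    freeaddrinfo(res);
    return n;
}
```

A caller would walk candidate display numbers and take the first one for which `bind_display_port` returns a non-zero count.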