Re: [debian@onerussian.com: /usr/sbin/sshd: wrong DISPLAY is due to hijacking someone other's one...]

[Ben Hutchings <ben@decadent.org.uk>]

On Mon, 2007-03-05 at 11:25 -0500, Yaroslav Halchenko wrote:
> Now that I am aware about openssh bsd vs openssh portable ( ;-) ), I looked at
> the CVS of portable SSH

Sorry, the OpenBSD version was the only version web-browseable and I
forgot to refer to the portable version before citing a commit.

>  (following [1]) to see what/when it really happened -
> so it wasn't a BSD specific patch, it was only adopted by bsd team in 2002 but
> was in portable ssh since  1.2.2p1 (Mar 2000). I am not sure on either I
> should ask for help from openssh-unix-dev@mindrot.org or let openssh maintainer
> to resolve the issue in the best way.
> 
> ,-----
> | revision 1.17
> | date: 2000/03/03 11:35:33;  author: damien;  state: Exp;  lines: +9 -1
> |  - Don't permanently fail on bind() if getaddrinfo has more choices left for
> |  us. Needed to work around messy IPv6 on Linux. Patch from Arkadiusz
> |  Miskiewicz <misiek@pld.org.pl>
> `---
> 
> So it IPv6 still messy?

As Russ pointed out this probably refers to the behaviour of binding
AF_INET6 sockets to both IPv6 and IPv4 ports by default.  This was later
dealt with properly:

revision 1.145
date: 2002/06/04 20:52:19;  author: stevesk;  state: Exp;  lines: +13 -1
 - (stevesk) [channels.c] bug #164 patch from YOSHIFUJI Hideaki (changed
   setsockopt from debug to error for now).

diff -u -r1.144 -r1.145
--- channels.c  23 Apr 2002 11:09:46 -0000      1.144
+++ channels.c  4 Jun 2002 20:52:19 -0000       1.145
@@ -2374,6 +2374,13 @@
                                        continue;
                                }
                        }
+#ifdef IPV6_V6ONLY
+                       if (ai->ai_family == AF_INET6) {
+                               int on = 1;
+                               if (setsockopt(sock, IPPROTO_IPV6, IPV6_V6ONLY, &on, sizeof(on)) < 0)
+                                       error("setsockopt IPV6_V6ONLY: %.100s", strerror(errno));
+                       }
+#endif
                        if (bind(sock, ai->ai_addr, ai->ai_addrlen) < 0) {
                                debug("bind port %d: %.100s", port, strerror(errno));
                                close(sock);
@@ -2392,7 +2399,12 @@
                        if (num_socks == NUM_SOCKS)
                                break;
 #else
-                       break;
+                       if (x11_use_localhost) {
+                               if (num_socks == NUM_SOCKS)
+                                       break;
+                       } else {
+                               break;
+                       }
 #endif
                }
                freeaddrinfo(aitop);
-- END --

> if not, then probably this patch indeed could be safely
> deapplied I guess ;-)

It might be better to do:

--- channels.c~	2007-03-04 21:01:58.000000000 +0000
+++ channels.c	2007-03-06 01:34:03.000000000 +0000
@@ -2807,8 +2807,10 @@
 				debug2("bind port %d: %.100s", port, strerror(errno));
 				close(sock);
 
+#ifndef IPV6_V6ONLY
 				if (ai->ai_next)
 					continue;
+#endif
 
 				for (n = 0; n < num_socks; n++) {
 					close(socks[n]);
-- END --

I expect this would be acceptable to upstream too.

Ben.

-- 
Ben Hutchings
The most exhausting thing in life is being insincere. - Anne Morrow Lindberg

Attachment: signature.asc
Description: This is a digitally signed message part