Mailinglist Archive: opensuse-security (520 mails)

< Previous Next >
Re: [suse-security] Updated openssh loads ipv6?
  • From: Roman Drahtmueller <draht@xxxxxxx>
  • Date: Fri, 8 Dec 2000 02:18:41 +0100 (MET)
  • Message-id: <Pine.LNX.4.30.0012080213100.12433-100000@xxxxxxxxxxxx>
Hello Frank,

> Hi,
>
> after installing the new openssh package, the ipv6 module is suddenly
> loaded. And from time to time I find those warnings:
>
> Dec 6 11:47:06 listrac sshd[3195]: Accepted rsa for ROOT from 134.245.252.95 port 913
> Dec 6 11:47:06 listrac kernel: IPv6 v0.8 for NET4.0
> Dec 6 11:47:06 listrac kernel: IPv6 over IPv4 tunneling driver
> Dec 6 11:47:06 listrac sshd[3205]: Accepted rsa for ROOT from 134.245.252.95 port 702
> Dec 6 11:47:26 listrac kernel: eth0: no IPv6 routers present
> Dec 6 11:47:27 listrac kernel: eth0: no IPv6 routers present
>
> I'm using the latest 2.2.16 kernel from 7.0 on a SuSE 6.4 system
> and never explicitely changed any settings to activate ipv6.
>
> Should openssh load the ipv6? What's it needed for in this context?
> And why do I get the error messages about the non-existent routers?
>
> Sorry if this is maybe not a security issue, but as it seems to
> be caused by the new openssh, I first ask here :-)
>
> Best regards,
> Frank

That openssh package keeps bugging us (need a rebuild again). I've waisted
some minutes yesterday to see the reason why that thing nukes the
connection very soon after establishment. It turned out to be a problem
with binding to the ipv6 socket. In other words, openssh claims to be able
to do ipv6, but there are many problems with that (the kernel code is
subject to heavy changes from 2.2 -> 2.4).

Workaround:

See /etc/ssh/sshd_config and look at the lines
#ListenAddress 0.0.0.0
#ListenAddress ::

Uncomment the first one but leave the second commented out, and it works.

Unfortunately, you can't unload the ipv6 kernel module any more once it's
loaded. Workaround for this:

$ grep net-pf-10 /etc/modules.conf
#alias net-pf-10 ipv6
alias net-pf-10 off
$

Thanks,
Roman.
--
- -
| Roman Drahtm├╝ller <draht@xxxxxxx> // "Caution: Cape does |
SuSE GmbH - Security Phone: // not enable user to fly."
| N├╝rnberg, Germany +49-911-740530 // (Batman Costume warning label) |
- -


< Previous Next >
References