Network Security Secure-Shell
SUMMARY: All ports in use, but I don't think they are

Subject: SUMMARY: All ports in use, but I don't think they are
Date: Wed, 14 Dec 2005 13:57:27 -0600 (CST)

I am cc-ing this summary to the secureshell@securityfocus.com mailing
list, since I posed the question and got several suggestions from there
as well.

I asked

I have several identically configured Solaris 9 servers running
OpenSSH 4.2p1.  Some let me do X forwarding, some do not.  All have the
    ForwardX11 yes
in the ssh_config file and
    X11Forwarding yes
    X11UseLocalhost no
in the sshd_config file.  I have restarted ssh several times, so I am
comfortable that the config files are being read.

On servers that work, I ssh to them, start an X application like xclock,
and it appears on my screen.  On servers that do not work, when I try to
run an X application I am told
    Error: Can't open display:
The .Xauthority in my homedir is *not* updated, btw.

After many rounds of testing to try and figure out the problem, which
involved running the daemon with three levels of debug (-ddd) I found
the underlying problem:

    debug2: bind port 6260: Address already in use

repeated 999 times, for the 999 ports from 6000 to 6999.  Then the msg
    Failed to allocate internet-domain X11 display socket.
    debug1: x11_create_display_inet failed.

and I am ssh-ed in, but I do not have X.

netstat, ps, and ndd /dev/tcp tcp_status show that the server is busy, but
not THAT busy.  There are about 200 ssh connections to the box, which
is nowhere near the 999 ports for X forwarding.  I believe the port idle
timeout on Solaris 9 boxes is 4 minutes, but I see no ports in TIME_WAIT
anyway.

Has anyone seen this before?  Do I need to somehow clean out connections to
the X ports?  Is there a limit of some sort on this box that I am bumping
against that I need to raise?  (ndd is powerful, but easy to misuse...)

Thanks, and I will summarize.

The solution

It's a bug in the interaction between Solaris and SSH over the
implementation of IPv6 network addresses.  I don't fully understand why
this is the case, but by starting the daemon with the -4 flag (only use
IPv4 addresses) X is forwarded just fine.

My thanks to the many folks on both the sunmanagers and secureshell lists
who suggested things to try.  I used lsof and, although ssh was reporting that
all 999 X ports were in use, they actually were not.  The sunsolve document
    http://sunsolve.sun.com/searchproxy/document.do?assetkey=1-26-101834-1
points to some patches, but they were not the issue.  Thanks to Crist Clark, who
pointed me to the IPv6 vs IPv4 bug.

+-----------------------------------------------------------------------+
| Christopher L. Barnard         O     When I was a boy I was told that |
| cbarnard@tsg.cbot.com         / \    anybody could become president.  |
| (312) 347-4901               O---O   Now I'm beginning to believe it. |
| http://www.cs.uchicago.edu/~cbarnard                --Clarence Darrow |
+----------PGP public key available via finger or PGP keyserver---------+
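Editor's note, added to this archive page and not part of Christopher Barnard's post: the debug output above comes from sshd's x11_create_display_inet(), which walks displays :0 to :999 (TCP 6000 to 6999) and, for each one, binds and listens on a wildcard socket per address family it is allowed to use; if any single bind fails, the whole display is abandoned and the next one is tried. The post does not say why every bind failed. The mechanism that produces exactly this symptom on dual-stack hosts, offered here as the editor's explanation rather than something the post confirms, is that an AF_INET6 socket bound to [::] without IPV6_V6ONLY also claims the IPv4 side of the port, so the AF_INET bind to 0.0.0.0 that follows it fails with EADDRINUSE on every display. Running sshd with -4 restricts the loop to AF_INET, which is why the workaround works. The Python below reimplements the allocation loop so the behaviour can be observed on any host; it is not OpenSSH code, and the `families` and `v6only` parameters are this example's own.

```python
"""Reimplementation of sshd's X11 display allocation loop (editor's example,
not OpenSSH code).  Mirrors x11_create_display_inet():

  for display in 0..999:
      for each allowed address family:
          socket(); SO_REUSEADDR; [IPV6_V6ONLY]; bind(wildcard, 6000+display); listen()
          on bind failure: close everything for this display, try the next one

Assumption (editor's explanation, not stated in the post): on a dual-stack
host, a [::] listener without IPV6_V6ONLY owns the IPv4 port too, so the
following 0.0.0.0 bind fails with EADDRINUSE and every display looks busy.
families=(AF_INET,) is the equivalent of starting sshd with -4.
"""
import errno
import socket

X11_BASE_PORT = 6000
MAX_DISPLAYS = 1000          # sshd's MAX_DISPLAYS: ports 6000..6999

# errno values for which sshd skips an address family instead of failing
_SKIP_FAMILY = (errno.EINVAL, errno.EAFNOSUPPORT, errno.EPFNOSUPPORT)


def allocate_display(families=(socket.AF_INET6, socket.AF_INET), v6only=True,
                     start=0, max_displays=MAX_DISPLAYS):
    """Return (display_number, [listening sockets], log) or (None, [], log).

    families -- address families to bind; sshd's default is both,
                `sshd -4` corresponds to (socket.AF_INET,)
    v6only   -- set IPV6_V6ONLY on the AF_INET6 listener so it does not
                also claim the IPv4 port
    log      -- debug lines in the style of sshd's -ddd output
    """
    log = []
    for display in range(start, max_displays):
        port = X11_BASE_PORT + display
        socks = []
        for family in families:
            try:
                s = socket.socket(family, socket.SOCK_STREAM)
            except OSError as e:
                if e.errno in _SKIP_FAMILY:
                    log.append(f"debug1: socket family {family} not supported")
                    continue
                raise
            s.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
            if (family == socket.AF_INET6 and v6only
                    and hasattr(socket, "IPV6_V6ONLY")):
                s.setsockopt(socket.IPPROTO_IPV6, socket.IPV6_V6ONLY, 1)
            host = "::" if family == socket.AF_INET6 else "0.0.0.0"
            try:
                s.bind((host, port))
                s.listen(5)
            except OSError as e:
                # exactly the line seen 999 times in the post's debug output
                log.append(f"debug2: bind port {port}: {e.strerror}")
                s.close()
                for other in socks:
                    other.close()
                socks = []
                break                      # give up on this display number
            socks.append(s)
        if socks:
            return display, socks, log
    log.append("Failed to allocate internet-domain X11 display socket.")
    return None, [], log


def close_all(socks):
    for s in socks:
        s.close()


if __name__ == "__main__":
    # Default sshd behaviour on a dual-stack host without IPV6_V6ONLY.
    d, socks, log = allocate_display(v6only=False, max_displays=20)
    print("dual-stack, no V6ONLY :", d, "\n  ".join([""] + log[-3:]))
    close_all(socks)
    # The workaround from the post: sshd -4 (IPv4 only).
    d, socks, log = allocate_display(families=(socket.AF_INET,), max_displays=20)
    print("IPv4 only (sshd -4)   :", d)
    close_all(socks)
```

On a Linux host with the default net.ipv6.bindv6only=0 the first run reports None after logging "bind port 60xx: Address already in use" for every display, while the IPv4-only run succeeds on the first free display. Whether the Solaris 9 / OpenSSH 4.2p1 combination in the post failed for precisely this reason is not established by the post itself, but the debug output it quotes is what this loop produces under that condition.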