GNOME Bugzilla – Bug 596190
Misleading message about reachability from public network
Last modified: 2019-09-29 18:18:53 UTC
Vino displays "Your desktop is only reachable over the local network." after performing a connectivity test. It appears the connectivity test doesn't try with IPv6, resulting in a misleading message. This may lead to someone thinking their installation is secure, when in fact it is open to IPv6 traffic. This could be considered a security issue.
Ubuntu bug report:
I can confirm this bug report. I have IPv6 functionality (both a site local and a global IPv6 address). In my case it tells me that vino can only be connected to from 172.16.0.35 or fennel.local, when in fact, it is also reachable by the following slightly redacted IPv6 numbers (the host portion is removed):
inet6 addr: fdf3:950f:4983:0:XXXX:XXXX:XXXX:XXXX/64 Scope:Global
inet6 addr: 2001:470:1f11:3f:XXXX:XXXX:XXXX:XXXX/64 Scope:Global
The system is in DNS but I see no need to actually publish its name since it is nonrelevant to the bug report save for the fact that it exists and properly resolves to the global address (the 2001:470:1f11:3f address, that is).
Note that the first address is roughly equivalent to 10/8, 172.16/12, and 192.168/16 in IPv4. These addresses are generated in response to RAs being sent on the network as part of stateless autoconfiguration, so the host is aware of its status being on the IPv6 network. Furthermore, the system is actually on the IPv6 Internet and can reach e.g., Google's IPv6 site at ipv6.google.com.
It doesn't need IPv6. It doesn't work right for Legacy IP either.
For example, my workstation has the public Legacy IP address 220.127.116.11, as well as a couple of bridges for virt-manager. Sometimes it picks the private IP address on a virt-manager bridge and tells me:
"Your desktop is only reachable over the local network. Others can access your
computer using the address 172.31.0.1 or i7.local."
Other times it *does* pick the right interface and tell me that the machine is globally reachable, but it screws up the reverse DNS lookup:
"Others can access your computer using the address 18.104.22.168 or i7.local."
Seriously, if you want to pick just one interface to check on global routing, then make a UDP socket and connect() to www.google.com or something, then use getsockname() to work out which local interface is used for that public-facing connection. And don't forget to do it with IPv6 as well as Legacy IP. And get the reverse DNS right (and check that forward DNS matches the reverse, of course).
Adding 'security' keyword, since telling people that their VNC server is only reachable from the local network when that's not true is really quite a naughty thing to do. If it can't be fixed in short order, this 'feature' should be disabled completely.
*** Bug 604053 has been marked as a duplicate of this bug. ***
Vino 2.99.4 removes the network reachability message from the UI. I will add it back when a fix is available. This is highly unlikely before 3.0 is released, so expect the fix for 3.2, and a backport to 3.0 (and older).
So what's the status here?
Is this bug report OBSOLETE because the message is gone?
No reply; let's assume so.