Lewis E. Randerson wrote:
> Darren,
>
> Those tests have been made and have come up negative.
>
>> Does "thathost.pppl.gov" resolve to the correct IP address?
>
> Yes. Thishost was only a name for e-mail purposes. Its
> real name and the reverse lookup resolve correctly.
I was more interested in the *forward* resolution in this case.
>> Are there any iptables rules that would apply to that connection?
>
> No. This problem also occurs when iptables are turned off.
>
>> If you try to connect to the port with telnet (ie "telnet
>> thathost.pppl.gov 6013" in this example) what error does it give?
>
> (This time 6011 is the relevant port number)
>
> telnet <hostname> 6011
> Trying <ipaddress>...
> telnet: connect to address <ipaddress>: Connection refused
> telnet: Unable to connect to remote host: Connection refused
>
> Note: telnet <hostname> 22 works.
>
> So I am heading towards the thought: X forwarding with X11UseLocalhost
> has been turned off either by Openssh or by Red Hat. Whether a
> feature or a bug I am unsure, there are warnings in the man page
> about this being a potential security issue.
It's not by OpenSSH. The warning is just that; if you choose to turn
it off then presumably you have a good reason.
I would guess that you have IPv6 enabled, and that sshd is binding to
either ipv6 only and your X clients are connecting to the ipv4 address,
or vice versa. You can check this by running "netstat -an", looking for
the 60xx port and seeing if it's INET or INET6.
OpenSSH has a DONT_TRY_OTHER_AF hack (which is enabled on Linux) which
causes it to listen only on the first AF returned by getaddrinfo. I don't
know the history of this but it's possible that it's a workaround for
something that's not present in modern versions.
--
Darren Tucker (dtucker at zip.com.au)
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69
Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.
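A small diagnostic for the check Darren suggests (look at "netstat -an" for the 60xx port and see whether it is bound as INET or INET6), added here as an example and not part of the thread. The netstat output below is constructed, and the function names are my own.

```python
import socket

# Constructed sample of "netstat -an" on a Linux host where sshd set up X11
# forwarding for DISPLAY :11 (port 6011) and bound only the IPv4 loopback.
SAMPLE_NETSTAT = """\
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:6011          0.0.0.0:*               LISTEN
tcp6       0      0 :::22                   :::*                    LISTEN
"""

X11_BASE_PORT = 6000  # DISPLAY :n is TCP port 6000 + n


def x11_listen_families(netstat_output: str, display: int) -> set:
    """Return the address families ('inet', 'inet6') on which the X11
    forwarding port for the given display is in LISTEN state."""
    port = str(X11_BASE_PORT + display)
    families = set()
    for line in netstat_output.splitlines():
        fields = line.split()
        if len(fields) < 6 or fields[-1] != "LISTEN":
            continue
        proto, local = fields[0], fields[3]
        # Local address is "addr:port"; the port follows the last colon
        # for both "127.0.0.1:6011" and ":::6011".
        if local.rsplit(":", 1)[-1] != port:
            continue
        families.add("inet6" if proto == "tcp6" else "inet")
    return families


def diagnose(netstat_output: str, display: int) -> str:
    """Read the result in terms of the IPv4/IPv6 mismatch suspected above."""
    fams = x11_listen_families(netstat_output, display)
    if not fams:
        return "nothing listening on port %d" % (X11_BASE_PORT + display)
    if fams == {"inet", "inet6"}:
        return "listening on both families"
    return ("listening on %s only; clients using the other family "
            "will get Connection refused" % next(iter(fams)))


def probe_loopback(display: int, timeout: float = 1.0) -> dict:
    """Live check: try the port over 127.0.0.1 and ::1 and report each result."""
    port = X11_BASE_PORT + display
    results = {}
    for addr in ("127.0.0.1", "::1"):
        try:
            with socket.create_connection((addr, port), timeout=timeout):
                results[addr] = "connected"
        except OSError as e:
            results[addr] = "failed: %s" % e
    return results
```

Run `diagnose(open_netstat_output, 11)` against real `netstat -an` output, or `probe_loopback(11)` on the host itself, to confirm which loopback address the forwarded display actually answers on.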