Darren,

Ssh is listening to IPv6 only. Here is the result of the "netstat -an" test.

"tcp 0 0 :::6011 :::* LISTEN".

I'll have to fix that. Or else back out of "X11UseLocalhost no".

Thanks for the analysis.

--Lew

-----Original Message-----
From: Darren Tucker [mailto:[EMAIL PROTECTED]
Sent: Tuesday, April 03, 2007 7:53 AM
To: Lewis E. Randerson
Cc: [email protected]
Subject: Re: Adding "X11UseLocalhost no" to /etc/ssh/sshd_config breaks x forwarding

Lewis E. Randerson wrote:
> Darren,
>
> Those tests have been made and have come up negative.
>
>> Does "thathost.pppl.gov" resolve to the correct IP address?
>
> Yes. Thishost was only a name for e-mail purposes. Its
> real name and the reverse lookup resolve correctly.

I was more interested in the *forward* resolution in this case.

>> Are there any iptables rules that would apply to that connection?
>
> No. This problem also occurs when iptables are turned off.
>
>> If you try to connect to the port with telnet (ie "telnet
>> thathost.pppl.gov 6013" in this example) what error does it give?
>
> (This time 6011 is the relevant port number)
>
> telnet <hostname> 6011
> Trying <ipaddress>...
> telnet: connect to address <ipaddress>: Connection refused
> telnet: Unable to connect to remote host: Connection refused
>
> Note: telnet <hostname> 22 works.
>
> So I am heading towards the thought: X forwarding with X11UseLocalhost
> has been turned off either by OpenSSH or by Red Hat. Whether a
> feature or a bug I am unsure, there are warnings in the man page
> about this being a potential security issue.

It's not by OpenSSH. The warning is just that; if you choose to turn it
off then presumably you have a good reason.

I would guess that you have IPv6 enabled, and that sshd is binding to
either ipv6 only and your X clients are connecting to the ipv4 address, or
vice versa. You can check this by running "netstat -an", looking for the
60xx port and seeing if it's INET or INET6.

OpenSSH has a DONT_TRY_OTHER_AF hack (which is enabled on Linux) which
causes it to listen only on the first AF returned by getaddrinfo.
I don't know the history of this but it's possible that it's a workaround
for something that's not present in modern versions.

-- 
Darren Tucker (dtucker at zip.com.au)
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69
    Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.
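The "netstat -an" check Darren describes, automated as an added example (not code from the thread or from OpenSSH): it parses LISTEN lines, picks out the X11 forwarding ports (display 10 and up, i.e. TCP 6010+), and reports which address family each one is bound to and whether it is on localhost or all interfaces. The netstat sample is constructed; the ":::6011" line mirrors what Lew reported.

```python
# Constructed "netstat -an" sample (not real output from the thread's hosts).
SAMPLE_NETSTAT = """\
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 :::22                   :::*                    LISTEN
tcp        0      0 :::6011                 :::*                    LISTEN
tcp        0      0 127.0.0.1:6012          0.0.0.0:*               LISTEN
"""

X11_BASE = 6000                       # X display N listens on TCP 6000+N
LOOPBACK = {"127.0.0.1", "::1"}       # what X11UseLocalhost=yes binds to


def parse_listeners(text):
    """Yield (family, host, port) for every TCP LISTEN line in netstat -an output."""
    for line in text.splitlines():
        fields = line.split()
        # Linux prints "tcp" or "tcp6"; skip the header and non-listening sockets.
        if len(fields) < 6 or not fields[0].startswith("tcp") or fields[5] != "LISTEN":
            continue
        host, _, port = fields[3].rpartition(":")   # "::" + "6011", "127.0.0.1" + "6012"
        family = "inet6" if ":" in host else "inet"
        yield family, host, int(port)


def x11_forward_ports(text, first_display=10, last_display=63):
    """Map each forwarded-X11 port to {family: bound_address}.

    sshd's X11DisplayOffset defaults to 10, so forwarded displays start at 6010;
    63 is an assumed upper bound for the scan, not an sshd limit.
    """
    by_port = {}
    for family, host, port in parse_listeners(text):
        if first_display <= port - X11_BASE <= last_display:
            by_port.setdefault(port, {})[family] = host
    return by_port


def audit_x11_listeners(text):
    """Return {port: (families_bound, scope)}.

    A port bound on all interfaces but only one family is the symptom in the
    thread: clients using the other family get "Connection refused".
    """
    report = {}
    for port, hosts in x11_forward_ports(text).items():
        families = tuple(sorted(hosts))
        scope = "localhost" if all(h in LOOPBACK for h in hosts.values()) else "all-interfaces"
        report[port] = (families, scope)
    return report


def single_family_ports(text):
    """Forwarded-X11 ports reachable over only one address family."""
    return sorted(p for p, (fams, _) in audit_x11_listeners(text).items() if len(fams) == 1)
```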
