Darren,

> Out of curiosity, why do you need X11UseLocalhost=no anyway?

We are using PBS Pro, a job queueing mechanism for our clusters. Interactive access to a cluster machine is not via ssh but by "qsub -I -V -X" (or something like that), where qsub is the submittal process, -I is interactive, -V is pass all environmental variables, and -X is X forwarding. The user is then put on a cluster machine which then accesses the DISPLAY passed by the -V option. Needless to say this breaks when DISPLAY is "localhost:60??" which is what DISPLAY looks like if "X11UseLocalhost no" is not used.

We like to be secure so to resolve this, I plan to push PBS Pro.

--Lew

-----Original Message-----
From: Darren Tucker [mailto:[EMAIL PROTECTED]
Sent: Tuesday, April 03, 2007 8:50 AM
To: Lewis E. Randerson
Cc: [email protected]
Subject: Re: Adding "X11UseLocalhost no" to /etc/ssh/sshd_config breaks x forwarding

On Tue, Apr 03, 2007 at 08:38:36AM -0400, Lewis E. Randerson wrote:
> Darren,
>
> Ssh is listening to IPv6 only. Here is the result of
> the "netstat -an" test. "tcp 0 0 :::6011 :::* LISTEN".
>
> I'll have to fix that. Or else back out of "X11UseLocalhost no".

Out of curiosity, why do you need X11UseLocalhost=no anyway?

As to the fix, if you have access to config.h during the build you can just delete or comment out the "#define DONT_TRY_OTHER_AF" line. If you don't (easily, e.g. if you're building an RPM) then you can try the patch below.

BTW the origin of the DONT_TRY_OTHER_AF hack was a bit over 7 years ago:

configure.in revision 1.94:
date: 2000/03/11 09:45:41; author: damien; state: Exp; lines: +22 -0
- IPv6 workarounds from Hideaki YOSHIFUJI

Index: channels.c =================================================================== RCS file: /usr/local/src/security/openssh/cvs/openssh/channels.c,v retrieving revision 1.251 diff -u -p -r1.251 channels.c --- channels.c 28 Jan 2007 23:16:28 -0000 1.251 +++ channels.c 3 Apr 2007 12:45:47 -0000 
@@ -2914,17 +2914,8 @@ x11_create_display_inet(int x11_display_ break; } socks[num_socks++] = sock; -#ifndef DONT_TRY_OTHER_AF if (num_socks == NUM_SOCKS) break; -#else - if (x11_use_localhost) { - if (num_socks == NUM_SOCKS) - break; - } else { - break; - } -#endif } freeaddrinfo(aitop); if (num_socks > 0) -- Darren Tucker (dtucker at zip.com.au) GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69 Good judgement comes with experience. Unfortunately, the experience usually comes from bad judgement.
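
Review bot: in x11_create_display_inet(), deleting the whole `#ifndef DONT_TRY_OTHER_AF` / `#else` block drops the single-address-family path for every build rather than only for the setup that reported the IPv6-only listener, and nothing in this hunk retires the DONT_TRY_OTHER_AF define itself. The message describes that define as an IPv6 workaround, so the patch should either state why the workaround is no longer needed on the platforms that set it or remove the configure test in the same change. A comment at the `if (num_socks == NUM_SOCKS)` line would also help: with x11_use_localhost off, the loop now keeps a listening socket for each address the resolver returns, up to NUM_SOCKS, so the forwarded display listens on more than one address family and any filtering of the X11 port range has to cover each of them.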
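
The "netstat -an" check from the quoted exchange, as an added example that is not part of the original messages: it parses netstat text and reports X11-forwarding listeners (TCP port 6000 + display number) that appear on IPv6 only or on a non-loopback address. The sample output is constructed, and the display range 10-99 is an assumption based on sshd's default X11DisplayOffset of 10.

```python
X11_BASE = 6000                      # X display N listens on TCP port 6000 + N
LOOPBACK = {"127.0.0.1", "::1"}

# Constructed sample of `netstat -an` output (Linux net-tools layout).
SAMPLE = """\
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:6010          0.0.0.0:*               LISTEN
tcp        0      0 :::6011                 :::*                    LISTEN
tcp        0      0 :::22                   :::*                    LISTEN
"""


def x11_listeners(netstat_text, first=10, last=99):
    """Map display number -> set of (family, scope) for TCP LISTEN sockets."""
    found = {}
    for line in netstat_text.splitlines():
        cols = line.split()
        if len(cols) < 6 or not cols[0].startswith("tcp") or cols[-1] != "LISTEN":
            continue
        # Local address is "addr:port"; IPv6 wildcard shows as ":::6011".
        addr, _, port = cols[3].rpartition(":")
        if not port.isdigit():
            continue
        display = int(port) - X11_BASE
        if not first <= display <= last:
            continue
        family = "ipv6" if ":" in addr or cols[0] == "tcp6" else "ipv4"
        scope = "loopback" if addr in LOOPBACK else "network"
        found.setdefault(display, set()).add((family, scope))
    return found


def findings(netstat_text):
    """Return (display, issue) pairs worth a second look."""
    out = []
    for display, socks in sorted(x11_listeners(netstat_text).items()):
        if {family for family, _ in socks} == {"ipv6"}:
            out.append((display, "ipv6-only"))          # the symptom in this thread
        if any(scope == "network" for _, scope in socks):
            out.append((display, "network-reachable"))  # not bound to loopback
    return out


if __name__ == "__main__":
    for display, issue in findings(SAMPLE):
        print(f"display :{display} (port {X11_BASE + display}): {issue}")
```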
