Re: Adding "X11UseLocalhost no" to /etc/ssh/sshd_config breaks x forwarding



Lewis E. Randerson wrote:
Darren,

Those tests have been made and have come up negative.

Does "thathost.pppl.gov" resolve to the correct IP address?

Yes. Thishost was only a name for e-mail purposes. It's
real name and the reverse lookup resolve correctly.

I was more interested in the *forward* resolution in this case.

Are there any iptables rules that would apply to that connection?

No. This problem also occurs when iptables are turned off.

If you try to connect to the port with telnet (ie "telnet
thathost.pppl.gov 6013" in this example) what error does it give?

(This time 6011 is the relevant port number)

telnet <hostname> 6011
Trying <ipaddress>...
telnet: connect to address <ipaddress>: Connection refused
telnet: Unable to connect to remote host: Connection refused

Note: telnet <hostname> 22 works.

So I am heading towards the thought: X forwarding with X11UseLocalhost
has been turned off either by Openssh or by Red Hat. Whether a
feature or a bug I am unsure, there are warnings in the man page
about this being a potential security issue.

It's not by OpenSSH. The warning is just that; if you choose to to turn
it off then presumably have a good reason.

I would guess that you have IPv6 enabled, and that sshd is binding to
either ipv6 only and your X clients are connecting to the ipv4 address,
or vice versa. You can check this by running "netstat -an", looking for
the 60xx port and seeing if it's INET or INET6.

OpenSSH has a DONT_TRY_OTHER_AF hack (which is enabled on Linux) which
causes it listen only on the first AF returned by getaddrinfo. I don't
know the history of this but it's possible that it's a workaround for
something that's not present in modern versions.

--
Darren Tucker (dtucker at zip.com.au)
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69
Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.



Relevant Pages

  • Re: How safe am I?
    ... >>clients, let's say ANY Openssh. ... >>spoofed by a hacker, and if successful, would said hacker ... >>to telnet instead of openssh - would also require a hacker ...
    (comp.security.ssh)
  • Re: How safe am I?
    ... >>clients, let's say ANY Openssh. ... >>spoofed by a hacker, and if successful, would said hacker ... >>to telnet instead of openssh - would also require a hacker ...
    (comp.security.ssh)
  • Re: tcsetpgrp()
    ... Which SSH implementation and version thereof are you running? ... On QNX the pty allocation process apparently ... In the next release of OpenSSH, ... Good judgement comes with experience. ...
    (comp.security.ssh)
  • OpenSSH 3.1p1 upgrade problem: cant connect
    ... These are both Red Hat 6.2 machines, with openssh and openssl ... It configured and built fine, and telnet shows it's running: ... not load host key ...
    (comp.security.ssh)
  • Re: telnet vs Openssh
    ... Make a dialup connection to your server and check the differences, ... telnet is just fine. ... >>This may be why I am seeing a slow down in screen drawing with Openssh. ...
    (comp.unix.sco.misc)