Re: 5.2p1 no longer sets DISPLAY



Parsons, Rick wrote:
Hi, I have Solaris 8+ systems with a working OpenSSH 3.9p1 build which
work perfectly. We set X11Forwarding to yes in the config and get
DISPLAY=localhost:10.0 allowing X tunnelling back.

I have just recently built OpenSSH 5.2p1 and installed sshd on some
machines and now the DISPLAY env variable is not set at all. As far as I
can tell, nothing else has changed (account dot files are the same,
client ssh is still 3.9p1 and sshd_config is the same). The only way I
can get DISPLAY to work is to set X11UseLocalhost to no in sshd_config
and then it gets <hostname>:10.0 and works just fine.

I have tried forcing X11DisplayOffset and XAuthLocation (and checked
that it was right). I have tried ssh -X (though that is the default) and
ssh -Y and none of these make any difference. The messages from -vv show
the two calls to xauth followed by "Requesting X11 forwarding with
authentication spoofing" and "channel 0: request x11-req confirm 0" just
the same as the working version.

I can only presume that I have done something wrong with the build but
can't see what. Any ideas please?

Try adding "AddressFamily inet" to sshd_config and restarting.

If that works: what's happening is that the OS is asked for a list of addresses for localhost and is returning a list that includes the inet6 address; however, attempting to bind to it fails. Previously sshd would ignore this failure, but that allows third parties to bind to inet6 ports in the X11 forwarding range and potentially hijack X connections. For more detail see the 5.1 release notes (http://www.openssh.com/txt/release-5.1).


--
Darren Tucker (dtucker at zip.com.au)
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69
Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.
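An added illustration of the behaviour Darren describes, not code from the thread or from OpenSSH itself: the OS's answer for "localhost" is bound address by address on TCP 6000 + display, and the pre-5.1 "ignore bind failures" path (a partial listen that another local user could complete on the unbound address) is contrasted with the 5.1+ all-or-nothing path and with restricting the list to inet, as "AddressFamily inet" does. The function names and the injectable bind callback are assumptions for the model; the real socket probe only runs from the main block.

```python
import socket
from typing import Callable, List, Optional, Tuple

X11_BASE_PORT = 6000            # X display N listens on TCP 6000 + N (localhost:10.0 -> 6010)
Addr = Tuple[int, str]          # (address family, address string), e.g. (AF_INET6, "::1")


def localhost_addrs(family: int = socket.AF_UNSPEC) -> List[Addr]:
    """What the OS returns for 'localhost' when X11UseLocalhost is yes.
    Passing socket.AF_INET mirrors 'AddressFamily inet' in sshd_config."""
    found: List[Addr] = []
    for fam, _, _, _, sa in socket.getaddrinfo("localhost", None, family, socket.SOCK_STREAM):
        if (fam, sa[0]) not in found:
            found.append((fam, sa[0]))
    return found


def real_bind(fam: int, addr: str, port: int) -> bool:
    """Probe whether this process can bind addr:port (the check sshd performs per address)."""
    with socket.socket(fam, socket.SOCK_STREAM) as s:
        try:
            s.bind((addr, port))
            return True
        except OSError:
            return False


def setup_x11_listener(addrs: List[Addr], display: int, try_bind: Callable[[int, str, int], bool],
                       ignore_failures: bool) -> Tuple[List[Addr], List[Addr]]:
    """Model (assumption, not sshd's code) of the X11 listener setup. Returns (bound, failed).
    ignore_failures=True is the pre-5.1 behaviour: a partial listen leaves the unbound
    address free for another local user to claim the same display port.
    False is 5.1+: any failure aborts forwarding, so DISPLAY is never set."""
    port = X11_BASE_PORT + display
    bound = [(f, a) for f, a in addrs if try_bind(f, a, port)]
    failed = [x for x in addrs if x not in bound]
    if failed and not ignore_failures:
        return [], failed
    return bound, failed


def display_env(bound: List[Addr], display: int) -> Optional[str]:
    """DISPLAY value the session would see, or None when forwarding was refused."""
    return f"localhost:{display}.0" if bound else None


if __name__ == "__main__":
    for fam in (socket.AF_UNSPEC, socket.AF_INET):   # default list vs AddressFamily inet
        addrs = localhost_addrs(fam)
        bound, failed = setup_x11_listener(addrs, 10, real_bind, ignore_failures=False)
        print(fam, "bound:", bound, "failed:", failed, "DISPLAY =", display_env(bound, 10))
```

Running it on a host where the inet6 bind fails shows the default list yielding no DISPLAY while the inet-only list yields localhost:10.0, which is exactly the symptom in the post.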
