X11 display forwarding


I'm having a bit of trouble with X11 display forwarding. This started
when I upgraded to OpenSSH 4.3p1. I've read the FAQ and I know about
the usual problem when upgrading involving ForwardX11Trusted. This is
how I have my configs set:

/etc/ssh/ssh_config: ForwardAgent yes
/etc/ssh/ssh_config: ForwardX11 yes
/etc/ssh/ssh_config: ForwardX11Trusted yes

/etc/ssh/sshd_config: X11Forwarding yes
/etc/ssh/sshd_config: X11UseLocalhost no

The error message I get is:

X11 connection rejected because of wrong authentication.
X connection to myfirewall.mydom.com:11.1 broken \
(explicit kill or server shutdown).

I launch apps in one of two ways.

ssh myfirewall.mydom.com -f 'ssh otherhost.mydom.com xterm'


ssh myfirewall.mydom.com -f xterm

After some trial and error I observed that the above commands
sometimes work and sometimes don't. It certainly involves
xauth stuff. At one point I killed my X servers, zeroed out
my .Xauthority files, and restarted the X servers. That move
got rid of a problem where I couldn't start new xterms from an
already connected remote xterm. Now once I've got a remote xterm
open, I can open other apps from within it.

I've noticed that my first remote application runs in DISPLAY
:10.1 (two headed display running the local command from :0.1)
and that makes sense to me. I've also noticed that sometimes
subsequent local commands will try to run remote applications
in DISPLAY :11.1. Before restarting my X servers, every new
application would increment the X display and I'd run into my
firewall restriction having only 10 ports open for X forwarding.
I haven't been able to completely describe to myself when or how
the DISPLAY will increment.

When I inspect my xauth stuff in a working condition I see this.


otherhost.mydom.com DISPLAY is otherhost.mydom.com:10.1

otherhost.mydom.com xauth list says

otherhost.mydom.com:10 MIT-MAGIC-COOKIE-1 597d13f5b61fd07b79c6d4e5942fd553
otherhost.mydom.com:10 MIT-MAGIC-COOKIE-1 afe3fd4603519360202ecbcc2ca02338
otherhost.mydom.com:11 MIT-MAGIC-COOKIE-1 3f0946d4fbcca2f7d08eb4befcef82d5
otherhost.mydom.com:11 MIT-MAGIC-COOKIE-1 6d3967fd9fd59df30250fc9ca38449a1
myfirewall.mydom.com:10 MIT-MAGIC-COOKIE-1 ee1623a886120aa4fcf708c814f6b793


myfirewall.mydom.com isn't running displayed apps now. DISPLAY isn't set.

myfirewall.mydom.com xauth list says

myfirewall.mydom.com:10 MIT-MAGIC-COOKIE-1 909822c0778498c82f3b64886ed6ceed
myfirewall.mydom.com:11 MIT-MAGIC-COOKIE-1 a87659f3c8a1d4d4eaae2effdeb29d46


local host (where I start everything) xauth list says

lwe125529.cse.tek.com:10 MIT-MAGIC-COOKIE-1 6543aba06e20e269e135158af740b2bf


Now that just doesn't make any sense! Shouldn't at least a
pair of my MIT-MAGIC-COOKIEs match? That would seem to be why I
can't start a new application now from my local host. But, how
in the world did the applications currently open start? And,
why can I start a new xterm from my xterm currently running on
otherhost.mydom.com when no xauth cookies would seem to permit

For what it's worth, all this worked just fine with OpenSSH
3.7.1p2 for a long time. This also worked with OpenSSH 4.3p1 for
about a week, which *might* have been how long it was until I
finally rebooted myfirewall.mydom.com.

I'm really confused. Anyone got any ideas to start my sorting
this out?


PLEASE post a SUMMARY of the answer(s) to your question(s)!
Show Windows & Gates to the exit door.
Unless otherwise noted, the statements herein reflect my personal
opinions and not those of any organization with which I may be affiliated.
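
Added example, not part of the original post: a shell function that groups `xauth list` output by display and reports any display holding more than one distinct cookie, the condition visible in the otherhost.mydom.com listing above. The function names, host names and cookie values below are constructed for illustration.

```shell
#!/bin/sh
# Report displays that carry more than one distinct cookie in `xauth list` output.
# Input (stdin): lines of the form  <display>  <protocol>  <hex cookie>
# Output: "<display> <protocol> <number of distinct cookies>", one line per
# affected display. Cookie values are never printed, only counted.
xauth_conflicts() {
    awk '
        NF == 3 {
            key = $1 " " $2                   # display plus auth protocol
            if (!seen[key SUBSEP $3]++)       # count each distinct cookie once
                count[key]++
        }
        END {
            for (k in count)
                if (count[k] > 1)
                    print k, count[k]
        }
    ' | sort
}

# Constructed sample in the shape of the listings in the post.
# Host names and cookie values are made up.
sample_listing() {
    cat <<'EOF'
hostb.example:10  MIT-MAGIC-COOKIE-1  00000000000000000000000000000001
hostb.example:10  MIT-MAGIC-COOKIE-1  00000000000000000000000000000002
hostb.example:11  MIT-MAGIC-COOKIE-1  00000000000000000000000000000003
hostb.example:11  MIT-MAGIC-COOKIE-1  00000000000000000000000000000003
hosta.example:10  MIT-MAGIC-COOKIE-1  00000000000000000000000000000004
EOF
}

# On a live system: xauth list | xauth_conflicts
sample_listing | xauth_conflicts
```

Running it on each host in the chain (local host, firewall, far host) shows which `.Xauthority` files hold more than one cookie for the same display number.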