Re: X11 display forwarding



On 2006-04-10, Kevin the Drummer <nobody@xxxxxxx> wrote:
> Darren Tucker <dtucker@xxxxxxxxxxxxxxxx> wrote:
>> On 2006-04-06, Kevin the Drummer <nobody@xxxxxxx> wrote:
>>> I'm having a bit of trouble with X11 display forwarding. This started
>>> when I upgraded to OpenSSH 4.3p1. I've read the FAQ and I know about
>>> the usual problem when upgrading involving ForwardX11Trusted. This is
>>> how I have my configs set:
>>>
>>> /etc/ssh/ssh_config: ForwardAgent yes
>>> /etc/ssh/ssh_config: ForwardX11 yes
>>> /etc/ssh/ssh_config: ForwardX11Trusted yes
>>>
>>> /etc/ssh/sshd_config: X11Forwarding yes
>>> /etc/ssh/sshd_config: X11UseLocalhost no
>>
>> Change X11UseLocalhost to "yes" and it will probably work.
>
> This seems counterintuitive. Why should that work?

I suspect your problem stems from the fact that your hostname resolves
to more than one IP address, and xauth and sshd end up disagreeing
about which should be used. This probably won't be the case with
"localhost", and as long as you're using only ssh to make the next hop
(as opposed to pointing $DISPLAY at the firewall and munging xauth
yourself) it should still work.

Richard's solution is nicer, though.

> Sorry to be dense about this. On which host should I change to "yes"?
> The firewall host? The remote client host? The local host, the one
> that initiates the ssh commands?

The firewall.

>> Wild guess: the firewall's hostname resolves to two or more IP addresses?
>
> Yes. The firewall is my VPN host. As such, it resolves to the VPN
> client address as known by the company end, and it resolves to a
> 192.168.1.X number, as known by the home network.

Your reboot when the problems first started occurring didn't happen to
correspond to a change in hostname, name resolution (/etc/hosts or
DNS) or a change in system libraries?

--
Darren Tucker (dtucker at zip.com.au)
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69
Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.
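
The condition suspected in the message above can be checked on the sshd host with a short script. This is an added example, not part of the original thread or of OpenSSH; the function names, the host name "firewall.example" and the sample addresses are constructed for illustration.

```python
import socket

def x11_use_localhost(sshd_config_text):
    """Effective global X11UseLocalhost value. sshd keeps the first value
    it reads for a keyword and defaults this one to "yes"."""
    for raw in sshd_config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.replace("=", " ").split()
        if not parts:
            continue
        if parts[0].lower() == "match":  # simplification: global section only
            break
        if parts[0].lower() == "x11uselocalhost" and len(parts) > 1:
            return parts[1].lower()
    return "yes"

def resolve_all(hostname, resolver=socket.getaddrinfo):
    """Every distinct address the name resolves to (empty list on failure)."""
    try:
        return sorted({info[4][0] for info in resolver(hostname, None)})
    except socket.gaierror:
        return []

def diagnose(sshd_config_text, hostname, resolver=socket.getaddrinfo):
    """Flag the combination from the thread: X11UseLocalhost "no" on a host
    whose own name resolves to more than one address, so xauth and sshd may
    pick different ones. With "no", the forwarding listener is also bound to
    the wildcard address rather than loopback."""
    addrs = resolve_all(hostname, resolver)
    setting = x11_use_localhost(sshd_config_text)
    return {"x11uselocalhost": setting,
            "addresses": addrs,
            "at_risk": setting == "no" and len(addrs) > 1}

# Constructed sample input: the poster's sshd settings and a dual-homed name.
SAMPLE_CONFIG = "X11Forwarding yes\nX11UseLocalhost no\n"

def sample_resolver(host, port):
    return [(socket.AF_INET, socket.SOCK_STREAM, 6, "", ("10.8.0.5", 0)),
            (socket.AF_INET, socket.SOCK_STREAM, 6, "", ("192.168.1.10", 0))]

if __name__ == "__main__":
    print(diagnose(SAMPLE_CONFIG, "firewall.example", sample_resolver))
```

On a real host, pass the contents of /etc/ssh/sshd_config and socket.gethostname() to diagnose() and leave out the resolver argument.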