Re: What does "X11UseLocalhost no" do?



In article <4TTxh.16606$ji1.12988@xxxxxxxxxxxxxxxxxxxxxxxxxx> Neil W
Rickert <phishing@xxxxxxxxxx> writes:
Randy Yates <yates@xxxxxxxx> writes:
Neil W Rickert <phishing@xxxxxxxxxx> writes:

$ xterm
X11 connection rejected because of wrong authentication.
X connection to localhost:10.0 broken (explicit kill or server shutdown).

Checking "netstat" output should help. You should see a listener
on port 6010 for your DISPLAY value.

[dc_admin@uspsdata ~]$ netstat -an
netstat: kvm not available
Active Internet connections (including servers)
Proto Recv-Q Send-Q Local Address Foreign Address (state)
tcp4 0 0 200.46.204.173.6010 *.* LISTEN

Weird. Have you tried setting $DISPLAY to "200.46.204.173:10"?

Or does "localhost" resolve to "200.46.204.173" when you do an IP
address lookup on your system? Or were you using "X11UseLocalhost
no" when you did that "netstat"?

I believe the above is an effect of what Randy mentioned earlier:

However, host.dst is the host at my ISP where he runs "virtual
machines" under bsd. Could it be that this virtual machine is
causing the problem?

At least for FreeBSD's 'jail' functionality, the jail(2) man page
(http://www.freebsd.org/cgi/man.cgi?query=jail&sektion=2) says:

All IP activity will be forced to happen to/from the IP number
specified, which should be an alias on one of the network interfaces.

I.e. it can be expected (I haven't verified this) that an attempt to
bind() a socket to any other specific address (including 127.0.0.1,
which would "belong" to the jail-hosting host) is transformed into a
bind() to the jail-specific address. It could possibly also explain the
failure of the connection - as I read the above, an attempt to connect
to 127.0.0.1 should proceed with the destination address unchanged, but
with the source address transformed to the jail-specific address.

Such a connection should definitely fail, and possibly not with the
"Connection refused" that would be expected on a "normal" host where
nothing was listening on a matching address/port - I can't see how it
could get as far as attempting authentication though, but maybe that's
just lack of precision in the error message from Xlib.

As an aside, calling a FreeBSD 'jail' a "virtual machine" is probably an
exaggeration - it's more like chroot on steroids. But most users of such
an ISP service are probably just interested in running a server or two
plus doing the up/downloads that may be needed in conjunction with that,
and for this it is a good match.

--Per Hedeland
per@xxxxxxxxxxxx
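
The check suggested in the thread (is the forwarding listener for this DISPLAY bound to loopback or to some other address?) can be scripted. This is an added example, not part of the original post: the function names are hypothetical, and the netstat sample is constructed, with its first socket line mirroring the one quoted above.

```python
import ipaddress
import re

# Constructed sample in BSD "netstat -an" format; the first socket line
# mirrors the one quoted in the thread, the others are made up.
SAMPLE_NETSTAT = """\
Proto Recv-Q Send-Q Local Address Foreign Address (state)
tcp4 0 0 200.46.204.173.6010 *.* LISTEN
tcp4 0 0 200.46.204.173.22 *.* LISTEN
tcp4 0 0 127.0.0.1.6011 *.* LISTEN
"""

X11_BASE_PORT = 6000  # display N listens on TCP port 6000 + N


def display_port(display):
    """Map a DISPLAY value such as 'localhost:10.0' to its TCP port."""
    m = re.fullmatch(r"[^:]*:(\d+)(?:\.\d+)?", display)
    if not m:
        raise ValueError(f"unrecognised DISPLAY: {display!r}")
    return X11_BASE_PORT + int(m.group(1))


def listeners(netstat_text):
    """Yield (address, port) for every TCP socket in LISTEN state."""
    for line in netstat_text.splitlines():
        f = line.split()
        if len(f) < 6 or not f[0].startswith("tcp") or f[-1] != "LISTEN":
            continue
        addr, _, port = f[3].rpartition(".")  # BSD prints address.port
        if port.isdigit():
            yield addr, int(port)


def bind_kind(addr):
    """Classify a bind address as wildcard, loopback or non-loopback."""
    if addr == "*":
        return "wildcard"
    try:
        return "loopback" if ipaddress.ip_address(addr).is_loopback else "non-loopback"
    except ValueError:
        return "unparsed"


def check_display(display, netstat_text):
    """Return [(address, kind)] for listeners on the DISPLAY's port."""
    port = display_port(display)
    return sorted((a, bind_kind(a)) for a, p in listeners(netstat_text) if p == port)


if __name__ == "__main__":
    print(check_display("localhost:10.0", SAMPLE_NETSTAT))
```

A "non-loopback" result for a DISPLAY whose host part is localhost means the listener is not where the client will connect, and that the forwarded display's port is bound on an address other hosts may be able to reach.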