I'm really scratching my head on this one. The server
is running OpenSSH 5.1p1 on Solaris 9. The authentication
is via PAM if that matters.

# grep X11 sshd_config | sed '/^#/D'
X11Forwarding yes
X11DisplayOffset 10
X11UseLocalhost yes
#

Now I attach to my 'master' sshd and follow all children
to look for any evidence of "DISPLAY":

# truss -f -a -e -p 14923 2>&1 | grep DISPLAY

I then fire up ssh -X from a client machine, login, and
truss reports nothing.

If I perform the EXACT same test against stock Solaris 9
sshd (also authenticating against PAM), DISPLAY shows up
(in truss and in the shell) and X11 forwarding works fine.

Any ideas?
On Wed, 4 Feb 2009, Jeff Blaine wrote:
> I'm really scratching my head on this one. The server
> is running OpenSSH 5.1p1 on Solaris 9. The authentication
> is via PAM if that matters.
>
> # grep X11 sshd_config | sed '/^#/D'
> X11Forwarding yes
> X11DisplayOffset 10
> X11UseLocalhost yes
> #
>
> Now I attach to my 'master' sshd and follow all children
> to look for any evidence of "DISPLAY":
>
> # truss -f -a -e -p 14923 2>&1 | grep DISPLAY
>
> I then fire up ssh -X from a client machine, login, and
> truss reports nothing.

truss is a really poor tool to diagnose ssh problems. Please post ssh and
sshd debug traces.

-d
"X11UseLocalhost no" just solved the problem. I noticed
our 4.4p1 install used that (just now).

Now to go off and figure out why. Xwin.exe (Cygwin) has
full permission to accept connections from trusted and
untrusted sources.

Ben Lindstrom wrote:
> On Feb 4, 2009, at 4:01 PM, Jeff Blaine wrote:
> [..]
>
>> debug1: server_input_channel_req: channel 0 request x11-req reply 0
>> debug1: session_by_channel: session 0 channel 0
>> debug1: session_input_channel_req: session 0 req x11-req
>> debug2: bind port 6010: Cannot assign requested address
>> debug2: bind port 6011: Cannot assign requested address
>> debug2: bind port 6012: Cannot assign requested address
>> debug2: bind port 6013: Cannot assign requested address
> [..]
>> debug2: bind port 6999: Cannot assign requested address
>> Failed to allocate internet-domain X11 display socket.
>> debug1: x11_create_display_inet failed.
>
> This would imply to me an application firewall is running on your
> windows box denying the port binding.
>
> - Ben
> _______________________________________________
> openssh-unix-dev mailing list
> openssh-unix-dev at mindrot.org
> https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
>
Jeff Blaine wrote:
> I should also point out that this worked fine
> with 4.4p1 which we upgraded from (to 5.1p1)

This sounds similar to a problem with IPv6
and X11 ports that we have seen on Solaris 10
when IPv6 was not fully configured for the local
machine, i.e. at least a loopback.

Try ListenAddress 0.0.0.0 to force IPv4 only or
try adding to /etc/hosts:
::1 localhost

--
Douglas E. Engert <DEEngert at anl.gov>
Argonne National Laboratory
9700 South Cass Avenue
Argonne, Illinois 60439
(630) 252-5444
Thanks for the feedback everyone -- more below.

Douglas E. Engert wrote:
>
> Jeff Blaine wrote:
>> I should also point out that this worked fine
>> with 4.4p1 which we upgraded from (to 5.1p1)
>
> This sounds similar to a problem with IPv6
> and X11 ports that we have seen on Solaris 10
> when IPv6 was not fully configured for the local
> machine, i.e. at least a loopback.
>
> Try ListenAddress 0.0.0.0 to force IPv4 only or
> try adding to /etc/hosts:
> ::1 localhost

The following works:

> X11UseLocalhost no

OR the following:

> AddressFamily inet # force IPv4
> X11UseLocalhost yes

So I think your assessment is correct.

( ListenAddress 0.0.0.0 is the default and was already
in the sshd_config )
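
Added example, not part of the original thread or of OpenSSH: a Python diagnostic for the symptom discussed above. It summarises the failed "bind port" lines in an sshd debug trace (the sample trace is constructed from the lines quoted in the thread) and then tries to bind a TCP socket to the IPv4 and IPv6 loopback addresses, reporting the errno for each. The function names and the default port 0 are assumptions of this example.

```python
import errno
import re
import socket

# Constructed sample, modelled on the sshd debug lines quoted in the thread.
SAMPLE_TRACE = """\
debug1: session_input_channel_req: session 0 req x11-req
debug2: bind port 6010: Cannot assign requested address
debug2: bind port 6011: Cannot assign requested address
debug2: bind port 6012: Cannot assign requested address
Failed to allocate internet-domain X11 display socket.
debug1: x11_create_display_inet failed.
"""

BIND_FAIL = re.compile(r"^debug2: bind port (\d+): (.+)$", re.M)

def summarize_bind_failures(trace):
    """Return (first_port, last_port, reasons, gave_up) for failed X11 binds."""
    hits = BIND_FAIL.findall(trace)
    ports = [int(p) for p, _ in hits]
    reasons = sorted({r for _, r in hits})
    gave_up = "x11_create_display_inet failed" in trace
    if not ports:
        return (None, None, [], gave_up)
    return (min(ports), max(ports), reasons, gave_up)

def probe_loopback(port=0):
    """Try binding a TCP socket to each loopback address.

    Returns {address: None on success, or the errno name on failure}.
    EADDRNOTAVAIL is what the OS prints as "Cannot assign requested address".
    """
    results = {}
    for family, addr in ((socket.AF_INET, "127.0.0.1"), (socket.AF_INET6, "::1")):
        try:
            with socket.socket(family, socket.SOCK_STREAM) as s:
                s.bind((addr, port))
            results[addr] = None
        except OSError as e:
            results[addr] = errno.errorcode.get(e.errno, str(e))
    return results

if __name__ == "__main__":
    print(summarize_bind_failures(SAMPLE_TRACE))
    for addr, err in probe_loopback().items():
        print(f"{addr}: {'ok' if err is None else err}")
```

Run on the sshd host, probe_loopback(6010) tests the first display port implied by X11DisplayOffset 10. An EADDRNOTAVAIL result for ::1 alongside a successful 127.0.0.1 bind is consistent with the unconfigured IPv6 loopback described in the thread.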