RE: Adding "X11UseLocalhost no" to /etc/ssh/sshd_config breaks x forwarding

Darren,

> Out of curiousity, why do you need X11UseLocalhost=no no anyway?

We are using PBS Pro a job queueing mechanism for our clusters.  
Interactive access to a cluster machine is not via ssh but by
"qsub -I -V -X" or (something like that) where 
  qsub is the submittal process
  -I is interactive
  -V is pass all environmental variables
  -X is X forwarding.
The user is than put on a cluster machine which 
then accesses the DISPLAY passed by the -V option.
Needless to say this breaks when DISPLAY is "localhost:60??"
which is what DISPLAY looks like if "X11UseLocalhost no" is not
used.

We like to be secure so to resolve this, I plan to push PBS Pro.

--Lew

-----Original Message-----
From: Darren Tucker [mailto:dtucker@zip.com.au] 
Sent: Tuesday, April 03, 2007 8:50 AM
To: Lewis E. Randerson
Cc: secureshell@securityfocus.com
Subject: Re: Adding "X11UseLocalhost no" to /etc/ssh/sshd_config breaks x
forwarding

On Tue, Apr 03, 2007 at 08:38:36AM -0400, Lewis E. Randerson wrote:
> Darren,
>
> Ssh is listening to IPv6 only.  Here is the result of 
> the "netstat -an" test. "tcp 0 0 :::6011 :::* LISTEN". 
>
> I'll have to fix that.  Or else back out of "X11UseLocalhost no".

Out of curiousity, why do you need X11UseLocalhost=no no anyway?

As to the fix, if you have access to config.h during the build you can
just delete or comment out the "#define DONT_TRY_OTHER_AF" line.

If you don't (easily, eg if you're building an RPM) then you can try
the patch below.

BTW the origin of the DONT_TRY_OTHER_AF hack was a bit over 7 years
ago:

configure.in revision 1.94:
date: 2000/03/11 09:45:41;  author: damien;  state: Exp;  lines: +22 -0
 - IPv6 workarounds from Hideaki YOSHIFUJI

Index: channels.c
===================================================================
RCS file: /usr/local/src/security/openssh/cvs/openssh/channels.c,v
retrieving revision 1.251
diff -u -p -r1.251 channels.c
--- channels.c  28 Jan 2007 23:16:28 -0000      1.251
+++ channels.c  3 Apr 2007 12:45:47 -0000
@@ -2914,17 +2914,8 @@ x11_create_display_inet(int x11_display_
                                break;
                        }
                        socks[num_socks++] = sock;
-#ifndef DONT_TRY_OTHER_AF
                        if (num_socks == NUM_SOCKS)
                                break;
-#else
-                       if (x11_use_localhost) {
-                               if (num_socks == NUM_SOCKS)
-                                       break;
-                       } else {
-                               break;
-                       }
-#endif
                }
                freeaddrinfo(aitop);
                if (num_socks > 0)

-- 
Darren Tucker (dtucker at zip.com.au)
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4  37C9 C982 80C7 8FF4 FA69
    Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.