Lewis E. Randerson wrote:
Darren,
Those tests have been made and have come up negative.
Does "thathost.pppl.gov" resolve to the correct IP address?
Yes. Thishost was only a name for e-mail purposes. It's
real name and the reverse lookup resolve correctly.
I was more interested in the *forward* resolution in this case.
Are there any iptables rules that would apply to that connection?
No. This problem also occurs when iptables are turned off.
If you try to connect to the port with telnet (ie "telnet
thathost.pppl.gov 6013" in this example) what error does it give?
(This time 6011 is the relevant port number)
telnet <hostname> 6011
Trying <ipaddress>...
telnet: connect to address <ipaddress>: Connection refused
telnet: Unable to connect to remote host: Connection refused
Note: telnet <hostname> 22 works.
So I am heading towards the thought: X forwarding with X11UseLocalhost
has been turned off either by Openssh or by Red Hat. Whether a
feature or a bug I am unsure, there are warnings in the man page
about this being a potential security issue.
It's not by OpenSSH. The warning is just that; if you choose to to turn
it off then presumably have a good reason.
I would guess that you have IPv6 enabled, and that sshd is binding to
either ipv6 only and your X clients are connecting to the ipv4 address,
or vice versa. You can check this by running "netstat -an", looking for
the 60xx port and seeing if it's INET or INET6.
OpenSSH has a DONT_TRY_OTHER_AF hack (which is enabled on Linux) which
causes it listen only on the first AF returned by getaddrinfo. I don't
know the history of this but it's possible that it's a workaround for
something that's not present in modern versions.
--
Darren Tucker (dtucker at zip.com.au)
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69
Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.
