When setting "X11UseLocalhost no" in the configuration file - which is necessary for our clusters - X11 forwarding stops working entirely. Trying to connect to the TCP port it opens leads to "connection refused". The problem seems to be caused by IPv6 support: when forcing the server to use only IPv4 addresses with "AddressFamily inet", X11 forwarding works as expected. With X11UseLocalhost=yes, the X11 tunnel binds itself to e.g. ::1:6014 in IPv6 and 127.0.0.1:6014 in IPv4 (for display :14.0). With X11UseLocalhost=no, it binds to :::6014 in IPv6 and 0.0.0.0:6014 in IPv4. I don't know IPv6 enough to tell, but I guess only the IPv4 version is correct. I can reproduce this bug with RHEL4 (OpenSSH 3.9p1, Linux 2.6.9), SLES9 (OpenSSH 4.1, Linux 2.6.5) and Debian 4.0 (OpenSSH 4.3p2, Linux 2.6.18).
This has been discussed on the list recently: http://marc.info/?l=openssh-unix-dev&m=114672761011331 Summary: Try recompiling after removing DONT_TRY_OTHER_AF from config.h. I had looked into the history of DONT_TRY_OTHER_AF and it goes back something like 7 years. I'm wondering if it still serves a purpose in modern Linux version.
Doing the "setsockopt(fd, IPPROTO_IPV6, IPV6_V6ONLY, ...)" might be sufficient now that Linux's IPv6 stack is sane (it wasn't when portable OpenSSH was young).
Created attachment 1266 [details] This is what we use in current Fedora openssh package
DONT_TRY_OTHER_AF has been removed in the CVS version and will be gone in the openssh-5.1 release. FYI it was for the utterly broken pre-USAGI Linux IPv6 stack, which had many bugs that needed working around.
Mass update RESOLVED->CLOSED after release of openssh-5.1