Bug 1309

Summary: X11 forwarding doesn't work with X11UseLocalhost=no
Product: Portable OpenSSH
Reporter: Josselin Mouette <joss>
Component: sshd
Assignee: Assigned to nobody <unassigned-bugs>
Status: CLOSED FIXED
Severity: normal
CC: djm
Priority: P2
Version: 4.3p2
Hardware: All
OS: Linux
Bug Depends on:
Bug Blocks: 1452
Attachments:
Description: This is what we use in current Fedora openssh package
Flags: none

Description Josselin Mouette 2007-04-25 00:13:54 AEST
When setting "X11UseLocalhost no" in the configuration file - which is necessary for our clusters - X11 forwarding stops working entirely. Trying to connect to the TCP port it opens leads to "connection refused".

The problem seems to be caused by IPv6 support: when forcing the server to use only IPv4 addresses with "AddressFamily inet", X11 forwarding works as expected.

With X11UseLocalhost=yes, the X11 tunnel binds itself to e.g. ::1:6014 in IPv6 and 127.0.0.1:6014 in IPv4 (for display :14.0). With X11UseLocalhost=no, it binds to :::6014 in IPv6 and 0.0.0.0:6014 in IPv4. I don't know IPv6 enough to tell, but I guess only the IPv4 version is correct.

I can reproduce this bug with RHEL4 (OpenSSH 3.9p1, Linux 2.6.9), SLES9 (OpenSSH 4.1, Linux 2.6.5) and Debian 4.0 (OpenSSH 4.3p2, Linux 2.6.18).

Comment 1 Darren Tucker 2007-04-25 00:35:18 AEST
This has been discussed on the list recently:
http://marc.info/?l=openssh-unix-dev&m=114672761011331

Summary: Try recompiling after removing DONT_TRY_OTHER_AF from config.h.

I had looked into the history of DONT_TRY_OTHER_AF and it goes back something like 7 years. I'm wondering if it still serves a purpose in modern Linux versions.

Comment 2 Damien Miller 2007-04-26 14:59:33 AEST
Doing the "setsockopt(fd, IPPROTO_IPV6, IPV6_V6ONLY, ...)" might be sufficient now that Linux's IPv6 stack is sane (it wasn't when portable OpenSSH was young).
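
An added example, not part of the original thread and not OpenSSH's or Fedora's code, of the approach Comment 2 suggests: one listening socket per address family on the same X11 port, with IPV6_V6ONLY set on the IPv6 one. The names demo_listen_display, demo_open_display and MAX_SOCKS are hypothetical, and the 6000+display port numbering follows the description's display :14.0 on port 6014.

```c
#include <netdb.h>
#include <netinet/in.h>
#include <stdio.h>
#include <sys/socket.h>
#include <unistd.h>

#define MAX_SOCKS 8

/* Hypothetical helper: listen on TCP 6000+display on every wildcard address.
 * Returns the listener count, 0 if a bind failed (try the next display),
 * or -1 on resolver error. Listeners are stored in fds[]. */
int demo_listen_display(int display, int fds[MAX_SOCKS])
{
    struct addrinfo hints = { .ai_flags = AI_PASSIVE | AI_NUMERICSERV,
        .ai_family = AF_UNSPEC, .ai_socktype = SOCK_STREAM }, *res, *ai;
    char port[16];
    int n = 0, on = 1;

    snprintf(port, sizeof(port), "%d", 6000 + display);
    if (getaddrinfo(NULL, port, &hints, &res) != 0)
        return -1;
    for (ai = res; ai != NULL && n < MAX_SOCKS; ai = ai->ai_next) {
        int fd = socket(ai->ai_family, ai->ai_socktype, ai->ai_protocol);
        if (fd < 0)
            continue;                 /* family unsupported on this host */
        /* IPV6_V6ONLY keeps the :: socket from also claiming the IPv4 port,
         * so the 0.0.0.0 socket can bind the same port number. */
        if ((ai->ai_family == AF_INET6 &&
            setsockopt(fd, IPPROTO_IPV6, IPV6_V6ONLY, &on, sizeof(on)) < 0) ||
            bind(fd, ai->ai_addr, ai->ai_addrlen) < 0 || listen(fd, 5) < 0) {
            close(fd);
            while (n > 0)             /* all or nothing for one display */
                close(fds[--n]);
            break;
        }
        fds[n++] = fd;
    }
    freeaddrinfo(res);
    return n;
}

/* Walk displays upward from `first` until one gets all its listeners. */
int demo_open_display(int first, int fds[MAX_SOCKS], int *display)
{
    int n = 0;
    for (*display = first; *display < first + 100; (*display)++)
        if ((n = demo_listen_display(*display, fds)) != 0)
            break;
    return n;
}
```

On a dual-stack host this returns two listeners for the chosen display, one bound to 0.0.0.0 and one to ::, so clients of either family reach the forwarded port.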

Comment 3 Tomas Mraz 2007-04-26 21:21:08 AEST
Created attachment 1266
This is what we use in current Fedora openssh package

Comment 4 Damien Miller 2008-06-12 18:17:47 AEST
DONT_TRY_OTHER_AF has been removed in the CVS version and will be gone in the openssh-5.1 release.

FYI it was for the utterly broken pre-USAGI Linux IPv6 stack, which had many bugs that needed working around.

Comment 5 Damien Miller 2008-07-22 12:12:54 AEST
Mass update RESOLVED->CLOSED after release of openssh-5.1