I am cc-ing this summary to the secureshell@securityfocus.com mailing list,
since I posed the question and got several suggestions from there as well.

I asked

> I have several identically configured Solaris 9 servers running
> OpenSSH 4.2p1. Some let me do X forwarding, some do not. All have the
>     ForwardX11 yes
> in the ssh_config file and
>     X11Forwarding yes
>     X11UseLocalhost no
> in the sshd_config file. I have restarted ssh several times, so I am
> comfortable that the config files are being read.
>
> On servers that work, I ssh to them, start an X application like xclock,
> and it appears on my screen. On servers that do not work, when I try to
> run an X application I am told
>     Error: Can't open display:
> The .Xauthority in my homedir is *not* updated, btw.
>
> After many rounds of testing to try and figure out the problem, which
> involved running the daemon with three levels of debug (-ddd) I found
> the underlying problem:
>
>     debug2: bind port 6260: Address already in use
>
> repeated 999 times, for the 999 ports from 6000 to 6999. Then the msg
>     Failed to allocate internet-domain X11 display socket.
>     debug1: x11_create_display_inet failed.
>
> and I am ssh-ed in, but I do not have X.
>
> netstat, ps, ndd /dev/tcp tcp_status show that the server is busy, but
> not THAT busy. There are about 200 ssh connections to the box, which
> is nowhere near the 999 ports for X forwarding. I believe the port idle
> timeout on Solaris 9 boxes is 4 minutes, but I see no ports in TIME_WAIT
> anyway.
>
> Has anyone seen this before? Do I need to somehow clean out connections to
> the X ports? Is there a limit of some sort on this box that I am bumping
> against that I need to raise? (ndd is powerful, but easy to misuse...)
>
> Thanks, and I will summarize.

The solution

It's a bug in the interaction between Solaris and SSH over the implementation of IPv6 network addresses.
I don't fully understand why this is the case, but by starting the daemon with the -4 flag (only use IPv4 addresses) X is forwarded just fine.

My thanks to many, many folks on both the sunmanagers and secureshell lists who suggested things to try.

I used lsof and although ssh was reporting that all 999 X ports were in use, they actually were not.

The sunsolve document
http://sunsolve.sun.com/searchproxy/document.do?assetkey=1-26-101834-1
points to some patches, but they were not the issue.

Thanks to Crist Clark who pointed me to the IPv6 vs IPv4 bug.

+-----------------------------------------------------------------------+
| Christopher L. Barnard         O     When I was a boy I was told that |
| cbarnard@tsg.cbot.com         / \    anybody could become president.  |
| (312) 347-4901               O---O   Now I'm beginning to believe it. |
| http://www.cs.uchicago.edu/~cbarnard                --Clarence Darrow |
+----------PGP public key available via finger or PGP keyserver---------+

Received on Wed Dec 14 14:58:06 2005
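
The cross-check described in the post (sshd's debug output says the X11 display ports are in use, while lsof shows they are not) can be scripted. The following is an added example, not part of the original post or of OpenSSH; the function name `triage` and the sample data are constructed, and the listener set is assumed to have been collected separately with lsof or netstat.

```python
import re

# Message formats as quoted in the post from the sshd -ddd output.
BIND_RE = re.compile(r"^debug2: bind port (\d+): Address already in use\s*$")
FAIL_MSG = "Failed to allocate internet-domain X11 display socket."


def triage(debug_log, listening_ports):
    """Compare the ports sshd reports as busy with the ports that have listeners.

    debug_log       -- text captured from the daemon's debug output
    listening_ports -- TCP ports that really have a listener (assumed input,
                       gathered by the operator with lsof or netstat)
    """
    refused = set()
    failed = False
    for line in debug_log.splitlines():
        line = line.strip()
        m = BIND_RE.match(line)
        if m:
            refused.add(int(m.group(1)))
        elif line.startswith(FAIL_MSG):
            failed = True
    # "Phantom" ports: bind() was refused although nothing listens there.
    phantom = refused - set(listening_ports)
    return {
        "refused": len(refused),
        "phantom": sorted(phantom),
        "allocation_failed": failed,
        # Flag the symptom from the post: sshd gave up on X11 forwarding and
        # real listeners do not explain the bind failures, so retesting the
        # daemon with -4 is the next step.
        "suspect_address_family": failed and bool(phantom),
    }


# Constructed sample: six refused display ports, only two with real listeners.
SAMPLE_LOG = "\n".join(
    [f"debug2: bind port {p}: Address already in use" for p in range(6010, 6016)]
    + [FAIL_MSG, "debug1: x11_create_display_inet failed."]
)
SAMPLE_LISTENERS = {22, 6010, 6011}

if __name__ == "__main__":
    print(triage(SAMPLE_LOG, SAMPLE_LISTENERS))
```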