
SSH X forwarding going awry (Was: Why does Debian allow all incoming traffic by default)




Good Day,

On 9/22/18 10:15 PM, Gene Heskett wrote:
> I would certainly hope so, AND give due consideration to just
> how big a headache any change means for the users.

That is an understatement, this headache thing.

> They have over the last two "upgrades" from wheezy to jessie
> and on to stretch, totally disabled any attempts to forward x
> to another machine, I suppose based on someone's idea of
> security and my questions about fixing that pain in the arse,
> so it works once again, have been totally ignored.  They HAVE
> been asked, but never acknowledged with the courtesy of even a
> reply with a link to a tut.

If this can help, since Debian Jessie, the SSH server is configured
by default to listen to both IPv4 and v6 interfaces.  When v6
links are unavailable, for /some reason/ (I don't recall the
details), X forwarding attempts are prevented, but normal SSH
continues as usual (with a warning about X11 forwarding having
failed to start).

To fix this, two different solutions are available:

- make IPv6 interfaces available on the SSH server side (and
  maybe on client side too, I haven't tested that solution
  extensively, it just works as is at home);

- or simply configure sshd to listen only on IPv4 with the
  following directive in “/etc/ssh/sshd_config”:

	AddressFamily inet

  By default it is set to “any”, and X forwarding doesn't seem
  to like not finding any IPv6 interface at all.

No idea if this is intelligent security design, or just a bug,
but that caused quite some headaches in IPv4 only networks
indeed.

Maybe your problem is unrelated, especially if IPv6 is already
available in your network, yet I hope this helps.

Kind Regards,
-- 
Étienne Mollier <etienne.mollier@xxxxxxxxxx>

Or it is just xauth that is unavailable on the server side, this
thing also happens sometimes...
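
Added example, not part of the original message: a shell script that checks a server for the three conditions the message names (X11 forwarding not enabled, "AddressFamily any" on a host with no IPv6 address, xauth missing). The function names, the finding labels and the sample configuration are made up for illustration, and the IPv6 probe assumes a Linux host with /proc/net/if_inet6.

```shell
#!/bin/sh
# Added example; function names, finding labels and sample_config are illustrative.

# effective_value FILE KEYWORD DEFAULT
# Value sshd uses for KEYWORD in the global section of FILE: the first
# occurrence wins, keywords are case-insensitive, and "Match" starts a
# conditional section (not evaluated here).
effective_value() {
    awk -v key="$2" -v def="$3" '
        { sub(/#.*/, ""); sub(/=/, " ") }   # drop comments, accept key=value
        tolower($1) == "match" { exit }
        tolower($1) == tolower(key) && NF >= 2 { print $2; found = 1; exit }
        END { if (!found) print def }
    ' "$1"
}

# Probes for the live host. Assumption: Linux, where /proc/net/if_inet6
# has one line per configured IPv6 address (loopback included).
ipv6_state()  { if grep -q . /proc/net/if_inet6 2>/dev/null; then echo up; else echo down; fi; }
xauth_state() { if command -v xauth >/dev/null 2>&1; then echo present; else echo missing; fi; }

# diagnose_x11 FILE IPV6_STATE XAUTH_STATE
# Prints one finding per line, nothing when none of the three conditions apply.
# Defaults are OpenSSH's own: X11Forwarding no, AddressFamily any.
diagnose_x11() {
    fwd=$(effective_value "$1" X11Forwarding no)
    fam=$(effective_value "$1" AddressFamily any)
    [ "$fwd" = yes ] || echo "x11forwarding-off"
    [ "$fam" = any ] && [ "$2" = down ] && echo "addressfamily-any-without-ipv6"
    [ "$3" = missing ] && echo "xauth-missing"
    return 0
}

# Constructed sample configuration (not from the original message).
sample_config() {
    cat <<'EOF'
# AddressFamily inet
X11Forwarding yes
addressfamily any
AddressFamily inet
Match User alice
    X11Forwarding no
EOF
}

# Check the live host when a config path is given, e.g. /etc/ssh/sshd_config.
if [ -n "${1:-}" ]; then
    diagnose_x11 "$1" "$(ipv6_state)" "$(xauth_state)"
fi
```

For the running daemon's own view of its settings, `sshd -T` run as root prints the effective configuration.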