SSH X forwarding going awry (Was: Why does Debian allow all incoming traffic by default)
- Date: Sun, 23 Sep 2018 11:35:41 +0200
- From: Étienne Mollier <etienne.mollier@xxxxxxxxxx>
On 9/22/18 10:15 PM, Gene Heskett wrote:
> I would certainly hope so, AND give due consideration to just
> how big a headache any change means for the users.
That is an understatement, this headache thing.
> They have over the last two "upgrades" from wheezy to jessie
> and on to stretch, totally disabled any attempts to forward x
> to another machine, I suppose based on someone's idea of
> security and my questions about fixing that pain in the arse,
> so it works once again, have been totally ignored. They HAVE
> been asked, but never acknowledged with the courtesy of even a
> reply with a link to a tut.
If this can help, since Debian Jessie, SSH server is configured
by default to listen to both IPv4 and v6 interfaces. When v6
links are unavailable, for /some reason/ (I don't recall the
details), X forwarding attempts are prevented, but normal SSH
continues as usual (with a warning about X11 forwarding having
failed to start).
To fix this, two different solutions are available:
- make IPv6 interfaces available on SSH server side (and
  maybe on client side too, I haven't tested that solution
  extensively, it just works as is at home);
- or simply configure sshd to listen only on IPv4 with the
  following directive in “/etc/ssh/sshd_config”:
By default it is set to “any”, and X forwarding doesn't seem
to like not finding any IPv6 interface at all.
No idea if this is intelligent security design, or just a bug,
but that caused quite some headaches in IPv4-only networks.
Maybe your problem is unrelated, especially if IPv6 is already
available in your network, yet I hope this helps.
Étienne Mollier <etienne.mollier@xxxxxxxxxx>
Or it is just xauth that is unavailable on server side, this
thing also happens sometimes...
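
A pre-flight check for the causes named in this message (sshd listening on "any" address family with no IPv6 on the host, or xauth missing on the server), as an added example that is not part of the original message. It assumes the directive the message refers to is sshd's `AddressFamily`; the function names and the `/proc/net/if_inet6` probe are this example's own choices.

```shell
#!/bin/sh
# Added example: pre-flight check for sshd X11 forwarding failures.
# Assumption: the directive in question is AddressFamily (default "any").

# First value of KEYWORD in an sshd_config-style FILE, else DEFAULT.
# sshd keeps the first occurrence and keywords are case-insensitive;
# parsing stops at the first Match block, which only holds overrides.
# Limitation: Include files are not followed.
sshd_value() {  # usage: sshd_value FILE KEYWORD DEFAULT
    awk -v key="$2" -v def="$3" '
        $1 ~ /^#/ { next }
        tolower($1) == "match" { exit }
        tolower($1) == tolower(key) { print tolower($2); found = 1; exit }
        END { if (!found) print def }
    ' "$1"
}

# Linux-specific heuristic: this file lists configured IPv6 addresses.
host_has_ipv6() { if [ -s /proc/net/if_inet6 ]; then echo yes; else echo no; fi; }
host_has_xauth() { if command -v xauth >/dev/null 2>&1; then echo yes; else echo no; fi; }

# Classify the likely cause from the config plus two host facts.
x11_diagnose() {  # usage: x11_diagnose FILE HAS_IPV6 HAS_XAUTH
    af=$(sshd_value "$1" AddressFamily any)
    x11=$(sshd_value "$1" X11Forwarding no)
    if [ "$x11" != yes ]; then echo x11forwarding-disabled
    elif [ "$3" != yes ]; then echo xauth-missing
    elif [ "$af" = any ] && [ "$2" != yes ]; then echo addressfamily-any-without-ipv6
    else echo ok
    fi
}

# Run against the live config when it is readable (override with SSHD_CONFIG).
cfg=${SSHD_CONFIG:-/etc/ssh/sshd_config}
if [ -r "$cfg" ]; then
    echo "$cfg: $(x11_diagnose "$cfg" "$(host_has_ipv6)" "$(host_has_xauth)")"
fi
```

Run it on the SSH server; after changing the configuration, `sshd -t` validates the file before the daemon is restarted.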