SUMMARY: All ports in use, but I don't think they are

From: Christopher L. Barnard (cbar44@tsg.cbot.com)
Date: Wed Dec 14 2005 - 14:57:27 EST


I am cc-ing this summary to the secureshell@securityfocus.com mailing
list, since I posed the question and got several suggestions from there
as well.

I asked

> I have several identically configured Solaris 9 servers running
> OpenSSH 4.2p1. Some let me do X forwarding, some do not. All have the
> ForwardX11 yes
> in the ssh_config file and
> X11Forwarding yes
> X11UseLocalhost no
> in the sshd_config file. I have restarted ssh several times, so I am
> comfortable that the config files are being read.
>
> On servers that work, I ssh to them, start an X application like xclock,
> and it appears on my screen. On servers that do not work, when I try to
> run an X application I am told
> Error: Can't open display:
> The .Xauthority in my homedir is *not* updated, btw.
>
> After many rounds of testing to try and figure out the problem, which
> involved running the daemon with three levels of debug (-ddd) I found
> the underlying problem:
>
> debug2: bind port 6260: Address already in use
>
> repeated 999 times, for the 999 ports from 6000 to 6999. Then the msg
> Failed to allocate internet-domain X11 display socket.
> debug1: x11_create_display_inet failed.
>
> and I am ssh-ed in, but I do not have X.
>
> netstat, ps, ndd /dev/tcp tcp_status show that the server is busy, but
> not THAT busy. There are about 200 ssh connections to the box, which
> is nowhere near the 999 ports for X forwarding. I believe the port idle
> timeout on Solaris 9 boxes is 4 minutes, but I see no ports in TIME_WAIT
> anyway.
>
> Has anyone seen this before? Do I need to somehow clean out connections to
> the X ports? Is there a limit of some sort on this box that I am bumping
> against that I need to raise? (ndd is powerful, but easy to misuse...)
>
> Thanks, and I will summarize.

The solution

It's a bug in the interaction between Solaris and SSH over the
implementation of IPv6 network addresses. I don't fully understand why
this is the case, but by starting the daemon with the -4 flag (only use
IPv4 addresses) X is forwarded just fine.

My thanks to many many folks on both the sunmanagers and secureshell lists
who suggested things to try. I used lsof and although ssh was reporting that
all 999 X ports were in use, they actually were not. The sunsolve document
 http://sunsolve.sun.com/searchproxy/document.do?assetkey=1-26-101834-1
points to some patches, but they were not the issue. Thanks to Crist Clark who
pointed me to the IPv6 vs IPv4 bug.

+-----------------------------------------------------------------------+
| Christopher L. Barnard O When I was a boy I was told that |
| cbarnard@tsg.cbot.com / \ anybody could become president. |
| (312) 347-4901 O---O Now I'm beginning to believe it. |
| http://www.cs.uchicago.edu/~cbarnard --Clarence Darrow |
+----------PGP public key available via finger or PGP keyserver---------+
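
The cross-check described in the summary (ports sshd reports as busy versus ports lsof shows listening) can be scripted. This is an added example, not part of the original post; the function names, the sample debug log and the `lsof -nP -iTCP` style lines (PIDs, device fields) are constructed for illustration.

```python
import re

# Lines sshd -ddd prints when it cannot bind an X11 forwarding port (format from the post).
BIND_FAIL = re.compile(r"debug2: bind port (\d+): Address already in use")
ALLOC_FAIL = "Failed to allocate internet-domain X11 display socket"
# Listener lines as printed by `lsof -nP -iTCP` (numeric ports).
LISTEN = re.compile(r":(\d+) \(LISTEN\)")


def listening_ports(lsof_text):
    """Return the set of TCP ports that have a real listener."""
    return {int(p) for p in LISTEN.findall(lsof_text)}


def triage(sshd_debug, lsof_text):
    """Compare the ports sshd could not bind with the ports actually in use."""
    refused = sorted({int(p) for p in BIND_FAIL.findall(sshd_debug)})
    in_use = listening_ports(lsof_text)
    phantom = [p for p in refused if p not in in_use]
    gave_up = ALLOC_FAIL in sshd_debug
    return {
        "refused": len(refused),
        "confirmed_busy": len(refused) - len(phantom),
        "phantom": phantom,
        "gave_up": gave_up,
        # Range reported full, yet most refused ports have no listener:
        # the exhaustion is not real, so look at how sshd binds, not at load.
        "false_exhaustion": gave_up and len(phantom) > len(refused) // 2,
    }


# Constructed sample input: a refused bind for every port in the X11 range,
# but only two forwarded displays really listening.
SAMPLE_DEBUG = "\n".join(
    f"debug2: bind port {p}: Address already in use" for p in range(6000, 7000)
) + "\n" + ALLOC_FAIL + ".\ndebug1: x11_create_display_inet failed.\n"
SAMPLE_LSOF = """\
sshd 1201 root 9u IPv4 0x3000a 0t0 TCP *:6010 (LISTEN)
sshd 1377 root 9u IPv4 0x3000b 0t0 TCP *:6011 (LISTEN)
sshd  402 root 4u IPv4 0x30001 0t0 TCP *:22 (LISTEN)
"""

if __name__ == "__main__":
    r = triage(SAMPLE_DEBUG, SAMPLE_LSOF)
    print(f"{r['refused']} ports refused, {r['confirmed_busy']} really listening")
    if r["false_exhaustion"]:
        print("X11 range is not really full; test sshd with -4 as in the post")
```

A `false_exhaustion` result matches the situation in the post, where the fix was starting the daemon with `-4`; a result with no phantom ports points to genuine port pressure instead.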