X11 forwarding with “X11UseLocalhost no”

Just a quick tip. If you’ve ever tried to run sshd with the option X11UseLocalhost set to no (e.g. in a cluster environment where interactive jobs running not on the login node should be able to display something), you might have observed that X11 forwarding suddenly stops working. And although the DISPLAY variable is set accordingly and xauth list shows that authentication tokens are present, X clients still can’t connect:

hristo@cn001:~$ echo $DISPLAY
cn001:10.0
hristo@cn001:~$ xauth list
cn001.local:10 MIT-MAGIC-COOKIE-1 0123...
hristo@cn001:~$ xterm
xterm Xt error: Can't open display: cn001:10.0

And it’s even worse:

hristo@cn001:~$ telnet cn001 6010
Trying 10.1.1.1...
telnet: Unable to connect to remote host: Connection refused

The root of the problem stems from the fact that sshd usually binds only to the first address family it finds in the system and if your system has IPv6 enabled (e.g. the default on Ubuntu Server 7.10) it ends up binding only a tcp6 socket (and the X11 client library tries to establish a regular TCP connection):

hristo@cn001:~$ netstat -an | grep 6010
tcp6 0 0 :::6010 :::* LISTEN

In order to fix this you can either disable IPv6 in the kernel or simply add the following option to /etc/ssh/sshd_config:

AddressFamily inet

After you restart the SSH server it will no longer use IPv6 and will start binding its X11 proxy listeners to the usual IPv4 INADDR_ANY of 0.0.0.0.

Comments