
X11 connection rejected because of wrong authentication


Jon Armstrong
Sep 18, 2000, 12:01:40 AM
What am I missing?

X11 forwarding over an ssh connection was working at one point.

I don't know exactly why, but now I'm getting the following
error:

X11 connection rejected because of wrong authentication.

I'll show first the sshd debug output and then the ssh output.

Note: Output of sshquery.pl is:

soccer:~$ sshquery.pl localhost
server protocol 1.5 (OpenSSH-1.2.2)
doing protocol 1
server ciphers: 3DES,blowfish
authentication methods: RSA,password
soccer:~$ uname -a
Linux soccer 2.2.16 #1 Thu Jun 15 23:00:34 EDT 2000 i686 unknown


=== sshd debug output ===
soccer:~$ sudo /usr/local/sbin/sshd -d
debug: sshd version OpenSSH-1.2.2
debug: Bind to port 22 on 0.0.0.0.
Server listening on 0.0.0.0 port 22.
Generating 768 bit RSA key.
RSA key generation complete.
debug: Server will not fork when running in debugging mode.
Connection from 127.0.0.1 port 754
debug: Client protocol version 1.5; client software version OpenSSH-1.2.2
debug: Sent 768 bit public key and 1024 bit host key.
debug: Encryption type: 3des
debug: Received session key; encryption turned on.
debug: Installing crc compensation attack detector.
debug: Attempting authentication for userxxxx.
Accepted rsa for userxxxx from 127.0.0.1 port 754
debug: Allocating pty.
debug: Received request for X11 forwarding with auth spoofing.
debug: Socket family 10 not supported [X11 disp create]
debug: channel 0: new [X11 inet listener]
debug: Forking shell.
debug: Entering interactive session.
debug: Setting controlling tty using TIOCSCTTY.
debug: X11 connection requested.
debug: channel 1: new [X11 connection from localhost port 1550]
debug: Received channel open confirmation.
debug: Received channel close confirmation.
debug: channel 1: INPUT_OPEN -> INPUT_CLOSED [rvcd OCLOSE, send IEOF]
debug: channel 1: shutdown_read
debug: Received channel close.
debug: channel 1: OUTPUT_OPEN -> OUTPUT_WAIT_DRAIN [rvcd IEOF]
debug: channel 1: OUTPUT_WAIT_DRAIN -> OUTPUT_CLOSED [obuf empty, send OCLOSE]
debug: channel 1: shutdown_write
debug: channel 1: full closed
debug: Received SIGCHLD.
debug: End of interactive session; stdin 36, stdout (read 884, sent 884), stderr 0 bytes.
debug: Command exited with status 0.
debug: Received exit confirmation.
Closing connection to 127.0.0.1
soccer:~$
==============================
=== ssh debug output ===
soccer:~$ ssh-add
Need passphrase for /home/userxxxx/.ssh/identity
Enter passphrase for userxxxx@soccer:
Identity added: /home/userxxxx/.ssh/identity (userxxxx@soccer)
soccer:~$ ssh -v localhost
SSH Version OpenSSH-1.2.2, protocol version 1.5.
Compiled with SSL.
debug: Reading configuration data /usr/local/etc/ssh_config
debug: Applying options for *
debug: ssh_connect: getuid 1000 geteuid 0 anon 0
debug: Connecting to localhost [127.0.0.1] port 22.
debug: Allocated local port 754.
debug: Connection established.
debug: Remote protocol version 1.5, remote software version OpenSSH-1.2.2
debug: Waiting for server public key.
debug: Received server public key (768 bits) and host key (1024 bits).
debug: Forcing accepting of host key for loopback/localhost.
debug: Encryption type: 3des
debug: Sent encrypted session key.
debug: Installing crc compensation attack detector.
debug: Received encrypted confirmation.
debug: Trying RSA authentication via agent with 'userxxxx@soccer'
debug: Received RSA challenge from server.
debug: Sending response to RSA challenge.
debug: Remote: RSA authentication accepted.
debug: RSA authentication accepted by server.
debug: Requesting pty.
debug: Requesting X11 forwarding with authentication spoofing.
debug: Requesting shell.
debug: Entering interactive session.
Last login: Sun Sep 17 22:56:41 2000 from localhost
Linux 2.2.16.
Environment:
USER=userxxxx
LOGNAME=userxxxx
HOME=/home/userxxxx
PATH=/usr/bin:/bin:/usr/sbin:/sbin
MAIL=/var/spool/mail/userxxxx
SHELL=/bin/bash
TZ=America/New_York
SSH_CLIENT=127.0.0.1 754 22
SSH_TTY=/dev/pts/2
TERM=xterm-color
DISPLAY=soccer:10.0
XAUTHORITY=/tmp/XauthNw8111
Running /usr/X11R6/bin/xauth add soccer:10.0 MIT-MAGIC-COOKIE-1 7a46a1c4802bcd7f61bd2a17f8961468
(/etc/profile)
Bash start (~/.profile)
Bash start (~/.bashrc)
soccer:/homes/home3/userxxxx$ xterm
debug: Received X11 open request.
debug: channel 0: new [X11 connection from localhost port 1550]
debug: X11 connection uses different authentication protocol.
X11 connection rejected because of wrong authentication.

debug: X11 rejected 0 i1/o16
debug: channel 0: INPUT_OPEN -> INPUT_WAIT_DRAIN [read failed]
debug: channel 0: shutdown_read
debug: channel 0: OUTPUT_OPEN -> OUTPUT_WAIT_IEOF [write failed]
debug: channel 0: shutdown_write
debug: X11 rejected 0 i2/o64
debug: channel 0: INPUT_WAIT_DRAIN -> INPUT_WAIT_OCLOSE [inbuf empty, send IEOF]
debug: channel 0: OUTPUT_WAIT_IEOF -> OUTPUT_CLOSED [rvcd IEOF]
debug: channel 0: INPUT_WAIT_OCLOSE -> INPUT_CLOSED [rcvd OCLOSE]
debug: channel 0: full closed
X connection to soccer:10.0 broken (explicit kill or server shutdown).
soccer:/homes/home3/userxxxx$ env | grep SSH
SSH_CLIENT=127.0.0.1 754 22
SSH_TTY=/dev/pts/2
soccer:/homes/home3/userxxxx$ env | grep AUTH
XAUTHORITY=/tmp/XauthNw8111
soccer:/homes/home3/userxxxx$ x
logout
Connection to localhost closed.
debug: Transferred: stdin 36, stdout 884, stderr 33 bytes in 31.0 seconds
debug: Bytes per second: stdin 1.2, stdout 28.5, stderr 1.1
debug: Exit status 0
soccer:~$
==============================
[End of Message]

Richard E. Silverman
Sep 18, 2000, 1:15:23 AM

On the remote host, do "echo $XAUTHORITY" and make sure it has not been
reset from what sshd set it to be (in this case, "/tmp/XauthNw8111").
Also do "echo $DISPLAY" and "xauth list", and make sure that the key sshd
added for the display is there on the remote side (in this case, it was
display "soccer:10.0" and key "MIT-MAGIC-COOKIE-1
7a46a1c4802bcd7f61bd2a17f8961468").

--
Richard Silverman
sl...@shore.net

Jon Armstrong
Sep 18, 2000, 1:28:32 AM
Here's the data you asked for:

From another debug run:
XAUTHORITY=/tmp/XauthtQ8582
Running /usr/X11R6/bin/xauth add soccer:10.0 MIT-MAGIC-COOKIE-1 77293b1ff70b993f54b41104581fa230


Then on the remote host:

soccer:/homes/home3/userxxxx$ echo $XAUTHORITY
/tmp/XauthtQ8582

soccer:/homes/home3/userxxxx$ echo $DISPLAY
soccer:10.0

soccer:/homes/home3/userxxxx$ xauth list
localhost:10 MIT-MAGIC-COOKIE-1 77293b1ff70b993f54b41104581fa230

It all looks reasonable to me.

Regards... Jon

Jon Armstrong
Sep 18, 2000, 1:35:22 AM
Jon Armstrong <arms...@soccer.rochester.rr.com> wrote:
> Here's the data you asked for:

> From another debug run:
> XAUTHORITY=/tmp/XauthtQ8582
> Running /usr/X11R6/bin/xauth add soccer:10.0 MIT-MAGIC-COOKIE-1 77293b1ff70b993f54b41104581fa230


> Then on the remote host:

> soccer:/homes/home3/userxxxx$ echo $XAUTHORITY
> /tmp/XauthtQ8582

> soccer:/homes/home3/userxxxx$ echo $DISPLAY
> soccer:10.0

> soccer:/homes/home3/userxxxx$ xauth list
> localhost:10 MIT-MAGIC-COOKIE-1 77293b1ff70b993f54b41104581fa230

Just to be clear, soccer and localhost are the same host.
Whether I use soccer or localhost does not matter. They are aliased
in the hosts file to the same IP (127.0.0.1).

Regards... Jon

Richard E. Silverman
Sep 18, 2000, 2:17:50 AM
>>>>> "Jon" == Jon Armstrong <arms...@soccer.rochester.rr.com> writes:

>> soccer:/homes/home3/userxxxx$ echo $XAUTHORITY
>> /tmp/XauthtQ8582

>> soccer:/homes/home3/userxxxx$ echo $DISPLAY
>> soccer:10.0

>> soccer:/homes/home3/userxxxx$ xauth list
>> localhost:10 MIT-MAGIC-COOKIE-1 77293b1ff70b993f54b41104581fa230

Jon> Just to be clear, soccer and localhost are the same host.
Jon> Whether I use soccer or localhost does not matter. They are
Jon> aliased in the hosts file to the same IP (127.0.0.1).

You probably don't want to do that -- you may have made your name/address
lookups inconsistent. What does this Perl program return when run on
"soccer":

#!/usr/bin/perl
# Print the canonical name and every address that gethostbyname()
# returns for "soccer", to see whether the name maps to the loopback
# address or to the real (DHCP-assigned) address.
use strict;
use warnings;
use Socket;
use Net::hostent;

my $info = gethostbyname("soccer")
    or die "no addresses\n";

print $info->name, "\n";                      # canonical hostname
foreach my $address (@{$info->addr_list}) {
    print " ", inet_ntoa($address), "\n";     # each address, dotted-quad form
}

If it returns your real IP address, then that's the problem -- Xlib
translates "soccer" to an address, and doesn't find an xauth key for it,
since it's stored under the loopback address instead.

--
Richard Silverman
sl...@shore.net

Jon Armstrong
Sep 18, 2000, 3:00:00 AM
Richard E. Silverman <sl...@shore.net> wrote:

soccer:~$ checklocaladdress.pl
soccer.rochester.rr.com
127.0.0.1
soccer:~$

As I said, X11 forwarding was working at some point. X itself has
never been a problem.

xterm -display soccer:0 and xterm -display localhost:0

work fine when not trying to go through an ssh connection. I'm just
trying the basics until I get this working again. I'm using ssh to
my local system and redirecting X back across the ssh link to my
local X server.

Just as a test, I changed hostname to localhost and removed the soccer
alias from /etc/hosts so that only localhost translates to 127.0.0.1.

The xauth entry seen in "ssh -v localhost" debug output is:

Running /usr/X11R6/bin/xauth add localhost:11.0 MIT-MAGIC-COOKIE-1 8f42c5506a591945a26854cf881b92f2

localhost:/homes/home3/userxxxx$ xauth list
localhost:11 MIT-MAGIC-COOKIE-1 8f42c5506a591945a26854cf881b92f2

soccer:~$ checklocaladdress.pl
localhost
127.0.0.1

I'm going to try a few more tests, like restarting the X server, now
that I've taken "soccer" out of the hosts file and changed hostname.

Regards... Jon

Jon Armstrong
Sep 18, 2000, 3:00:00 AM
Richard E. Silverman <sl...@shore.net> wrote:

> Jon> Just to be clear, soccer and localhost are the same host.
> Jon> Whether I use soccer or localhost does not matter. They are
> Jon> aliased in the hosts file to the same IP (127.0.0.1).

> You probably don't want to do that -- you may have made your name/address
> lookups inconsistent.

> If it returns your real IP address, then that's the problem -- Xlib


> translates "soccer" to an address, and doesn't find an xauth key for it,
> since it's stored under the loopback address instead.

I removed soccer completely from the hosts file and set hostname to
localhost to make sure everything was consistent. I restarted the
X server and reran my test with debug enabled for ssh and sshd.
The result was the same, but I'll show the debug output along with
a few other things you've asked to see, just to give a complete
picture of what we currently have.

I also regenerated my identity and identity.pub just for kicks, and
added identity.pub to authorized_keys.

I even regenerated my host-key.

Same results.

ssh works fine. I just can't redirect X over ssh anymore.

Regards... Jon

===
localhost:~$ uname -a
Linux localhost 2.2.16 #1 Thu Jun 15 23:00:34 EDT 2000 i686 unknown

localhost:~$ checklocaladdress.pl (your perl script)
localhost
127.0.0.1

localhost:~$ ssh -v localhost
SSH Version OpenSSH-1.2.2, protocol version 1.5.
Compiled with SSL.
debug: Reading configuration data /usr/local/etc/ssh_config
debug: Applying options for *
debug: ssh_connect: getuid 1000 geteuid 0 anon 0
debug: Connecting to localhost [127.0.0.1] port 22.
debug: Allocated local port 696.
debug: Connection established.
debug: Remote protocol version 1.5, remote software version OpenSSH-1.2.2
debug: Waiting for server public key.
debug: Received server public key (768 bits) and host key (1024 bits).
debug: Forcing accepting of host key for loopback/localhost.
debug: Encryption type: 3des
debug: Sent encrypted session key.
debug: Installing crc compensation attack detector.
debug: Received encrypted confirmation.
debug: RSA authentication using agent refused.
debug: Trying RSA authentication with key 'userxxxx@localhost'
debug: Received RSA challenge from server.
Enter passphrase for RSA key 'userxxxx@localhost':
debug: Sending response to host key RSA challenge.
debug: Remote: RSA authentication accepted.
debug: RSA authentication accepted by server.
debug: Requesting pty.
debug: Requesting X11 forwarding with authentication spoofing.
debug: Requesting shell.
debug: Entering interactive session.
Last login: Mon Sep 18 09:26:29 2000 from localhost
Linux 2.2.16.
Environment:
USER=userxxxx
LOGNAME=userxxxx
HOME=/home/userxxxx
PATH=/usr/bin:/bin:/usr/sbin:/sbin
MAIL=/var/spool/mail/userxxxx
SHELL=/bin/bash
TZ=America/New_York
SSH_CLIENT=127.0.0.1 696 22
SSH_TTY=/dev/pts/4
TERM=xterm-color
DISPLAY=localhost:10.0
XAUTHORITY=/tmp/XauthoC9832
Running /usr/X11R6/bin/xauth add localhost:10.0 MIT-MAGIC-COOKIE-1 e99e9dc00e1fbbd255366b715d4a7231
(/etc/profile)
Bash start (~/.profile)
Bash start (~/.bashrc)
localhost:/homes/home3/userxxxx$ xterm
debug: Received X11 open request.
debug: channel 0: new [X11 connection from localhost port 1857]
debug: X11 connection uses different authentication protocol.
X11 connection rejected because of wrong authentication.

debug: X11 rejected 0 i1/o16
debug: channel 0: INPUT_OPEN -> INPUT_WAIT_DRAIN [read failed]
debug: channel 0: shutdown_read
debug: channel 0: OUTPUT_OPEN -> OUTPUT_WAIT_IEOF [write failed]
debug: channel 0: shutdown_write
debug: X11 rejected 0 i2/o64
debug: channel 0: INPUT_WAIT_DRAIN -> INPUT_WAIT_OCLOSE [inbuf empty, send IEOF]
debug: channel 0: OUTPUT_WAIT_IEOF -> OUTPUT_CLOSED [rvcd IEOF]
debug: channel 0: INPUT_WAIT_OCLOSE -> INPUT_CLOSED [rcvd OCLOSE]
debug: channel 0: full closed
X connection to localhost:10.0 broken (explicit kill or server shutdown).
localhost:/homes/home3/userxxxx$ xauth list
localhost:10 MIT-MAGIC-COOKIE-1 e99e9dc00e1fbbd255366b715d4a7231
localhost:/homes/home3/userxxxx$ echo $DISPLAY
localhost:10.0
localhost:/homes/home3/userxxxx$ echo $XAUTHORITY
/tmp/XauthoC9832
localhost:/homes/home3/userxxxx$ checklocaladdress.pl
localhost
127.0.0.1
localhost:/homes/home3/userxxxx$ x
logout
Connection to localhost closed.
debug: Transferred: stdin 57, stdout 1047, stderr 33 bytes in 203.8 seconds
debug: Bytes per second: stdin 0.3, stdout 5.1, stderr 0.2
debug: Exit status 0
localhost:~$
======================
localhost:/etc$ sudo /usr/local/sbin/sshd -d
debug: sshd version OpenSSH-1.2.2
debug: Bind to port 22 on 0.0.0.0.
Server listening on 0.0.0.0 port 22.
Generating 768 bit RSA key.
RSA key generation complete.
debug: Server will not fork when running in debugging mode.
Connection from 127.0.0.1 port 696
debug: Client protocol version 1.5; client software version OpenSSH-1.2.2
debug: Sent 768 bit public key and 1024 bit host key.
debug: Encryption type: 3des
debug: Received session key; encryption turned on.
debug: Installing crc compensation attack detector.
debug: Attempting authentication for userxxxx.
Accepted rsa for userxxxx from 127.0.0.1 port 696
debug: Allocating pty.
debug: Received request for X11 forwarding with auth spoofing.
debug: Socket family 10 not supported [X11 disp create]
debug: channel 0: new [X11 inet listener]
debug: Forking shell.
debug: Entering interactive session.
debug: Setting controlling tty using TIOCSCTTY.
debug: X11 connection requested.
debug: channel 1: new [X11 connection from localhost port 1857]
debug: Received channel open confirmation.
debug: Received channel close confirmation.
debug: channel 1: INPUT_OPEN -> INPUT_CLOSED [rvcd OCLOSE, send IEOF]
debug: channel 1: shutdown_read
debug: Received channel close.
debug: channel 1: OUTPUT_OPEN -> OUTPUT_WAIT_DRAIN [rvcd IEOF]
debug: channel 1: OUTPUT_WAIT_DRAIN -> OUTPUT_CLOSED [obuf empty, send OCLOSE]
debug: channel 1: shutdown_write
debug: channel 1: full closed
debug: Received SIGCHLD.
debug: End of interactive session; stdin 57, stdout (read 1047, sent 1047), stderr 0 bytes.
debug: Command exited with status 0.
debug: Received exit confirmation.
Closing connection to 127.0.0.1
localhost:/etc$
==================
[End of Message]

Richard E. Silverman
Sep 18, 2000, 3:00:00 AM

There are lots of things that could be wrong. It really is not a good
idea to map your canonical hostname to the loopback when you have a real
network connection. What does your /etc/hosts say? How about
/etc/nsswitch.conf?

For instance, your gethostbyname("soccer") returns soccer.rochester.rr.com
as the canonical name. If Xlib in turn looks that up, you will have a
problem. For one thing, if it ends up looking in the DNS for it, your DNS
is broken:

named[513]: Lame server on 'soccer.rochester.rr.com' (in 'rochester.RR.com'?): [24.92.226.172].53 'nns2-1.nyroc.rr.com'
named[513]: Lame server on 'soccer.rochester.rr.com' (in 'rochester.RR.com'?): [24.92.226.174].53 'nns4-1.nyroc.rr.com'
named[513]: Lame server on 'soccer.rochester.rr.com' (in 'rochester.RR.com'?): [24.92.226.12].53 'nns2-0.nyroc.rr.com'
named[513]: Lame server on 'soccer.rochester.rr.com' (in 'rochester.RR.com'?): [24.92.226.13].53 'nns3-0.nyroc.rr.com'
named[513]: Lame server on 'soccer.rochester.rr.com' (in 'rochester.RR.com'?): [24.92.226.173].53 'nns3-1.nyroc.rr.com'
named[513]: Lame server on 'soccer.rochester.rr.com' (in 'rochester.RR.com'?): [24.92.226.14].53 'nns4-0.nyroc.rr.com'

That name can't currently be looked up due to the lame delegations, so it
would fail. Even if it succeeded, though, the DNS name would have an A
record for your real IP address, not the loopback, and so would not match
what you've recorded for the SSH X proxy key.

--
Richard Silverman
sl...@shore.net

Jon Armstrong
Sep 18, 2000, 3:00:00 AM
Richard E. Silverman <sl...@shore.net> wrote:

Richard,

First, let me say I appreciate your attention to this newsgroup.
I find your suggestions *very* helpful. I'm new to ssh, but not
to unix, X, or networking.

If any of my comments sound argumentative, they aren't meant to
be. All your suggestions are welcome, even if not all of them
hit the target, which I admit is a bit of a blind target from
where you sit.

> There are lots of things that could be wrong. It really is not a
> good idea to map your canonical hostname to the loopback when you
> have a real network connection. What does your /etc/hosts say?
> How about /etc/nsswitch.conf?

Well... Actually, I have no fixed hostname. It's assigned via dhcp,
so I can't depend on that. The host soccer.rochester.rr.com does
not exist (it's just an alias), but soccer was resolved to 127.0.0.1,
which is really what I want. I do not want local connections to be
dependent on my isp being up. Also, dhcp can reissue ip addresses
on the fly.

I avoid the entire mess by simply recognizing that no local connection
needs to care about the public ip address assigned via dhcp. The alias
in hosts takes care of that, along with proper ordering of arguments in:

/etc/nsswitch.conf

hosts: files dns
networks: files dns

/etc/hosts (is now)

# For loopback.
127.0.0.1 localhost
#127.0.0.1 soccer.rochester.rr.com (removed)

# other unrelated entries exist
# End of hosts.

$ hostname
localhost

$ echo $DISPLAY
localhost:13.0

and xauth list shows correct information.
localhost:13 MIT-MAGIC-COOKIE-1 40b05249fc30c980477c4c2c68dc2f6e


> For instance, your gethostbyname("soccer") returns
> soccer.rochester.rr.com as the canonical name.

No. This did not happen. soccer resolved to 127.0.0.1.


> That name can't currently be looked up due to the lame delegations,
> so it would fail. Even if it succeeded, though, the DNS name would
> have an A record for your real IP address, not the loopback, and so
> would not match what you've recorded for the SSH X proxy key.

Richard,

I don't think that is the problem. Taking out "soccer" and using
"localhost" should be fine, given the order of dns search in
nsswitch.conf.

In fact, either soccer or localhost (aliased to 127.0.0.1) should
be fine.

Think about it. I should be able to have several active interfaces
over which ip travels. The loopback interface is one such reasonable
choice.

If you check my logs, 127.0.0.1 is clearly being used.

There's got to be something else involved here.

Having said all that... I'm certainly willing to try your approach.
I'll change the hostname to that associated with the dhcp address
obtained. This shouldn't be necessary, but it's something to try.

Before I run off, let me ask a few general/basic ssh questions.

What is the accepted practice when using a dynamically assigned ip
address? Does ssh expect any generated keys to be updated/changed
every time the ip address of an interface changes? Should I really
need to set my hostname to that assigned to my public interface?

I realize that remote hosts may care that my ip address changed,
but is there something locally that is required (specifically for
ssh) when an interface is assigned a new ip address?

Best regards... Jon

Richard E. Silverman
Sep 19, 2000, 1:39:40 AM
>>>>> "Jon" == Jon Armstrong <arms...@localhost.rochester.rr.com> writes:

>> For instance, your gethostbyname("soccer") returns
>> soccer.rochester.rr.com as the canonical name.

Jon> No. This did not happen. soccer resolved to 127.0.0.1.

Yes, it did happen, and your objection has nothing to do with what I said.
Recall from your previous message:

The Perl program called gethostbyname("soccer"). gethostbyname returns
more information than just a list of addresses; it also returns the
canonical hostname. In this case, "soccer.rochester.rr.com". My point
was that Xlib might not immediately use the address returned by
gethostbyname(); rather, it might get the canonical name, then do a lookup
of that explicitly (it's a common thing to do). If it did this, and
looked in the DNS for addresses for that name, it would fail, either
because there is no A record for that domain (as there are not currently),
or because if there were one, it would not be the loopback address under
which your xauth key is stored.

Jon> Think about it. I should be able to have several active
Jon> interfaces over which ip travels. The loopback interface is one
Jon> such reasonable choice.

Jon> If you check my logs, 127.0.0.1 is clearly being used.

This is all true, but you're talking about IP. The lookup of your xauth
key is dependent upon naming, which is a separate issue.

Jon> There's got to be something else involved here.

Sure, as I said, there are lots of things that could be wrong; I'm just
trying to point out one common problem that I don't think you've
eliminated. Another one is Xlib implementations that do odd things when
interpreting xauth keys, such as assuming some IPC mechanism like Unix
domain sockets when talking to an X server on the local host, even when
the xauth key does not indicate such a mechanism. Have you reinstalled
your OS or updated X recently? I would run the X client under strace,
simultaneously using tcpdump to capture any nameserver traffic. Make sure
that Xlib is actually respecting the XAUTHORITY variable and reading the
OpenSSH xauth file, and get a picture of what names it's looking up and
why. If that doesn't make things clear, I would run the SSH client under
gdb and look at the behavior of the routine channels.c:x11_open_helper(),
where it receives the initial X connection packet and examines the xauth
key it finds.

--
Richard Silverman
sl...@shore.net
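A model of the lookup Richard describes, as an added example that is not part of the thread and not code from OpenSSH or Xlib: the client resolves the host in DISPLAY and matches xauth entries by address (which is why Jon's "soccer:10.0" can match an entry listed as "localhost:10"), but a client that decides the host is local and switches to a Unix-domain socket wants a "hostname/unix:N" entry that sshd never added, so it sends no cookie and the proxy logs "different authentication protocol". The resolver table, the second xauth entry and the 203.0.113.7 address are constructed for the example.

```python
"""Model of how an X client picks the xauth cookie for $DISPLAY and how the
OpenSSH X11 proxy then judges the first packet. Added illustration only, not
code from OpenSSH or Xlib; the resolver table and `xauth list` sample are
constructed to mirror the values in this thread."""
import re

# Constructed `xauth list` sample: Jon's forwarded-display entry plus a
# FamilyLocal entry of the kind a local X server has (hypothetical cookie).
XAUTH_LIST = """\
localhost:10  MIT-MAGIC-COOKIE-1  77293b1ff70b993f54b41104581fa230
soccer/unix:0  MIT-MAGIC-COOKIE-1  00000000000000000000000000000000
"""

# Constructed resolver table modelled on Jon's /etc/hosts: both short names
# loop back; the DHCP-assigned public name (hypothetical address) does not.
HOSTS = {
    "localhost": "127.0.0.1",
    "soccer": "127.0.0.1",
    "soccer.rochester.rr.com": "203.0.113.7",
}

_ENTRY = re.compile(r"^(\S+?)(/unix)?:(\d+)\s+(\S+)\s+([0-9a-f]+)$")


def parse_xauth_list(text):
    """Turn `xauth list` lines into (family, host, display, proto, cookie)."""
    entries = []
    for line in text.splitlines():
        m = _ENTRY.match(line.strip())
        if m:
            host, unix, dpy, proto, cookie = m.groups()
            entries.append(("local" if unix else "inet", host, int(dpy), proto, cookie))
    return entries


def parse_display(display):
    """'soccer:10.0' -> ('soccer', 10); the screen number plays no part in auth."""
    host, _, rest = display.rpartition(":")
    return host, int(rest.split(".")[0])


def find_cookie(display, entries, resolver, local_hostname, prefer_unix_socket=False):
    """Return (proto, cookie) an Xlib-like client would send, or None (no auth sent).

    Internet path: the DISPLAY host and each listed host are resolved and
    compared as addresses, so 'soccer:10.0' matches an entry listed as
    'localhost:10' when both loop back. Local-socket path (Richard's suspicion):
    addresses are ignored; only a 'hostname/unix:N' entry for the machine's
    own name will do.
    """
    host, dpy = parse_display(display)
    if prefer_unix_socket or host in ("", "unix"):
        wanted = ("local", local_hostname, dpy)
    else:
        addr = resolver.get(host)
        wanted = None if addr is None else ("inet", addr, dpy)
    for fam, h, d, proto, cookie in entries:
        key = (fam, h if fam == "local" else resolver.get(h), d)
        if wanted is not None and key == wanted:
            return proto, cookie
    return None


def proxy_verdict(sent, fake):
    """Model of the OpenSSH-side check: only the fake cookie handed to `xauth add`
    is accepted. A missing or foreign protocol name gives the thread's
    'different authentication protocol' debug line; the right protocol with the
    wrong bytes is a plain mismatch. Both end in 'rejected because of wrong
    authentication' for the user."""
    if sent is None or sent[0] != fake[0]:
        return "different authentication protocol"
    if sent[1] != fake[1]:
        return "auth data does not match fake data"
    return "accepted"


if __name__ == "__main__":
    entries = parse_xauth_list(XAUTH_LIST)
    fake = ("MIT-MAGIC-COOKIE-1", "77293b1ff70b993f54b41104581fa230")
    print("inet:", proxy_verdict(find_cookie("soccer:10.0", entries, HOSTS, "soccer"), fake))
    print("unix:", proxy_verdict(find_cookie("soccer:10.0", entries, HOSTS, "soccer", True), fake))
```

Feeding it the real `xauth list` output and `$DISPLAY` from a failing session shows which of the two lookup paths comes up empty before reaching for strace.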

Jon Armstrong
Sep 19, 2000, 3:00:00 AM
Richard E. Silverman <sl...@shore.net> wrote:
>>>>>> "Jon" == Jon Armstrong <arms...@localhost.rochester.rr.com> writes:

> >> For instance, your gethostbyname("soccer") returns
> >> soccer.rochester.rr.com as the canonical name.

> Jon> No. This did not happen. soccer resolved to 127.0.0.1.

> Yes, it did happen, and your objection has nothing to do with what I said.
> Recall from your previous message:

> The Perl program called gethostbyname("soccer"). gethostbyname returns
> more information than just a list of addresses; it also returns the
> canonical hostname. In this case, "soccer.rochester.rr.com". My point
> was that Xlib might not immediately use the address returned by
> gethostbyname(); rather, it might get the canonical name, then do a lookup
> of that explicitly (it's a common thing to do). If it did this, and
> looked in the DNS for addresses for that name, it would fail, either
> because there is no A record for that domain (as there are not currently),
> or because if there were one, it would not be the loopback address under
> which your xauth key is stored.

Interesting. Bypassing nsswitch and deciding to ignore the hosts
file seems like it would cause problems for those who really wish
to force name/IP mappings, as I've done.

Even so, I removed the soccer.rochester.rr.com entry from hosts and
changed the hostname to localhost. There is no reason for this to
fail (that I can think of), that wouldn't be due to questionable
causes.

ssh and X from localhost to localhost should be the most trivial case.

After seeing a fair amount of traffic on OpenSSH 2.2.0p1, I decided
to install it. The configure script needed a little help, but I
managed to get the newest OpenSSL and OpenSSH installed. I killed
my old sshd daemon and started the new one. ssh localhost works
fine and X forwarding is now working again.

Strange. It would be nice to know specifically why OpenSSH 1.x had
problems and 2.x now works.

The next interesting step is to check ssh from work to this machine
(with X forwarding back to work).

From an ssh point of view, should I be able to "ssh localhost" as
well as "ssh blahxxx.rochester.rr.com" ... assuming blahxxx.* is
assigned to my public interface? ssh spits out a spoofing error
when I try to ssh to the public IP address. Is there a reasonable
way to allow both (localhost and public IP)? ssh seems to now want
a host key for each.

Adding an alias in hosts seems to work, but I don't know if I like
that.

127.0.0.1 localhost
127.0.0.1 blahxxx.rochester.rr.com

Thanks again.... Jon
