Applies to: Centrify OpenSSH

Question:

How to configure Centrify OpenSSH for X11 forwarding?


Answer:

In order to configure ssh to do X11 forwarding, the following settings need to be applied in the ssh config files:

• In /etc/centrifydc/ssh/sshd_config
• Search for the following line:
  • #X11Forwarding no
• Change this to:
  • X11Forwarding yes

Add the following lines into be added in the ssh_config file on the client side:

• ForwardX11 yes
• ForwardX11Trusted yes

Save the configurations, then reload ssh and restart sshd.

After a restart, the $DISPLAY environment variable will be set and the needed .XAuthority files will be created.



Additional steps for Fedora Core 5 & higher / RHEL 5 & higher / CentOS 5 or higher:

Either create a link to /usr/bin/xauth by running:

• cd /usr/X11R6/bin
• ls
• ln -s /usr/bin/xauth xauth

Or add the following configuration:

• XAuthLocation /usr/bin/xauth

Additional steps for Solaris 9, 10:

1. Edit /etc/centrifydc/ssh/sshd_config and configure the line to listen on:
   • 0.0.0.0
2. In the startup script, change the startup line for 'ssh' to start with 'sshd -4'
3. Stop and restart the Centrify sshd service.
4. ssh -X should now work.

Additional Notes:

• This is a known issue with stock Solaris SSH as well.
• There is no official fix available at this time.
• Bug 6704823 Fix for 6684003 prevents ssh from X forwarding on IPv4-only system, was filed with Solaris/ssh:
  • http://bugs.opensolaris.org/view_bug.do?bug_id=6704823

Workaround for stock SSH (not Centrify)

• Add the lo0 interface for IPv6, for example:
  • ifconfig lo0 inet6 plumb up
• To make this change permanent, run:
  • touch /etc/hostname6.lo0
• Disable IPv6 ssh support and change ListenAddress to 0.0.0.0 in /etc/ssh/sshd_config, then restart sshd with the "-4" option. For example:
  • svcadm -v disable ssh
  • /usr/lib/ssh/sshd -4