用Xmanager连接HP-UX时弹出如下提示信息:
The X11 forwarding request was rejected!
to solve this problem,please turn on the X11 forwarding feather of the remote SSH server
Show reply messages 信息如下:
[11:51:51] Connecting to '172.31.0.131'...
[11:51:51] Connected.
[11:51:51] Version exchange initiated...
.
.
.
[11:52:08] Sent X11 forwarding request...
[11:52:08] Failed.
一, 一般论坛上都是以下类似的解决办法:
将sshd_config中 设置 X11Forwarding yes
重启sshd服务。
但是我找遍了我5台机器的设定, X11Forwarding 的默认值都是 yes ! 既然这样了,我还改什么啊? 但还是徒劳的将默认选项删除再手动敲入, 无果:(
二, 登陆Xmanager官方网站(http://www.netsarang.com/products/xmg_faq.html), 在对应版本OS位置找到对应的解决办法如下:
For XDMCP connection to HP-UX 11.X
1. XDM Configuration
# /usr/dt/bin/dtconfig -e [Enable]
2. Firewall (TCP/UDP Ports) Configuration
Open UDP port 177 from the PC to the remote host direction.
Open incoming TCP ports 6000~6010 from the remote host to your PC.
3. Reboot the remote host and start Xmanager
以上经过测试, 对于我来说完全不适用:(
三, 在HP官方网站上查到个针对HP-UX的解决办法:
修改文件 /etc/rc.config.d/xfs
RUN_X_FONT_SERVER=0 <<---改成 RUN_X_FONT_SERVER=1
然后重新启动xfs . 经过测试发现还是不行.
四, 没有其他办法了,自己对/opt/ssh/etc/sshd_config 配置文件一个一个选项的测试, 终于发现只用改动下面的这一个选项设定就可以了:
X11UseLocalhostyes
默认情况下,该设定是被注释(关闭)的. 此办法,在我其他4台机器上测试过, 完全管用. 当然改完后要重启动sshd服务 !
sshd restart :
备注: 1. 我的客户端与服务器之间的Firewall没有特别管控. 所以不存在UDP端口的问题.
2. 不明白网上的解决办法为什么这么多种,缺解决不了我的问题:( ,只能解释为不同的机器环境需要区别对待.
--------2008.8.5----更新
为什么X11UseLocalhost 一定要设定为yes, 最近在网络上找到了可能的原因: HP-UX 11iv2 2008版本使用的sshd好像是4.X, 有一个bug存在. 必须设定为这样才可以被Xmanager连接使用. 我旧版本的机器是3.9版的sshd, 不存在这个问题.
OpenSSH “X11UseLocalhost” X11 Forwarding Security Issue
SECUNIA ADVISORY ID: SA31179
VERIFY ADVISORY: http://secunia.com/advisories/31179/
CRITICAL: Not critical
IMPACT: Exposure of sensitive information
WHERE: Local system
SOFTWARE: OpenSSH 4.x http://secunia.com/product/5653/ OpenSSH 5.x http://secunia.com/product/19347/
DESCRIPTION: A security issue has been reported in OpenSSH, which can be exploited by malicious, local users to disclose sensitive information.
The security issue is caused due to the sshd server setting the SO_REUSEADDR option for the listening socket used by the X11 forwarding server. This can be exploited to intercept an X11 forwarding session by binding a socket to the X11 forwarding port.
Successful exploitation requires that “X11UseLocalhost” is disabled (enabled by default) and that the underlying operating system allows the re-binding of a port without checking the effective user id or the overlapping of addresses (e.g. HP/UX).
The security issue is reported in versions prior to 5.1.
SOLUTION: Update to version 5.1 or 5.1p1.
PROVIDED AND/OR DISCOVERED BY: The vendor credits sway2004009.
ORIGINAL ADVISORY: http://www.openssh.com/txt/release-5.1