Hi, are you X11 forwarding over SSH? Hopefully you'll find a minute to share your knowledge.
Getting X11 Forwarding to work between two machines with Arch has got me crying. I thought I'd share my checklist and request your input to improve it as we can, so that we make it better and spare some of us from scratching out most of our hair, or from letting it grow until we look like Starsky or (young) Joan Baez while we postpone the hairdresser to get X11Forwarding to work.
Setting up SSH X11 forwarding
1) On the SSH side
Does the client connect to the SSH server (console)?
Note: If using systemd, the port defined in sshd.socket overrides sshd_config, na.
/etc/ssh/sshd_config:
1. verify that AllowTcpForwarding and X11UseLocalhost options are set to yes, and that X11DisplayOffset is set to 10 (those are the default values if nothing has been changed, see man sshd_config)
2. set X11Forwarding to yes
$ grep X11 /etc/ssh/sshd_config
X11Forwarding yes
#X11DisplayOffset 10
#X11UseLocalhost yes
then restart the sshd daemon.
systemctl restart sshd.socket
2) On the X server side
Make sure you have xauth installed on the server.
which xauth
/usr/bin/xauth
The X server must also be running on the remote system.
:~SSH$ ps aux|grep X
kozaki 727 0.0 0.0 15928 1940 tty1 S+ sept.05 0:00 xinit /home/USER/.xinitrc -- /etc/X11/xinit/xserverrc :0 vt1 -auth /tmp/serverauth.Yva3FKUMyr
kozaki 728 0.2 1.0 197172 39676 tty1 S<l sept.05 4:40 /usr/lib/xorg-server/Xorg -nolisten tcp :0 vt1 -auth /tmp/serverauth.Yva3FKUMyr
On the client's side, enable the ForwardX11 option by either specifying the -X switch on the command line for opportunistic connections, or by setting ForwardX11 to yes in the OpenSSH client's configuration file.
Confirm that ssh is forwarding X11: check for a line containing Requesting X11 forwarding in the ssh -v -X output:
debug1: Requesting X11 forwarding with authentication spoofing.
You can now start any X program on the remote server, the output will be forwarded to your local session.
Well, unless you get the dreaded 'Can't open $DISPLAY' message:
$ ssh -Xv user@server
<SNIP SNIP>
~SSH$ xclock
debug1: client_input_channel_open: ctype x11 rchan 2 win 65536 max 16384
debug1: client_request_x11: request from 127.0.0.1 45404
debug1: channel 2: new [x11]
debug1: confirm x11
X11 connection rejected because of wrong authentication.
debug1: channel 2: free: x11, nchannels 3
Error: Can't open display: localhost:10.0
~SSH$ echo $DISPLAY
localhost:10.0
Same with <any graphical app>: "Error: Can't open display: localhost:XX.XX".
3) Further steps
If you receive errors trying to run graphical applications, try ForwardX11Trusted instead:
$ ssh -Y user@host
debug1: client_request_x11: request from 127.0.0.1 42984
debug1: channel 2: new [x11]
debug1: confirm x11
X11 connection rejected because of wrong authentication.
debug1: channel 2: free: x11, nchannels 3
Error: Can't open display: localhost:10.0
Make sure you delete ~/.ssh/known_hosts after you make changes to your sshd_config file for the daemon.
Done.
Is there an entry for localhost in [local? server?] /etc/hosts?
$ grep localhost /etc/hosts
127.0.0.1 localhost.localdomain localhost HOSTNAME
127.0.0.1 localhost
If an old [local? server?] ~/.Xauthority is present it can have the wrong $DISPLAY value.
Check the datestamp of the file. If it is not recent, try deleting ~/.Xauthority before logging in again, so:
$ rm ~/.Xauthority && exit && ssh -X HOST
Try with /etc/ssh/sshd_config 'X11UseLocalhost no' (on the server).
Same output
Try to ssh on localhost (on the client) with X11 Forwarding activated; does it work?
Yeap
Have you disabled the "--nolisten tcp" option on your laptop? (check /etc/X11/xinit/xserverrc)
Client: exec /usr/bin/X -nolisten tcp "$@"
Server: ibid
Is that true (just found)? As I understand this option from 'man Xserver', this option disables any TCP/IP based access to the X server. Or not: X Over SSH2 - A Tutorial #4 #-|
Check for 'xhost +*' in your user's and X11 config files
~SSH$ grep xhost ~/.Xclients* ~/.xinitrc ~/.xsession
grep: /home/kozaki/.Xclients*: Aucun fichier ou dossier de ce type
/home/USER/.xinitrc:xhost +local: & # GUI ($DISPLAY) for users who do not start X themselves
/home/USER/.xsession:xhost +local: & # GUI ($DISPLAY) for users who do not start X themselves
Same thing for /usr/X11R6/{bin/startx,lib/X11/xdm/Xsession} (not present on my machines running Arch).
Even while
$ ssh -t HOST 'xclock'
works beautifully, between the same two machines.
Some more refs:
how-to-forward-x-over-ssh
Enabling X11 Access Control (Fixing xhost +)
[SOLVED] Trouble with X forwarding
Seeded last month: Arch 50 gig, derivatives 1 gig
Desktop @3.3GHz 8 gig RAM, linux-ck
laptop #1 Atom 2 gig RAM, Arch linux stock i686 (6H w/ 6yrs old battery ) #2: ARM Tegra K1, 4 gig RAM, ChrOS
Atom Z520 2 gig RAM, OMV (Debian 7) kernel 3.16 bpo on SDHC | PGP Key: 0xFF0157D9
Offline
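An added example, not part of the original post: a small shell helper that runs two of the checklist's checks over a saved `ssh -v -X` log and a copy of sshd_config. The function names, stage labels and sample files are made up for illustration; the `X11Forwarding` default of `no` comes from man sshd_config, the other defaults are the ones the post lists.

```shell
#!/bin/sh
# Added example (not from the thread). Message strings are those quoted in the post.

# x11_stage FILE: stage at which X11 forwarding stopped in an `ssh -v -X` log.
x11_stage() {
    if ! grep -q 'Requesting X11 forwarding' "$1"; then
        echo not-requested     # client never asked: no -X/-Y or ForwardX11
    elif grep -q 'X11 connection rejected because of wrong authentication' "$1"; then
        echo cookie-rejected   # channel opened, cookie check by ssh failed
    elif grep -q 'client_request_x11: request from' "$1"; then
        echo forwarded         # an X client connected and was not rejected
    else
        echo no-x-client       # forwarding requested, nothing connected yet
    fi
}

# sshd_effective KEYWORD FILE: value sshd would use for a global keyword.
# First uncommented occurrence wins; keyword names are case-insensitive.
# Ignores Match/Include; `sshd -T` on the server remains the authority.
sshd_effective() {
    val=$(awk -v k="$1" 'tolower($1) == tolower(k) { print $2; exit }' "$2")
    if [ -z "$val" ]; then     # unset or commented out: fall back to default
        case $(printf '%s' "$1" | tr '[:upper:]' '[:lower:]') in
            x11forwarding)      val=no ;;
            x11displayoffset)   val=10 ;;
            x11uselocalhost|allowtcpforwarding) val=yes ;;
        esac
    fi
    echo "$val"
}

# Constructed samples: the failing log and the grep output shown in the post.
demo=$(mktemp -d)
cat > "$demo/ssh.log" <<'EOF'
debug1: Requesting X11 forwarding with authentication spoofing.
debug1: client_request_x11: request from 127.0.0.1 45404
debug1: channel 2: new [x11]
X11 connection rejected because of wrong authentication.
EOF
cat > "$demo/sshd_config" <<'EOF'
X11Forwarding yes
#X11DisplayOffset 10
#X11UseLocalhost yes
EOF

echo "stage:           $(x11_stage "$demo/ssh.log")"
for k in X11Forwarding X11DisplayOffset X11UseLocalhost AllowTcpForwarding; do
    echo "$k: $(sshd_effective "$k" "$demo/sshd_config")"
done
```

A `cookie-rejected` result with a correct server configuration points at the xauth cookie the remote session presents (~/.Xauthority or an XAUTHORITY override) rather than at sshd.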
Anyone on this? It's uneasy to stay with a broken X11Forwarding setup with all troubleshooting tests I know passed :-|
I'm thinking that it might be profile related; will test ASAP.
Offline
Try 'ssh -Xvvv user@server' and check all the messages, there may be some hint there as to why it doesn't work.
R00KIE
Tm90aGluZyB0byBzZWUgaGVyZSwgbW92ZSBhbG9uZy4K
Offline
An X server does not need to be running on the remote end or even be installed. The whole point is to have remote X programs using the local client X server.
Offline