Arch Linux

Winkie

Member

Registered: 2004-09-30

Posts: 59

Help me fix x11 forwarding over SSH

Right, bit of a long topic so i'll state the problem at the top. Despite all indications of a correctly configured pair of SSH servers, and a working X server, X clients do not display on the remote server, they simply sit there and do nothing, as if they were displaying but without the actual displaying

Now for more in depth, first here are quotes from the configs:

#AllowTcpForwarding yes
#GatewayPorts no
X11Forwarding yes
#X11DisplayOffset 10
#X11UseLocalhost yes

The only relevant section being that it's fine with X11Forwarding.

Host nec1-forwardx
HostName 172.16.0.34
User paul
ForwardX11 yes

Now, if I connect and manually forward the remote port 6010 to the local port 6000 and enable 127.0.0.1 through xhost, then set the remote envrionment variable (DISPLAY) it works flawlessly. It's simply using SSH's built in X forwarding that's the problem.

Here are the results of a 'ssh -vvvX 172.16.0.34' that matter:

debug1: Entering interactive session.
debug2: callback start
debug2: x11_get_proto: /usr/X11R6/bin/xauth -f /tmp/ssh-liYXwz3899/xauthfile generate :0.0 MIT-MAGIC-COOKIE-1 untrusted timeout 1200 2>/dev/null
debug2: x11_get_proto: /usr/X11R6/bin/xauth -f /tmp/ssh-liYXwz3899/xauthfile list :0.0 . 2>/dev/null
debug1: Requesting X11 forwarding with authentication spoofing.
debug2: channel 0: request x11-req confirm 0
debug2: client_session2_setup: id 0

[paul@nec-1 ~]$ xclock
debug1: client_input_channel_open: ctype x11 rchan 3 win 65536 max 16384
debug1: client_request_x11: request from 127.0.0.1 32879
debug2: fd 7 setting O_NONBLOCK
debug3: fd 7 is O_NONBLOCK
debug1: channel 1: new [x11]
debug1: confirm x11

Now, whilst xclock is running, i get a clear connection to the appropriate display if I check lsof

xclock  5826 paul    3u  IPv4  27022       TCP localhost.localdomain:32880->localhost.localdomain:6010 (ESTABLISHED)

However, locally I get NO connection to port 6000, suggesting either SSH is using some magic connection method that lsof doesn't know about, or that it's not connecting to my X server

X         2688   root    1u  IPv6  11145       TCP *:6000 (LISTEN)
X         2688   root    3u  IPv4  11146       TCP *:6000 (LISTEN)
ssh       3310 paul    3u  IPv4  12749       TCP 172.16.0.27:32956->term03.isher:22 (ESTABLISHED)
ssh       3944 paul    3u  IPv4  16424       TCP 172.16.0.27:33331->term03.isher:22 (ESTABLISHED)

Yeah, that's pretty much it, manually it works, automatically it seems to fail to make a connection locally, but /var/log/Xorg.0.log shows nothing, neither does /var/log/messages, errors, everything, daemon or auth

If you help me i'll do whatever I can in return, no money for now but still

Winkie

Member

Registered: 2004-09-30

Posts: 59

Re: Help me fix x11 forwarding over SSH

I should also mention I have the exact same problem with SSHing to localhost, so i'm 99.9% sure nec-1 isn't at fault.

I've also tried `xhost +127.0.0.1'. It works perfectly when forwarding manually but not through the automatic (It was a longshot anyway)

colnago

Member

From: Victoria, BC

Registered: 2004-03-25

Posts: 438

Re: Help me fix x11 forwarding over SSH

Maybe try with this in your .ssh/config

ForwardX11Trusted yes

I don't thinkk so though, as there would be a message.

Winkie

Member

Registered: 2004-09-30

Posts: 59

Re: Help me fix x11 forwarding over SSH

Maybe try with this in your .ssh/config

ForwardX11Trusted yes

I don't thinkk so though, as there would be a message.

Haha, holy shit that worked

Thank you very much.

cactus

Taco Eater

From: t͈̫̹ͨa͖͕͎̱͈ͨ͆ć̥̖̝o̫̫̼s͈̭̱̞͍̃!̰

Registered: 2004-05-25

Posts: 4,622

Website

Re: Help me fix x11 forwarding over SSH

Haha, holy shit that worked

this should go under "quotes of the week".

---

"Be conservative in what you send; be liberal in what you accept." -- Postel's Law
"tacos" -- Cactus' Law
"t̥͍͎̪̪͗a̴̻̩͈͚ͨc̠o̩̙͈ͫͅs͙͎̙͊ ͔͇̫̜t͎̳̀a̜̞̗ͩc̗͍͚o̲̯̿s̖̣̤̙͌ ̖̜̈ț̰̫͓ạ̪͖̳c̲͎͕̰̯̃̈o͉ͅs̪ͪ ̜̻̖̜͕" -- -̖͚̫̙̓-̺̠͇ͤ̃ ̜̪̜ͯZ͔̗̭̞ͪA̝͈̙͖̩L͉̠̺͓G̙̞̦͖O̳̗͍

Winkie

Member

Registered: 2004-09-30

Posts: 59

Re: Help me fix x11 forwarding over SSH

Haha, holy shit that worked

this should go under "quotes of the week".

Perhaps yeah, to elaborate on why it worked, ForwardX11 only allows for a small subset of X11 to be forwarded, ForwardX11Trusted allows for everything. The reason being that the client > server model has some inherant security flaws that need to be cleaned.

Luckily for me this is beign used to offload processing from a users desktop box because they're about 800mhz in speed.

Shofs

Member

From: Central Illinois

Registered: 2004-12-15

Posts: 184

Re: Help me fix x11 forwarding over SSH

This is nice, but I want to completely disallow X11 forwarding. How do I stop the X server, not just disable ssh X forwarding. I read the wiki, but it seems like there should be a more permenant solution in a config file or something...

---

Last.FM

colnago

Member

From: Victoria, BC

Registered: 2004-03-25

Posts: 438

Re: Help me fix x11 forwarding over SSH

There are two places to check to stop the x server. Either it is in /etc/inittab or /etc/rc.conf.  For inittab, look for a line like this:

x:5:respawn:/opt/kde/bin/kdm -nodaemon

Comment it out with a #. If it is in /etc/rc.conf in the DAEMONS=( ... kdm ...) line change that to DAEMONS=( ... !kdm ...).

Shofs

Member

From: Central Illinois

Registered: 2004-12-15

Posts: 184

Re: Help me fix x11 forwarding over SSH

Thanks

---

Last.FM

soloport

Member

Registered: 2005-03-01

Posts: 442

Re: Help me fix x11 forwarding over SSH

I realize this thread is old, but I wanted to point out a couple of things, for the sake of simplicity.  (I like simple.)  The .ssh/config file appears to be not necessary.  Should be able to forward X by making the following changes to a fresh install:

/etc/ssh/sshd_config (remote system):
SyslogFacility AUTHPRIV # uncomment and change 'AUTH' to 'AUTHPRIV'

/etc/ssh/ssh_config (local system):
Host * # uncomment
    ForwardX11 yes # uncomment and change 'no' to 'yes'

That's it.  Adjust to suit your sense of security, of course.

Winkie

Member

Registered: 2004-09-30

Posts: 59

Re: Help me fix x11 forwarding over SSH

That's because /etc/ssh/ssh_config is the global SSH client config, what you are proposing will automatically forward X across all SSH connections, which may not be what you want to do.