[opensuse] X11 Forwarding issue
Whenever I use ssh or rsync to my desktop I get the following error message:

"X11 forwarding request failed on channel 0"

I have X11 Forwarding enabled in the config files.

********************
Host *
# ForwardAgent no
# ForwardX11 no
ForwardX11 yes

# If you do not trust your remote host (or its administrator), you
# should not forward X11 connections to your local X11-display for
# security reasons: Someone stealing the authentification data on the
# remote side (the "spoofed" X-server by the remote sshd) can read your
# keystrokes as you type, just like any other X11 client could do.
# Set this to "no" here for global effect or in your own ~/.ssh/config
# file if you want to have the remote X11 authentification data to
# expire after two minutes after remote login.
ForwardX11Trusted yes
*********************************

Any help appreciated.

--
Ken Schneider
SuSe since Version 5.2, June 1998
--
To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org
To contact the owner, e-mail: opensuse+owner@opensuse.org
To get this to work on my server, I had to add this:

AddressFamily inet
On 01/23/2014 12:22 PM, Christopher Myers pecked at the keyboard and wrote:
To get this to work on my server, I had to add this:
AddressFamily inet
Changed the default to inet and still no go even after a network restart on both ends. BTW, both systems are fresh install of 13.1 (well fresh as of a couple of months ago).

--
Ken Schneider
SuSe since Version 5.2, June 1998
Does it give anything useful if you do ssh -vvv -X user@host.dom ? (that's v v v with no spaces.)

Once you're connected to your remote box, you should be able to echo $DISPLAY and it should say something like localhost:10.0
On 01/23/2014 03:56 PM, Christopher Myers pecked at the keyboard and wrote:
Does it give anything useful if you do ssh -vvv -X user@host.dom ? (that's v v v with no spaces.)
Once you're connected to your remote box, you should be able to echo $DISPLAY and it should say something like localhost:10.0
It is not set as can be seen in the error:

debug3: Ignored env DISPLAY

--
Ken Schneider
SuSe since Version 5.2, June 1998
Hmm, mine has that as well, but forwarding works for me. Beneath it in the debugging, it lists:

debug2: X11 forwarding request accepted on channel 0

And much higher up in the output, I get:

debug2: x11_get_proto: /usr/bin/xauth list :0 2>/dev/null
debug1: Requesting X11 forwarding with authentication spoofing.
debug2: channel 0: request x11-req confirm 1

I remember now that I did install the xauth package in my troubleshooting steps, but I don't know if it's required or not. (My server runs 12.2 and desktop runs 12.3.)
Ken Schneider - openSUSE wrote:
On 01/23/2014 03:56 PM, Christopher Myers pecked at the keyboard and wrote:
Does it give anything useful if you do ssh -vvv -X user@host.dom ? (that's v v v with no spaces.)
Once you're connected to your remote box, you should be able to echo $DISPLAY and it should say something like localhost:10.0
It is not set as can be seen in the error:
debug3: Ignored env DISPLAY ==============
If you are using your computer locally (vs. over the internet or where you are concerned about people tapping your I/O stream) you can get a noticeable speed jump by setting DISPLAY to your remote host value. They sorta go hand in hand -- the speed up and less need for security .. i.e. if you are @ 1Gb or faster on a local wired connection, then you can benefit by going direct.

FWIW, this can be set in /etc/security/pam_env.so -- which will have the REMOTEHOST value in it on the first access to your system (auth time).

pam doesn't have access to the remotehost value except at initial login, so if you call your pam_env.so on a per/session basis instead of per-login, you will lose your DISPLAY in the default settings for pam in suse 12.3 and later (12.2 and before was ok...but suse repurposed the login-env setting to per-session...so any remote vars (except for TERM) are lost).

Haven't verified it but it should lose DISPLAY whether you use the direct-host name or not, as it zeros out the DISPLAY variable.
On Sat, 25 Jan 2014 00:18:04 -0800 Linda Walsh wrote:
Ken Schneider - openSUSE wrote:
On 01/23/2014 03:56 PM, Christopher Myers pecked at the keyboard and wrote:
Does it give anything useful if you do ssh -vvv -X user@host.dom ? (that's v v v with no spaces.)
Once you're connected to your remote box, you should be able to echo $DISPLAY and it should say something like localhost:10.0
It is not set as can be seen in the error:
debug3: Ignored env DISPLAY ==============
If you are using your computer locally (vs. over the internet or where you are concerned about people tapping your I/O stream) you can get a noticeable speed jump by setting DISPLAY to your remote host value. They sorta go hand in hand -- the speed up and less need for security .. i.e. if you are @ 1Gb or faster on a local wired connection, then you can benefit by going direct.
FWIW, this can be set in /etc/security/pam_env.so -- which will have the REMOTEHOST value in it on the first access to your system (auth time).
Is it possible to also forward xauthority this way?
pam doesn't have access to the remotehost value except at initial login, so if you call your pam_env.so on a per/session basis instead of per-login, you will lose your DISPLAY in the default settings for pam in suse 12.3 and later (12.2 and before was ok...but suse repurposed the login-env setting to per-session...so any remote vars (except for TERM) are lost).
Haven't verified it but it should lose DISPLAY whether you use the direct-host name or not, as it zeros out the DISPLAY variable.
On 1/23/2014 12:47 PM, Ken Schneider - openSUSE wrote:
On 01/23/2014 12:22 PM, Christopher Myers pecked at the keyboard and wrote:
To get this to work on my server, I had to add this:
AddressFamily inet
Changed the default to inet and still no go even after a network restart on both ends.
BTW, both systems are fresh install of 13.1 (well fresh as of a couple of months ago).
Are all of these in sshd_conf on the target?

X11Forwarding Yes
X11DisplayOffset 10
X11UseLocalhost Yes

--
_____________________________________
---This space for rent---
On 01/23/2014 04:00 PM, John Andersen pecked at the keyboard and wrote:
On 1/23/2014 12:47 PM, Ken Schneider - openSUSE wrote:
On 01/23/2014 12:22 PM, Christopher Myers pecked at the keyboard and wrote:
To get this to work on my server, I had to add this:
AddressFamily inet
Changed the default to inet and still no go even after a network restart on both ends.
BTW, both systems are fresh install of 13.1 (well fresh as of a couple of months ago).
Are all of these in sshd_conf on the target?
X11Forwarding Yes
X11DisplayOffset 10
X11UseLocalhost Yes
Thanks for all of the help. In the end I had to change the setting of X11UseLocalhost to YES. The default is NO and I missed the setting earlier.

--
Ken Schneider
SuSe since Version 5.2, June 1998
On 1/23/2014 2:13 PM, Ken Schneider wrote:
On 01/23/2014 04:00 PM, John Andersen pecked at the keyboard and wrote:
On 1/23/2014 12:47 PM, Ken Schneider - openSUSE wrote:
On 01/23/2014 12:22 PM, Christopher Myers pecked at the keyboard and wrote:
To get this to work on my server, I had to add this:
AddressFamily inet
Changed the default to inet and still no go even after a network restart on both ends.
BTW, both systems are fresh install of 13.1 (well fresh as of a couple of months ago).
Are all of these in sshd_conf on the target?
X11Forwarding Yes
X11DisplayOffset 10
X11UseLocalhost Yes
Thanks for all of the help. In the end I had to change the setting of X11UseLocalhost to YES. The default is NO and I missed the setting earlier.
X11UseLocalhost Yes used to be the default. I can't remember when this changed, or why. But I have several sshd_config files on several different machines where #X11UseLocalhost yes appears in the default configuration file, indicating it is the default. I ran into this on Raspberry Pi lately too, so I doubt it's just an opensuse change.

--
_____________________________________
---This space for rent---
On Thursday, January 23, 2014 02:56:26 PM John Andersen wrote:
Thanks for all of the help. In the end I had to change the setting of X11UseLocalhost to YES. The default is NO and I missed the setting earlier.
Thanks for that! I have a 12.3 machine that also was not setting DISPLAY. When I set X11UseLocalhost to Yes (it is commented out in the config file that gets installed in /etc/ssh) all is better. It seems the default has changed. I would have expected the commented out value in the config file to be what the default is.

--
Yours sincerely,
Roger Oberholtzer
Ramböll RST / Systems
Office: Int +46 10-615 60 20
Mobile: Int +46 70-815 1696
roger.oberholtzer@ramboll.se
________________________________________
Ramböll Sverige AB
Krukmakargatan 21
P.O. Box 17009
SE-104 62 Stockholm, Sweden
www.rambollrst.se
On 01/24/2014 01:50 AM, Roger Oberholtzer pecked at the keyboard and wrote:
On Thursday, January 23, 2014 02:56:26 PM John Andersen wrote:
Thanks for all of the help. In the end I had to change the setting of X11UseLocalhost to YES. The default is NO and I missed the setting earlier.
Thanks for that! I have a 12.3 machine that also was not setting DISPLAY. When I set X11UseLocalhost to Yes (it is commented out in the config file that gets installed in /etc/ssh) all is better. It seems the default has changed. I would have expected the commented out value in the config file to be what the default is.
Whoa!! My bad. It may have been more of setting PermitUserEnvironment yes and setting AddressFamily inet. And also after making changes I wasn't restarting sshd. So finally after rebooting (which restarted sshd) it started to work. Just want to set the record straight. And by the way settings commented in /etc/ssh/sshd_config are commented with the *default* values. It's amazing what a good night's sleep will accomplish. :-)

--
Ken Schneider
SuSe since Version 5.2, June 1998
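The server-side settings named in this thread can be read out of sshd_config in one pass. The script below is an added example, not posted by any participant; it assumes upstream OpenSSH defaults for unset keywords, and the function names effective and x11_check are made up for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): report the sshd_config settings discussed here.
# sshd uses the first occurrence of a keyword, keywords are case-insensitive, and a
# commented-out line is not a setting. Assumes "Keyword value" lines; only the global
# section (before any Match block) is read. Function names are hypothetical.

# effective FILE KEYWORD DEFAULT: print the value sshd would use, lowercased.
effective() {
    awk -v key="$2" -v def="$3" '
        /^[ \t]*#/ || /^[ \t]*$/    { next }   # comment or blank line
        tolower($1) == "match"      { exit }   # global section ends here
        tolower($1) == tolower(key) { print tolower($2); found = 1; exit }
        END { if (!found) print def }          # keyword unset: use the default
    ' "$1"
}

# x11_check FILE: print findings; return 1 if X11 forwarding is disabled.
x11_check() {
    fwd=$(effective "$1" X11Forwarding no)           # upstream default: no
    fam=$(effective "$1" AddressFamily any)          # upstream default: any
    loc=$(effective "$1" X11UseLocalhost yes)        # upstream default: yes
    uenv=$(effective "$1" PermitUserEnvironment no)  # upstream default: no
    echo "X11Forwarding=$fwd AddressFamily=$fam X11UseLocalhost=$loc PermitUserEnvironment=$uenv"
    if [ "$fwd" != yes ]; then
        echo "FAIL: X11Forwarding is not enabled on the server"
        return 1
    fi
    [ "$fam" = inet ] || echo "NOTE: AddressFamily=$fam; the thread sets inet on hosts that do not use IPv6"
    [ "$loc" = yes ]  || echo "WARN: X11UseLocalhost=$loc binds the forwarded display to the wildcard address"
    [ "$uenv" = no ]  || echo "WARN: PermitUserEnvironment=$uenv lets users alter their login environment"
    return 0
}

# Constructed sample: the first X11Forwarding line wins, the rest is commented out.
sample=$(mktemp)
cat > "$sample" <<'EOF'
#AddressFamily any
x11forwarding yes
#X11DisplayOffset 10
#X11UseLocalhost yes
X11Forwarding no
EOF
x11_check "$sample"
rm -f "$sample"
# After editing the real file, restart sshd (not the network) for it to take effect.
```

On a live server, `sshd -T` run as root prints the effective configuration and is the authoritative check.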
On Thu, 23 Jan 2014 15:47:34 -0500 Ken Schneider - openSUSE wrote:
On 01/23/2014 12:22 PM, Christopher Myers pecked at the keyboard and wrote:
To get this to work on my server, I had to add this:
AddressFamily inet
Changed the default to inet and still no go even after a network restart on both ends.
You need to restart sshd, not network.
BTW, both systems are fresh install of 13.1 (well fresh as of a couple of months ago).
On Thu, 23 Jan 2014 12:17:23 -0500 Ken Schneider - openSUSE wrote:
Whenever I use ssh or rsync to my desktop I get the following error message:
"X11 forwarding request failed on channel 0"
Disable IPv6 in sshd_config if you do not use it (AddressFamily inet) https://bugzilla.novell.com/show_bug.cgi?id=618068
I have X11 Forwarding enabled in the config files.
********************
Host *
# ForwardAgent no
# ForwardX11 no
ForwardX11 yes

# If you do not trust your remote host (or its administrator), you
# should not forward X11 connections to your local X11-display for
# security reasons: Someone stealing the authentification data on the
# remote side (the "spoofed" X-server by the remote sshd) can read your
# keystrokes as you type, just like any other X11 client could do.
# Set this to "no" here for global effect or in your own ~/.ssh/config
# file if you want to have the remote X11 authentification data to
# expire after two minutes after remote login.
ForwardX11Trusted yes
*********************************
Any help appreciated.
participants (7)
- Andrey Borzenkov
- Christopher Myers
- John Andersen
- Ken Schneider
- Ken Schneider - openSUSE
- Linda Walsh
- Roger Oberholtzer