Le 19/02/2016 15:11, Carlos E. R. a écrit :

On 02/19/2016 02:13 PM, jdd wrote:

...

same result with xeyes

Works here. Client, leap. Server, 13.1 (32b).

same for me, but both 64 bits server installed two years ago, and this worked until recently jdd -- To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org To contact the owner, e-mail: opensuse+owner@opensuse.org

Le 19/02/2016 15:52, Yamaban a écrit :

Missing "DISPLAY" variable in env on ssh target host? (Most often due to changed defaults in /etc/ssh/)

maybe, echo $DISPLAY don't show anything but export DISPLAY=:0.0 ; yast2 y2controlcenter: cannot connect to X server :0.0 thanks jdd -- To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org To contact the owner, e-mail: opensuse+owner@opensuse.org

Le 19/02/2016 16:35, Patrick Shanahan a écrit :

iianm, :0 is local machine and you are probably on :10.x or :11.x ...

I see no display anywhere well I found a way to have more infos (adding -v to ssh command): (...) debug1: Requesting X11 forwarding with authentication spoofing. debug1: Sending environment. debug1: Sending env LANG = fr_FR.UTF-8 X11 forwarding request failed on channel 0 (...) after login: grep X11 /etc/ssh/sshd_config X11Forwarding yes #X11DisplayOffset 10 #X11UseLocalhost yes # X11Forwarding no (notice the # in front of the 3 last line) adding X11UseLocalhost no then systemctl restart sshd.service solved the problem jdd -- To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org To contact the owner, e-mail: opensuse+owner@opensuse.org

On 2/19/2016 11:47 AM, John Andersen wrote:

On 2/19/2016 8:54 AM, jdd wrote:

...

adding

X11UseLocalhost no

then

systemctl restart sshd.service

solved the problem

There are a lot of google hits on this, and most of them suggest X11UseLocalhost NO is the WRONG solution.

It prevents x11 from connecting to the ssh pipe via local host. But that is exactly what you want, so that your connection travels back over the ssh pipe.

You want that in conjunction with DISPLAY=localhost:10.0

In long working installations, that is exactly what I have, and the problem revolves ONLY around the setting of DISPLAY on the CLIENT side before you connect.

X11UseLocalhost NO, allows X connections from anywhere, even over non-encrypted links. Its dangerous.

Further: The problem is probably in your /etc/ssh/ssh_config not allowing forwareded X11 connections. It comes that way by default, and you have to change that. -- _____________________________________ ---This space for rent--- -- To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org To contact the owner, e-mail: opensuse+owner@opensuse.org

On 2/19/2016 12:02 PM, Carlos E. R. wrote:

On 02/19/2016 08:57 PM, John Andersen wrote:

...

Further: The problem is probably in your /etc/ssh/ssh_config not allowing forwareded X11 connections. It comes that way by default, and you have to change that.

Local (client) or remote (server)?

If it is local, I'm sure I have not modified it (new install), yet it works.

/etc/ssh/ssh_config on the local client needs to have the line: ForwardX11 yes Note: this is NOT sshd_config. Its ssh_config and is is the default ssh_config for outbound user connections, and there is no need to restart sshd on any machines after making this change. This is the clue to the ssh CLIENT SIDE to set up the DISPLAY variable for that connection. If yours still says "no" then your X11 is not comeing back via a the ssh tunnel, and that WILL work, and you will be none the wiser about it if your server side sshd_config says X11UseLocalhost NO --- And, folks, herein Client and Server refer to the ssh context, not the X11 context, in which things are back to front and a bit of a mind-F*** to get your head around. -- _____________________________________ ---This space for rent--- -- To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org To contact the owner, e-mail: opensuse+owner@opensuse.org

On 02/19/2016 02:06 PM, jdd wrote:

Le 19/02/2016 21:10, John Andersen a écrit :

...

/etc/ssh/ssh_config on the local client needs to have the line: ForwardX11 yes

Note: this is NOT sshd_config.

ah. I see. This was probably the problem

...

This is the clue to the ssh CLIENT SIDE to set up the DISPLAY variable for that connection.

I will try this, I guess I already have seen this a very long time ago

...

the ssh tunnel, and that WILL work, and you will be none the wiser about it if your server side sshd_config says X11UseLocalhost NO

found on the net as often, that's also why I asked here

...

And, folks, herein Client and Server refer to the ssh context, not the X11 context, in which things are back to front and a bit of a mind-F*** to get your head around.

yes, some time confusing

the ssh_config file says:

# ForwardX11 no

# If you do not trust your remote host (or its administrator), you # should not forward X11 connections to your local X11-display for # security reasons: Someone stealing the authentification data on the # remote side (the "spoofed" X-server by the remote sshd) can read your # keystrokes as you type, just like any other X11 client could do. # Set this to "no" here for global effect or in your own ~/.ssh/config # file if you want to have the remote X11 authentification data to # expire after two minutes after remote login.

but neither changing it in ssh_config nor in .ssh/config client side makes it work

still X11 forwarding request failed on channel 0

Well changing that on 13.2 and also on Manjaro (arch) worked for me. My /etc/ssh/ssh_config file form 13.2 is listed below: (in total) (pasted as a quotation to prevent wrap

poulsbo:~ # cat /etc/ssh/ssh_config # $OpenBSD: ssh_config,v 1.28 2013/09/16 11:35:43 sthen Exp $

# This is the ssh client system-wide configuration file. See # ssh_config(5) for more information. This file provides defaults for # users, and the values can be changed in per-user configuration files # or on the command line.

# Configuration data is parsed as follows: # 1. command line options # 2. user-specific file # 3. system-wide file # Any configuration value is only changed the first time it is set. # Thus, host-specific definitions should be at the beginning of the # configuration file, and defaults at the end.

# Site-wide defaults for some commonly used options. For a comprehensive # list of available options, their meanings and defaults, please see the # ssh_config(5) man page.

Host * # ForwardAgent no ForwardX11 yes

# If you do not trust your remote host (or its administrator), you # should not forward X11 connections to your local X11-display for # security reasons: Someone stealing the authentification data on the # remote side (the "spoofed" X-server by the remote sshd) can read your # keystrokes as you type, just like any other X11 client could do. # Set this to "no" here for global effect or in your own ~/.ssh/config # file if you want to have the remote X11 authentification data to # expire after two minutes after remote login. # ForwardX11Trusted no

# RhostsRSAAuthentication no # RSAAuthentication yes # PasswordAuthentication yes # HostbasedAuthentication no # GSSAPIAuthentication no # GSSAPIDelegateCredentials no # GSSAPIKeyExchange no # GSSAPITrustDNS no # BatchMode no # CheckHostIP yes # AddressFamily any # ConnectTimeout 0 # StrictHostKeyChecking ask # IdentityFile ~/.ssh/identity # IdentityFile ~/.ssh/id_rsa # IdentityFile ~/.ssh/id_dsa # Port 22 Protocol 2 # Cipher 3des # Ciphers aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc # MACs hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-ripemd160 # EscapeChar ~ # Tunnel no # TunnelDevice any:any # PermitLocalCommand no # VisualHostKey no # ProxyCommand ssh -q -W %h:%p gateway.example.com

# Set this to 'yes' to enable support for the deprecated 'gssapi' authentication # mechanism to OpenSSH 3.8p1. The newer 'gssapi-with-mic' mechanism is included # in this release. The use of 'gssapi' is deprecated due to the presence of # potential man-in-the-middle attacks, which 'gssapi-with-mic' is not susceptible to. # GSSAPIEnableMITMAttack no

# This enables sending locale enviroment variables LC_* LANG, see ssh_config(5). SendEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES SendEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT SendEnv LC_IDENTIFICATION LC_ALL

# RekeyLimit 1G 1h

My /etc/sshd_config from the target machine is (in part) #AllowAgentForwarding yes #AllowTcpForwarding yes #GatewayPorts no X11Forwarding yes #X11DisplayOffset 10 #X11UseLocalhost yes #PermitTTY yes ---------------- So establish a connection, then do [jsa@ManjaroVM ~]$ set |grep DISPLAY DISPLAY=localhost:10.0 If you don't see localhost:10.0 then any X11 stream won't work at all or will work but the x11 stream will be coming back not in the ssh tunnel. -- After all is said and done, more is said than done. -- To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org To contact the owner, e-mail: opensuse+owner@opensuse.org

On Sat, Feb 20, 2016 at 12:45 AM, jdd wrote:

I still have

8 X11 forwarding request failed on channel 0

I give up at least for today

thanks

Could you have an old issue with AddressFamily? I can't use X forwarding until I change AddressFamily to inet in sshd_config. IIRC this issue only occurs if you disable IPv6. -- Mark Goldstein -- To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org To contact the owner, e-mail: opensuse+owner@opensuse.org

I try to summarize the discussion here: http://dodin.info/wiki/pmwiki.php?n=Doc.X11Forwarding if you can proofread it and say if it's correct, after correction I may add it to the relevant openSUSE wiki page (or update the page) thanks jdd -- To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org To contact the owner, e-mail: opensuse+owner@opensuse.org

On Sat, Feb 20, 2016 at 10:24 AM, John Andersen wrote:

Crap, I now recall getting bit by this same thing (inet vs any) several years ago. I totally forgot about it.

One of these bugs that are never fixed. https://bugzilla.novell.com/show_bug.cgi?id=686477 And the whole bunch of duplicates. -- Mark Goldstein -- To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org To contact the owner, e-mail: opensuse+owner@opensuse.org

On Sat, Feb 20, 2016 at 11:58 AM, jdd wrote:

don't know if it's a bug nor if it's related to openSUSE, this thread

http://www.gossamer-threads.com/lists/openssh/users/51998

do not say what is the distro

Well, I'd say it is a bug at least in the sense that there exists implicit dependency between different settings. So when you disbale IPv6 with YaST, you could expect it should handle such dependency. And you see how many users were bitten by this issue. The root cause might be not related to OS, I agree. -- Mark Goldstein -- To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org To contact the owner, e-mail: opensuse+owner@opensuse.org

Le 20/02/2016 19:26, John Andersen a écrit :

(In my tests, if you don't have an X-server running on the client, there seems to be no way to trick SSH into setting DISPLAY on the target session).

seems pretty logical, how would graphical apps connect to an X server if there is none? jdd -- To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org To contact the owner, e-mail: opensuse+owner@opensuse.org

Le 20/02/2016 09:24, John Andersen a écrit :

section 3. With ForwardX11 yes, you never need to add -X one the ssh command line. The -X should over-ride ForwardX11 no (the default).

the man page seemed to say this (and it's true), but I forgot to try, and so the config is even simpler. what is problematic with the man page is that there are no examples, so I didn't understand how I could ask for forwarding on the command line (I even tested to add X11Forwarding yes" on the command line :-(). jdd -- To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org To contact the owner, e-mail: opensuse+owner@opensuse.org

Le 19/02/2016 18:50, Carlos E. R. a écrit :

# X11Forwarding no

having this options activated is really the key on my server. to try it one have to * change the option * systemctl restart sshd.service * exit *reconnect and see the change of course it may not be the only option to set (X11Forwarding being an obvious one) and may be it can be set elsewhere (?) jdd -- To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org To contact the owner, e-mail: opensuse+owner@opensuse.org