[opensuse] connecting to a 13.1 server with X forwarding
Hello :-) I used to connect to my remote server with ssh -X or -Y to get Firefox (--no-remote), for some tests where I need it using: https://tr.opensuse.org/SDB:X_Client_Produces_%22Can't_open_display%22_Error since some (several month at least) month, I can't anymore. I get firefox --no-remote Error: no display specified same result with xeyes any idea? thanks jdd -- To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org To contact the owner, e-mail: opensuse+owner@opensuse.org
On 02/19/2016 02:13 PM, jdd wrote:
same result with xeyes
Works here. Client, leap. Server, 13.1 (32b). -- Cheers / Saludos, Carlos E. R. (from openSUSE Leap 42.1 x86_64 (test)) -- To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org To contact the owner, e-mail: opensuse+owner@opensuse.org
Le 19/02/2016 15:11, Carlos E. R. a écrit :
On 02/19/2016 02:13 PM, jdd wrote:
same result with xeyes
Works here. Client, leap. Server, 13.1 (32b).
same for me, but both 64 bits server installed two years ago, and this worked until recently jdd -- To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org To contact the owner, e-mail: opensuse+owner@opensuse.org
On Fri, 19 Feb 2016 15:30, jdd wrote:
Le 19/02/2016 15:11, Carlos E. R. a écrit :
On 02/19/2016 02:13 PM, jdd wrote:
same result with xeyes
Works here. Client, leap. Server, 13.1 (32b).
same for me, but both 64 bits
server installed two years ago, and this worked until recently
Missing "DISPLAY" variable in env on ssh target host? (Most often due to changed defaults in /etc/ssh/) - Yamaban
Le 19/02/2016 15:52, Yamaban a écrit :
Missing "DISPLAY" variable in env on ssh target host? (Most often due to changed defaults in /etc/ssh/)
maybe, echo $DISPLAY don't show anything but export DISPLAY=:0.0 ; yast2 y2controlcenter: cannot connect to X server :0.0 thanks jdd -- To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org To contact the owner, e-mail: opensuse+owner@opensuse.org
* jdd
Le 19/02/2016 15:52, Yamaban a écrit :
Missing "DISPLAY" variable in env on ssh target host? (Most often due to changed defaults in /etc/ssh/)
maybe,
echo $DISPLAY
don't show anything
but
export DISPLAY=:0.0 ; yast2 y2controlcenter: cannot connect to X server :0.0
iianm, :0 is local machine and you are probably on :10.x or :11.x ... -- (paka)Patrick Shanahan Plainfield, Indiana, USA @ptilopteri http://en.opensuse.org openSUSE Community Member facebook/ptilopteri http://wahoo.no-ip.org Photo Album: http://wahoo.no-ip.org/gallery2 Registered Linux User #207535 @ http://linuxcounter.net -- To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org To contact the owner, e-mail: opensuse+owner@opensuse.org
Le 19/02/2016 16:35, Patrick Shanahan a écrit :
iianm, :0 is local machine and you are probably on :10.x or :11.x ...
I see no display anywhere well I found a way to have more infos (adding -v to ssh command): (...) debug1: Requesting X11 forwarding with authentication spoofing. debug1: Sending environment. debug1: Sending env LANG = fr_FR.UTF-8 X11 forwarding request failed on channel 0 (...) after login: grep X11 /etc/ssh/sshd_config X11Forwarding yes #X11DisplayOffset 10 #X11UseLocalhost yes # X11Forwarding no (notice the # in front of the 3 last line) adding X11UseLocalhost no then systemctl restart sshd.service solved the problem jdd -- To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org To contact the owner, e-mail: opensuse+owner@opensuse.org
On 2/19/2016 8:54 AM, jdd wrote:
adding
X11UseLocalhost no
then
systemctl restart sshd.service
solved the problem
There are a lot of google hits on this, and most of them suggest X11UseLocalhost NO is the WRONG solution. It prevents x11 from connecting to the ssh pipe via local host. But that is exactly what you want, so that your connection travels back over the ssh pipe. You want that in conjunction with DISPLAY=localhost:10.0 In long working installations, that is exactly what I have, and the problem revolves ONLY around the setting of DISPLAY on the CLIENT side before you connect. X11UseLocalhost NO, allows X connections from anywhere, even over non-encrypted links. Its dangerous. -- _____________________________________ ---This space for rent--- -- To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org To contact the owner, e-mail: opensuse+owner@opensuse.org
On 2/19/2016 11:47 AM, John Andersen wrote:
On 2/19/2016 8:54 AM, jdd wrote:
adding
X11UseLocalhost no
then
systemctl restart sshd.service
solved the problem
There are a lot of google hits on this, and most of them suggest X11UseLocalhost NO is the WRONG solution.
It prevents x11 from connecting to the ssh pipe via local host. But that is exactly what you want, so that your connection travels back over the ssh pipe.
You want that in conjunction with DISPLAY=localhost:10.0
In long working installations, that is exactly what I have, and the problem revolves ONLY around the setting of DISPLAY on the CLIENT side before you connect.
X11UseLocalhost NO, allows X connections from anywhere, even over non-encrypted links. Its dangerous.
Further: The problem is probably in your /etc/ssh/ssh_config not allowing forwareded X11 connections. It comes that way by default, and you have to change that. -- _____________________________________ ---This space for rent--- -- To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org To contact the owner, e-mail: opensuse+owner@opensuse.org
On 02/19/2016 08:57 PM, John Andersen wrote:
Further: The problem is probably in your /etc/ssh/ssh_config not allowing forwareded X11 connections. It comes that way by default, and you have to change that.
Local (client) or remote (server)? If it is local, I'm sure I have not modified it (new install), yet it works. -- Cheers / Saludos, Carlos E. R. (from openSUSE Leap 42.1 x86_64 (test)) -- To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org To contact the owner, e-mail: opensuse+owner@opensuse.org
On 2/19/2016 12:02 PM, Carlos E. R. wrote:
On 02/19/2016 08:57 PM, John Andersen wrote:
Further: The problem is probably in your /etc/ssh/ssh_config not allowing forwareded X11 connections. It comes that way by default, and you have to change that.
Local (client) or remote (server)?
If it is local, I'm sure I have not modified it (new install), yet it works.
/etc/ssh/ssh_config on the local client needs to have the line: ForwardX11 yes Note: this is NOT sshd_config. Its ssh_config and is is the default ssh_config for outbound user connections, and there is no need to restart sshd on any machines after making this change. This is the clue to the ssh CLIENT SIDE to set up the DISPLAY variable for that connection. If yours still says "no" then your X11 is not comeing back via a the ssh tunnel, and that WILL work, and you will be none the wiser about it if your server side sshd_config says X11UseLocalhost NO --- And, folks, herein Client and Server refer to the ssh context, not the X11 context, in which things are back to front and a bit of a mind-F*** to get your head around. -- _____________________________________ ---This space for rent--- -- To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org To contact the owner, e-mail: opensuse+owner@opensuse.org
Le 19/02/2016 21:10, John Andersen a écrit :
/etc/ssh/ssh_config on the local client needs to have the line: ForwardX11 yes
Note: this is NOT sshd_config.
ah. I see. This was probably the problem
This is the clue to the ssh CLIENT SIDE to set up the DISPLAY variable for that connection.
I will try this, I guess I already have seen this a very long time ago
the ssh tunnel, and that WILL work, and you will be none the wiser about it if your server side sshd_config says X11UseLocalhost NO
found on the net as often, that's also why I asked here
And, folks, herein Client and Server refer to the ssh context, not the X11 context, in which things are back to front and a bit of a mind-F*** to get your head around.
yes, some time confusing the ssh_config file says: # ForwardX11 no # If you do not trust your remote host (or its administrator), you # should not forward X11 connections to your local X11-display for # security reasons: Someone stealing the authentification data on the # remote side (the "spoofed" X-server by the remote sshd) can read your # keystrokes as you type, just like any other X11 client could do. # Set this to "no" here for global effect or in your own ~/.ssh/config # file if you want to have the remote X11 authentification data to # expire after two minutes after remote login. but neither changing it in ssh_config nor in .ssh/config client side makes it work still X11 forwarding request failed on channel 0 -- To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org To contact the owner, e-mail: opensuse+owner@opensuse.org
On 02/19/2016 02:06 PM, jdd wrote:
Le 19/02/2016 21:10, John Andersen a écrit :
/etc/ssh/ssh_config on the local client needs to have the line: ForwardX11 yes
Note: this is NOT sshd_config.
ah. I see. This was probably the problem
This is the clue to the ssh CLIENT SIDE to set up the DISPLAY variable for that connection.
I will try this, I guess I already have seen this a very long time ago
the ssh tunnel, and that WILL work, and you will be none the wiser about it if your server side sshd_config says X11UseLocalhost NO
found on the net as often, that's also why I asked here
And, folks, herein Client and Server refer to the ssh context, not the X11 context, in which things are back to front and a bit of a mind-F*** to get your head around.
yes, some time confusing
the ssh_config file says:
# ForwardX11 no
# If you do not trust your remote host (or its administrator), you # should not forward X11 connections to your local X11-display for # security reasons: Someone stealing the authentification data on the # remote side (the "spoofed" X-server by the remote sshd) can read your # keystrokes as you type, just like any other X11 client could do. # Set this to "no" here for global effect or in your own ~/.ssh/config # file if you want to have the remote X11 authentification data to # expire after two minutes after remote login.
but neither changing it in ssh_config nor in .ssh/config client side makes it work
still X11 forwarding request failed on channel 0
Well changing that on 13.2 and also on Manjaro (arch) worked for me. My /etc/ssh/ssh_config file form 13.2 is listed below: (in total) (pasted as a quotation to prevent wrap
poulsbo:~ # cat /etc/ssh/ssh_config # $OpenBSD: ssh_config,v 1.28 2013/09/16 11:35:43 sthen Exp $
# This is the ssh client system-wide configuration file. See # ssh_config(5) for more information. This file provides defaults for # users, and the values can be changed in per-user configuration files # or on the command line.
# Configuration data is parsed as follows: # 1. command line options # 2. user-specific file # 3. system-wide file # Any configuration value is only changed the first time it is set. # Thus, host-specific definitions should be at the beginning of the # configuration file, and defaults at the end.
# Site-wide defaults for some commonly used options. For a comprehensive # list of available options, their meanings and defaults, please see the # ssh_config(5) man page.
Host * # ForwardAgent no ForwardX11 yes
# If you do not trust your remote host (or its administrator), you # should not forward X11 connections to your local X11-display for # security reasons: Someone stealing the authentification data on the # remote side (the "spoofed" X-server by the remote sshd) can read your # keystrokes as you type, just like any other X11 client could do. # Set this to "no" here for global effect or in your own ~/.ssh/config # file if you want to have the remote X11 authentification data to # expire after two minutes after remote login. # ForwardX11Trusted no
# RhostsRSAAuthentication no # RSAAuthentication yes # PasswordAuthentication yes # HostbasedAuthentication no # GSSAPIAuthentication no # GSSAPIDelegateCredentials no # GSSAPIKeyExchange no # GSSAPITrustDNS no # BatchMode no # CheckHostIP yes # AddressFamily any # ConnectTimeout 0 # StrictHostKeyChecking ask # IdentityFile ~/.ssh/identity # IdentityFile ~/.ssh/id_rsa # IdentityFile ~/.ssh/id_dsa # Port 22 Protocol 2 # Cipher 3des # Ciphers aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc # MACs hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-ripemd160 # EscapeChar ~ # Tunnel no # TunnelDevice any:any # PermitLocalCommand no # VisualHostKey no # ProxyCommand ssh -q -W %h:%p gateway.example.com
# Set this to 'yes' to enable support for the deprecated 'gssapi' authentication # mechanism to OpenSSH 3.8p1. The newer 'gssapi-with-mic' mechanism is included # in this release. The use of 'gssapi' is deprecated due to the presence of # potential man-in-the-middle attacks, which 'gssapi-with-mic' is not susceptible to. # GSSAPIEnableMITMAttack no
# This enables sending locale enviroment variables LC_* LANG, see ssh_config(5). SendEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES SendEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT SendEnv LC_IDENTIFICATION LC_ALL
# RekeyLimit 1G 1h
My /etc/sshd_config from the target machine is (in part) #AllowAgentForwarding yes #AllowTcpForwarding yes #GatewayPorts no X11Forwarding yes #X11DisplayOffset 10 #X11UseLocalhost yes #PermitTTY yes ---------------- So establish a connection, then do [jsa@ManjaroVM ~]$ set |grep DISPLAY DISPLAY=localhost:10.0 If you don't see localhost:10.0 then any X11 stream won't work at all or will work but the x11 stream will be coming back not in the ssh tunnel. -- After all is said and done, more is said than done. -- To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org To contact the owner, e-mail: opensuse+owner@opensuse.org
Host * # ForwardAgent no ForwardX11 yes
My /etc/sshd_config from the target machine is (in part)
o
X11Forwarding yes #X11DisplayOffset 10 #X11UseLocalhost yes
same
[jsa@ManjaroVM ~]$ set |grep DISPLAY DISPLAY=localhost:10.0
gives nothing
If you don't see localhost:10.0 then any X11 stream won't work at all or will work but the x11 stream will be coming back not in the ssh tunnel.
I still have 8 X11 forwarding request failed on channel 0 I give up at least for today thanks jdd -- To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org To contact the owner, e-mail: opensuse+owner@opensuse.org
On Sat, Feb 20, 2016 at 12:45 AM, jdd
I still have
8 X11 forwarding request failed on channel 0
I give up at least for today
thanks
Could you have an old issue with AddressFamily? I can't use X forwarding until I change AddressFamily to inet in sshd_config. IIRC this issue only occurs if you disable IPv6. -- Mark Goldstein -- To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org To contact the owner, e-mail: opensuse+owner@opensuse.org
Le 20/02/2016 07:35, Mark Goldstein a écrit :
Could you have an old issue with AddressFamily? I can't use X forwarding until I change AddressFamily to inet in sshd_config. IIRC this issue only occurs if you disable IPv6.
I guess you found the problem. may be I disabled IPV6 - I don't remember, but I some time had problem with it and don't use it. it was on "any" now on inet and forwarding works and found it also here http://www.gossamer-threads.com/lists/openssh/users/51998 hope this do not have culprits :-( thanks again jdd -- To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org To contact the owner, e-mail: opensuse+owner@opensuse.org
I try to summarize the discussion here: http://dodin.info/wiki/pmwiki.php?n=Doc.X11Forwarding if you can proofread it and say if it's correct, after correction I may add it to the relevant openSUSE wiki page (or update the page) thanks jdd -- To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org To contact the owner, e-mail: opensuse+owner@opensuse.org
On 02/20/2016 12:08 AM, jdd wrote:
I try to summarize the discussion here:
http://dodin.info/wiki/pmwiki.php?n=Doc.X11Forwarding
if you can proofread it and say if it's correct, after correction I may add it to the relevant openSUSE wiki page (or update the page)
thanks jdd
Crap, I now recall getting bit by this same thing (inet vs any) several years ago. I totally forgot about it. Re: the above page: section 3. With ForwardX11 yes, you never need to add -X one the ssh command line. The -X should over-ride ForwardX11 no (the default). -- After all is said and done, more is said than doneT -- To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org To contact the owner, e-mail: opensuse+owner@opensuse.org
On Sat, Feb 20, 2016 at 10:24 AM, John Andersen
Crap, I now recall getting bit by this same thing (inet vs any) several years ago. I totally forgot about it.
One of these bugs that are never fixed. https://bugzilla.novell.com/show_bug.cgi?id=686477 And the whole bunch of duplicates. -- Mark Goldstein -- To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org To contact the owner, e-mail: opensuse+owner@opensuse.org
Le 20/02/2016 10:00, Mark Goldstein a écrit :
On Sat, Feb 20, 2016 at 10:24 AM, John Andersen
wrote: Crap, I now recall getting bit by this same thing (inet vs any) several years ago. I totally forgot about it.
One of these bugs that are never fixed.
https://bugzilla.novell.com/show_bug.cgi?id=686477 And the whole bunch of duplicates.
don't know if it's a bug nor if it's related to openSUSE, this thread http://www.gossamer-threads.com/lists/openssh/users/51998 do not say what is the distro jdd -- To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org To contact the owner, e-mail: opensuse+owner@opensuse.org
On Sat, Feb 20, 2016 at 11:58 AM, jdd
don't know if it's a bug nor if it's related to openSUSE, this thread
http://www.gossamer-threads.com/lists/openssh/users/51998
do not say what is the distro
Well, I'd say it is a bug at least in the sense that there exists implicit dependency between different settings. So when you disbale IPv6 with YaST, you could expect it should handle such dependency. And you see how many users were bitten by this issue. The root cause might be not related to OS, I agree. -- Mark Goldstein -- To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org To contact the owner, e-mail: opensuse+owner@opensuse.org
On 02/20/2016 02:09 AM, Mark Goldstein wrote:
On Sat, Feb 20, 2016 at 11:58 AM, jdd
wrote: don't know if it's a bug nor if it's related to openSUSE, this thread
http://www.gossamer-threads.com/lists/openssh/users/51998
do not say what is the distro
Well, I'd say it is a bug at least in the sense that there exists implicit dependency between different settings. So when you disbale IPv6 with YaST, you could expect it should handle such dependency. And you see how many users were bitten by this issue. The root cause might be not related to OS, I agree.
Agreed, there is no reason that the transport should affect this issue. I think this has something to do with the client side SSH command looking for a listening X-server (on itself) and trying to connect to it prior to establishing the ssh connection. If it sees a ipv6 interface, it tries that first, and if it can't connect with that it just assumes there is no X server running and refuses to set DISPLAY upon establishing the connection. (In my tests, if you don't have an X-server running on the client, there seems to be no way to trick SSH into setting DISPLAY on the target session). The bug appears to be purely in the SSH package. -- After all is said and done, more is said than done. -- To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org To contact the owner, e-mail: opensuse+owner@opensuse.org
Le 20/02/2016 19:26, John Andersen a écrit :
(In my tests, if you don't have an X-server running on the client, there seems to be no way to trick SSH into setting DISPLAY on the target session).
seems pretty logical, how would graphical apps connect to an X server if there is none? jdd -- To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org To contact the owner, e-mail: opensuse+owner@opensuse.org
On 02/20/2016 01:00 AM, Mark Goldstein wrote:
On Sat, Feb 20, 2016 at 10:24 AM, John Andersen
wrote: Crap, I now recall getting bit by this same thing (inet vs any) several years ago. I totally forgot about it. One of these bugs that are never fixed.
https://bugzilla.novell.com/show_bug.cgi?id=686477 And the whole bunch of duplicates.
I've been doing "AddressFamily inet" for years, but for a slightly different reason. I have a customer with a dual-stacked v4-v6 network who requires that all connected hosts are also dual-stacked. I would see failed ssh connections that would just "freeze" when first trying a v6 address. I eventually determined that Windows boxes were sending out v6 router advertisements if they had two or more Ethernet ports. They were mistakenly configured for Internet Connection Sharing (ICS) and announced to their neighbors that they were routers. v6 rogue router advertisements aren't a ssh issue, but "inet" fixed the problem. Anyway, how could rogue routers not be a significant security issue? Is IPv6 broken by design? Regards, Lew -- To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org To contact the owner, e-mail: opensuse+owner@opensuse.org
Le 20/02/2016 09:24, John Andersen a écrit :
section 3. With ForwardX11 yes, you never need to add -X one the ssh command line. The -X should over-ride ForwardX11 no (the default).
the man page seemed to say this (and it's true), but I forgot to try, and so the config is even simpler. what is problematic with the man page is that there are no examples, so I didn't understand how I could ask for forwarding on the command line (I even tested to add X11Forwarding yes" on the command line :-(). jdd -- To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org To contact the owner, e-mail: opensuse+owner@opensuse.org
On 02/19/2016 04:24 PM, jdd wrote:
maybe,
echo $DISPLAY
don't show anything
cer@Gestor:~> ssh cer@AmonLanc Password: Last login: Fri Feb 19 15:10:33 2016 from linux-apaq Have a lot of fun... cer@AmonLanc:~> echo $DISPLAY cer@AmonLanc:~> xeyes Error: Can't open display: cer@AmonLanc:~> but: er@Gestor:~> ssh -X cer@AmonLanc Password: Last login: Fri Feb 19 18:45:11 2016 from linux-apaq Have a lot of fun... cer@AmonLanc:~> echo $DISPLAY localhost:11.0 cer@AmonLanc:~> xeyes (works) ^C cer@AmonLanc:~> cer@AmonLanc:~> grep X11 /etc/ssh/sshd_config X11Forwarding yes #X11DisplayOffset 10 #X11UseLocalhost yes # X11Forwarding no cer@AmonLanc:~> -- Cheers / Saludos, Carlos E. R. (from openSUSE Leap 42.1 x86_64 (test)) -- To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org To contact the owner, e-mail: opensuse+owner@opensuse.org
Le 19/02/2016 18:50, Carlos E. R. a écrit :
# X11Forwarding no
having this options activated is really the key on my server. to try it one have to * change the option * systemctl restart sshd.service * exit *reconnect and see the change of course it may not be the only option to set (X11Forwarding being an obvious one) and may be it can be set elsewhere (?) jdd -- To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org To contact the owner, e-mail: opensuse+owner@opensuse.org
participants (7)
-
Carlos E. R.
-
jdd
-
John Andersen
-
Lew Wolfgang
-
Mark Goldstein
-
Patrick Shanahan
-
Yamaban