connecting to a 13.1 server with X forwarding

classic Classic list List threaded Threaded
27 messages Options
12
Reply | Threaded
Open this post in threaded view
|

connecting to a 13.1 server with X forwarding

jdd@dodin.org
Hello :-)

I used to connect to my remote server with ssh -X or -Y to get Firefox
(--no-remote), for some tests where I need it

using:

https://tr.opensuse.org/SDB:X_Client_Produces_%22Can't_open_display%22_Error

since some (several month at least) month, I can't anymore. I get

firefox --no-remote
Error: no display specified

same result with xeyes

any idea?

thanks
jdd
--
To unsubscribe, e-mail: [hidden email]
To contact the owner, e-mail: [hidden email]

Reply | Threaded
Open this post in threaded view
|

Re: connecting to a 13.1 server with X forwarding

Carlos E. R.-2
On 02/19/2016 02:13 PM, jdd wrote:

> same result with xeyes

Works here. Client, leap. Server, 13.1 (32b).

--
Cheers / Saludos,

                Carlos E. R.

  (from openSUSE Leap 42.1 x86_64 (test))
--
To unsubscribe, e-mail: [hidden email]
To contact the owner, e-mail: [hidden email]

Reply | Threaded
Open this post in threaded view
|

Re: connecting to a 13.1 server with X forwarding

jdd@dodin.org
Le 19/02/2016 15:11, Carlos E. R. a écrit :
> On 02/19/2016 02:13 PM, jdd wrote:
>
>> same result with xeyes
>
> Works here. Client, leap. Server, 13.1 (32b).
>
same for me, but both 64 bits

server installed two years ago, and this worked until recently

jdd
--
To unsubscribe, e-mail: [hidden email]
To contact the owner, e-mail: [hidden email]

Reply | Threaded
Open this post in threaded view
|

Re: connecting to a 13.1 server with X forwarding

Yamaban
On Fri, 19 Feb 2016 15:30, jdd wrote:

> Le 19/02/2016 15:11, Carlos E. R. a écrit :
>>  On 02/19/2016 02:13 PM, jdd wrote:
>>
>> >  same result with xeyes
>>
>>  Works here. Client, leap. Server, 13.1 (32b).
>
> same for me, but both 64 bits
>
> server installed two years ago, and this worked until recently
Missing "DISPLAY" variable in env on ssh target host?
(Most often due to changed defaults in /etc/ssh/)

  - Yamaban
Reply | Threaded
Open this post in threaded view
|

Re: connecting to a 13.1 server with X forwarding

jdd@dodin.org
Le 19/02/2016 15:52, Yamaban a écrit :

> Missing "DISPLAY" variable in env on ssh target host?
> (Most often due to changed defaults in /etc/ssh/)
>

maybe,

echo $DISPLAY

don't show anything

but

export DISPLAY=:0.0 ; yast2
y2controlcenter: cannot connect to X server :0.0



thanks
jdd
--
To unsubscribe, e-mail: [hidden email]
To contact the owner, e-mail: [hidden email]

Reply | Threaded
Open this post in threaded view
|

Re: connecting to a 13.1 server with X forwarding

Patrick Shanahan-2
* jdd <[hidden email]> [02-19-16 10:26]:

> Le 19/02/2016 15:52, Yamaban a écrit :
>
> >Missing "DISPLAY" variable in env on ssh target host?
> >(Most often due to changed defaults in /etc/ssh/)
> >
>
> maybe,
>
> echo $DISPLAY
>
> don't show anything
>
> but
>
> export DISPLAY=:0.0 ; yast2
> y2controlcenter: cannot connect to X server :0.0

iianm, :0 is local machine and you are probably on :10.x or :11.x ...
--
(paka)Patrick Shanahan       Plainfield, Indiana, USA          @ptilopteri
http://en.opensuse.org    openSUSE Community Member    facebook/ptilopteri
http://wahoo.no-ip.org        Photo Album: http://wahoo.no-ip.org/gallery2
Registered Linux User #207535                    @ http://linuxcounter.net
--
To unsubscribe, e-mail: [hidden email]
To contact the owner, e-mail: [hidden email]

Reply | Threaded
Open this post in threaded view
|

Re: connecting to a 13.1 server with X forwarding

jdd@dodin.org
Le 19/02/2016 16:35, Patrick Shanahan a écrit :

> iianm, :0 is local machine and you are probably on :10.x or :11.x ...
>
I see no display anywhere

well I found a way to have more infos (adding -v to ssh command):

(...)
debug1: Requesting X11 forwarding with authentication spoofing.

debug1: Sending environment.

debug1: Sending env LANG = fr_FR.UTF-8

X11 forwarding request failed on channel 0
(...)

after login:

grep X11 /etc/ssh/sshd_config
X11Forwarding yes
#X11DisplayOffset 10
#X11UseLocalhost yes
#       X11Forwarding no

(notice the # in front of the 3 last line)


adding

X11UseLocalhost no

then

systemctl restart sshd.service

solved the problem

jdd
--
To unsubscribe, e-mail: [hidden email]
To contact the owner, e-mail: [hidden email]

Reply | Threaded
Open this post in threaded view
|

Re: connecting to a 13.1 server with X forwarding

Carlos E. R.-2
In reply to this post by jdd@dodin.org
On 02/19/2016 04:24 PM, jdd wrote:

> maybe,
>
> echo $DISPLAY
>
> don't show anything

cer@Gestor:~> ssh cer@AmonLanc
Password:
Last login: Fri Feb 19 15:10:33 2016 from linux-apaq
Have a lot of fun...
cer@AmonLanc:~> echo $DISPLAY

cer@AmonLanc:~> xeyes
Error: Can't open display:
cer@AmonLanc:~>

but:

er@Gestor:~> ssh -X cer@AmonLanc
Password:
Last login: Fri Feb 19 18:45:11 2016 from linux-apaq
Have a lot of fun...
cer@AmonLanc:~> echo $DISPLAY
localhost:11.0
cer@AmonLanc:~> xeyes    (works)
^C
cer@AmonLanc:~>

cer@AmonLanc:~> grep X11 /etc/ssh/sshd_config
X11Forwarding yes
#X11DisplayOffset 10
#X11UseLocalhost yes
# X11Forwarding no
cer@AmonLanc:~>

--
Cheers / Saludos,

                Carlos E. R.

  (from openSUSE Leap 42.1 x86_64 (test))
--
To unsubscribe, e-mail: [hidden email]
To contact the owner, e-mail: [hidden email]

Reply | Threaded
Open this post in threaded view
|

Re: connecting to a 13.1 server with X forwarding

jdd@dodin.org
Le 19/02/2016 18:50, Carlos E. R. a écrit :

> # X11Forwarding no

having this options activated is really the key on my server.

to try it one have to

* change the option
* systemctl restart sshd.service
* exit

*reconnect and see the change

of course it may not be the only option to set (X11Forwarding being an
obvious one) and may be it can be set elsewhere (?)

jdd

--
To unsubscribe, e-mail: [hidden email]
To contact the owner, e-mail: [hidden email]

Reply | Threaded
Open this post in threaded view
|

Re: connecting to a 13.1 server with X forwarding

John Andersen-2
In reply to this post by jdd@dodin.org
On 2/19/2016 8:54 AM, jdd wrote:
> adding
>
> X11UseLocalhost no
>
> then
>
> systemctl restart sshd.service
>
> solved the problem

There are a lot of google hits on this, and most of them suggest
X11UseLocalhost NO
is the WRONG solution.

It prevents x11 from connecting to the ssh pipe via local host.
But that is exactly what you want, so that your connection travels
back over the ssh pipe.

You want that in conjunction with
DISPLAY=localhost:10.0

In long working installations, that is exactly what I have, and
the problem revolves ONLY around the setting of DISPLAY
on the CLIENT side before you connect.

X11UseLocalhost NO, allows X connections from anywhere, even
over non-encrypted links.  Its dangerous.




--
_____________________________________
---This space for rent---
--
To unsubscribe, e-mail: [hidden email]
To contact the owner, e-mail: [hidden email]

Reply | Threaded
Open this post in threaded view
|

Re: connecting to a 13.1 server with X forwarding

John Andersen-2
On 2/19/2016 11:47 AM, John Andersen wrote:

> On 2/19/2016 8:54 AM, jdd wrote:
>> adding
>>
>> X11UseLocalhost no
>>
>> then
>>
>> systemctl restart sshd.service
>>
>> solved the problem
>
> There are a lot of google hits on this, and most of them suggest
> X11UseLocalhost NO
> is the WRONG solution.
>
> It prevents x11 from connecting to the ssh pipe via local host.
> But that is exactly what you want, so that your connection travels
> back over the ssh pipe.
>
> You want that in conjunction with
> DISPLAY=localhost:10.0
>
> In long working installations, that is exactly what I have, and
> the problem revolves ONLY around the setting of DISPLAY
> on the CLIENT side before you connect.
>
> X11UseLocalhost NO, allows X connections from anywhere, even
> over non-encrypted links.  Its dangerous.
>
>
>
>

Further:
The problem is probably in your /etc/ssh/ssh_config not
allowing forwareded X11 connections.
It comes that way by default, and you have to change that.


--
_____________________________________
---This space for rent---
--
To unsubscribe, e-mail: [hidden email]
To contact the owner, e-mail: [hidden email]

Reply | Threaded
Open this post in threaded view
|

Re: connecting to a 13.1 server with X forwarding

Carlos E. R.-2
On 02/19/2016 08:57 PM, John Andersen wrote:

> Further:
> The problem is probably in your /etc/ssh/ssh_config not
> allowing forwareded X11 connections.
> It comes that way by default, and you have to change that.

Local (client) or remote (server)?

If it is local, I'm sure I have not modified it (new install), yet it works.

--
Cheers / Saludos,

                Carlos E. R.

  (from openSUSE Leap 42.1 x86_64 (test))
--
To unsubscribe, e-mail: [hidden email]
To contact the owner, e-mail: [hidden email]

Reply | Threaded
Open this post in threaded view
|

Re: connecting to a 13.1 server with X forwarding

John Andersen-2
On 2/19/2016 12:02 PM, Carlos E. R. wrote:

> On 02/19/2016 08:57 PM, John Andersen wrote:
>
>> Further:
>> The problem is probably in your /etc/ssh/ssh_config not
>> allowing forwareded X11 connections.
>> It comes that way by default, and you have to change that.
>
> Local (client) or remote (server)?
>
> If it is local, I'm sure I have not modified it (new install), yet it works.
>

/etc/ssh/ssh_config on the local client needs to have
the line:
   ForwardX11 yes

Note: this is NOT sshd_config.  Its ssh_config and is is the default
ssh_config for outbound user connections, and there is no need to
restart sshd on any machines after making this change.

This is the clue to the ssh CLIENT SIDE to set up the DISPLAY variable
for that connection.

If yours still says "no" then your X11 is not comeing back via a
the ssh tunnel, and that WILL work, and you will be none the wiser
about it if your server side sshd_config says
X11UseLocalhost NO



---
And, folks, herein Client and Server refer to the ssh context,
not the X11 context, in which things are back to front and a bit
of a mind-F*** to get your head around.



--
_____________________________________
---This space for rent---
--
To unsubscribe, e-mail: [hidden email]
To contact the owner, e-mail: [hidden email]

Reply | Threaded
Open this post in threaded view
|

Re: connecting to a 13.1 server with X forwarding

jdd@dodin.org
Le 19/02/2016 21:10, John Andersen a écrit :

> /etc/ssh/ssh_config on the local client needs to have
> the line:
>     ForwardX11 yes
>
> Note: this is NOT sshd_config.

ah. I see. This was probably the problem

> This is the clue to the ssh CLIENT SIDE to set up the DISPLAY variable
> for that connection.

I will try this, I guess I already have seen this a very long time ago

> the ssh tunnel, and that WILL work, and you will be none the wiser
> about it if your server side sshd_config says
> X11UseLocalhost NO

found on the net as often, that's also why I asked here

> And, folks, herein Client and Server refer to the ssh context,
> not the X11 context, in which things are back to front and a bit
> of a mind-F*** to get your head around.
>
>
>
yes, some time confusing

the ssh_config file says:

#   ForwardX11 no

# If you do not trust your remote host (or its administrator), you
# should not forward X11 connections to your local X11-display for
# security reasons: Someone stealing the authentification data on the
# remote side (the "spoofed" X-server by the remote sshd) can read your
# keystrokes as you type, just like any other X11 client could do.
# Set this to "no" here for global effect or in your own ~/.ssh/config
# file if you want to have the remote X11 authentification data to
# expire after two minutes after remote login.


but neither changing it in ssh_config nor in .ssh/config client side
makes it work

still
X11 forwarding request failed on channel 0



--
To unsubscribe, e-mail: [hidden email]
To contact the owner, e-mail: [hidden email]

Reply | Threaded
Open this post in threaded view
|

Re: connecting to a 13.1 server with X forwarding

John Andersen-2
On 02/19/2016 02:06 PM, jdd wrote:

> Le 19/02/2016 21:10, John Andersen a écrit :
>
>> /etc/ssh/ssh_config on the local client needs to have
>> the line:
>>     ForwardX11 yes
>>
>> Note: this is NOT sshd_config.
>
> ah. I see. This was probably the problem
>
>> This is the clue to the ssh CLIENT SIDE to set up the DISPLAY variable
>> for that connection.
>
> I will try this, I guess I already have seen this a very long time ago
>
>> the ssh tunnel, and that WILL work, and you will be none the wiser
>> about it if your server side sshd_config says
>> X11UseLocalhost NO
>
> found on the net as often, that's also why I asked here
>
>> And, folks, herein Client and Server refer to the ssh context,
>> not the X11 context, in which things are back to front and a bit
>> of a mind-F*** to get your head around.
>>
>>
>>
> yes, some time confusing
>
> the ssh_config file says:
>
> #   ForwardX11 no
>
> # If you do not trust your remote host (or its administrator), you
> # should not forward X11 connections to your local X11-display for
> # security reasons: Someone stealing the authentification data on the
> # remote side (the "spoofed" X-server by the remote sshd) can read your
> # keystrokes as you type, just like any other X11 client could do.
> # Set this to "no" here for global effect or in your own ~/.ssh/config
> # file if you want to have the remote X11 authentification data to
> # expire after two minutes after remote login.
>
>
> but neither changing it in ssh_config nor in .ssh/config client side makes it work
>
> still
> X11 forwarding request failed on channel 0
>
>
>

Well changing that on 13.2 and also on Manjaro (arch) worked for me.

My /etc/ssh/ssh_config file form 13.2 is listed below: (in total) (pasted as a quotation to prevent wrap

> poulsbo:~ # cat /etc/ssh/ssh_config
> #       $OpenBSD: ssh_config,v 1.28 2013/09/16 11:35:43 sthen Exp $
>
> # This is the ssh client system-wide configuration file.  See
> # ssh_config(5) for more information.  This file provides defaults for
> # users, and the values can be changed in per-user configuration files
> # or on the command line.
>
> # Configuration data is parsed as follows:
> #  1. command line options
> #  2. user-specific file
> #  3. system-wide file
> # Any configuration value is only changed the first time it is set.
> # Thus, host-specific definitions should be at the beginning of the
> # configuration file, and defaults at the end.
>
> # Site-wide defaults for some commonly used options.  For a comprehensive
> # list of available options, their meanings and defaults, please see the
> # ssh_config(5) man page.
>
> Host *
> #   ForwardAgent no
>    ForwardX11 yes
>
> # If you do not trust your remote host (or its administrator), you
> # should not forward X11 connections to your local X11-display for
> # security reasons: Someone stealing the authentification data on the
> # remote side (the "spoofed" X-server by the remote sshd) can read your
> # keystrokes as you type, just like any other X11 client could do.
> # Set this to "no" here for global effect or in your own ~/.ssh/config
> # file if you want to have the remote X11 authentification data to
> # expire after two minutes after remote login.
> # ForwardX11Trusted no
>
> #   RhostsRSAAuthentication no
> #   RSAAuthentication yes
> #   PasswordAuthentication yes
> #   HostbasedAuthentication no
> #   GSSAPIAuthentication no
> #   GSSAPIDelegateCredentials no
> #   GSSAPIKeyExchange no
> #   GSSAPITrustDNS no
> #   BatchMode no
> #   CheckHostIP yes
> #   AddressFamily any
> #   ConnectTimeout 0
> #   StrictHostKeyChecking ask
> #   IdentityFile ~/.ssh/identity
> #   IdentityFile ~/.ssh/id_rsa
> #   IdentityFile ~/.ssh/id_dsa
> #   Port 22
> Protocol 2
> #   Cipher 3des
> #   Ciphers aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc
> #   MACs hmac-md5,hmac-sha1,[hidden email],hmac-ripemd160
> #   EscapeChar ~
> #   Tunnel no
> #   TunnelDevice any:any
> #   PermitLocalCommand no
> #   VisualHostKey no
> #   ProxyCommand ssh -q -W %h:%p gateway.example.com
>
> # Set this to 'yes' to enable support for the deprecated 'gssapi' authentication
> # mechanism to OpenSSH 3.8p1. The newer 'gssapi-with-mic' mechanism is included
> # in this release. The use of 'gssapi' is deprecated due to the presence of
> # potential man-in-the-middle attacks, which 'gssapi-with-mic' is not susceptible to.
> #   GSSAPIEnableMITMAttack no
>
> # This enables sending locale enviroment variables LC_* LANG, see ssh_config(5).
> SendEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES
> SendEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT
> SendEnv LC_IDENTIFICATION LC_ALL
>
> #   RekeyLimit 1G 1h


My /etc/sshd_config from the target machine is (in part)

#AllowAgentForwarding yes
#AllowTcpForwarding yes
#GatewayPorts no
X11Forwarding yes
#X11DisplayOffset 10
#X11UseLocalhost yes
#PermitTTY yes

----------------
So establish a connection, then do
[jsa@ManjaroVM ~]$ set |grep DISPLAY
DISPLAY=localhost:10.0

If you don't see localhost:10.0 then any X11 stream won't work at all
or will work but the x11 stream will be coming back not in the ssh tunnel.



--
After all is said and done, more is said than done.
--
To unsubscribe, e-mail: [hidden email]
To contact the owner, e-mail: [hidden email]

Reply | Threaded
Open this post in threaded view
|

Re: connecting to a 13.1 server with X forwarding

jdd@dodin.org

>> Host *
>> #   ForwardAgent no
>>     ForwardX11 yes
>>


> My /etc/sshd_config from the target machine is (in part)

o
> X11Forwarding yes
> #X11DisplayOffset 10
> #X11UseLocalhost yes

same

> [jsa@ManjaroVM ~]$ set |grep DISPLAY
> DISPLAY=localhost:10.0
>
gives nothing

> If you don't see localhost:10.0 then any X11 stream won't work at all
> or will work but the x11 stream will be coming back not in the ssh tunnel.
>
>
>
I still have

8
X11 forwarding request failed on channel 0

I give up at least for today

thanks
jdd
--
To unsubscribe, e-mail: [hidden email]
To contact the owner, e-mail: [hidden email]

Reply | Threaded
Open this post in threaded view
|

Re: connecting to a 13.1 server with X forwarding

Mark Goldstein
On Sat, Feb 20, 2016 at 12:45 AM, jdd <[hidden email]> wrote:
> I still have
>
> 8
> X11 forwarding request failed on channel 0
>
> I give up at least for today
>
> thanks


Could you have an old issue with AddressFamily?
I can't use X forwarding until I change AddressFamily to inet in
sshd_config. IIRC this issue only occurs if you disable IPv6.

--
Mark Goldstein
--
To unsubscribe, e-mail: [hidden email]
To contact the owner, e-mail: [hidden email]

Reply | Threaded
Open this post in threaded view
|

Re: connecting to a 13.1 server with X forwarding

jdd@dodin.org
Le 20/02/2016 07:35, Mark Goldstein a écrit :
> Could you have an old issue with AddressFamily?
> I can't use X forwarding until I change AddressFamily to inet in
> sshd_config. IIRC this issue only occurs if you disable IPv6.

I guess you found the problem. may be I disabled IPV6 - I don't
remember, but I some time had problem with it and don't use it.

it was on "any" now on inet and forwarding works

and found it also here

http://www.gossamer-threads.com/lists/openssh/users/51998

hope this do not have culprits :-(

thanks again

jdd
--
To unsubscribe, e-mail: [hidden email]
To contact the owner, e-mail: [hidden email]

Reply | Threaded
Open this post in threaded view
|

Re: connecting to a 13.1 server with X forwarding

jdd@dodin.org
I try to summarize the discussion here:

http://dodin.info/wiki/pmwiki.php?n=Doc.X11Forwarding

if you can proofread it and say if it's correct, after correction I may
add it to the relevant openSUSE wiki page (or update the page)

thanks
jdd
--
To unsubscribe, e-mail: [hidden email]
To contact the owner, e-mail: [hidden email]

Reply | Threaded
Open this post in threaded view
|

Re: connecting to a 13.1 server with X forwarding

John Andersen-2
On 02/20/2016 12:08 AM, jdd wrote:
> I try to summarize the discussion here:
>
> http://dodin.info/wiki/pmwiki.php?n=Doc.X11Forwarding
>
> if you can proofread it and say if it's correct, after correction I may add it to the relevant
> openSUSE wiki page (or update the page)
>
> thanks
> jdd

Crap, I now recall getting bit by this same thing (inet vs any) several years ago.
I totally forgot about it.


Re: the above page:

section 3.
With ForwardX11 yes, you never need to add -X one the ssh command line.
The -X should over-ride ForwardX11 no (the default).







--
After all is said and done, more is said than doneT
--
To unsubscribe, e-mail: [hidden email]
To contact the owner, e-mail: [hidden email]

12