Author Topic: OPENSSH 7.2 X11 DISPLAY forwarding  (Read 3977 times)

dbabault

OPENSSH 7.2 X11 DISPLAY forwarding
« on: July 28, 2016, 03:45:42 PM »
Hello,

Since I've installed OpenSSH_7.2p2 I'm unable to forward the X11 display between users on the same host.

When I do "ssh   -Y -o ControlPath=none root@localhost" I obtain an error during connection:
    ==> Warning: No xauth data; using fake authentication data for X11 forwarding.

When I launch xclock I obtain:
  ==> Xlib: connection to "localhost:11.0" refused by server
  ==> Xlib: PuTTY X11 proxy: Authorisation not recognised
  ==> Error: Can't open display: localhost:11.0

The DISPLAY value has changed; it is still not working after setting the correct DISPLAY value.

This worked before with OpenSSH_6.8p1; the sshd_config file has not changed:

...
X11DisplayOffset 10
X11Forwarding yes
X11UseLocalhost yes
XauthLocation /usr/bin/xauth

Have you seen that? Any idea?

Thanks

Daniel

Michael

Re: OPENSSH 7.2 X11 DISPLAY forwarding
« Reply #1 on: July 29, 2016, 09:25:43 AM »
No idea yet. I rarely use X11.

Need to see if I get the same problem. So, just to be sure - I assume you are using ssh to connect and then want to start X11 sessions with your "local" (i.e., that you logged in from, e.g., a PC running Windows Linux) - not 'local' on the AIX host.

I would recommend checking (and please give feedback if you find something!) the OpenSSH documentation. I learned, also the hard way, that some of the configuration variables have changed.

Michael

p.s. Also a bit surprised by the connection values (localhost:11.0), from memory localhost:10.0 was used previously.

Michael

Re: OPENSSH 7.2 X11 DISPLAY forwarding
« Reply #2 on: July 29, 2016, 11:07:56 AM »
SHORT VERSION:
Once I added

XAuthLocation /usr/bin/X11/xauth

to sshd_config on servers running either openssh-6.8p1 or openssh-7.2p1 I could start xclock and have the display appear on my PC screen.
Further, when I stopped my Xserver program on my PC and tried to connect I got

Xlib: connection to "localhost:10.0" refused by server - from my first login session (laptop)
Xlib: connection to "localhost:11.0" refused by server from my second login session (PC)

So, my guess atm is that you need to verify the location/availability of the xauth program.

DETAILS:
root@x072:[/]ssh -V
OpenSSH_7.2p1, OpenSSL 1.0.1e 11 Feb 2013
root@x072:[/]ssh   -Y -o ControlPath=none root@localhost
The authenticity of host 'localhost (127.0.0.1)' can't be established.
ECDSA key fingerprint is SHA256:pJMRs0K9s55u5ZkSiH+94R24KKX0Mu10ScStpBHfL6Q.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added 'localhost' (ECDSA) to the list of known hosts.
root@localhost's password:
Permission denied, please try again.
root@localhost's password:
Permission denied, please try again.
root@localhost's password:
Permission denied (publickey,password,keyboard-interactive).

This has to do with the changes on whether root can connect using a password - different issue (I normally use PKI-only for connection as root, normally I log in as regular user and use RBAC and 'su' as needed).


Here is my listing of /var/openssh/etc/sshd_config* on an AIX server that first had (only) AIX openssh.

-rw-r--r--    1 root     system         4591 May 25 10:13 sshd_config
-rw-r--r--    1 bin      bin            3691 May 25 09:48 sshd_config.7.2p1
-rw-r--r--    1 bin      bin            3691 May 25 10:13 sshd_config.openSSH
-rw-r--r--    1 root     system         4591 May 25 09:48 sshd_config.save

root@x072:[/var/openssh/etc]grep X sshd_config.openSSH sshd_config
sshd_config.openSSH:#X11Forwarding no
sshd_config.openSSH:#X11DisplayOffset 10
sshd_config.openSSH:#X11UseLocalhost yes
sshd_config.openSSH:#   X11Forwarding no
sshd_config:X11Forwarding yes
sshd_config:#X11DisplayOffset 10
sshd_config:#X11UseLocalhost yes


My configuration, re: X11 is - effectively - the same as yours. However, I had never previously Xauthlocation.
This is a new 'must have' setting (starting with 6.8, guessing)

Note: On my systems the xauth program is coming from X11.app.config and is installed at /usr/bin/X11/xauth - not at /usr/bin/xauth

dbabault

Re: OPENSSH 7.2 X11 DISPLAY forwarding
« Reply #3 on: August 10, 2016, 12:00:22 PM »
I've found the problem, I have XAuthLocation /usr/bin/xauth

/usr/bin/xauth is a link to /usr/bin/X11/xauth

When I run ssh -vvv ..., a message tells me xauth is not found.

I tried XAuthLocation /usr/bin/X11/xauth and restarted sshd, without success.

I see in the sshd_config manual that the XAuthLocation default is /usr/X11R6/bin/xauth

I made a link from /usr/X11R6/bin/xauth to /usr/bin/X11/xauth, commented out XAuthLocation, and everything is working after restarting sshd.

    putty from my PC to account1
    account1: xclock ==> a clock is displayed
    account1: ssh -X -Y  account2@localhost  (or account2@<hostname>)
    account2: xclock ==> a clock is displayed


Daniel

Michael

Re: OPENSSH 7.2 X11 DISPLAY forwarding
« Reply #4 on: August 11, 2016, 04:03:44 PM »
Thanks for the feedback.

I shall consider submitting a bug - specific to portable version (and AIX) that the default path should be:

/usr/lpp/X11/bin/xauth                      X11.apps.config       File

michael@x071:[/home/michael]find /usr -name xauth -ls
13577   53 -rwxr-xr-x  1 bin       bin          53838 Mar 12  2013 /usr/lpp/X11/bin/xauth

Personally, not happy that X11.apps.config does not create - better copy - a link from /usr/lpp/* BUT maybe something thinks security by obscurity is a great thing.

Again, thanks for the feedback/update!
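
The check this thread converges on (confirm that the xauth path sshd will use resolves to a real executable, whether it comes from XAuthLocation or from the default) can be scripted. This is an added example, not part of the original posts; the function names, status words and sandbox layout are constructed, and the default path is an argument because the built-in value depends on the build.

```shell
#!/bin/sh
# Added example: verify that the xauth path sshd would use is a real executable.

# Print the first uncommented XAuthLocation value in an sshd_config file.
# sshd_config keywords are case-insensitive, and the first value found wins.
xauth_from_config() {
    awk 'tolower($1) == "xauthlocation" { print $2; exit }' "$1"
}

# check_xauth CONFIG DEFAULT
# DEFAULT is the path used when CONFIG sets no XAuthLocation (an assumption
# supplied by the caller; the built-in default depends on the build).
# Prints "<STATUS> <source> <path>" and returns 0 only for STATUS=OK.
check_xauth() {
    cfg=$1 default=$2
    path=$(xauth_from_config "$cfg")
    src=config
    if [ -z "$path" ]; then path=$default; src=default; fi

    if [ -L "$path" ] && [ ! -e "$path" ]; then
        echo "DANGLING $src $path"; return 1     # symlink whose target is gone
    elif [ ! -e "$path" ]; then
        echo "MISSING $src $path"; return 1
    elif [ ! -f "$path" ] || [ ! -x "$path" ]; then
        echo "NOTEXEC $src $path"; return 1
    fi
    echo "OK $src $path"
}

# Constructed sandbox that mirrors the thread: the real binary lives under
# usr/bin/X11, one config points at a path that does not exist, and the
# default location only works once a link is created there.
make_sample() {
    d=$(mktemp -d)
    mkdir -p "$d/usr/bin/X11" "$d/usr/X11R6/bin"
    printf '#!/bin/sh\n' > "$d/usr/bin/X11/xauth"
    chmod +x "$d/usr/bin/X11/xauth"
    printf 'X11Forwarding yes\nXAuthLocation %s/usr/bin/xauth\n' "$d" > "$d/bad.conf"
    printf 'X11Forwarding yes\n#XAuthLocation %s/usr/bin/xauth\n' "$d" > "$d/nodirective.conf"
    echo "$d"
}
```

On a live host, pass the sshd_config file the daemon actually reads as the first argument and the default path from that build's sshd_config manual as the second.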