Re: [Vserver] cannot x11 forward with suggested settings

From: Xavier Montagutelli <xavier.montagutelli_at_unilim.fr>
Date: Tue 19 Sep 2006 - 08:33:00 BST
Message-Id: <200609190933.01149.xavier.montagutelli@unilim.fr>

On Monday 18 September 2006 21:35, Konstantinos Pachopoulos wrote:
> --- Herbert Poetzl <herbert@13thfloor.at> wrote:
> > On Sun, Sep 17, 2006 at 09:39:51PM +0100,
> >
> > Konstantinos Pachopoulos wrote:
> > > Hi,
> > > i cannot ssh forward, through my "ipcop" guest
> > > (10.0.0.6/24). In the host system i have made it
> > > "visible" via "ip addr add 10.0.0.6/24 broadcast + dev
> > > eth0".
> > >
> > > Here's what i get when i try to run firestarter or
> > > nedit or xterm for example:
> > >
> > > --------------------
> > > ipcop:~# firestarter
> > > X11 connection rejected because of wrong
> > > authentication.
> > > The application 'firestarter' lost its connection to
> > > the display localhost:10.0;
> > > most likely the X server was shut down or you
> > > killed/destroyed
> > > the application.
> > > ipcop:~# nedit
> > > X11 connection rejected because of wrong
> > > authentication.
> > > X connection to localhost:10.0 broken (explicit kill
> > > or server shutdown).
> > > --------------------
> > >
> > > Here's the /etc/ssh/sshd_config of the "ipcop" server:
> > > --------------------
> > > # Package generated configuration file
> > > # See the sshd(8) manpage for details
> > >
> > > # What ports, IPs and protocols we listen for
> > > Port 22
> > > # Use these options to restrict which
> > > interfaces/protocols sshd will bind to
> > > #ListenAddress ::
> > > #ListenAddress 0.0.0.0
> > > Protocol 2
> > > # HostKeys for protocol version 2
> > > HostKey /etc/ssh/ssh_host_rsa_key
> > > HostKey /etc/ssh/ssh_host_dsa_key
> > > #Privilege Separation is turned on for security
> > > UsePrivilegeSeparation yes
> > >
> > > # Lifetime and size of ephemeral version 1 server key
> > > KeyRegenerationInterval 3600
> > > ServerKeyBits 768
> > >
> > > # Logging
> > > SyslogFacility AUTH
> > > LogLevel INFO
> > >
> > > # Authentication:
> > > LoginGraceTime 600
> > > PermitRootLogin yes
> > > StrictModes yes
> > >
> > > RSAAuthentication yes
> > > PubkeyAuthentication yes
> > > #AuthorizedKeysFile %h/.ssh/authorized_keys
> > >
> > > # Don't read the user's ~/.rhosts and ~/.shosts files
> > > IgnoreRhosts yes
> > > # For this to work you will also need host keys in
> > > /etc/ssh_known_hosts
> > > RhostsRSAAuthentication no
> > > # similar for protocol version 2
> > > HostbasedAuthentication no
> > > # Uncomment if you don't trust ~/.ssh/known_hosts for
> > > RhostsRSAAuthentication
> > > #IgnoreUserKnownHosts yes
> > >
> > > # To enable empty passwords, change to yes (NOT
> > > RECOMMENDED)
> > > PermitEmptyPasswords no
> > >
> > > # Change to no to disable s/key passwords
> > > #ChallengeResponseAuthentication yes
> > >
> > > # Change to yes to enable tunnelled clear text
> > > passwords
> > > PasswordAuthentication no
> > >
> > > # To change Kerberos options
> > > #KerberosAuthentication no
> > > #KerberosOrLocalPasswd yes
> > > #AFSTokenPassing no
> > > #KerberosTicketCleanup no
> > >
> > > # Kerberos TGT Passing does only work with the AFS
> > > kaserver
> > > #KerberosTgtPassing yes
> > >
> > > X11Forwarding yes
> > > X11DisplayOffset 10
> > > PrintMotd no
> > > PrintLastLog yes
> > > KeepAlive yes
> > > #UseLogin no
> > >
> > > #MaxStartups 10:30:60
> > > #Banner /etc/issue.net
> > >
> > > Subsystem sftp /usr/lib/sftp-server
> > >
> > > UsePAM yes
> > > X11UseLocalhost no #tried with as suggested and
> > > without

I confirm: to enable X11 forwarding in a vserver, you can add the following
parameter in sshd_config:

X11UseLocalhost no

You should read the security notes in the man pages, because it can weaken
your security. Just to be sure: after changing sshd_config, don't forget to
reload it (/etc/init.d/sshd reload).

After that, the DISPLAY variable in the vserver should be of the form
"name.dom.tld:10.0" instead of "localhost:10.0". You can also use the
following command (if the X11 display is :10):

netstat -apn | grep 6010

sshd should now be listening on the IP assigned to the vserver, on the TCP
port 6010.

> > > --------------------
> > >
> > > Any ideas? I have been searching for a couple days,
> > > but found nothing. Is this a routing, firewall issue
> > > maybe? I do not know a lot about networking. I hope i
> > > will learn through VServer :)
> >
> > check if $DISPLAY is set and what it contains,
> > also double check that your guest has mk/xauth
> > installed and the ssh client is not called with
> > -x (maybe explicitly specify -X for a test)
> >
> > check the ssh logon with the -v option to ssh,
> >
> > HTH,
> > Herbert
>
> Hi,
> i cannot find mkxauth command in a Debian Etch amd64
> package. Is it the same with "xauth generate"? Anyway,
> xauth (of xbase-clients) is installed- in general i
> have the same package configuration both in the guest
> and the host, but the host X-forwards OK.
>
>
> Here are some outputs:
> -----------------------------
> fire-deb:~# echo $DISPLAY
> localhost:10.0
> -----------------------------
> kostas@vakhos:~$ ssh -vX root@10.0.0.8
> OpenSSH_4.3p2 Debian-3, OpenSSL 0.9.8b 04 May 2006
> debug1: Reading configuration data /etc/ssh/ssh_config
> debug1: Applying options for *
> debug1: Connecting to 10.0.0.8 [10.0.0.8] port 22.
> debug1: Connection established.
> debug1: identity file /home/kostas/.ssh/identity type
> -1
> debug1: identity file /home/kostas/.ssh/id_rsa type -1
> debug1: identity file /home/kostas/.ssh/id_dsa type -1
> debug1: Remote protocol version 2.0, remote software
> version OpenSSH_4.3p2 Debian-3
> debug1: match: OpenSSH_4.3p2 Debian-3 pat OpenSSH*
> debug1: Enabling compatibility mode for protocol 2.0
> debug1: Local version string SSH-2.0-OpenSSH_4.3p2
> Debian-3
> debug1: SSH2_MSG_KEXINIT sent
> debug1: SSH2_MSG_KEXINIT received
> debug1: kex: server->client aes128-cbc hmac-md5 none
> debug1: kex: client->server aes128-cbc hmac-md5 none
> debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1024<1024<8192)
> sent
> debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
> debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
> debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
> debug1: Host '10.0.0.8' is known and matches the RSA
> host key.
> debug1: Found key in /home/kostas/.ssh/known_hosts:1
> debug1: ssh_rsa_verify: signature correct
> debug1: SSH2_MSG_NEWKEYS sent
> debug1: expecting SSH2_MSG_NEWKEYS
> debug1: SSH2_MSG_NEWKEYS received
> debug1: SSH2_MSG_SERVICE_REQUEST sent
> debug1: SSH2_MSG_SERVICE_ACCEPT received
> debug1: Authentications that can continue:
> publickey,password
> debug1: Next authentication method: publickey
> debug1: Trying private key: /home/kostas/.ssh/identity
> debug1: Trying private key: /home/kostas/.ssh/id_rsa
> debug1: Trying private key: /home/kostas/.ssh/id_dsa
> debug1: Next authentication method: password
> root@10.0.0.8's password:
> debug1: Authentication succeeded (password).
> debug1: channel 0: new [client-session]
> debug1: Entering interactive session.
> debug1: Requesting X11 forwarding with authentication
> spoofing.
> debug1: Requesting authentication agent forwarding.
> debug1: Sending environment.
> debug1: Sending env LANG = en_US.UTF-8
> Last login: Mon Sep 18 22:46:32 2006 from 10.0.0.1
> fire-deb:~# xterm
> _X11TransSocketINETConnect() can't get address for
> localhost:6010: Name or service not known
> Warning: This program is an suid-root program or is
> being run by the root user.
> The full text of the error or warning message cannot
> be safely formatted
> in this environment. You may get a more descriptive
> message by running the
> program as a non-root user or by removing the suid bit
> on the executable.
> xterm Xt error: Can't open display: %s
> fire-deb:~#
> --------------------------------
> kostas@vakhos:~$ ssh -vY root@10.0.0.8
> OpenSSH_4.3p2 Debian-3, OpenSSL 0.9.8b 04 May 2006
> debug1: Reading configuration data /etc/ssh/ssh_config
> debug1: Applying options for *
> debug1: Connecting to 10.0.0.8 [10.0.0.8] port 22.
> debug1: Connection established.
> debug1: identity file /home/kostas/.ssh/identity type
> -1
> debug1: identity file /home/kostas/.ssh/id_rsa type -1
> debug1: identity file /home/kostas/.ssh/id_dsa type -1
> debug1: Remote protocol version 2.0, remote software
> version OpenSSH_4.3p2 Debian-3
> debug1: match: OpenSSH_4.3p2 Debian-3 pat OpenSSH*
> debug1: Enabling compatibility mode for protocol 2.0
> debug1: Local version string SSH-2.0-OpenSSH_4.3p2
> Debian-3
> debug1: SSH2_MSG_KEXINIT sent
> debug1: SSH2_MSG_KEXINIT received
> debug1: kex: server->client aes128-cbc hmac-md5 none
> debug1: kex: client->server aes128-cbc hmac-md5 none
> debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1024<1024<8192)
> sent
> debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
> debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
> debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
> debug1: Host '10.0.0.8' is known and matches the RSA
> host key.
> debug1: Found key in /home/kostas/.ssh/known_hosts:1
> debug1: ssh_rsa_verify: signature correct
> debug1: SSH2_MSG_NEWKEYS sent
> debug1: expecting SSH2_MSG_NEWKEYS
> debug1: SSH2_MSG_NEWKEYS received
> debug1: SSH2_MSG_SERVICE_REQUEST sent
> debug1: SSH2_MSG_SERVICE_ACCEPT received
> debug1: Authentications that can continue:
> publickey,password
> debug1: Next authentication method: publickey
> debug1: Trying private key: /home/kostas/.ssh/identity
> debug1: Trying private key: /home/kostas/.ssh/id_rsa
> debug1: Trying private key: /home/kostas/.ssh/id_dsa
> debug1: Next authentication method: password
> root@10.0.0.8's password:
> debug1: Authentication succeeded (password).
> debug1: channel 0: new [client-session]
> debug1: Entering interactive session.
> debug1: Requesting X11 forwarding with authentication
> spoofing.
> debug1: Requesting authentication agent forwarding.
> debug1: Sending environment.
> debug1: Sending env LANG = en_US.UTF-8
> Last login: Mon Sep 18 22:56:55 2006 from 10.0.0.1
> fire-deb:~# xterm
> _X11TransSocketINETConnect() can't get address for
> localhost:6010: Name or service not known
> Warning: This program is an suid-root program or is
> being run by the root user.
> The full text of the error or warning message cannot
> be safely formatted
> in this environment. You may get a more descriptive
> message by running the
> program as a non-root user or by removing the suid bit
> on the executable.
> xterm Xt error: Can't open display: %s
> fire-deb:~#
> ---------------------------------
>
> Thanks,
> Kostas
>
>
>

-- 
Xavier Montagutelli                      Tel : +33 (0)5 55 45 77 20
Service Commun Informatique              Fax : +33 (0)5 55 45 75 95
Universite de Limoges
123, avenue Albert Thomas
87060 Limoges cedex
_______________________________________________
Vserver mailing list
Vserver@list.linux-vserver.org
http://list.linux-vserver.org/mailman/listinfo/vserver
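A worked check for the procedure Xavier describes (X11UseLocalhost, the DISPLAY form, and the port-6010 listener). This is an added example written for this page, not a script posted by anyone on the list. It uses only the option semantics documented in sshd_config(5): X11UseLocalhost chooses between the loopback and the wildcard bind, X11DisplayOffset picks the first forwarded display, and display :N is TCP port 6000+N. The two sshd_config fragments, the netstat line, and the guest name and IP (fire-deb and 10.0.0.8, taken from Kostas' output above) are constructed sample input. Before reloading a real sshd, run "sshd -t" on the edited file; keep comments on their own line rather than after an option, as in the posted X11UseLocalhost line, so the parser cannot trip over extra tokens.

```shell
#!/bin/sh
# Added example for this thread, not code posted by anyone on the list.
# It predicts, from an sshd_config, how sshd will bind the X11 forwarding
# listener and what DISPLAY the guest should see, then checks a netstat
# line for the listener and prints a firewall rule for the host. The
# option semantics come from sshd_config(5); the config fragments, the
# netstat line and the guest name/IP (fire-deb, 10.0.0.8, taken from the
# thread) are constructed sample input.
set -eu

# Effective value of an sshd_config keyword: keywords are case-insensitive,
# the first occurrence wins, and a line starting with '#' is a comment.
sshd_option() {     # $1 = keyword, $2 = sshd's default, $3 = config file
    key=$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')
    val=$(grep -v '^[[:space:]]*#' "$3" \
          | awk -v k="$key" 'tolower($1) == k { print $2; exit }')
    if [ -n "$val" ]; then printf '%s\n' "$val"; else printf '%s\n' "$2"; fi
}

# Address the X11 proxy listener is bound to (sshd_config(5), X11UseLocalhost):
# loopback by default, the wildcard address with "no".
x11_bind_addr() {   # $1 = config file
    case $(sshd_option X11UseLocalhost yes "$1") in
        no) printf '0.0.0.0\n' ;;
        *)  printf '127.0.0.1\n' ;;
    esac
}

# X11 display :N is TCP port 6000+N, so the first forwarded display
# (X11DisplayOffset, default 10) is port 6010.
x11_port() {        # $1 = display number
    echo $(( 6000 + $1 ))
}

# DISPLAY sshd exports for the first forwarded display: localhost:N.0 on a
# loopback bind, otherwise the guest's host name (Xavier's "name.dom.tld:10.0").
expected_display() {    # $1 = config file, $2 = guest host name
    off=$(sshd_option X11DisplayOffset 10 "$1")
    if [ "$(x11_bind_addr "$1")" = 127.0.0.1 ]; then
        printf 'localhost:%s.0\n' "$off"
    else
        printf '%s:%s.0\n' "$2" "$off"
    fi
}

# Local address of the socket listening on TCP port $1, from "netstat -apn"
# output on stdin; prints nothing when nothing listens there.
listener_addr() {   # $1 = TCP port
    awk -v p=":$1" '$1 ~ /^tcp/ && $6 == "LISTEN" &&
                    substr($4, length($4) - length(p) + 1) == p { print $4; exit }'
}

# With X11UseLocalhost no the forwarded displays are reachable from the
# network, and the MIT-MAGIC-COOKIE in ~/.Xauthority is the only remaining
# check (a wrong cookie gives the "rejected because of wrong authentication"
# error quoted above). This rule, for the host's firewall, keeps the X11
# proxy ports reachable from the guest's own address only.
x11_firewall_rule() {   # $1 = guest IP, $2 = display offset, $3 = display count
    printf 'iptables -A INPUT -d %s -p tcp --dport %s:%s ! -s %s -j DROP\n' \
        "$1" "$(x11_port "$2")" "$(x11_port $(( $2 + $3 - 1 )))" "$1"
}

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Constructed fragments: sshd's default (X11UseLocalhost unset, i.e. yes)
# and the vserver setting recommended in this thread.
cat > "$WORK/sshd_config.default" <<'EOF'
X11Forwarding yes
X11DisplayOffset 10
EOF
cat > "$WORK/sshd_config.vserver" <<'EOF'
X11Forwarding yes
X11DisplayOffset 10
X11UseLocalhost no
EOF

# Constructed "netstat -apn" line for the working state Xavier describes:
# sshd listening on the guest's IP, port 6010.
NETSTAT_SAMPLE='tcp        0      0 10.0.0.8:6010           0.0.0.0:*               LISTEN      4242/sshd: root@pts'

for cfg in default vserver; do
    f="$WORK/sshd_config.$cfg"
    printf '%-8s bind=%-9s DISPLAY=%s\n' "$cfg" \
        "$(x11_bind_addr "$f")" "$(expected_display "$f" fire-deb)"
done
printf 'port %s listener: %s\n' "$(x11_port 10)" \
    "$(printf '%s\n' "$NETSTAT_SAMPLE" | listener_addr 6010)"
x11_firewall_rule 10.0.0.8 10 10
```

Run it as is to see both configurations side by side; to check a live guest, point sshd_option at /etc/ssh/sshd_config and pipe real "netstat -apn" output into listener_addr. The firewall rule is the caveat the man page hints at: once the listener is on the guest's IP instead of loopback, every host that can reach 10.0.0.8 can talk to port 6010 and try cookies, so limiting the port range to the guest's own address restores roughly the exposure the default setting had.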
Received on Tue Sep 19 09:07:00 2006
Generated on Tue 19 Sep 2006 - 09:07:06 BST by hypermail 2.1.8