| 1 |
On Sun, Dec 21, 2014 at 1:17 AM, Harry Putnam <reader@×××××××.com> wrote: |
| 2 |
|
| 3 |
> This properly belongs on the ssh group, but posting there has not gotten |
| 4 |
> any responses... and the list is quite slow to boot. |
| 5 |
> |
| 6 |
> I like using ssh -X to other lan remotes but with new versions of openssh |
| 7 |
> or perhaps the configs, it only works 1 way. |
| 8 |
> |
| 9 |
> I can `ssh -X' to the gentoo host from a debian host but not the other |
| 10 |
> way round. |
| 11 |
> |
| 12 |
> Two different versions of openssh appear to be involved. But not sure |
| 13 |
> how different they are. |
| 14 |
> |
| 15 |
> RHOST=a debian HOST |
| 16 |
> LHOST= Gentoo HOST |
| 17 |
> |
| 18 |
> ssh -vN $RHOST 2>&1|grep "remote software version" |
| 19 |
> |
| 20 |
> [...] OpenSSH_6.7p1 Debian-3 |
| 21 |
> |
| 22 |
> ssh -vN $LHOST 2>&1|grep "remote software version" |
| 23 |
> |
| 24 |
> [...] OpenSSH_6.7p1-hpn14v5 |
| 25 |
> |
| 26 |
> |
| 27 |
> One thing I tried to do was to copy the RHOST sshd_config and ssh_config to |
| 28 |
> LHOST. Restart and try again... there were a few incompatible bits in |
| 29 |
> the files so after commenting a few out until no config errors. |
| 30 |
> |
| 31 |
> However ssh -X still displayed the error and would NOT work when: |
| 32 |
> ssh -X RHOST from LHOST |
| 33 |
> ({Note that plain ssh LHOST or RHOST works in any direction} |
| 34 |
> |
| 35 |
> Error outut with ssh -X $RHOST "xterm" |
| 36 |
> |
| 37 |
> ,---- |
| 38 |
> | Warning: untrusted X11 forwarding setup failed: xauth key data not |
| 39 |
> generated |
| 40 |
> | Warning: No xauth data; using fake authentication data for X11 |
| 41 |
> forwarding. |
| 42 |
> | Invalid MIT-MAGIC-COOKIE-1 keyxterm: Xt error: Can't open display: |
| 43 |
> localhost:10.0 |
| 44 |
> |
| 45 |
|
| 46 |
I believe you're looking for the "xhost" command and its archaic |
| 47 |
permissions setup settings. |
| 48 |
|
| 49 |
The idea is that the machine hosting the X server has an additional |
| 50 |
permissions setting that controls which |
| 51 |
hosts are allowed to use the X displays. |
| 52 |
|
| 53 |
Since you say that it's apparently the debian host that doesn't allow |
| 54 |
launching of X programs, |
| 55 |
what happens if, from the working GUI on the debian host, you run: |
| 56 |
xhost + |
| 57 |
|
| 58 |
Before you try connecting to it from the gentoo machine? It should say |
| 59 |
something like |
| 60 |
access control disabled, clients can connect from any host |
| 61 |
|
| 62 |
And you should be able to open your xterm using ssh -X. |
| 63 |
|
| 64 |
|
| 65 |
`---- |
| 66 |
> |
| 67 |
> [Full Error output with ssh -vv -X is very lengthy so is attached at the |
| 68 |
> end] |
| 69 |
> |
| 70 |
> I'm not seeing how to debug this further. So going back to the stock |
| 71 |
> version of sshd_config ssh_config on gentoo with two changes: |
| 72 |
> |
| 73 |
> commented out this line: |
| 74 |
> PasswordAuthentication no |
| 75 |
> |
| 76 |
> added this: |
| 77 |
> X11Forwarding yes |
| 78 |
> |
| 79 |
> ------- ------- ---=--- ------- ------- |
| 80 |
> Full sshd_config on LHOST: sudo grep ^[^#] /etc/ssh/sshd_config |
| 81 |
> ------- ------- ---=--- ------- ------- |
| 82 |
> UsePAM yes |
| 83 |
> X11Forwarding yes |
| 84 |
> PrintMotd no |
| 85 |
> PrintLastLog no |
| 86 |
> UsePrivilegeSeparation sandbox # Default for new |
| 87 |
> installations. |
| 88 |
> Subsystem sftp /usr/lib/misc/sftp-server |
| 89 |
> AcceptEnv LANG LC_* |
| 90 |
> |
| 91 |
> ------- Config END ------- |
| 92 |
> |
| 93 |
> |
| 94 |
> ------- ------- ---=--- ------- ------- |
| 95 |
> Full ssh_config on LHOST: sudo grep ^[^#] /etc/ssh/ssh_config |
| 96 |
> ------- ------- ---=--- ------- ------- |
| 97 |
> |
| 98 |
> ForwardX11 yes |
| 99 |
> SendEnv LANG LC_* |
| 100 |
> |
| 101 |
> ------- Config END ------- |
| 102 |
> |
| 103 |
> ####################################################### |
| 104 |
> |
| 105 |
> Now the same info for RHOST |
| 106 |
> |
| 107 |
> ------- ------- ---=--- ------- ------- |
| 108 |
> Full sshd_config on RHOST: ssh root@RHOST "grep ^[^#] |
| 109 |
> /etc/ssh/sshd_config" |
| 110 |
> ------- ------- ---=--- ------- ------- |
| 111 |
> |
| 112 |
> HostKey /etc/ssh/ssh_host_rsa_key |
| 113 |
> HostKey /etc/ssh/ssh_host_dsa_key |
| 114 |
> HostKey /etc/ssh/ssh_host_ed25519_key |
| 115 |
> AcceptEnv LANG LC_* |
| 116 |
> ChallengeResponseAuthentication no |
| 117 |
> IgnoreRhosts yes |
| 118 |
> HostbasedAuthentication no |
| 119 |
> KeyRegenerationInterval 3600 |
| 120 |
> LogLevel INFO |
| 121 |
> LoginGraceTime 120 |
| 122 |
> PermitEmptyPasswords no |
| 123 |
> PermitRootLogin yes |
| 124 |
> Port 22 |
| 125 |
> PrintLastLog yes |
| 126 |
> PrintMotd no |
| 127 |
> Protocol 2 |
| 128 |
> PubkeyAuthentication yes |
| 129 |
> RSAAuthentication yes |
| 130 |
> RhostsRSAAuthentication no |
| 131 |
> ServerKeyBits 1024 |
| 132 |
> SyslogFacility AUTH |
| 133 |
> StrictModes yes |
| 134 |
> Subsystem sftp /usr/lib/misc/sftp-server |
| 135 |
> TCPKeepAlive yes |
| 136 |
> UsePAM yes |
| 137 |
> UsePrivilegeSeparation sandbox |
| 138 |
> X11Forwarding yes |
| 139 |
> |
| 140 |
> ------- Config END ------- |
| 141 |
> |
| 142 |
> |
| 143 |
> ------- ------- ---=--- ------- ------- |
| 144 |
> Full ssh_config on RHOST: ssh root@RHOST "grep ^[^#] /etc/ssh/ssh_config" |
| 145 |
> ------- ------- ---=--- ------- ------- |
| 146 |
> Host * |
| 147 |
> ForwardX11 yes |
| 148 |
> SendEnv LANG LC_* |
| 149 |
> HashKnownHosts yes |
| 150 |
> |
| 151 |
> ------- Config END ------- |
| 152 |
> |
| 153 |
> ############################################ |
| 154 |
> ############################################ |
| 155 |
> |
| 156 |
> The only thing more I can think to include is the full lengthy output of |
| 157 |
> ssh -vv -X |
| 158 |
> |
| 159 |
> |
| 160 |
|
| 161 |
|
| 162 |
-- |
| 163 |
This email is: [ ] actionable [ ] fyi [ ] social |
| 164 |
Response needed: [ ] yes [ ] up to you [ ] no |
| 165 |
Time-sensitive: [ ] immediate [ ] soon [ ] none |
Archives