Re: [Vserver] cannot x11 forward with suggested settings

From: Herbert Poetzl <herbert_at_13thfloor.at>
Date: Tue 19 Sep 2006 - 14:29:56 BST
Message-ID: <20060919132956.GF10196@MAIL.13thfloor.at>

On Mon, Sep 18, 2006 at 09:44:24PM +0100, Konstantinos Pachopoulos wrote:
> --- Herbert Poetzl <herbert@13thfloor.at> wrote:
>
> > On Sun, Sep 17, 2006 at 09:39:51PM +0100,
> > Konstantinos Pachopoulos wrote:
> > > Hi,
> > > i cannot ssh forward, through my "ipcop" guest
> > > (10.0.0.6/24). In the host system i have made it
> > > "visible" via "ip addr add 10.0.0.6/24 broadcast +
> > dev
> > > eth0".
> > >
> > > Here's what i get when i try to run firestarter or
> > > nedit or xterm for example:
> > >
> > > --------------------
> > > ipcop:~# firestarter
> > > X11 connection rejected because of wrong
> > > authentication.
> > > The application 'firestarter' lost its connection
> > to
> > > the display localhost:10.0;
> > > most likely the X server was shut down or you
> > > killed/destroyed
> > > the application.
> > > ipcop:~# nedit
> > > X11 connection rejected because of wrong
> > > authentication.
> > > X connection to localhost:10.0 broken (explicit
> > kill
> > > or server shutdown).
> > > --------------------
> > >
> > > Here's the /etc/ssh/sshd_config of the "ipcop"
> > server:
> > > --------------------
> > > # Package generated configuration file
> > > # See the sshd(8) manpage for details
> > >
> > > # What ports, IPs and protocols we listen for
> > > Port 22
> > > # Use these options to restrict which
> > > interfaces/protocols sshd will bind to
> > > #ListenAddress ::
> > > #ListenAddress 0.0.0.0
> > > Protocol 2
> > > # HostKeys for protocol version 2
> > > HostKey /etc/ssh/ssh_host_rsa_key
> > > HostKey /etc/ssh/ssh_host_dsa_key
> > > #Privilege Separation is turned on for security
> > > UsePrivilegeSeparation yes
> > >
> > > # Lifetime and size of ephemeral version 1 server
> > key
> > > KeyRegenerationInterval 3600
> > > ServerKeyBits 768
> > >
> > > # Logging
> > > SyslogFacility AUTH
> > > LogLevel INFO
> > >
> > > # Authentication:
> > > LoginGraceTime 600
> > > PermitRootLogin yes
> > > StrictModes yes
> > >
> > > RSAAuthentication yes
> > > PubkeyAuthentication yes
> > > #AuthorizedKeysFile %h/.ssh/authorized_keys
> > >
> > > # Don't read the user's ~/.rhosts and ~/.shosts
> > files
> > > IgnoreRhosts yes
> > > # For this to work you will also need host keys in
> > > /etc/ssh_known_hosts
> > > RhostsRSAAuthentication no
> > > # similar for protocol version 2
> > > HostbasedAuthentication no
> > > # Uncomment if you don't trust ~/.ssh/known_hosts
> > for
> > > RhostsRSAAuthentication
> > > #IgnoreUserKnownHosts yes
> > >
> > > # To enable empty passwords, change to yes (NOT
> > > RECOMMENDED)
> > > PermitEmptyPasswords no
> > >
> > > # Change to no to disable s/key passwords
> > > #ChallengeResponseAuthentication yes
> > >
> > > # Change to yes to enable tunnelled clear text
> > > passwords
> > > PasswordAuthentication no
> > >
> > > # To change Kerberos options
> > > #KerberosAuthentication no
> > > #KerberosOrLocalPasswd yes
> > > #AFSTokenPassing no
> > > #KerberosTicketCleanup no
> > >
> > > # Kerberos TGT Passing does only work with the AFS
> > > kaserver
> > > #KerberosTgtPassing yes
> > >
> > > X11Forwarding yes
> > > X11DisplayOffset 10
> > > PrintMotd no
> > > PrintLastLog yes
> > > KeepAlive yes
> > > #UseLogin no
> > >
> > > #MaxStartups 10:30:60
> > > #Banner /etc/issue.net
> > >
> > > Subsystem sftp /usr/lib/sftp-server
> > >
> > > UsePAM yes
> > > X11UseLocalhost no #tried with as suggested and
> > > without
> > > --------------------
> > >
> > > Any ideas? I have been searching for a couple
> > days,
> > > but found nothing. Is this a routing, firewall
> > issue
> > > maybe? I do not know a lot about networking. I
> > hope i
> > > will learn through VServer :)
> >
> > check if $DISPLAY is set and what it contains,
> > also double check that your guest has mk/xauth
> > installed and the ssh client is not called with
> > -x (maybe explicitely specify -X for a test)
> >
> > check the ssh logon with the -v option to ssh,
> >
> > HTH,
> > Herbert
> >
> > > Thanks
> > >
> Hi,
> i cannot find mkxauth command in a Debian Etch amd64
> package. Is it the same with "xauth generate"? Anyway,
> xauth (of xbase-clients) is installed- in general i
> have the same package configuration both in the guest
> and the host, but the host X-forwards OK.
>
>
> Here are some outputs:
> -----------------------------
> fire-deb:~# echo $DISPLAY
> localhost:10.0

what does localhost resolve to?

did you change the localhost entry inside the guest
to point to the first ip assigned to the guest as
suggested on the wiki? (if not, please try that :)

> -----------------------------
> kostas@vakhos:~$ ssh -vX root@10.0.0.8
> OpenSSH_4.3p2 Debian-3, OpenSSL 0.9.8b 04 May 2006
> debug1: Reading configuration data /etc/ssh/ssh_config
> debug1: Applying options for *
> debug1: Connecting to 10.0.0.8 [10.0.0.8] port 22.
> debug1: Connection established.
> debug1: identity file /home/kostas/.ssh/identity type
> -1
> debug1: identity file /home/kostas/.ssh/id_rsa type -1
> debug1: identity file /home/kostas/.ssh/id_dsa type -1
> debug1: Remote protocol version 2.0, remote software
> version OpenSSH_4.3p2 Debian-3
> debug1: match: OpenSSH_4.3p2 Debian-3 pat OpenSSH*
> debug1: Enabling compatibility mode for protocol 2.0
> debug1: Local version string SSH-2.0-OpenSSH_4.3p2
> Debian-3
> debug1: SSH2_MSG_KEXINIT sent
> debug1: SSH2_MSG_KEXINIT received
> debug1: kex: server->client aes128-cbc hmac-md5 none
> debug1: kex: client->server aes128-cbc hmac-md5 none
> debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1024<1024<8192)
> sent
> debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
> debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
> debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
> debug1: Host '10.0.0.8' is known and matches the RSA
> host key.
> debug1: Found key in /home/kostas/.ssh/known_hosts:1
> debug1: ssh_rsa_verify: signature correct
> debug1: SSH2_MSG_NEWKEYS sent
> debug1: expecting SSH2_MSG_NEWKEYS
> debug1: SSH2_MSG_NEWKEYS received
> debug1: SSH2_MSG_SERVICE_REQUEST sent
> debug1: SSH2_MSG_SERVICE_ACCEPT received
> debug1: Authentications that can continue:
> publickey,password
> debug1: Next authentication method: publickey
> debug1: Trying private key: /home/kostas/.ssh/identity
> debug1: Trying private key: /home/kostas/.ssh/id_rsa
> debug1: Trying private key: /home/kostas/.ssh/id_dsa
> debug1: Next authentication method: password
> root@10.0.0.8's password:
> debug1: Authentication succeeded (password).
> debug1: channel 0: new [client-session]
> debug1: Entering interactive session.
> debug1: Requesting X11 forwarding with authentication
> spoofing.
> debug1: Requesting authentication agent forwarding.
> debug1: Sending environment.
> debug1: Sending env LANG = en_US.UTF-8
> Last login: Mon Sep 18 22:46:32 2006 from 10.0.0.1
> fire-deb:~# xterm
> _X11TransSocketINETConnect() can't get address for
> localhost:6010: Name or service not known
> Warning: This program is an suid-root program or is
> being run by the root user.
> The full text of the error or warning message cannot
> be safely formatted
> in this environment. You may get a more descriptive
> message by running the
> program as a non-root user or by removing the suid bit
> on the executable.
> xterm Xt error: Can't open display: %s
> fire-deb:~#
> --------------------------------
> kostas@vakhos:~$ ssh -vY root@10.0.0.8
> OpenSSH_4.3p2 Debian-3, OpenSSL 0.9.8b 04 May 2006
> debug1: Reading configuration data /etc/ssh/ssh_config
> debug1: Applying options for *
> debug1: Connecting to 10.0.0.8 [10.0.0.8] port 22.
> debug1: Connection established.
> debug1: identity file /home/kostas/.ssh/identity type
> -1
> debug1: identity file /home/kostas/.ssh/id_rsa type -1
> debug1: identity file /home/kostas/.ssh/id_dsa type -1
> debug1: Remote protocol version 2.0, remote software
> version OpenSSH_4.3p2 Debian-3
> debug1: match: OpenSSH_4.3p2 Debian-3 pat OpenSSH*
> debug1: Enabling compatibility mode for protocol 2.0
> debug1: Local version string SSH-2.0-OpenSSH_4.3p2
> Debian-3
> debug1: SSH2_MSG_KEXINIT sent
> debug1: SSH2_MSG_KEXINIT received
> debug1: kex: server->client aes128-cbc hmac-md5 none
> debug1: kex: client->server aes128-cbc hmac-md5 none
> debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1024<1024<8192)
> sent
> debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
> debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
> debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
> debug1: Host '10.0.0.8' is known and matches the RSA
> host key.
> debug1: Found key in /home/kostas/.ssh/known_hosts:1
> debug1: ssh_rsa_verify: signature correct
> debug1: SSH2_MSG_NEWKEYS sent
> debug1: expecting SSH2_MSG_NEWKEYS
> debug1: SSH2_MSG_NEWKEYS received
> debug1: SSH2_MSG_SERVICE_REQUEST sent
> debug1: SSH2_MSG_SERVICE_ACCEPT received
> debug1: Authentications that can continue:
> publickey,password
> debug1: Next authentication method: publickey
> debug1: Trying private key: /home/kostas/.ssh/identity
> debug1: Trying private key: /home/kostas/.ssh/id_rsa
> debug1: Trying private key: /home/kostas/.ssh/id_dsa
> debug1: Next authentication method: password
> root@10.0.0.8's password:
> debug1: Authentication succeeded (password).
> debug1: channel 0: new [client-session]
> debug1: Entering interactive session.
> debug1: Requesting X11 forwarding with authentication
> spoofing.
> debug1: Requesting authentication agent forwarding.
> debug1: Sending environment.
> debug1: Sending env LANG = en_US.UTF-8
> Last login: Mon Sep 18 22:56:55 2006 from 10.0.0.1
> fire-deb:~# xterm
> _X11TransSocketINETConnect() can't get address for
> localhost:6010: Name or service not known
> Warning: This program is an suid-root program or is
> being run by the root user.
> The full text of the error or warning message cannot
> be safely formatted
> in this environment. You may get a more descriptive
> message by running the
> program as a non-root user or by removing the suid bit
> on the executable.
> xterm Xt error: Can't open display: %s
> fire-deb:~#
> ---------------------------------

what does 'xauth list' show inside the guest
(after you logged in via ssh)

TIA,
Herbert

> Thanks,
> Kostas
>
>
>
>
>
>
>
>
> ___________________________________________________________
>
> All new Yahoo! Mail "The new Interface is stunning in
> its simplicity and ease of use." - PC Magazine
> http://uk.docs.yahoo.com/nowyoucan.html
>
>
>
>
>
> ___________________________________________________________
> All new Yahoo! Mail "The new Interface is stunning in its simplicity and ease of use." - PC Magazine
> http://uk.docs.yahoo.com/nowyoucan.html
> _______________________________________________
> Vserver mailing list
> Vserver@list.linux-vserver.org
> http://list.linux-vserver.org/mailman/listinfo/vserver
_______________________________________________
Vserver mailing list
Vserver@list.linux-vserver.org
http://list.linux-vserver.org/mailman/listinfo/vserver
Received on Tue Sep 19 14:31:21 2006

[Next/Previous Months] [Main vserver Project Homepage] [Howto Subscribe/Unsubscribe] [Paul Sladen's vserver stuff]
Generated on Tue 19 Sep 2006 - 14:31:25 BST by hypermail 2.1.8