x11 forwarding over ssh not working
I cannot forward X11 from my OpenBSD 4.4. Not to other computers nor to myself via ssh to localhost. When I try xclock I get: Error: Can't open display.
In sshd_config I set X11UseLocalHost "no" and I log in with ssh -X. I also tried to change the X11DisplayOffset but nothing is working. I have tried to set the xauth location also but no difference. I have also tried the ssh -Y option. When I log in to the FreeBSD, where it works, DISPLAY=localhost:10.0, but when I log in to OpenBSD, DISPLAY is not set; it does not work if I set it to localhost:10.0 either.
P.S. I can forward it from my FreeBSD with the OpenBSD as the client. However, on my FreeBSD I cannot forward X11 from my jails. I followed the instructions in the FreeBSD handbook for the jails.
|
|||
I get the same error- Error: Can't open display.
When you connect to your localhost with -X or -Y do you have DISPLAY set? It says that the default for X11DisplayOffset is defaulted to 10, is this supposed to set DISPLAY to something? When I am in a regular xterm with no ssh DISPLAY=:0.0, but it is nil in ssh. sshd(1) says
Code:
X11 FORWARDING
     If the ForwardX11 variable is set to ``yes'' (or see the description of
     the -X, -x, and -Y options above) and the user is using X11 (the DISPLAY
     environment variable is set), the connection to the X11 display is
     automatically forwarded to the remote side in such a way that any X11
     programs started from the shell (or command) will go through the
     encrypted channel, and the connection to the real X server will be made
     from the local machine. The user should not manually set DISPLAY.
     Forwarding of X11 connections can be configured on the command line or
     in configuration files.

     The DISPLAY value set by ssh will point to the server machine, but with
     a display number greater than zero. This is normal, and happens because
     ssh creates a ``proxy'' X server on the server machine for forwarding
     the connections over the encrypted channel
|
||||
On the server side
Code:
in sshd_config I set X11UseLocalHost "no"
Code:
#AllowAgentForwarding yes
#AllowTcpForwarding yes
#GatewayPorts no
#X11Forwarding no
#X11DisplayOffset 10
#X11UseLocalhost yes

Uncomment and put a different value. On the client side the default values are
Code:
# Host *
#   ForwardAgent no
#   ForwardX11 no
#   RhostsRSAAuthentication no
#   RSAAuthentication yes
#   PasswordAuthentication yes
#   HostbasedAuthentication no
#   GSSAPIAuthentication no
#   GSSAPIDelegateCredentials no
#   BatchMode no
#   CheckHostIP yes
#   AddressFamily any
#   ConnectTimeout 0

To be perfectly honest with you, I have not used it for a while, so I would have to look at man pages and a few books to be able to give you a precise answer. You can do configuration per user so you do not have to alter default values in ssh_config system wide.
Last edited by Oko; 16th December 2008 at 11:20 PM.
|
|||
Not that I have the faintest idea about what I am talking about, but if I set X11UseLocalHost="yes" would that not set the X11 forwarding to loopback? I guess that should work if I try it with a connection to localhost.
However, even with this set to yes (default I guess), it does not work when I connect with ssh -X localhost. The display is still not set and I get Error: Can't open display. Is this because opening it is not allowed or because it is not set? Sorry for asking this again, but if you do ssh -X localhost and log in, is your DISPLAY set?
|
||||
X11UseLocalHost isn't the option that needs to be set.
X11Forwarding is the option that allows or prevents X11 forwarding via SSH. If this option is set to no, then X11 forwarding is banned. If this option is set to yes, then X11 forwarding is allowed. It's not rocket science.
|
|||
Yes, it is working now with
X11Forwarding=Yes
X11UseLocalHost=Yes
I always had one or the other set to no.
In order to run X11 applications in a FreeBSD jail that is accessed via ssh -X from the "jail host", must one install Xorg in the jail too?
|
|||
Quote:
The process runs inside the jail.. only the X traffic is forwarded over the SSH session. |
|
|||
Thank you for your replies. I have xlock installed in the jail and I looked at http://lists.freebsd.org/pipermail/f...il/000476.html
but it does not help if I set X11UseLocalHost=no as they suggest there. Am I missing something else? |
|
||||
Why do you keep messing around with X11UseLocalhost???? Leave it as the default.
From my quick read of man sshd_config, that variable tells ssh (that is the local client) whether it should bind to the local X11 server on the ssh client, or forward the requests to some other X server on the local network. man sshd tells me that generally there is some scripting magic to set X11UseLocalHost based on what DISPLAY is set to on the local system anyway. Remove all references to X11UseLocalHost that you have added and leave it that way. Now, ssh -X remotemachine, and do echo $DISPLAY. Then try an X utility and post us everything that it returns. Also check the log files on the X server and see if the requests have been rejected locally.
__________________
The only dumb question is a question not asked. The only dumb answer is an answer not given. |
|
|||
First of all, I apologize, and I hope that my behavior is not harmful to people's blood pressure or the color of their hair. Secondly, I hope that it is okay that this thread, in an OpenBSD section, has now shifted to FreeBSD questions, now that the OpenBSD problem was solved.
Moderators: I would appreciate a yellow card before an impending ban.
----------------------------------------------------------------------------------------------------------------
The reason I fiddled with the X11UseLocalHost was because, from my understanding, that was the resolution to the problems when you search for "x11 jails ssh". When I have X11UseLocalHost as the default=yes, and log in from my host 192.168.0.100 to a hosted jail at 192.168.0.105 with ssh -X user@192.168.0.105 and I try xclock, I get this in the jail:
Code:
$ xclock
X11 connection rejected because of wrong authentication.
X connection to localhost:10.0 broken (explicit kill or server shutdown).
$ echo $DISPLAY
localhost:10.0

Finally, about logs: I am not certain which log you refer to, but I could not see any errors in auth.log+messages on either system.
|
||||
Quote:
With X11UseLocalhost set (the default), the proxy X server binds to 127.0.0.1:6010 and DISPLAY is set to localhost:10.0. With X11UseLocalhost disabled, the proxy X server binds to *:6010 (binds to port 6010 on all IPs) and the DISPLAY is set to :10.0. The first setting is more secure as only processes running on the system can use the forwarded X port. The second setting is less secure, and any process (local or remote) can (potentially) connect to the forwarded X port. |
|
||||
The log files I would be looking at are /var/log/Xorg.0.log and the console output of the X server ([ctrl][alt][F1] should get you there, although I do not know where the console output goes if you are using a display manager (kdm, gdm or xdm)).
The error messages suggest to me that you are hitting the X server just fine, but are being rejected by the auth systems.
__________________
The only dumb question is a question not asked. The only dumb answer is an answer not given. |
|
|||
Quote:
Here is a list of netstat -an from the freebsd host system, connected to an openbsd computer with ssh -X running xclock fine, and connected to a jail 192.168.0.105 with ssh -X trying to run xclock with no success.
Code:
Active Internet connections (including servers)
Proto Recv-Q Send-Q Local Address Foreign Address (state)
tcp4 0 0 192.168.0.100.58068 192.168.0.103.22 ESTABLISHED
tcp4 0 0 192.168.0.105.6010 *.* LISTEN
tcp4 0 0 192.168.0.105.22 192.168.0.105.58498 ESTABLISHED
tcp4 0 0 192.168.0.105.58498 192.168.0.105.22 ESTABLISHED
tcp4 0 0 192.168.0.106.22 *.* LISTEN
tcp4 0 0 192.168.0.100.57103 91.197.164.3.80 ESTABLISHED
tcp6 0 0 *.* *.* CLOSED
tcp6 0 0 *.* *.* CLOSED
tcp6 0 0 *.* *.* CLOSED
tcp4 0 0 192.168.0.105.25 *.* LISTEN
tcp4 0 0 192.168.0.105.22 *.* LISTEN
tcp4 0 0 192.168.0.104.25 *.* LISTEN
tcp4 0 0 192.168.0.106.25 *.* LISTEN
tcp4 0 0 127.0.0.1.25 *.* LISTEN
tcp4 0 0 *.22 *.* LISTEN
tcp6 0 0 *.22 *.* LISTEN
tcp4 0 0 *.* *.* CLOSED
tcp46 0 0 *.80 *.* LISTEN
tcp46 0 0 *.3306 *.* LISTEN
tcp4 0 0 *.6000 *.* LISTEN
tcp6 0 0 *.6000 *.* LISTEN
udp4 0 0 192.168.0.105.514 *.*
udp4 0 0 192.168.0.104.514 *.*
udp4 0 0 192.168.0.106.514 *.*
udp4 0 0 *.514 *.*
udp6 0 0 *.514 *.*

Code:
Dell/unix:0 MIT-MAGIC-COOKIE-1 XXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
Dell/unix:10 MIT-MAGIC-COOKIE-1 XXXXXXXXXXXXXXXXXXXXXXXXXXXXXX

Code:
localhost.Barbar:10 MIT-MAGIC-COOKIE-1 ZZZZZZZZZZZZZZZZZZZZZZZZZZZ
localhost:10 MIT-MAGIC-COOKIE-1 ZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZ
Fujutsu.Barbar/unix:11 MIT-MAGIC-COOKIE-1 ZZZZZZZZZZZZZZZZZZZZZZZZZZ
Fujutsu.Barbar/unix:12 MIT-MAGIC-COOKIE-1 ZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZ
Fujutsu.Barbar/unix:0 MIT-MAGIC-COOKIE-1 ZZZZZZZZZZZZZZZZZZZZZZZZZZZ
localhost.Barbar:0 MIT-MAGIC-COOKIE-1 ZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZ
localhost:0 MIT-MAGIC-COOKIE-1 ZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZ
Fujutsu.Barbar/unix:10 MIT-MAGIC-COOKIE-1 ZZZZZZZZZZZZZZZZZZZZZZZZZZZZ

Code:
mywww/unix:11 MIT-MAGIC-COOKIE-1 YYYYYYYYYYYYYYYYYYYYYYYYYYY
mywww/unix:10 MIT-MAGIC-COOKIE-1 YYYYYYYYYYYYYYYYYYYYYYYYYYY

Code:
Dec 23 10:27:29 mywww syslogd: kernel boot file is /boot/kernel/kernel
Dec 23 10:27:30 mywww sm-mta[1488]: My unqualified host name (mywww) unknown; sleeping for retry
Dec 23 10:28:30 mywww sm-mta[1488]: unable to qualify my own domain name (mywww) -- using short name
Dec 23 10:28:30 mywww sm-msp-queue[1528]: My unqualified host name (mywww) unknown; sleeping for retry
Dec 23 10:29:30 mywww sm-msp-queue[1528]: unable to qualify my own domain name (mywww) -- using short name
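
Added example (not part of the thread or of OpenSSH): the reply above explains that the forwarded X port is bound either to 127.0.0.1:6010 or to *:6010, and the last post lists netstat -an output; this script classifies X11 listeners in such output by the address they are bound to. It assumes the default X11DisplayOffset of 10, and the function names and the 6000-6099 port window are choices made for this example.

```sh
#!/bin/sh
# Added example: classify X11 TCP listeners in BSD-style `netstat -an` output.
# Assumption: sshd runs with the default X11DisplayOffset of 10, so ports
# 6010 and up are ssh X11 proxies and 6000-6009 are real X servers.
# The 6000-6099 window is a heuristic chosen for this example.

classify_x11_listeners() {
    # stdin: netstat -an text; stdout: "<kind> <scope> <local-address>"
    awk '
    $1 ~ /^tcp/ && $NF == "LISTEN" {
        la = $4
        n = split(la, part, ".")
        if (part[n] !~ /^[0-9]+$/) next          # "*.*" has no port
        port = part[n] + 0
        if (port < 6000 || port > 6099) next
        addr = substr(la, 1, length(la) - length(part[n]) - 1)
        kind = (port >= 6010) ? "ssh-proxy" : "x-server"
        if (addr == "127.0.0.1" || addr == "::1") scope = "loopback"
        else if (addr == "*")                     scope = "all-interfaces"
        else                                      scope = "single-address"
        print kind, scope, la
    }'
}

count_exposed_proxies() {
    # Number of ssh X11 proxies bound to something other than loopback.
    classify_x11_listeners |
        awk '$1 == "ssh-proxy" && $2 != "loopback" { n++ } END { print n + 0 }'
}

sample_netstat() {
    # Lines 3 and 4 are constructed; the others are copied from the thread.
    cat <<'EOF'
tcp4 0 0 192.168.0.100.58068 192.168.0.103.22 ESTABLISHED
tcp4 0 0 192.168.0.105.6010 *.* LISTEN
tcp4 0 0 127.0.0.1.6010 *.* LISTEN
tcp4 0 0 *.6011 *.* LISTEN
tcp4 0 0 *.6000 *.* LISTEN
tcp4 0 0 192.168.0.105.22 *.* LISTEN
EOF
}

sample_netstat | classify_x11_listeners
echo "exposed ssh X11 proxies: $(sample_netstat | count_exposed_proxies)"
```

On a live system, pipe netstat -an into classify_x11_listeners instead of the sample. In the thread's listing the jail's proxy is reported as single-address (192.168.0.105.6010) although DISPLAY inside the jail was localhost:10.0.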