I've been making heavy use of X11 xauth forwarding.
However, I'm finding that while I can (mostly?) reliably forward xauth data and $DISPLAY from an RHEL 3 host to AIX 5.1, Solaris 8 and others, it only works with Fedora Core 2 and Fedora Core 3 -some- of the time.
In general, if I ssh -X enough times with an FC[23] system, eventually I get good X11 forwarding (it seems to help to leave previous, failed sessions open), but it seems to take from 2 to 6 iterations to get it to forward - doing the -same- thing each time.
I tried turning off iptables on the FC[23] sshd servers, but that didn't help.
I'm using "ssh -X -A". RHEL 3's ssh client doesn't appear to support -Y yet.
Any suggestions for me?
Thanks!
On Wed, 08 Dec 2004 10:14:08 -0800, Dan Stromberg strombrg@dcs.nac.uci.edu wrote:
However, I'm finding that while I can (mostly?) reliably forward xauth data and $DISPLAY from an RHEL 3 host to AIX 5.1, Solaris 8 and others, it only works with Fedora Core 2 and Fedora Core 3 -some- of the time.
Is your FC3 system the ssh client or the ssh server?
Have you tried using the -v option to ssh? Or multiple -v -v -v options to get even more verbose output.
In what manner does it "not work"? Does the ssh itself fail to connect? Is the DISPLAY not getting set? Do the windows just never appear? Or is there an actual X11 protocol error someplace? Please provide more details.
I tried turning off iptables on the FC[23] sshd servers, but that didn't help.
Typically, X forwarding uses Unix domain sockets on the ssh-server side. That of course depends upon the OS and the sshd.config options. And the X messages are themselves tunneled through the ssh connection (port 22). On the client (X server) side you just need to allow loopback traffic.
I'm using "ssh -X -A". RHEL 3's ssh client doesn't appear to support -Y yet.
The -Y (ForwardX11Trusted) option is only needed on the ssh client (the box running the X server). And then it's only needed if the X server supports untrusted cookie authentication. I don't think that RHEL 3 needs that; and so -Y should not be needed there.
You may be interested in looking at bug 138617 for some more insight into -Y and what it means: https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=138617
Of course you could always try compiling a new ssh from the official sources (see http://www.openssh.org/).
On Wed, 2004-12-08 at 21:47 -0500, Deron Meranda wrote:
On Wed, 08 Dec 2004 10:14:08 -0800, Dan Stromberg strombrg@dcs.nac.uci.edu wrote:
However, I'm finding that while I can (mostly?) reliably forward xauth data and $DISPLAY from an RHEL 3 host to AIX 5.1, Solaris 8 and others, it only works with Fedora Core 2 and Fedora Core 3 -some- of the time.
Is your FC3 system the ssh client or the ssh server?
The FC3 host is the sshd server. Same for FC2: the sshd server.
Have you tried using the -v option to ssh? Or multiple -v -v -v options to get even more verbose output.
Yes. It seems to say everything is fine, but then it still doesn't work most of the time.
In what manner does it "not work"? Does the ssh itself fail to connect? Is the DISPLAY not getting set? Do the windows just never appear? Or is there an actual X11 protocol error someplace? Please provide more details.
As suggested above:
$DISPLAY is set.
xauth in some form or other is getting passed.
I didn't previously mention:
I can telnet to the port that $DISPLAY indicates: n+6000. The connection is accepted.
However over half the time:
tesuji-strombrg> xterm
X connection to tesuji.nac.uci.edu:12.0 broken (explicit kill or server shutdown).
Yes, I have X11UseLocalhost=no. This makes it easier to pass xauth creds across su/gsu/sudo.
Thanks!
On Wed, 2004-12-08 at 21:49 -0800, Dan Stromberg wrote:
The FC3 host is the sshd server. Same for FC2: the sshd server.
<snip>
Yes. It seems to say everything is fine, but then it still doesn't work most of the time.
<snip>
tesuji-strombrg> xterm
X connection to tesuji.nac.uci.edu:12.0 broken (explicit kill or server shutdown).
I'm late to this thread, so maybe I missed this, but are you sure X forwarding is enabled for the FC3 server? The default behavior changed from FC2 to FC3 WRT X forwarding in openssh.
http://download.fedora.redhat.com/pub/fedora/linux/core/3/i386/os/RELEASE-NO...
HTH,
On Thu, 2004-12-09 at 09:29 -0500, Craig Thomas wrote:
On Wed, 2004-12-08 at 21:49 -0800, Dan Stromberg wrote:
The FC3 host is the sshd server. Same for FC2: the sshd server.
<snip>
Yes. It seems to say everything is fine, but then it still doesn't work most of the time.
<snip>
tesuji-strombrg> xterm
X connection to tesuji.nac.uci.edu:12.0 broken (explicit kill or server shutdown).
I'm late to this thread, so maybe I missed this, but are you sure X forwarding is enabled for the FC3 server? The default behavior changed from FC2 to FC3 WRT X forwarding in openssh.
http://download.fedora.redhat.com/pub/fedora/linux/core/3/i386/os/RELEASE-NO...
Thanks for the tip. Does it appear that this is saying that FC3's client-side ssh behavior changed?
I'm ssh'ing from RHEL 3 to FC2 and FC3, and having problems with that. RHEL 3 doesn't seem to have the new -X behavior yet.
HTH,
-- Craig Thomas cjtinhp@optonline.net
I finally got annoyed enough with that "X tunneling doesn't work with an FC[23] ssh server -sometimes-" problem to track down its source.
It appears that sometimes FC3's (and probably FC2's) sshd will only attempt to set up X11 tunneling on IPV6, instead of both IPV[46].
This seems to work around it well enough for the time being:
1) Put "OPTIONS=-4" in /etc/sysconfig/sshd
2) Run "service restart sshd"
A more long-term solution -might- be to rebuild sshd with "--with-4in6".
On Mon, 2004-12-13 at 14:07 -0800, Dan Stromberg wrote:
On Thu, 2004-12-09 at 09:29 -0500, Craig Thomas wrote:
On Wed, 2004-12-08 at 21:49 -0800, Dan Stromberg wrote:
The FC3 host is the sshd server. Same for FC2: the sshd server.
<snip>
Yes. It seems to say everything is fine, but then it still doesn't work most of the time.
<snip>
tesuji-strombrg> xterm
X connection to tesuji.nac.uci.edu:12.0 broken (explicit kill or server shutdown).
I'm late to this thread, so maybe I missed this, but are you sure X forwarding is enabled for the FC3 server? The default behavior changed from FC2 to FC3 WRT X forwarding in openssh.
http://download.fedora.redhat.com/pub/fedora/linux/core/3/i386/os/RELEASE-NO...
Thanks for the tip. Does it appear that this is saying that FC3's client-side ssh behavior changed?
I'm ssh'ing from RHEL 3 to FC2 and FC3, and having problems with that. RHEL 3 doesn't seem to have the new -X behavior yet.
HTH,
-- Craig Thomas cjtinhp@optonline.net
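A check for the condition reported at the end of the thread (the X11 forwarding listener present only on IPv6), added here as an example and not part of the original messages: it classifies the listeners on port 6000+n from `netstat -ltn` output and also reports whether any of them is bound beyond loopback, which is what X11UseLocalhost=no changes. The function name `x11_listeners` and the sample lines are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): classify the TCP listeners behind a
# forwarded X11 display. Reads `netstat -ltn`-style lines on stdin and
# prints "<families> <scope>" for port 6000 + display number.
x11_listeners() {
    port=$((6000 + $1))
    awk -v port="$port" '
        /LISTEN/ {
            for (i = 1; i <= NF; i++) {
                if ($i !~ (":" port "$")) continue
                addr = $i
                sub(":" port "$", "", addr)   # strip the :port suffix
                gsub(/\[/, "", addr)          # strip ss-style [brackets]
                gsub(/\]/, "", addr)
                if (index(addr, ":"))
                    v6 = 1
                else
                    v4 = 1
                if (addr != "127.0.0.1" && addr != "::1") exposed = 1
                break
            }
        }
        END {
            fam = (v4 && v6) ? "both" : (v4 ? "ipv4" : (v6 ? "ipv6" : "none"))
            scope = (fam == "none") ? "-" : (exposed ? "non-loopback" : "loopback")
            print fam, scope
        }'
}

# Constructed sample: display :12 (as in the thread) with an IPv6-only listener.
SAMPLE_V6_ONLY='tcp   0  0 0.0.0.0:22   0.0.0.0:*  LISTEN
tcp6  0  0 :::22        :::*       LISTEN
tcp6  0  0 :::6012      :::*       LISTEN'

# Constructed sample: display :10 bound to loopback on both families.
SAMPLE_LOOPBACK='tcp   0  0 127.0.0.1:6010  0.0.0.0:*  LISTEN
tcp6  0  0 ::1:6010        :::*       LISTEN'

printf '%s\n' "$SAMPLE_V6_ONLY"  | x11_listeners 12   # ipv6 non-loopback
printf '%s\n' "$SAMPLE_LOOPBACK" | x11_listeners 10   # both loopback
```

On the sshd host, pipe the output of `netstat -ltn` into the function with the display number taken from $DISPLAY in the affected session.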