
Re: [OCLUG-Tech] ssh, X11 forwarding not working (CentOS 6.3) [SOLVED]

  • From: Steve La Rocque <slarocque [ at ] gmail [ dot ] com>
  • Date: Tue, 02 Oct 2012 12:22:55 -0400

Solved.

Ultimately, I tried this from another machine running Fedora 17 and
there was a different error message:

    X11 forwarding request failed on channel 0

This led me to https://gist.github.com/1324845 and
http://forums.fedoraforum.org/showthread.php?t=270333 which revealed
that for some reason, if you have IPv6 disabled, then sshd will have
this kind of symptom unless you explicitly tell sshd to only listen to IPv4.

This I did by adding the following line to /etc/ssh/sshd_config on dz
and restarting sshd:

    AddressFamily inet

(the default is "any").

I don't think sshd should have this effect on IPv4 connections just
because IPv6 is disabled on the machine, but perhaps there is some
subtle reason it must be so.

Cheers,
-Steve



On 02/10/12 11:58 AM, Steve La Rocque wrote:
> Yep, that's set.
>
>     [root@dz ~]# grep -i X11Forwarding /etc/ssh/sshd_config
>     #X11Forwarding no
>     X11Forwarding yes
>     #    X11Forwarding no
>     [root@dz ~]#
>
>
>
> On 02/10/12 11:57 AM, Martin Hicks wrote:
>> check that /etc/ssh/sshd_config has "X11Forwarding yes" set.
>>
>> mh
>>
>> On Tue, Oct 2, 2012 at 11:48 AM, Steve La Rocque <slarocque [ at ] gmail [ dot ] com> wrote:
>>
>>     Hi everyone.  For years, I've been using ssh -X just fine to connect to
>>     our various remote machines and interact with X applications on the
>>     remote machines via the display in front of me, but recently I installed
>>     a fresh CentOS 6.3 x64 on real hardware and it isn't working.  The
>>     DISPLAY environment variable is never populated on the connected session
>>     and even manually setting it fails.
>>
>>     "hope" is my local machine, "dy" is an established CentOS 5.x machine
>>     that works fine and "dz" is the problematic one.
>>
>>     dz was installed with "X Windows System" and indeed on the console, X
>>     works just fine and I have a Gnome desktop too.
>>
>>         [larocque@hope ~]$ echo $DISPLAY
>>         :0
>>         [larocque@hope ~]$
>>         [larocque@hope ~]$ ssh -Xvv root@dz.cms.math.ca
>>         OpenSSH_5.6p1, OpenSSL 1.0.0j-fips 10 May 2012
>>         debug1: Reading configuration data /home/larocque/.ssh/config
>>         debug1: Reading configuration data /etc/ssh/ssh_config
>>         debug1: Applying options for *
>>         debug2: ssh_connect: needpriv 0
>>         debug1: Connecting to dz.cms.math.ca [10.5.7.201] port 22.
>>         debug1: Connection established.
>>         debug1: identity file /home/larocque/.ssh/id_rsa type -1
>>         debug1: identity file /home/larocque/.ssh/id_rsa-cert type -1
>>         debug1: identity file /home/larocque/.ssh/id_dsa type -1
>>         debug1: identity file /home/larocque/.ssh/id_dsa-cert type -1
>>         debug1: Remote protocol version 2.0, remote software version OpenSSH_5.3
>>         debug1: match: OpenSSH_5.3 pat OpenSSH*
>>         debug1: Enabling compatibility mode for protocol 2.0
>>         debug1: Local version string SSH-2.0-OpenSSH_5.6
>>         debug2: fd 3 setting O_NONBLOCK
>>         debug1: SSH2_MSG_KEXINIT sent
>>         debug1: SSH2_MSG_KEXINIT received
>>         debug2: kex_parse_kexinit: diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
>>         debug2: kex_parse_kexinit: ssh-rsa-cert-v01@openssh.com,ssh-dss-cert-v01@openssh.com,ssh-rsa-cert-v00@openssh.com,ssh-dss-cert-v00@openssh.com,ssh-rsa,ssh-dss
>>         debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-cbc@lysator.liu.se
>>         debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-cbc@lysator.liu.se
>>         debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
>>         debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
>>         debug2: kex_parse_kexinit: none,zlib@openssh.com,zlib
>>         debug2: kex_parse_kexinit: none,zlib@openssh.com,zlib
>>         debug2: kex_parse_kexinit:
>>         debug2: kex_parse_kexinit:
>>         debug2: kex_parse_kexinit: first_kex_follows 0
>>         debug2: kex_parse_kexinit: reserved 0
>>         debug2: kex_parse_kexinit: diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
>>         debug2: kex_parse_kexinit: ssh-rsa,ssh-dss
>>         debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-cbc@lysator.liu.se
>>         debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-cbc@lysator.liu.se
>>         debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
>>         debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
>>         debug2: kex_parse_kexinit: none,zlib@openssh.com
>>         debug2: kex_parse_kexinit: none,zlib@openssh.com
>>         debug2: kex_parse_kexinit:
>>         debug2: kex_parse_kexinit:
>>         debug2: kex_parse_kexinit: first_kex_follows 0
>>         debug2: kex_parse_kexinit: reserved 0
>>         debug2: mac_setup: found hmac-md5
>>         debug1: kex: server->client aes128-ctr hmac-md5 none
>>         debug2: mac_setup: found hmac-md5
>>         debug1: kex: client->server aes128-ctr hmac-md5 none
>>         debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1024<1024<8192) sent
>>         debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
>>         debug2: dh_gen_key: priv key bits set: 129/256
>>         debug2: bits set: 513/1024
>>         debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
>>         debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
>>         debug1: Host 'dz.cms.math.ca' is known and matches the RSA host key.
>>         debug1: Found key in /home/larocque/.ssh/known_hosts:153
>>         debug2: bits set: 533/1024
>>         debug1: ssh_rsa_verify: signature correct
>>         debug2: kex_derive_keys
>>         debug2: set_newkeys: mode 1
>>         debug1: SSH2_MSG_NEWKEYS sent
>>         debug1: expecting SSH2_MSG_NEWKEYS
>>         debug2: set_newkeys: mode 0
>>         debug1: SSH2_MSG_NEWKEYS received
>>         debug1: Roaming not allowed by server
>>         debug1: SSH2_MSG_SERVICE_REQUEST sent
>>         debug2: service_accept: ssh-userauth
>>         debug1: SSH2_MSG_SERVICE_ACCEPT received
>>         debug2: key: general ssh key for larocque at CMS (larocque [ at ] cms [ dot ] math [ dot ] ca) (0x7f599d07efb0)
>>         debug2: key: /home/larocque/.ssh/id_rsa ((nil))
>>         debug2: key: /home/larocque/.ssh/id_dsa ((nil))
>>         debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic,password
>>         debug1: Next authentication method: gssapi-keyex
>>         debug1: No valid Key exchange context
>>         debug2: we did not send a packet, disable method
>>         debug1: Next authentication method: gssapi-with-mic
>>         debug1: Unspecified GSS failure.  Minor code may provide more information
>>         Credentials cache file '/tmp/krb5cc_500' not found
>>
>>         debug1: Unspecified GSS failure.  Minor code may provide more information
>>         Credentials cache file '/tmp/krb5cc_500' not found
>>
>>         debug1: Unspecified GSS failure.  Minor code may provide more information
>>
>>
>>         debug1: Unspecified GSS failure.  Minor code may provide more information
>>
>>
>>         debug2: we did not send a packet, disable method
>>         debug1: Next authentication method: publickey
>>         debug1: Offering RSA public key: general ssh key for larocque at CMS (larocque [ at ] cms [ dot ] math [ dot ] ca)
>>         debug2: we sent a publickey packet, wait for reply
>>         debug1: Server accepts key: pkalg ssh-rsa blen 646
>>         debug2: input_userauth_pk_ok: SHA1 fp 9c:0c:da:c8:f0:4f:64:cd:59:27:d3:3f:a4:72:c2:fd:cc:63:9b:83
>>         debug1: Authentication succeeded (publickey).
>>         Authenticated to dz.cms.math.ca ([10.5.7.201]:22).
>>         debug1: channel 0: new [client-session]
>>         debug2: channel 0: send open
>>         debug1: Requesting no-more-sessions@openssh.com
>>         debug1: Entering interactive session.
>>         debug2: callback start
>>         debug2: x11_get_proto: /usr/bin/xauth  list :0 2>/dev/null
>>         debug1: Requesting X11 forwarding with authentication spoofing.
>>         debug2: channel 0: request x11-req confirm 0
>>         debug2: client_session2_setup: id 0
>>         debug2: channel 0: request pty-req confirm 1
>>         debug1: Sending environment.
>>         debug1: Sending env XMODIFIERS = @im=none
>>         debug2: channel 0: request env confirm 0
>>         debug1: Sending env LANG = en_CA.utf8
>>         debug2: channel 0: request env confirm 0
>>         debug2: channel 0: request shell confirm 1
>>         debug2: fd 3 setting TCP_NODELAY
>>         debug2: callback done
>>         debug2: channel 0: open confirm rwindow 0 rmax 32768
>>         debug2: channel_input_status_confirm: type 99 id 0
>>         debug2: PTY allocation request accepted on channel 0
>>         debug2: channel 0: rcvd adjust 2097152
>>         debug2: channel_input_status_confirm: type 99 id 0
>>         debug2: shell request accepted on channel 0
>>         Last login: Tue Oct  2 11:40:38 2012 from hope.ott.cms
>>         [root@dz ~]#
>>         [root@dz ~]#
>>         [root@dz ~]#
>>         [root@dz ~]#
>>         [root@dz ~]# echo $DISPLAY
>>
>>         [root@dz ~]# xclock
>>         Error: Can't open display:
>>         [root@dz ~]#
>>         [root@dz ~]#
>>         [root@dz ~]#
>>         [root@dz ~]#
>>         [root@dz ~]# grep X /etc/ssh/*_config
>>         /etc/ssh/ssh_config:#   ForwardX11 no
>>         /etc/ssh/ssh_config:# If this option is set to yes then remote X11 clients will have full access
>>         /etc/ssh/ssh_config:# to the original X11 display. As virtually no X11 client supports the untrusted
>>         /etc/ssh/ssh_config:    ForwardX11Trusted yes
>>         /etc/ssh/ssh_config:    SendEnv XMODIFIERS
>>         /etc/ssh/sshd_config:AcceptEnv XMODIFIERS
>>         /etc/ssh/sshd_config:#X11Forwarding no
>>         /etc/ssh/sshd_config:X11Forwarding yes
>>         /etc/ssh/sshd_config:#X11DisplayOffset 10
>>         /etc/ssh/sshd_config:#X11UseLocalhost yes
>>         /etc/ssh/sshd_config:#    X11Forwarding no
>>         [root@dz ~]#
>>         [root@dz ~]#
>>         [root@dz ~]#
>>         [root@dz ~]# rpm -qa|grep -i x11|sort
>>         ConsoleKit-x11-0.4.1-3.el6.x86_64
>>         dbus-x11-1.2.24-7.el6_3.x86_64
>>         libX11-1.3-2.el6.x86_64
>>         libX11-common-1.3-2.el6.noarch
>>         pulseaudio-module-x11-0.9.21-14.el6_3.x86_64
>>         qt-x11-4.6.2-24.el6.x86_64
>>         xorg-x11-apps-7.4-10.el6.x86_64
>>         xorg-x11-drivers-7.3-13.3.el6.x86_64
>>         xorg-x11-drv-acecad-1.5.0-3.el6.x86_64
>>         xorg-x11-drv-aiptek-1.4.1-2.el6.x86_64
>>         xorg-x11-drv-apm-1.2.3-2.el6.x86_64
>>         xorg-x11-drv-ast-0.91.10-1.el6.x86_64
>>         xorg-x11-drv-ati-6.14.2-9.el6.x86_64
>>         xorg-x11-drv-ati-firmware-6.14.2-9.el6.noarch
>>         xorg-x11-drv-cirrus-1.3.2-2.el6.x86_64
>>         xorg-x11-drv-dummy-0.3.4-1.el6.x86_64
>>         xorg-x11-drv-elographics-1.3.0-2.el6.x86_64
>>         xorg-x11-drv-evdev-2.6.0-2.el6.x86_64
>>         xorg-x11-drv-fbdev-0.4.2-2.el6.x86_64
>>         xorg-x11-drv-fpit-1.4.0-2.el6.x86_64
>>         xorg-x11-drv-glint-1.2.5-1.el6.x86_64
>>         xorg-x11-drv-hyperpen-1.4.1-2.el6.x86_64
>>         xorg-x11-drv-i128-1.3.4-1.el6.x86_64
>>         xorg-x11-drv-i740-1.3.2-2.el6.x86_64
>>         xorg-x11-drv-intel-2.16.0-4.el6.x86_64
>>         xorg-x11-drv-keyboard-1.6.0-1.el6.x86_64
>>         xorg-x11-drv-mach64-6.9.0-1.el6.x86_64
>>         xorg-x11-drv-mga-1.4.13-7.el6.x86_64
>>         xorg-x11-drv-mouse-1.7.0-4.el6.x86_64
>>         xorg-x11-drv-mutouch-1.3.0-2.el6.x86_64
>>         xorg-x11-drv-nouveau-0.0.16-13.20110719gitde9d1ba.el6.x86_64
>>         xorg-x11-drv-nv-2.1.18-2.el6.x86_64
>>         xorg-x11-drv-openchrome-0.2.904-4.el6.x86_64
>>         xorg-x11-drv-penmount-1.5.0-2.el6.x86_64
>>         xorg-x11-drv-qxl-0.0.14-13.el6_2.x86_64
>>         xorg-x11-drv-r128-6.8.1-3.el6.x86_64
>>         xorg-x11-drv-rendition-4.2.4-1.el6.x86_64
>>         xorg-x11-drv-s3virge-1.10.4-2.el6.x86_64
>>         xorg-x11-drv-savage-2.3.2-1.el6.x86_64
>>         xorg-x11-drv-siliconmotion-1.7.5-1.el6.x86_64
>>         xorg-x11-drv-sis-0.10.3-1.el6.x86_64
>>         xorg-x11-drv-sisusb-0.9.4-1.el6.x86_64
>>         xorg-x11-drv-synaptics-1.4.1-3.el6.x86_64
>>         xorg-x11-drv-tdfx-1.4.3-2.el6.x86_64
>>         xorg-x11-drv-trident-1.3.4-1.el6.x86_64
>>         xorg-x11-drv-v4l-0.2.0-4.el6.x86_64
>>         xorg-x11-drv-vesa-2.3.0-2.el6.x86_64
>>         xorg-x11-drv-vmmouse-12.7.0-1.el6.x86_64
>>         xorg-x11-drv-vmware-11.0.3-1.el6.x86_64
>>         xorg-x11-drv-void-1.4.0-1.el6.x86_64
>>         xorg-x11-drv-voodoo-1.2.4-1.el6.x86_64
>>         xorg-x11-drv-wacom-0.13.0-6.el6.x86_64
>>         xorg-x11-drv-xgi-1.6.0-11.el6.x86_64
>>         xorg-x11-font-utils-7.2-11.el6.x86_64
>>         xorg-x11-server-common-1.10.6-1.el6.centos.x86_64
>>         xorg-x11-server-utils-7.5-5.2.el6.x86_64
>>         xorg-x11-server-Xorg-1.10.6-1.el6.centos.x86_64
>>         xorg-x11-utils-7.4-8.el6.x86_64
>>         xorg-x11-xauth-1.0.2-7.1.el6.x86_64
>>         xorg-x11-xinit-1.0.9-13.el6.x86_64
>>         xorg-x11-xkb-utils-7.4-6.el6.x86_64
>>         [root@dz ~]#
>>
>>
>>     Oddly, as you can see above, SSH seems to properly negotiate the X11
>>     Forwarding, yet I still have no DISPLAY.  I compared the ssh -vv output
>>     between hope and dy to the one shown above between hope and dz and they
>>     match very closely, but only the dy destination actually gives me the
>>     DISPLAY setting and properly forwards X11.
>>
>>     I tried "ssh -Y" rather than "ssh -X" but got the same symptom.
>>
>>     I also tried clearing IP tables entirely.
>>
>>
>>     What should I try next, oh wizards?
>>
>>     -Steve
>>
>> -- 
>> Martin Hicks P.Eng.      |         mort [ at ] bork [ dot ] org
>> Bork Consulting Inc.     |   +1 (613) 266-2296
>
>
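
The check implied by the fix at the top of this thread, as an added shell example that is not part of the original messages: it reads the global X11Forwarding and AddressFamily values from an sshd_config and flags the combination reported here (IPv6 disabled, AddressFamily left at "any"). The function names, verdict strings and sample config are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the original thread.

# Print the effective global value of an sshd_config keyword. sshd keeps the
# first value it reads for a keyword and keywords are case-insensitive;
# parsing stops at the first Match block (AddressFamily is global-only).
sshd_opt() {  # usage: sshd_opt <keyword> <default> <config-file>
    awk -v key="$1" -v def="$2" '
        BEGIN { key = tolower(key) }
        /^[ \t]*#/ { next }                       # skip comment lines
        tolower($1) == "match" { exit }           # end of global section
        tolower($1) == key { print tolower($2); found = 1; exit }
        END { if (!found) print def }
    ' "$3"
}

# Succeeds if IPv6 is off on this Linux host: the ipv6 stack is absent
# (no /proc/net/if_inet6) or the disable_ipv6 sysctl is set to 1.
ipv6_disabled() {
    [ -e /proc/net/if_inet6 ] || return 0
    [ "$(cat /proc/sys/net/ipv6/conf/all/disable_ipv6 2>/dev/null)" = "1" ]
}

# usage: check_x11_forwarding <config-file> <enabled|disabled>
# The second argument is the host's IPv6 state, passed in so the check can
# also be run against a config copied from another machine.
check_x11_forwarding() {
    x11=$(sshd_opt X11Forwarding no "$1")
    af=$(sshd_opt AddressFamily any "$1")
    if [ "$x11" != "yes" ]; then
        echo "x11-forwarding-off"
    elif [ "$2" = "disabled" ] && [ "$af" != "inet" ]; then
        echo "set-addressfamily-inet"      # the condition found on dz
    else
        echo "ok"
    fi
}

# Constructed sample: the X11 lines from dz's grep output, no AddressFamily.
sample=$(mktemp)
printf '%s\n' '#X11Forwarding no' 'X11Forwarding yes' '#    X11Forwarding no' > "$sample"
echo "before fix: $(check_x11_forwarding "$sample" disabled)"
echo 'AddressFamily inet' >> "$sample"
echo "after fix:  $(check_x11_forwarding "$sample" disabled)"
rm -f "$sample"
```

On a live host, pass `/etc/ssh/sshd_config` as the file and `disabled` or `enabled` according to the exit status of `ipv6_disabled`.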