RE: RE : RE : X11Forwarding problem on Solaris.

Hi,
yes I can run:

hosta$ ssh -X hostb
hostb$ /usr/openwin/bin/xclock

xclock is displayed correctly.

The program I try to start when I get the X11Forwding problems is a
graphical user interface for an application which can be controlled though
command line to a certain degree.
The program is using the display environment variable. It works great when I
logon as the user who is owning the program´s executable file. It wont work
when I logon as any other user.

Below is ssh´s debug info.
First i use ssh to connect from node2 to node4 and then I start the PROGRAM
on node4.

node2:/home/myuser> ssh -Xv node4
OpenSSH_4.3p2, OpenSSL 0.9.8d 28 Sep 2006
debug1: Reading configuration data /usr/local/etc/ssh_config
debug1: Connecting to node4 [node4´s ipaddress] port 22.
debug1: Connection established.
debug1: identity file /home/myuser/.ssh/identity type -1
debug1: identity file /home/myuser/.ssh/id_rsa type -1
debug1: identity file /home/myuser/.ssh/id_dsa type -1
debug1: Remote protocol version 1.99, remote software version OpenSSH_4.3
debug1: match: OpenSSH_4.3 pat OpenSSH*
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_4.3
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: server->client aes128-cbc hmac-md5 none
debug1: kex: client->server aes128-cbc hmac-md5 none
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1024<1024<8192) sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
debug1: Host 'node4' is known and matches the RSA host key.
debug1: Found key in /home/myuser/.ssh/known_hosts:1
debug1: ssh_rsa_verify: signature correct
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: SSH2_MSG_SERVICE_REQUEST sent
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue:
publickey,password,keyboard-interactive
debug1: Next authentication method: publickey
debug1: Trying private key: /home/myuser/.ssh/identity
debug1: Trying private key: /home/myuser/.ssh/id_rsa
debug1: Trying private key: /home/myuser/.ssh/id_dsa
debug1: Next authentication method: keyboard-interactive
debug1: Authentications that can continue:
publickey,password,keyboard-interactive
debug1: Next authentication method: password
myuser@node4's password:
debug1: Authentication succeeded (password).
debug1: channel 0: new [client-session]
debug1: Entering interactive session.
debug1: Requesting X11 forwarding with authentication spoofing.
Last login: Mon May 7 15:20:11 2007 from node2
Oracle Home is set

node4:/home/myuser> PROGRAM ( ...starting program here... )
node4:/home/myuser> debug1: client_input_channel_open: ctype x11 rchan 2 win
65536 max 16384
debug1: client_request_x11: request from 127.0.0.1 43646
debug1: channel 1: new [x11]
debug1: confirm x11
debug1: client_input_channel_open: ctype x11 rchan 3 win 65536 max 16384
debug1: client_request_x11: request from 127.0.0.1 43647
debug1: channel 2: new [x11]
debug1: confirm x11
X11 connection rejected because of wrong authentication.
debug1: channel 2: free: x11, nchannels 3
node:/home/myuser>

Thanks


-----Original Message-----
From: Francois Bolduc [mailto:Francois.Bolduc@xxxxxxxxxxxxxx]
Sent: den 27 april 2007 20:33
To: secureshell@xxxxxxxxxxxxxxxxx
Subject: RE: RE : RE : X11Forwarding problem on Solaris.


Let's isolate SSH and X11 forwarding. Can you run:

hosta$ ssh -X hostb
hostb$ /usr/openwin/bin/xclock

If this works, can you give a sample of the command you run that fails, or
simply what the command is launching?
François Bolduc
Consultant
FUJITSU CONSEIL (Canada) inc.
Bureau : 613.238.2697
francois.bolduc@xxxxxxxxxxxxxx
From: Staffan Persson [mailto:s.persson@xxxxxxx]Sent: Wed 4/25/2007 1:47
PMTo: Francois Bolduc; secureshell@xxxxxxxxxxxxxxxxxxxxxxxx: RE: RE : RE :
X11Forwarding problem on Solaris.
Hi,
below is my answers on your questions.

Q. What does your sshd config look like?

A. My sshd_config file is stored in the following path:
/usr/local/etc

and the file´s content is:

Port 22
Protocol 2,1
HostKey /usr/local/etc/ssh_host_key
HostKey /usr/local/etc/ssh_host_rsa_key
HostKey /usr/local/etc/ssh_host_dsa_key
PermitRootLogin no
StrictMode no
RSAAuthentication yes
PubkeyAuthentication yes
AuthorizedKeysFile ssh/authorized_keys
PasswordAuthentication yes
PermitEmptyPasswords no
X11Forwarding yes
X11DisplayOffset 10
X11UseLocalhost yes
AcceptEnv yes
PermitUserEnvironment Yes
PermitTunnel yes
Subsystem sftp /usr/local/libexec/sftp-server


Q. Do you have any ssh_config files that might override global settings.
Look in $HOME/.ssh

A. I have a $HOME/.ssh directory and in that directory the file
"known_hosts" is stored.


Q. When X11 Forwarding is active you should also have a .Xauthority file
created in your $HOME on the remote system.

A. Yes, that is correct.



Q. The DISPLAY variable also gets set by the SSH daemon automatically using
the display offset set in the sshd_config. Are any of the ssh environment
variables set?

A. The following ssh environment variables is set:

$ set | egrep "DISPLAY|SSH"
DISPLAY=localhost:10.0
SSH_CLIENT='An_IP-Address-1 59129 22´
SSH_CONNECTION=''An_IP-Address-1 59129 An_IP-Address-2 22'
SSH_TTY=/dev/pts/3

I´ve noticed that I miss the env variable
SSH_AUTH_SOCK=/tmp/ssh-WIQT5070/agent.5070 that you have specified in the
mail below.

Thanks


-----Original Message-----
From: Francois Bolduc [mailto:Francois.Bolduc@xxxxxxxxxxxxxx]
Sent: den 24 april 2007 20:41
To: secureshell@xxxxxxxxxxxxxxxxx
Subject: RE : RE : X11Forwarding problem on Solaris.


What does your sshd config look like?

$ egrep -v "^#|^$" /etc/ssh/sshd_config

Do you have any ssh_config files that might override global settings. Look
in $HOME/.ssh

When X11 Forwarding is active you should also have a .Xauthority file
created in your $HOME on the remote system. The DISPLAY variable also gets
set by the SSH daemon automatically using the display offset set in the
sshd_config. Are any of the ssh environment variables set?
$ set | egrep "DISPLAY|SSH"
DISPLAY=localhost:10.0
SSH_AUTH_SOCK=/tmp/ssh-WIQT5070/agent.5070
SSH_CLIENT='192.197.1.19 28001 22'
SSH_CONNECTION='192.197.1.19 28001 192.168.0.22 22'
SSH_TTY=/dev/pts/2
$

François Bolduc
Consultant
FUJITSU CONSEIL (Canada) inc.
Bureau : 613.238.2697
francois.bolduc@xxxxxxxxxxxxxx

-------- Message d'origine--------
De: Staffan Persson [mailto:s.persson@xxxxxxx]
Date: mar. 4/24/2007 11:57
À: Francois Bolduc; secureshell@xxxxxxxxxxxxxxxxx
Objet : RE: RE : X11Forwarding problem on Solaris.

RE : X11Forwarding problem on Solaris.Hi,
no I do not switch user before calling the application. I use a user account
that normally can start the application when I logon to the specified node
with telnet. It is only when I use ssh that this problem occur.

Thanks
Staffan
-----Original Message-----
From: Francois Bolduc [mailto:Francois.Bolduc@xxxxxxxxxxxxxx]
Sent: den 23 april 2007 19:17
To: secureshell@xxxxxxxxxxxxxxxxx
Subject: RE : X11Forwarding problem on Solaris.


Are you switching users on the remote system with su or sudo before
calling the application?

François Bolduc
Consultant
FUJITSU CONSEIL (Canada) inc.
Bureau : 613.238.2697
francois.bolduc@xxxxxxxxxxxxxx

-------- Message d'origine--------
De: listbounce@xxxxxxxxxxxxxxxxx de la part de Staffan Persson
Date: sam. 4/21/2007 11:44
À: secureshell@xxxxxxxxxxxxxxxxx
Objet : X11Forwarding problem on Solaris.

Hi,
I have a X11 Forwarding problem with OpenSSH on Solaris. The problem occur
when I logon from one unix node to another using OpenSSH with the
following
command:

> ssh -X node2

And then when I try to start an application from node2 I almost
immediately
get the following error message:

X11 connection rejected because of wrong authentication.
X connection to localhost:10.0 broken (explicit kill or server shutdown).

The problem seem to occur when I am an ordinary user which is not the
owner
of the executable file I try to run. When I logon as the file owner then
everything works just fine.

I have configured OpenSSH to support X11Forwarding with the following
adjustments:

/usr/local/etc/ssh_config
ForwardX11 yes

/usr/local/etc/sshd_config
X11Forwarding yes

Do you know what may cause this problem and what I can do to solve it?

Thanks
Rickard

Relevant Pages

  • Update: Unable to login without password using ssh
    ... The permission on the .ssh directory was following ... I have other servers which are working. ... debug1: Rhosts Authentication disabled, originating port will not be trusted. ... debug1: sent kexinit: none ...
    (SunManagers)
  • Solaris->Fedora6 unidirectional problem
    ... I have a strange unsolved unidirectional problem using ssh from Solaris to Fedora6: ... I have a couple FC6 behind the Solaris boxes ... debug2: fd 4 setting O_NONBLOCK ... debug1: fd 4 clearing O_NONBLOCK ...
    (SSH)
  • [SLE] Slow SSH login
    ... A> ssh B ... second delay no matter the authentication mechanism ... debug1: Authentication succeeded. ...
    (SuSE)
  • UPDATE2: SSH problem to Solaris 10 : Resource temporarily unavailable]
    ... I truss-ed the client ssh call and managed to identify the exact ... debug1: Rhosts Authentication disabled, originating port will not be trusted. ... debug1: We proposed langtags, ctos: en-US ...
    (SunManagers)
  • RE: RE : RE : X11Forwarding problem on Solaris.
    ... Subject: RE: RE: X11Forwarding problem on Solaris. ... debug1: Connection established. ... debug1: Next authentication method: keyboard-interactive ...
    (SSH)