Re: X11 forwarding with SSH1 / SSH2

From: Thomas (nx10mail@yahoo.co.uk)
Date: 10 Feb 2003 13:07:44 -0800

Simon,

Thanks for the lucid response.

Simon Tatham <anakin@pobox.com> wrote in message news:<hAo*QzEKp@news.chiark.greenend.org.uk>...
> Thomas <nx10mail@yahoo.co.uk> wrote:
> > The happy sshd seems to be running SSH1 - telnet happy 22 gives
> > SSH-1.99-OpenSSH_2.2.0p1
>
> You're misunderstanding this.
> `1.99' is a special version
> announcement which means `I am willing to speak either SSH1 or SSH2,
> tell me in your response which one you want'. If it announced
> SSH-2.0 then it wouldn't be willing to speak SSH1, whereas if it
> announced SSH-1.5 it wouldn't be willing to speak SSH2.

OK, thanks.

> > Using DSA auth instead mysteriously no longer requires the -1 switch
> > (even though .ssh/config is removed)
>
> You've generated an SSH1 RSA key and an SSH2 DSA key. So to get the
> former to work you need -1 (since SSH1 and SSH2 RSA keys are not
> generally interchangeable), but for the latter the default of SSH2
> is fine.
>
> You could generate an _SSH2_ RSA key, if happy was running a later
> sshd. OpenSSH 2.2.0 doesn't support RSA in SSH2, because at the time
> it was released the SSH2 protocol drafts hadn't been updated to
> include it yet.

Should I therefore stick with DSA SSH2 auth? It's a secured network,
behind a firewall, so RSARhostsAuthentication would be secure enough -
would this be simpler? I'd be grateful for any links to learn to set
this up.

> As for your X11 problem: what form of X11 authentication are you
> using locally? Or remotely?

Dunno. How do I tell?

> Try running the commands
>
> echo $DISPLAY
> xauth list
>
> The xauth command might very well list a whole load of stuff, so you
> need to pick out the lines that correspond to the value of $DISPLAY.
> (This isn't quite as easy as just running `xauth list $DISPLAY',
> unfortunately, because various displays such as `localhost:0' and
> `unix:0' and `:0' are synonymous.)
>
> If you run those commands on both the SSH client and SSH server
> machines, what do you see?

=== client (growl) ===
[thomasn@growl thomasn]$ echo $DISPLAY
:0
[thomasn@growl thomasn]$ xauth list
growl:0 MIT-MAGIC-COOKIE-1 5c0e16722c64033441707e3d043e3736
growl/unix:0 MIT-MAGIC-COOKIE-1 5c0e16722c64033441707e3d043e3736
growl/unix:10 MIT-MAGIC-COOKIE-1 ee54b89aa38721b14a27ba762d92c5d9
[thomasn@growl thomasn]$

=== server (happy) -- using ssh happy from growl ===

[thomasn@happy thomasn]$ echo $DISPLAY
happy:10.0
[thomasn@happy thomasn]$ xauth list
[thomasn@happy thomasn]$

What else can I try? I have this working fine with another server - I
can run
growl: ssh -X -C -f romeo xemacs
using password login and xemacs works fine. I can even execute a
shell...

Disabling all identities on growl, forcing password-based login, the
same command from growl to happy gives
X11 connection rejected because of wrong authentication.

So it doesn't appear to be an auth key problem. The only docs I can
find for using X11 over SSH - e.g.
http://www.uwsg.iu.edu/security/ssh.html
- imply that the xauth handling is transparent to the user. What am I
doing wrong? Is the "wrong authentication" message actually about
xauth cookies? Any pointers to docs I should read would be very
welcome.

Thanks,
Thomas.

PS: PuTTY is utterly marvellous and one of my few essential pieces of
kit - thank you so much for distributing it.
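The part of Simon's advice that is fiddly to do by hand is matching the entries of `xauth list` against `$DISPLAY`, because `growl:0`, `growl/unix:0`, `localhost:0`, `unix:0` and `:0` all name the same local display. The script below is an added example, not code from the thread or from PuTTY or OpenSSH. It normalises display names, picks out the cookies that apply to a given `$DISPLAY`, and reports the situation the post shows on the server (`DISPLAY=happy:10.0` but an empty `xauth list`), which is exactly the case in which the X server rejects the forwarded connection for lack of a cookie. The sample `xauth list` output is the client listing quoted in the post; the hostnames `growl` and `happy` are taken from the post as well.

```python
"""Match `xauth list` entries against $DISPLAY, treating synonymous
display names as equivalent. Added example, not part of the original post."""
import re

# Client listing quoted in the post (growl); the server listing (happy)
# was empty, which is the condition being diagnosed.
CLIENT_XAUTH = """\
growl:0 MIT-MAGIC-COOKIE-1 5c0e16722c64033441707e3d043e3736
growl/unix:0 MIT-MAGIC-COOKIE-1 5c0e16722c64033441707e3d043e3736
growl/unix:10 MIT-MAGIC-COOKIE-1 ee54b89aa38721b14a27ba762d92c5d9
"""
SERVER_XAUTH = ""

_DISPLAY_RE = re.compile(r"(?P<host>[^:]*):(?P<num>\d+)(?:\.\d+)?")


def canonical_display(display, local_host=""):
    """Reduce a display name to (host, number).

    The ".screen" suffix is dropped (happy:10.0 -> happy:10), "host/unix"
    means the local Unix-domain socket on that host, and the spellings
    "", "unix", "localhost" and the local hostname all mean "this machine",
    represented here as host == "".
    """
    m = _DISPLAY_RE.fullmatch(display.strip())
    if not m:
        raise ValueError("not an X display name: %r" % display)
    host = m.group("host")
    if host.endswith("/unix"):
        host = host[: -len("/unix")]
    if host in ("", "unix", "localhost") or host == local_host:
        host = ""
    return host, int(m.group("num"))


def parse_xauth_list(text):
    """Parse `xauth list` output: one 'display protocol hexcookie' per line."""
    entries = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue  # skip prompts, blank lines and anything malformed
        entries.append({"display": parts[0], "proto": parts[1], "cookie": parts[2]})
    return entries


def cookies_for_display(display, xauth_output, local_host=""):
    """Return the xauth entries whose display is synonymous with `display`."""
    target = canonical_display(display, local_host)
    return [
        e for e in parse_xauth_list(xauth_output)
        if canonical_display(e["display"], local_host) == target
    ]


def diagnose(display, xauth_output, local_host=""):
    """One-line verdict: is there a cookie the X client could present?"""
    hits = cookies_for_display(display, xauth_output, local_host)
    if not hits:
        return ("no cookie for %s on %s: the X server will reject the "
                "connection (\"wrong authentication\")" % (display, local_host or "this host"))
    protos = sorted({e["proto"] for e in hits})
    return "%d matching entr%s for %s (%s)" % (
        len(hits), "y" if len(hits) == 1 else "ies", display, ", ".join(protos))


if __name__ == "__main__":
    # Reproduce the two checks from the post.
    print("growl:", diagnose(":0", CLIENT_XAUTH, "growl"))
    print("happy:", diagnose("happy:10.0", SERVER_XAUTH, "happy"))
```

Run on the post's data it reports two matching entries on growl for `:0` and no cookie at all on happy for `happy:10.0`, which is why the forwarded X connection from happy fails while the one from romeo works. In a real session the two listings would come from `echo $DISPLAY` and `xauth list` on each machine, as Simon suggests.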


