X11 display forwarding


I'm having a bit of trouble with X11 display forwarding. This started
when I upgraded to OpenSSH 4.3p1. I've read the FAQ and I know about
the usual problem when upgrading involving ForwardX11Trusted. This is
how I have my config's set:

/etc/ssh/ssh_config: ForwardAgent yes
/etc/ssh/ssh_config: ForwardX11 yes
/etc/ssh/ssh_config: ForwardX11Trusted yes

/etc/ssh/sshd_config: X11Forwarding yes
/etc/ssh/sshd_config: X11UseLocalhost no

The error message I get is:

X11 connection rejected because of wrong authentication.
X connection to myfirewall.mydom.com:11.1 broken \
(explicit kill or server shutdown).

I launch apps in one of two ways.

ssh myfirewall.mydom.com -f 'ssh otherhost.mydom.com xterm'


ssh myfirewall.mydom.com -f xterm

After some trial and error I observed that the above commands
sometimes work and sometimes don't. It certainly involves
xauth stuff. At one point I killed my X servers, zeroed out
my .Xauthority files, and restarted the X servers. That move
got rid of a problem where I couldn't start new xterms from an
already connected remote xterm. Now once I've got a remote xterm
open, I can open other apps from within it.

I've noticed that my first remote application runs in DISPLAY
:10.1 (two headed display running the local command from :0.1)
and that makes sense to me. I've also noticed that sometimes
subsequent local commands will try to run remote applications
in DISPLAY :11.1. Before restarting my X servers, every new
application would increment the X display and I'd run into my
firewall restriction having only 10 ports open for X forwarding.
I haven't been able to completely describe to myself when or how
the DISPLAY will increment.

When I inspect my xauth stuff in a working condition I see this.


otherhost.mydom.com DISPLAY is otherhost.mydom.com:10.1

otherhost.mydom.com xauth list says

otherhost.mydom.com:10 MIT-MAGIC-COOKIE-1 597d13f5b61fd07b79c6d4e5942fd553
otherhost.mydom.com:10 MIT-MAGIC-COOKIE-1 afe3fd4603519360202ecbcc2ca02338
otherhost.mydom.com:11 MIT-MAGIC-COOKIE-1 3f0946d4fbcca2f7d08eb4befcef82d5
otherhost.mydom.com:11 MIT-MAGIC-COOKIE-1 6d3967fd9fd59df30250fc9ca38449a1
myfirewall.mydom.com:10 MIT-MAGIC-COOKIE-1 ee1623a886120aa4fcf708c814f6b793


myfirewall.mydom.com isn't running displayed app's now. DISPLAY isn't set.

myfirewall.mydom.com xauth list says

myfirewall.mydom.com:10 MIT-MAGIC-COOKIE-1 909822c0778498c82f3b64886ed6ceed
myfirewall.mydom.com:11 MIT-MAGIC-COOKIE-1 a87659f3c8a1d4d4eaae2effdeb29d46


local host (where I start everything) xauth list says

lwe125529.cse.tek.com:10 MIT-MAGIC-COOKIE-1 6543aba06e20e269e135158af740b2bf


Now that just doesn't make any sense! Shouldn't my at least a
pair of my MIT-MAGIC-COOKIEs match? That would seem to be why I
can't start a new application now from my local host. But, how
in the world did the applications currently open start? And,
why can I start a new xterm from my xterm currently running on
otherhost.mydom.com when no xauth cookies would seem to permit

For what it's worth, all this worked just fine with OpenSSH
3.7.1p2 for a long time. This also worked with OpenSSH 4.3p1 for
about a week, which *might* have been how long it was until I
finally rebooted myfirewall.mydom.com.

I'm really confused. Anyone got any ideas to start my sorting
this out?


PLEASE post a SUMMARY of the answer(s) to your question(s)!
Show Windows & Gates to the exit door.
Unless otherwise noted, the statements herein reflect my personal
opinions and not those of any organization with which I may be affiliated.

Relevant Pages

  • Openssh 3.7.1 HPUX 11.x - X11 forwarding broken or misconfigured?
    ... I upgraded an HPUX box's OpenSSH from a patched 3.0.x (where forwarding ... X11 forwarding turned on in sshd_config: ... Any ventured guesses on whether the null DISPLAY is working-as-designed? ... Are there other configurables I could be looking at? ...
  • Re: xterms Tek mode question
    ... The control sequences are documented in xterm's control sequences ... screenshots but there are a couple of photos that appear to display ... I did eventually manage to run the tek tests under "other terminals" and ... when I start an "xterm -t" but that's not really such a major issue ...
  • Re: X11 display forwarding
    ... I'm having a bit of trouble with X11 display forwarding. ... already connected remote xterm. ... I've noticed that my first remote application runs in DISPLAY ... all this worked just fine with OpenSSH ...
  • ssh & DISPLAY
    ... I can't seem to get X Forwarding to work right over my ssh tunnels. ... Connecting to and trying to run an xterm from server: ... xterm Xt error: Can't open display: ...
  • Re: KDE aus xterm-Konsole starten
    ... echo $DISPLAY liefert eine leere Zeile. ... Du hast also bereits ein xterm laufen, ... wenn Du in dem xterm das Kommando ... Wer mir E-Mail schreiben will, stelle | When writing me e-mail, please ...