X11Forwarding problem when xauth cannot write to /home mounted via NFS
Linux - Enterprise. This forum is for all items relating to using Linux in the Enterprise.
In our organization we use about a hundred openSUSE clients connected to one central server that acts as file and authentication server (let's call this machine "mainserver"). Home directories for all users are mounted via NFS on the local clients. One of these clients acts as a gateway and allows users to log in using SSH to do some work etc. The use case at hand now is that a user wants to connect from an outside machine with X11-forwarding to this gateway machine, and I am pretty sure I have narrowed down the reason it does not work to the following: xauth normally writes an .Xauthority file to the home directory when handling sessions. However, since sshd is run as root@gateway it doesn't have permissions to read/write files in the home directory of the user on the main server (mainserver:/home/user). I have checked all other settings with X11-forwarding that can cause problems, and the outside test machine can connect with X11 to mainserver itself and to other machines, so that is not the issue.
Now, this could be solved by making all home directories r/w accessible by all, but that is obviously a terrible thing to do from a security point of view. Can any of you think of a workaround so I can make X11-forwarding work?
I am aware of the potential security problems with X11-forwarding in itself.
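The hypothesis in the post above (root on the gateway cannot create ~/.Xauthority on the NFS-mounted home, while the user can) is easy to test directly. The script below is an added diagnostic, not code from this thread: run it on the gateway once as the user and once under sudo and compare the two outputs. The directory and sshd_config paths are defaults you can override on the command line.

```shell
#!/bin/sh
# Added diagnostic (not from the thread). Checks three things for a home
# directory: whether it is on NFS, whether the caller can create and remove
# the file xauth needs there, and whether sshd_config enables X11Forwarding.
# Usage: sh xauth-nfs-check.sh [HOMEDIR] [SSHD_CONFIG]

# Filesystem type of DIR as reported by statfs, e.g. "nfs", "ext2/ext3".
fs_type() {
    stat -f -c '%T' "$1"
}

# 0 if DIR lives on NFS, 1 otherwise.
is_nfs_dir() {
    case "$(fs_type "$1" 2>/dev/null)" in
        nfs*) return 0 ;;
        *)    return 1 ;;
    esac
}

# 0 if the caller can create (mode 0600) and remove a file in DIR, which is
# exactly what xauth needs for DIR/.Xauthority. The probe name is constructed
# for this check and the file is removed again.
xauth_write_probe() {
    probe="$1/.Xauthority-probe.$$"
    ( umask 077 && : > "$probe" ) 2>/dev/null || return 1
    rm -f "$probe"
}

# 0 if sshd_config FILE turns X11Forwarding on. sshd uses the first value it
# sees for a keyword, so scanning stops at the first uncommented
# X11Forwarding line; it also stops at the first Match block, whose settings
# are conditional and not evaluated here.
sshd_x11_enabled() {
    [ -r "$1" ] || return 1
    val=$(awk 'tolower($1) == "match" { exit }
               $1 !~ /^#/ && tolower($1) == "x11forwarding" { print tolower($2); exit }' "$1")
    [ "$val" = "yes" ]
}

# Human-readable summary for HOMEDIR and SSHD_CONFIG.
report() {
    home=$1 conf=$2
    printf 'running as uid %s, checking %s\n' "$(id -u)" "$home"
    if is_nfs_dir "$home"; then
        echo "home is on NFS ($(fs_type "$home"))"
    else
        echo "home is local ($(fs_type "$home" 2>/dev/null || echo unknown))"
    fi
    if xauth_write_probe "$home"; then
        echo "can create .Xauthority in $home"
    else
        echo "CANNOT create .Xauthority in $home (root squash or permissions)"
    fi
    if sshd_x11_enabled "$conf"; then
        echo "X11Forwarding is enabled in $conf"
    else
        echo "X11Forwarding is not enabled in $conf (or the file is unreadable)"
    fi
}

report "${1:-${HOME:-.}}" "${2:-/etc/ssh/sshd_config}"
```

If the probe succeeds for the user but fails for root on a directory reported as NFS, the export is root-squashing and the difference between root@gateway and user@gateway is confirmed; if both succeed, the cause lies elsewhere and sshd's debug output (sshd -d) is the next place to look.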
Ok, something here doesn't make sense to me. AFAIK, sshd is ALWAYS run as root.
It's not that root doesn't have write access. The user who is logging onto the target machine is not root.
Have you tried
Code:
ssh -Y target-machine-ip-address firefox
using firefox as a test X-11 program?
I find the -Y option gets around xauth issues nicely.
Also, to get around issues with X-11 forwarding, I normally run vncserver on the target host. That way, you can get a full desktop and let vnc manage the auth issues.
Then, you can use vncviewer to connect to the desktop on the target host, or if you want it encrypted, you can use sshvnc or a ssh tunnel to start the vncviewer on the target machine.
You can run a vnc server using x11vnc or vncserver. There are a couple different ways to do it.
If you don't like vnc, you can probably run xrdp and use rdesktop to connect to that server.
It's easier to get vnc working than plain ol' X-11 forwarding and using ssh, it's more secure too.
I've done vnc various ways over the years, so if you decide to use that, I can point you in the direction of various configs that have worked for me. I set vnc up on every network I have ever managed and it works pretty well. There are other ways to do the same thing, most of which have some kind of security built in. Some of them are pretty cool, but vnc works well enough for me. YMMV.
Thank you for great suggestions Rhamel, especially since no-one seemed to give an answer in this thread - kudos to you!
Regarding sshd: yes it is always run as root, but root on the gateway machine. Since the user's home directory is on another server and only mounted via NFS on the gateway, root@gateway cannot access this home directory, only user@gateway can. Does this make sense, or do you see some way to change that?
As you suggested, for all my tests I used the -Y option since it seemed to be the most permissive, but to no avail (I also tried with -X).
However, your solution to use vnc may be a much better one, thanks for pointing me in that direction. I will try to switch to that solution instead, and if you have some pointers and tips (or links etc) on how to make good configs and/or tweaks for vnc, I would sincerely appreciate it.
Ok, sorry to be harping on this point. You've probably moved on from this, but I've spent the morning on this thing for another project I've been working on.
Ok, so what I've realised (really late in the game for me), is that ssvncviewer comes with a utility called 'tsvnc' which is very useful.
1. it connects to the remote host via ssh.
2. it starts up x11vnc on the remote host as the user who just logged in. Since the user then owns the session, there are no xauth problems.
3. it then starts up a vncviewer session from the local host to the x11vnc session running on the remote host as the same user.
So, on the target host, you just need to have x11vnc in the PATH of the user you will be logging in as. You don't have to set up anything else on the remote server. Well, you need to have sshd running, of course.
Since you are logging in using ssh, you can use ~/.ssh/authorized_keys to avoid entering passwords, which I always prefer.
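The three tsvnc steps listed above, and the "vnc through an ssh tunnel" setup Rhamel suggested earlier in the thread, can be done by hand with plain ssh, x11vnc and vncviewer. The script below is an added example and is not tsvnc's or x11vnc's own code: x11vnc runs on the gateway as the SSH user (so no root process has to touch the NFS home), it listens on loopback only, and the viewer reaches it exclusively through the SSH port forward. The login name, host name, display number and password-file path are assumptions to be adjusted.

```shell
#!/bin/sh
# Added example (not tsvnc's code): X11-free remote desktop over an SSH
# tunnel. Usage: sh vnc-tunnel.sh user@gateway [display]
# Assumes x11vnc is in the user's PATH on the gateway and that the user has
# run "x11vnc -storepasswd" there once to create ~/.vnc/passwd.
set -u

# Split "user@host" into two words; anything else is rejected.
parse_target() {
    case "$1" in
        *@*) printf '%s %s\n' "${1%%@*}" "${1#*@}" ;;
        *)   return 1 ;;
    esac
}

# Step 2: the command executed on the gateway as the SSH user.
#   -localhost  accept connections arriving via the loopback interface only,
#               i.e. only through the tunnel
#   -once       exit when the first viewer disconnects, so nothing lingers
#   -rfbauth    require the VNC password stored with "x11vnc -storepasswd"
#   -display    which X display to share (":0" for a console login)
remote_x11vnc_cmd() {
    display=$1 port=$2
    printf 'x11vnc -localhost -once -rfbport %s -rfbauth ~/.vnc/passwd -display %s' \
        "$port" "$display"
}

# Steps 1 and 3: ssh forwards LOCAL_PORT on this machine to 127.0.0.1:REMOTE_PORT
# on the gateway, backgrounds itself after authentication (-f) and keeps the
# tunnel open for as long as the remote x11vnc runs; the viewer then talks
# to the local end of the tunnel only.
main() {
    target=$1
    display=${2:-:0}
    lport=${LOCAL_PORT:-5900}
    rport=${REMOTE_PORT:-5900}
    words=$(parse_target "$target") || {
        echo "usage: $0 user@host [display]" >&2
        return 2
    }
    user=${words%% *}
    host=${words#* }
    ssh -f -o ExitOnForwardFailure=yes \
        -L "$lport:127.0.0.1:$rport" "$user@$host" \
        "$(remote_x11vnc_cmd "$display" "$rport")" || return 1
    # x11vnc needs a moment to attach to the display before the tunnel end
    # on the gateway accepts connections (tsvnc waits for x11vnc's PORT=
    # line instead; a fixed pause keeps this example simple).
    sleep 3
    # "host::port" names a TCP port rather than a display number.
    vncviewer "127.0.0.1::$lport"
}

# Only act when a target was given, so sourcing the file defines the
# functions without opening any connection.
if [ $# -gt 0 ]; then
    main "$@"
fi
```

Because the only listener on the gateway is bound to 127.0.0.1 and the local listener created by ssh -L is likewise loopback-only by default, nothing is exposed on either network; SSH authentication (ideally with keys, as the post says) and the VNC password are the two gates a connection has to pass.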