Old 02-28-2007, 05:31 AM   #1
AnSyn
LQ Newbie
 
Registered: Feb 2007
Location: Sweden
Posts: 5

Rep: Reputation: 0
X11 Forwarding working with Cygwin, Failing under Linux


Hi,

I have a problem with X11 forwarding. The thing is that I connect to a remote network via VPN and then, using the VPN tunnel, connect to a machine in the remote network using SSH. This far everything is fine. The problem begins when exporting the display: it fails when making the connection from my Linux machine. However, when trying the same thing using Cygwin under Windows XP, and setting xhost+, everything works fine, including exporting the display.

I have checked that the display is set up correctly on the remote machine and have also successfully exported the display from other remote machines (not through the VPN tunnel) to my local Linux station. So I'm very confused: why is it working with Cygwin when it fails under Linux?

I get the same results with SUSE 10.0, 10.1, and 10.2. I have tried both 64 and 32 versions. I have connected my machine to two different networks, one that I know is free from any filtering on my side.

Please, if anyone has any suggestions it would be really helpful.
 
Old 02-28-2007, 06:31 AM   #2
theYinYeti
Senior Member
 
Registered: Jul 2004
Location: France
Distribution: Arch Linux
Posts: 1,897

Rep: Reputation: 66
Could there be a security problem? See xhost.

Yves.
 
Old 02-28-2007, 08:03 AM   #3
nx5000
Senior Member
 
Registered: Sep 2005
Location: Out
Posts: 3,307

Rep: Reputation: 57
There is no need for xhost +
Doing "xhost +" opens your screen to everybody!!

Try to get more info by using this:
ssh -vvv -X user@server
 
Old 02-28-2007, 09:05 AM   #4
AnSyn
LQ Newbie
 
Registered: Feb 2007
Location: Sweden
Posts: 5

Original Poster
Rep: Reputation: 0
Thanks for your reply!

I'm actually using xhost+<hostName> so it's not that bad. Anyway, I tried using the debug flag in SSH as you suggested. I compared it to the debug information from Cygwin and noticed the following differences:


LINUX (SUSE 10.1):
debug2: callback start
debug2: x11_get_proto: /usr/X11R6/bin/xauth list :0.0 . 2>/dev/null
debug1: Requesting X11 forwarding with authentication spoofing.
debug2: channel 0: request x11-req confirm 0
debug2: client_session2_setup: id 0

Cygwin:
debug2: callback start
debug2: x11_get_proto: /usr/X11R6/bin/xauth list 127.0.0.1:0.0 2>/dev/null
Warning: No xauth data; using fake authentification data for X11 forwarding.
debug1: Requesting X11 forwarding with authentication spoofing.
debug2: channel 0: request x11-req confirm 0
debug2: client_session2_setup: id 0

The second line seems to contain a reference to localhost in the Cygwin case while it is blank in the Linux case. Could this be the source of my problems? How can I change this setting?







 
Old 02-28-2007, 10:22 AM   #5
nx5000
Senior Member
 
Registered: Sep 2005
Location: Out
Posts: 3,307

Rep: Reputation: 57
I made the test myself, this is what I get:

Quote:
debug2: callback start
debug2: x11_get_proto: /usr/bin/X11/xauth list :0.0 2>/dev/null
debug1: Requesting X11 forwarding with authentication spoofing.
debug2: channel 0: request x11-req confirm 0
And it works.

Now when you log on using the linux client (with ssh -Xvvv ..), can you try several checks:
* echo $DISPLAY
* netstat -lapute | egrep ":60..\ "
* Open an xterm and look at the debug messages.

If you get $DISPLAY=server_name:10.0 then you should have a port 6010 opened when looking at the netstat.
If it's for example server_name:14.0 then port 6014 should be opened.

ps:
NO xhost at all is needed. Even under cygwin, it should work without it. I don't understand this.
 
Old 02-28-2007, 11:48 AM   #6
AnSyn
LQ Newbie
 
Registered: Feb 2007
Location: Sweden
Posts: 5

Original Poster
Rep: Reputation: 0
Ok, I tried it and got the following results. Zoe is the name of my machine; it's in the host table of the remote machine.

echo $DISPLAY
zoe:0.0


netstat -lapute | egrep ":60..\ "
(Not all processes could be identified, non-owned process info
will not be shown, you would have to be root to see it all.)
tcp 0 0 <remoteMachine>:6011 *:* LISTEN <userX> 378015182 -
tcp 0 0 <remoteMachine>:6012 *:* LISTEN <myUserName> 378444281 -
tcp 0 0 <remoteMachine>:6013 *:* LISTEN <myUserName> 377993118 -
udp 0 0 *:609 *:* root 2631564 -

xterm &
[1] 27536
xterm Xt error: Can't open display: zoe:0.0

I tried setting the display to zoe:12.0 and zoe:13.0 as well but there was no change :-(

I did try the same thing in Cygwin and the printouts were the same, except for the last line where it actually produced an xterm window...

Last edited by AnSyn; 02-28-2007 at 12:20 PM.
 
Old 02-28-2007, 12:31 PM   #7
nx5000
Senior Member
 
Registered: Sep 2005
Location: Out
Posts: 3,307

Rep: Reputation: 57
Quote:
echo $DISPLAY
zoe:0.0
Ok I think I understand why you needed to do a xhost + to work.
Currently, your X connection is not forwarded by ssh so your traffic is not encrypted.

What you want to do is this:

xterm displays to server:6010.
server:6010 gets tunneled in ssh through client:6000

What you are now doing is this:
xterm displays to client:6000

As xterm is run by another user than the user that has started the Xserver on client, you need to allow him to connect by doing xhost+


You are sure that you do:
ssh -X
or
ssh -Y

If yes, you have to recheck with
ssh -vvv the lines for forwarding


Quote:
I tried setting the display to zoe:12.0 and zoe:13.0 as well but there was no change :-(
No, it's supposed to be server:12.0 (reread my comments before about the tunnel)
Then server:12.0 will connect to serverip:6012 (which is in fact 127.0.0.1:6012). This stream will get tunnelled by ssh server back to ssh client. When ssh client receives X traffic, it forwards it to zoe:0.0

Hum, hope you got at least half of what I explained
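
The mapping described in the post above (display N corresponds to TCP port 6000+N, and a forwarded DISPLAY points at the server, not at the client), as an added example that is not part of the original thread. It assumes sshd's default X11DisplayOffset of 10; the function names are hypothetical and the host names are constructed sample values.

```shell
#!/bin/sh
# Added example: classify an X11 DISPLAY value as seen on the remote (ssh server) side.
# Assumption: sshd uses its default X11DisplayOffset of 10, so forwarded displays start at :10.

# display_port "host:N.S" -> prints the TCP port an X client will connect to (6000 + N)
display_port() {
    n=${1##*:}      # strip everything up to the last ':'  -> "N.S" or "N"
    n=${n%%.*}      # strip the screen number              -> "N"
    case $n in
        ''|*[!0-9]*) return 1 ;;   # not a valid display number
    esac
    echo $((6000 + n))
}

# classify_display "host:N.S" "this_hostname" -> prints forwarded | direct | local | invalid
classify_display() {
    host=${1%:*}
    port=$(display_port "$1") || { echo invalid; return 0; }
    case $host in
        '') echo local; return 0 ;;   # ":0" = X server on this machine, no network hop
    esac
    case $host in
        localhost|127.0.0.1|::1|"$2")
            # Points back at this machine: sshd's proxy listener if the port is 6010 or above
            if [ "$port" -ge 6010 ]; then echo forwarded; else echo local; fi ;;
        *)
            # Points at another machine: plain TCP to its X server, outside the ssh tunnel
            echo direct ;;
    esac
}

# Constructed sample values: "server" stands for the remote machine, "zoe" for the client.
for d in zoe:0.0 server:12.0 localhost:10.0 :0.0; do
    printf '%-16s port %-5s %s\n' "$d" "$(display_port "$d")" "$(classify_display "$d" server)"
done
```

A result of "direct" is the situation in this thread: X traffic goes to the client's port 6000 in the clear and only works if the client's X server has been opened with xhost.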
 
Old 02-28-2007, 12:34 PM   #8
AnSyn
LQ Newbie
 
Registered: Feb 2007
Location: Sweden
Posts: 5

Original Poster
Rep: Reputation: 0

After carefully reading your excellent advice I noticed that the display variable on my server was set to the client machine for some reason, whereas according to you it should be the server. Changing this solved everything!

Thank you so much for your help nx5000, this has really helped me a lot!

 
Old 02-28-2007, 12:35 PM   #9
nx5000
Senior Member
 
Registered: Sep 2005
Location: Out
Posts: 3,307

Rep: Reputation: 57
Quote:
Zoe is the name of my machine
Just to be sure everything is not inverted

zoe is the client PC right?
 
Old 02-28-2007, 12:35 PM   #10
nx5000
Senior Member
 
Registered: Sep 2005
Location: Out
Posts: 3,307

Rep: Reputation: 57
Have fun!
 
Old 02-28-2007, 12:44 PM   #11
AnSyn
LQ Newbie
 
Registered: Feb 2007
Location: Sweden
Posts: 5

Original Poster
Rep: Reputation: 0

Ok, carefully reading your previous answer got me on the right track and I think that I can follow your explanation. When changing the display settings I did not need the xhost+ anymore either, so now it's not only working, it's secure as well :-)

Once again, I'm extremely grateful! I would not have figured this out myself...

 
  

