running ssh problem
Hi folks,
Ubuntu 7.04 server amd64 router IP - 192.168.0.10 Ubuntu 7.04 desktop router IP - 192.168.0.11 Server can ssh desktop but desktop can't ssh server. On desktop $ ssh -Y satimis@192.168.0.10 rox password: Code:
.... Any advice? TIA satimis |
First check that basic ssh works. Does
Code:
ssh -Y satimis@192.168.0.10 /bin/bash |
Quote:
On desktop $ ssh -Y satimis@192.168.0.10 /bin/bash satimis@192.168.0.10's password: It just hangs here. Ah would it be the problem of running xvt on server instead of xterm? On server: $ apt-cache policy xvt Code:
xvt: Code:
xterm: $ sudo apt-get remove xvt then $ sudo apt-get install xterm TIA B.R. satimis |
Problem still remains
Hi folks,
Performed following test:- On server $ sudo apt-get remove xvt $ sudo apt-get install xterm both went through w/o problem. On desktop:- $ ssh -Y satimis@192.168.0.10 rox Code:
satimis@192.168.0.10's password: Code:
satimis@192.168.0.10's password: $ ssh -X satimis@192.168.0.10 rox Code:
satimis@192.168.0.10's password: Problem is NOT solved B.R. satimis |
What do sshd logs on server contain? What does just 'ssh satimis@192.168.0.10' do?
|
Quote:
$ ssh satimis@192.168.0.10 satimis@192.168.0.10's password: Code:
Linux ubuntu 2.6.20-15-generic #2 SMP Sun Apr 15 06:17:24 UTC 2007 x86_64 $ cat /var/log/auth.log | grep sshd | less Code:
..... |
Looks like 'ssh satimis@192.168.0.10' gives you a shell where you can actually type.. OK, does 'ssh -X satimis@192.168.0.10' do the same? (Try waiting 65 seconds after entering password, there are different timeouts to expire) Is your $HOME writable by you and clear of unwritable hidden files?
|
Quote:
On desktop $ ssh satimis@192.168.0.1 and $ ssh -X satimis@192.168.0.1 both did the same connecting the remote server $ ls displayed the files and directories on the server. However ran; $ leafpad and $ rox displatying Code:
(leafpad:5800): Gtk-WARNING **: Locale not supported by C library. Quote:
On server $ ls -l showing all files are owned by "satimis:satimis" and writable by their owner "-rw-r--r--" B.R. satimis |
What your $LC_ALL and $LANG on server contain? Anyway, this should be ignorable - it is all about impossibility to meet your supposed country-specific tastes in data representation. It should start anyway. Does rox start when it is just run on server? About writable $HOME - I meant both on desktop and server, but probably it isn't the issue. Is leafpad a window manager, by the way? I do not know, but there are some classes of X programs that need to be the only program of the kind on the $DISPLAY . So it may be the cause.. Try running Xnest with xterm in it, and experiment there, so you will not have conflicts.
|
Quote:
Quote:
Quote:
Quote:
Previously both of them worked without problem on this server which has been crashed before when I tried reinstalling "locale". Now this server is a fresh installation with same packages. Before crash "Ubuntu 7.04 desktop" can connect the server with "scp" and "ssh". Nothing has been touched on the desktop PC. Quote:
B.R. satimis |
Check them just in console..
Code:
echo $LC_ALL ; echo $LANG Code:
export LC_ALL=C; export LANG=C Code:
strace -f -o leafpad.strace leafpad EDIT: and try running Code:
xhost + 127.0.0.1 |
Quote:
$ echo $LC_ALL ; echo $LANG Code:
$ export LC_ALL=C ; export LANG=C Both w/o printout. $ strace -f -o leafpad.strace leafpad leadpad started but w/o any printout on console. On desktop $ xhost + 127.0.0.1 Code:
127.0.0.1 being added to access control list |
So does leafpad start after all this (if you repeat attempt after xhost on desktop)? If not, try 'strace' way again, wait a minute, terminate it and post leafpad.strace.
|
Quote:
Performed following steps:- On server; $ echo $LC_ALL ; echo $LANG Code:
$ export LC_ALL=C ; export LANG=C No complaint. $ strace -f -o leafpad.strace leafpad started leafpad locally. On desktop; $ xhost + 127.0.0.1 Code:
127.0.0.1 being added to access control list Code:
No complaint. $ ssh -Y satimis@102.168.0.10 leafpad Code:
satimis@192.168.0.10's password Then popup; leafpad: cannot open display. Remark: Rox, the file manager, is running on both server and desktop. I found following mistake on server; $ locale Code:
locale: Cannot set LC_CTYPE to default locale: No such file or directory Edit: Performed following steps to fix the problem of above warning on the 3 lines mentioned; $ sudo apt-get install language-pack-en-base Code:
Reading package lists... Done Code:
LANG=C $ sudo dpkg-reconfigure locales ??? Tks ) Rebooted server. $ locale Code:
LANG=en_HK.UTF-8 $ echo $LC_ALL ; echo $LANG Code:
No complaint. $ strace -f -o leafpad.strace leafpad started leadpad On desktop; $ xhost + 127.0.0.1 Code:
Code:
No complaint. $ ssh -Y satimis@192.168.0.10 leafpad satimis@192.168.0.10's password It just hung here sometimes and then; leafpad: cannot open display. satimis |
I mean
Code:
ssh -X satimis@192.168.0.10 |
Quote:
On desktop $ xhost + 127.0.0.110 Code:
127.0.0.1 being added to access control list satimis@192.168.0.10's password: Code:
On running; $ sudo /etc/init.d/httpd.vmware start Code:
$ sudo aptitude install locales my solve my problem. I haven't tried yet. Previously I also suffered locale problem on this server. I tried to fix the problem, resulting in the server crashed finally. This is a fresh installation, not complete yet. Therefore I have to proceed with caution. satimis |
Locale problems should be ignored. If you wait a minute, does window appear?
|
Quote:
On server:- $ echo $LC_ALL ; echo $LANG Code:
No complaint $ strace -f -o rox.strace rox Code:
On desktop :- $ xhost + 127.0.0.1 Code:
127.0.0.1 being added to access control list satimis@192.168.0.1's password Code:
satimis |
Do you have $DISPLAY set on your desktop?
|
Quote:
satimis |
When I ask about $DISPLAY, I mean $DISPLAY environment variable. It can be viewed by
Code:
echo $DISPLAY |
Quote:
$ echo $DISPLAY Code:
:0.0 |
And on server through ssh?
|
Quote:
Performed further 2 tests:- 1) Test-1 a) server to another desktop F7 on 192.168.0.12 $ ssh -Y satimis@192.168.0.12 nautilus It worked w/o problem with remote nautilus displayed locally. b) desktop F7 to server $ ssh -Y satimis@192.168.0.10 rox with the same result unable to display remote rox locally. Server can be ssh-connected. 2) Test-2 Installed localeconf on server. $ cat /etc/environment Code:
PATH="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/games" $ sudo /etc/init.d/httpd.vmware start Code:
Starting httpd.vmware: After rebooting the server and running; $ sudo /etc/init.d/httpd.vmware start Code:
Password: I have to run; $ export LC_ALL="C" No complaint. $ sudo /etc/init.d/httpd.vmware start Code:
Starting httpd.vmware: satimis |
"On server through SSH" - I meant, what is in $DISPLAY when you 'ssh -X' from client to server and check inside ssh session.
About VMWare - what is your goal? To defeat chaos or to have it running? In the latter I think that setting the environment variable in the beginning of the script will be enough (perl should work somehow, and script itself will not be able to tell the difference once variable is set) |
Quote:
$ echo $LC_ALL ; echo $LANG Code:
No complaint $ echo $DISPLAY Code:
:0.0 start rox window On desktop:- $ ssh -X satimis@192.168.0.10 server connected. "ls" displayed remote data locally $ echo $DISPLAY Code:
localhost:10:0 Quote:
$ perl -version Code:
satimis |
Cause of problem found
Hi raskin,
I found the cause of problem. It is the firewall "iptables" which stops X forwarding. On server after running; $ sudo iptables -F On desktop; $ ssh -X satimis@192.168.0.10 rox Code:
satimis@192.168.0.10's password: Before the server crashed I ran another firewall script. I'm now running following scripts; $ cat /etc/rc.local Code:
# On server; Restart iptables $ sudo /etc/rc.local restart No complaint On desktop running $ ssh -X satimis@server_IP rox Code:
ssh: connect to host server_IP port 22: Connection refused Code:
ssh: connect to host server_IP port 22: Connection refused Again on server $ sudo nano /etc/ssh/sshd_config adding "ListenAddress 192.168.0.11" (router IP) $ cat /etc/ssh/sshd_config Code:
.... Again on desktop $ ssh -X satimis@server_IP rox Code:
ssh: connect to host server_IP port 22: Connection refused Code:
ssh: connect to host server_IP port 22: Connection refused TIA satimis |
Well, the warnings were not misleading for me - I knew they have nothing to do with the problem. About iptables - did you check what rules take precedence in iptables, first specified or last specified? About VMWare - so does creating a shell script 'httpd.vmware' with contents
Code:
export LC_ALL=C ; export LANG=c; perl httpd.vmware.perl |
Quote:
I created an executable file on /etc/network/if-up.d/iptables.start and copid the complete script on the file. Each time on starting the network iptables started as well. Quote:
$ sudo /etc/init.d/httpd.vmware start Code:
Password: After deleting "perl httpd.vmware.perl" $ sudo /etc/init.d/httpd.vmware start Code:
Password: What are your trying to do with that phrase? B.R. satimis |
I meant that you move old httpd.vmware perl script to httpd.vmware.perl
About precedence - yu issue multiple commands for every chain. Are sure about the order? |
Quote:
How to configure and secure Linux for VMware http://searchservervirtualization.te...242833,00.html building this Virtual machine for testing. I haven't modified the script. satimis |
Is there anything interesting in dmesg?
|
Quote:
Code:
[ 0.000000] Linux version 2.6.20-15-generic (root@yellow) (gcc version 4.1.2 (Ubuntu 4.1.2-0ubuntu4)) #2 SMP Sun Apr 1 satimis |
And if you run tcpdump or wireshark on desktop, what does it say about icmp traffic or port 22 traffic?
|
Quote:
Code:
tcpdump: no suitable device found Code:
/usr/sbin/tcpdump Code:
The program 'wireshark' is currently not installed. You can install it by typing: |
What your network interface is called? Run 'tcpdump -i <interface name>'. It would also be interesting to run it on client and on server and compare.. Also post output of 'netstat -nlp' on server.
|
Quote:
$ ifconfig Code:
eth0 Link encap:Ethernet HWaddr 00:0E:A6:F9:A3:5B $ sudo tcpdump -i eth0 Code:
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode $ netstat -nlp Code:
(Not all processes could be identified, non-owned process info On desktop $ ifconfig Code:
eth0 Link encap:Ethernet HWaddr 00:07:40:82:68:14 $ sudo tcpdump -i eth0 Code:
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode $ netstat -nlp Code:
(Not all processes could be identified, non-owned process info |
What traffic between desktop and server does tcpdump show when you try to ssh -X? The most interesting part is how does this differ from the view point of client and server..
|
Quote:
satimis |
Do I understand correctly that with iptables off everything is OK? In this case, with iptables running.
|
Quote:
Quote:
On desktop 1) Console-1 $ ssh -X satimis@192.168.0.10 rox Code:
satimis@192.168.0.10's password: Console-2 $ sudo tcpdump -i eth0 Code:
Password: On server $ sudo tcpdump -i eth0 Code:
Password: satimis |
Try (on desktop) telnet or netcat or ncat to server port 22.. What happens? Also redo tcpdump experiment: launch it on both boxes first, then try 'ssh -X', and please leave only communication between server and client in your post. By the way, I looked once more at iptables configuration and if I understand anything, it forbids network connections from 127.0.0.1 to 127.0.0.1 through loopback - and X forwarding is done that way.
|
Quote:
1) Test-1 On desktop; $ telnet 192.168.0.10 22 Code:
Trying 192.168.0.10... $ sudo tcpdump -i eth0 Code:
Password: On server; $ sudo tcpdump -i eth0 Code:
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode 2) Test-2 On desktop $ ssh -X satimis@192.168.0.10 rox Code:
satimis@192.168.0.10's password: On server; $ sudo tcpdump -i eth0 Code:
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode B.R. satimis |
Try allowing all traffic from localhost to localhost on server.
|
Quote:
satimis |
No, I mean make iptables accept all incoming local traffic and also allow all outgoing local traffic.
|
Quote:
Code:
# INPUT satimis |
Well, theoretically everything can somewhat reduce security. But if you already have a malicious process on server where you ssh... Well, I would say that you have lost the server and need to reinstall it anyway. There is a significant risk that they have already cracked root. Then ssh can be already compromised. Well, yes,chance to access your X server through forwarding can give enemy an advantage when trying to take over your desktop (and -X is better than -Y from that point of view), but you still don't have options better than 'ssh -X' (Though it is interesting if VNC is better).
|
Quote:
Quote:
Code:
http://www.realvnc.com/ What will the difference in function between VNC and ssh? TIA satimis |
I used TightVNC. They recommend to tunnel it through SSH tunneling - to get encryption with no extra configuration. The benefit of VNC (compared to ssh) is that entire VNC session is just a window on your desktop, so sniffing your keyboard requires finding actual arbitrary-code-execution hole in TightVNC or a really obscure way to force vncviewer deivate from acceptable behavior.
|
All times are GMT -5. The time now is 06:24 AM. |