ssh -X....

os2 · 09-25-2005, 12:37 PM

hi

i use suse 9.3
i have a router (dlink)

on my router, i set a Virtual Server to access ssh

from the net, i able to connect to my computer with ssh

i tried to ssh -X

but when i try to start

xclock

i get

Error: Can't open display:

printenv DISPLAY show me nothing

if i use xhost + before to connect, i get the same result...

X11Forwarding is set to yes

my firewall is closed

if i use my computer, try to with ssh with my ip router adress (ssh forward to my computer), i get the same result... ssh work but can't start a X application...

any idea?

david_ross · 09-25-2005, 01:10 PM

Is X forwarding enabled on the server?

Did you try setting the display number manually?

debianmike · 09-25-2005, 01:12 PM

I've wondered this too....

If using an SSH tunnel, does the X port need to be opened on the router? or does all traffic travel "inside" the ssh tunnel?

david_ross · 09-25-2005, 01:15 PM

Using X forwarding and ssh will use the ssh tunnel to transmit the data so no ports should need opened unless the client machine is blocking loopback connections.

os2 · 09-25-2005, 01:28 PM

Quote:

Originally posted by david_ross
Is X forwarding enabled on the server?

Did you try setting the display number manually?

sshd_config

Code:

#AllowTcpForwarding yes
#GatewayPorts no
X11Forwarding yes
PermitRootLogin no
#X11DisplayOffset 10
#X11UseLocalhost yes
#PrintMotd yes
#PrintLastLog yes
#TCPKeepAlive yes
#UseLogin no
#UsePrivilegeSeparation yes
#PermitUserEnvironment no
#Compression yes
#ClientAliveInterval 0

ssh_config

Code:

Host *
#   ForwardAgent no
ForwardX11 yes

where i need to set the display number on the client or server?
how to do it?

spooon · 09-25-2005, 01:58 PM

Did you try "ssh -Y"?

os2 · 09-25-2005, 02:13 PM

Quote:

Originally posted by spooon
Did you try "ssh -Y"?

ya and i get the same thing....

david_ross · 09-27-2005, 11:58 AM

Can you post the output from:
netstat -nlp
iptables -nL

on the X client.

os2 · 09-27-2005, 07:49 PM

Quote:

Originally posted by david_ross
Can you post the output from:
netstat -nlp
iptables -nL

on the X client.

collinm@ws101:~> netstat -nlp

Code:

(Tous les processus ne peuvent être identifiés, les infos sur les processus
non possédés ne seront pas affichées, vous devez être root pour les voir toutes.)
Connexions Internet actives (seulement serveurs)
Proto Recv-Q Send-Q Adresse locale          Adresse distante        Etat        PID/Program name
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      -
tcp        0      0 0.0.0.0:631             0.0.0.0:*               LISTEN      -
udp        0      0 0.0.0.0:631             0.0.0.0:*                           -
udp        0      0 192.168.0.101:123       0.0.0.0:*                           -
udp        0      0 127.0.0.1:123           0.0.0.0:*                           -
udp        0      0 0.0.0.0:123             0.0.0.0:*                           -
udp        0      0 :::177                  :::*                                -
udp        0      0 :::123                  :::*                                -
Sockets du domaine UNIX actives(seulement serveurs)
Proto RefCpt Indicatrs   Type       Etat          I-Node PID/Program name    Chemin
unix  2      [ ACC ]     STREAM     LISTENING     20122  7475/kdeinit Runnin /tmp/ksocket-collinm/kdeinit-:0
unix  2      [ ACC ]     STREAM     LISTENING     10588  -                   /var/run/dbus/system_bus_socket
unix  2      [ ACC ]     STREAM     LISTENING     20205  7495/klauncher [kde /tmp/ksocket-collinm/klauncherhJSRQa.slave-socket
unix  2      [ ACC ]     STREAM     LISTENING     20336  7512/artsd          /tmp/ksocket-collinm/ws101.ltsp-1d58-4339e46c
unix  2      [ ACC ]     STREAM     LISTENING     17338  -                   /var/run/.resmgr_socket
unix  2      [ ACC ]     STREAM     LISTENING     18866  -                   /var/run/acpid.socket
unix  2      [ ACC ]     STREAM     LISTENING     18079  -                   /var/run/xdmctl/dmctl/socket
unix  2      [ ACC ]     STREAM     LISTENING     18088  -                   /var/run/xdmctl/dmctl-:0/socket
unix  2      [ ACC ]     STREAM     LISTENING     18911  -                   /var/run/powersave_socket
unix  2      [ ACC ]     STREAM     LISTENING     18915  -                   /var/run/powersave_clientsocket
unix  2      [ ACC ]     STREAM     LISTENING     19014  -                   /var/run/nscd/socket
unix  2      [ ACC ]     STREAM     LISTENING     20120  7475/kdeinit Runnin /tmp/ksocket-collinm/kdeinit__0
unix  2      [ ACC ]     STREAM     LISTENING     20185  7490/dcopserver [kd /tmp/.ICE-unix/dcop7490-1127867496
unix  2      [ ACC ]     STREAM     LISTENING     20329  7515/ksmserver [kde /tmp/.ICE-unix/7515
unix  2      [ ACC ]     STREAM     LISTENING     18084  -                   /tmp/.X11-unix/X

ws101:/home/collinm # iptables -nL

Code:

Chain INPUT (policy DROP)
target     prot opt source               destination
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
input_ext  all  --  0.0.0.0/0            0.0.0.0/0
LOG        all  --  0.0.0.0/0            0.0.0.0/0           limit: avg 3/min burst 5 LOG flags 6 level 4 prefix `SFW2-IN-ILL-TARGET '
DROP       all  --  0.0.0.0/0            0.0.0.0/0

Chain FORWARD (policy DROP)
target     prot opt source               destination
LOG        all  --  0.0.0.0/0            0.0.0.0/0           limit: avg 3/min burst 5 LOG flags 6 level 4 prefix `SFW2-FWD-ILL-ROUTING '

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           state NEW,RELATED,ESTABLISHED
LOG        all  --  0.0.0.0/0            0.0.0.0/0           limit: avg 3/min burst 5 LOG flags 6 level 4 prefix `SFW2-OUT-ERROR '

Chain forward_ext (0 references)
target     prot opt source               destination

Chain input_ext (1 references)
target     prot opt source               destination
DROP       all  --  0.0.0.0/0            0.0.0.0/0           PKTTYPE = broadcast
ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0           icmp type 4
ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0           icmp type 8
ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED icmp type 0
ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED icmp type 3
ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED icmp type 11
ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED icmp type 12
ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED icmp type 14
ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED icmp type 18
ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED icmp type 3 code 2
ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED icmp type 5
LOG        tcp  --  0.0.0.0/0            0.0.0.0/0           limit: avg 3/min burst 5 tcp dpt:22 flags:0x16/0x02 LOG flags 6 level 4 prefix `SFW2-INext-ACC-TCP '
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:22
reject_func  tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:113 state NEW
ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0           udp dpt:69
LOG        tcp  --  0.0.0.0/0            0.0.0.0/0           limit: avg 3/min burst 5 tcp flags:0x16/0x02 LOG flags 6 level 4 prefix `SFW2-INext-DROP-DEFLT '
LOG        icmp --  0.0.0.0/0            0.0.0.0/0           limit: avg 3/min burst 5 LOG flags 6 level 4 prefix `SFW2-INext-DROP-DEFLT '
LOG        udp  --  0.0.0.0/0            0.0.0.0/0           limit: avg 3/min burst 5 LOG flags 6 level 4 prefix `SFW2-INext-DROP-DEFLT '
LOG        all  --  0.0.0.0/0            0.0.0.0/0           limit: avg 3/min burst 5 state INVALID LOG flags 6 level 4 prefix `SFW2-INext-DROP-DEFLT-INV '
DROP       all  --  0.0.0.0/0            0.0.0.0/0

Chain reject_func (1 references)
target     prot opt source               destination
REJECT     tcp  --  0.0.0.0/0            0.0.0.0/0           reject-with tcp-reset
REJECT     udp  --  0.0.0.0/0            0.0.0.0/0           reject-with icmp-port-unreachable
REJECT     all  --  0.0.0.0/0            0.0.0.0/0           reject-with icmp-proto-unreachable

david_ross · 09-28-2005, 12:19 PM

Looking at the netstat output there isn't a listening X connection.

Perhaps with more verbose information we could see the problem:
ssh -vvvX user@remotehost

debianmike · 09-28-2005, 12:20 PM

try this:

xhost + on local
ssh -X remote
export DISPLAY=localIP:0 (or 1)

xclock

os2 · 09-28-2005, 01:31 PM

Quote:

Originally posted by david_ross
Looking at the netstat output there isn't a listening X connection.

Perhaps with more verbose information we could see the problem:
ssh -vvvX user@remotehost

ok no problem

Code:

collinm@ws101:~> ssh -vvX user@xx.xx.xx.xx
OpenSSH_3.9p1, OpenSSL 0.9.7e 25 Oct 2004
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: Applying options for *
debug2: ssh_connect: needpriv 0
debug1: Connecting to 70.80.139.21 [70.80.139.21] port 22.
debug1: Connection established.
debug1: identity file /home/collinm/.ssh/identity type -1
debug1: identity file /home/collinm/.ssh/id_rsa type -1
debug1: identity file /home/collinm/.ssh/id_dsa type -1
debug1: Remote protocol version 1.99, remote software version OpenSSH_3.9p1
debug1: match: OpenSSH_3.9p1 pat OpenSSH*
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_3.9p1
debug2: fd 3 setting O_NONBLOCK
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug2: kex_parse_kexinit: diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-gro
up1-sha1
debug2: kex_parse_kexinit: ssh-rsa,ssh-dss
debug2: kex_parse_kexinit: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc,rijnda
el-cbc@lysator.liu.se,aes128-ctr,aes192-ctr,aes256-ctr
debug2: kex_parse_kexinit: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc,rijnda
el-cbc@lysator.liu.se,aes128-ctr,aes192-ctr,aes256-ctr
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md
5-96
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md
5-96
debug2: kex_parse_kexinit: none,zlib
debug2: kex_parse_kexinit: none,zlib
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit: first_kex_follows 0
debug2: kex_parse_kexinit: reserved 0
debug2: kex_parse_kexinit: diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-gro
up1-sha1
debug2: kex_parse_kexinit: ssh-rsa,ssh-dss
debug2: kex_parse_kexinit: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc,rijnda
el-cbc@lysator.liu.se,aes128-ctr,aes192-ctr,aes256-ctr
debug2: kex_parse_kexinit: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc,rijnda
el-cbc@lysator.liu.se,aes128-ctr,aes192-ctr,aes256-ctr
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md
5-96
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md
5-96
debug2: kex_parse_kexinit: none,zlib
debug2: kex_parse_kexinit: none,zlib
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit: first_kex_follows 0
debug2: kex_parse_kexinit: reserved 0
debug2: mac_init: found hmac-md5
debug1: kex: server->client aes128-cbc hmac-md5 none
debug2: mac_init: found hmac-md5
debug1: kex: client->server aes128-cbc hmac-md5 none
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1024<1024<8192) sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
debug2: dh_gen_key: priv key bits set: 126/256
debug2: bits set: 487/1024
debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
debug1: Host '70.80.139.21' is known and matches the RSA host key.
debug1: Found key in /home/collinm/.ssh/known_hosts:2
debug2: bits set: 524/1024
debug1: ssh_rsa_verify: signature correct
debug2: kex_derive_keys
debug2: set_newkeys: mode 1
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug2: set_newkeys: mode 0
debug1: SSH2_MSG_NEWKEYS received
debug1: SSH2_MSG_SERVICE_REQUEST sent
debug2: service_accept: ssh-userauth
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug2: key: /home/collinm/.ssh/identity ((nil))
debug2: key: /home/collinm/.ssh/id_rsa ((nil))
debug2: key: /home/collinm/.ssh/id_dsa ((nil))
debug1: Authentications that can continue: publickey,keyboard-interactive
debug1: Next authentication method: publickey
debug1: Trying private key: /home/collinm/.ssh/identity
debug1: Trying private key: /home/collinm/.ssh/id_rsa
debug1: Trying private key: /home/collinm/.ssh/id_dsa
debug2: we did not send a packet, disable method
debug1: Next authentication method: keyboard-interactive
debug2: userauth_kbdint
debug2: we sent a keyboard-interactive packet, wait for reply
debug2: input_userauth_info_req
debug2: input_userauth_info_req: num_prompts 1
Password:
debug2: input_userauth_info_req
debug2: input_userauth_info_req: num_prompts 0
debug1: Authentication succeeded (keyboard-interactive).
debug1: channel 0: new [client-session]
debug2: channel 0: send open
debug1: Entering interactive session.
debug2: callback start
debug2: x11_get_proto: /usr/X11R6/bin/xauth  list :0 . 2>/dev/null
debug1: Requesting X11 forwarding with authentication spoofing.
debug2: channel 0: request x11-req confirm 0
debug2: client_session2_setup: id 0
debug2: channel 0: request pty-req confirm 0
debug1: Sending environment.
debug1: Sending env LANG = fr_FR.UTF-8
debug2: channel 0: request env confirm 0
debug2: channel 0: request shell confirm 0
debug2: fd 3 setting TCP_NODELAY
debug2: callback done
debug2: channel 0: open confirm rwindow 0 rmax 32768
debug2: channel 0: rcvd adjust 131072