Re: More SSH Fun (X11 forwarding)

To: debian-security@lists.debian.org
Subject: Re: More SSH Fun (X11 forwarding)
From: Vineet Kumar <debian-security@virtual.doorstop.net>
Date: Mon, 1 Jul 2002 16:48:51 -0700
Message-id: <[🔎] 20020701234851.GD529@doorstop.net>
Mail-followup-to: debian-security@lists.debian.org
In-reply-to: <[🔎] 20020701233259.GE31595@cacr.caltech.edu>
References: <[🔎] 20020701202434.GB30832@cacr.caltech.edu> <[🔎] 20020701203203.GO27263@alpha.logic.tuwien.ac.at> <[🔎] 20020701204831.GB30901@cacr.caltech.edu> <[🔎] 20020701205906.GB31005@cacr.caltech.edu> <[🔎] 20020701214328.GA23348@apple> <[🔎] 20020701230008.GA31577@cacr.caltech.edu> <[🔎] 20020701232607.GB529@doorstop.net> <[🔎] 20020701233259.GE31595@cacr.caltech.edu>

* Anne Carasik (gator@cacr.caltech.edu) [020701 16:34]:
> Hi Vineet,
> 
> It doesn't matter--it's still does not work no matter what I do
> to my X server.
> 
> Anyway, I turned off xhost and X11 listening a while ago.

Right. My point was that this is a way /around/ ssh forwarding. It won't
make it any easier to get ssh forwarding working, and can only confuse
the issue. Glad you've moved on from it.

So anyway, here's a basic rundown of things to double-check:

the server has "X11Forwarding yes" in its config (and that config has
been loaded, i.e. the server has been restarted since the change).

the client has X11Forwarding yes in its config, in the right place (i.e.
after where it says "Host *", and no later declarations override and
disable it.)

you're not connecting with a key which is restricted with a
no-X11-forwarding directive in the options section of the
authorized_keys.

DISPLAY is set on the client, and displaying of local X apps works
before ever attempting a connect to the remote server. This means that
the local xauth cookie is valid and authorized to connect to the local
X server.

xauth is found at /usr/bin/X11/xauth, or the correct location is
specified correctly with an XAuthLocation directive in the remote
sshd's sshd_config, and the connecting user has correct (+rx)
permissions on it.

That's all I can come up with off the top of my head right now.  I know
you did say that you've done some of the things mentioned above, but if
it's still failing, it's a good idea to double-check that all of those
above conditions are met. Sometimes when changing lots of things around
in desperation, we forget to change something back.

I'm about to review the thread one more time to see if you've posted any
"ssh -v" or "sshd -d" outputs that may provide additional insight. If it
continues to fail, those may be useful for us to diagnose the problem.

good times,
Vineet
-- 
http://www.doorstop.net/
-- 
"Computer Science is no more about computers
than astronomy is about telescopes." -E.W. Dijkstra

Attachment: pgps2lxEshPzn.pgp
Description: PGP signature

Reply to:

Follow-Ups:
- Re: More SSH Fun (X11 forwarding)
  - From: Vineet Kumar <debian-security@virtual.doorstop.net>
- Re: More SSH Fun (X11 forwarding)
  - From: Dossy <dossy@panoptic.com>

References:
- More SSH Fun (X11 forwarding)
  - From: Anne Carasik <gator@cacr.caltech.edu>
- Re: More SSH Fun (X11 forwarding)
  - From: Norbert Preining <preining@logic.at>
- Re: More SSH Fun (X11 forwarding)
  - From: Anne Carasik <gator@cacr.caltech.edu>
- Re: More SSH Fun (X11 forwarding)
  - From: Anne Carasik <gator@cacr.caltech.edu>
- Re: More SSH Fun (X11 forwarding)
  - From: David Caplan <david@david.ath.cx>
- Re: More SSH Fun (X11 forwarding)
  - From: Anne Carasik <gator@cacr.caltech.edu>
- Re: More SSH Fun (X11 forwarding)
  - From: Vineet Kumar <debian-security@virtual.doorstop.net>
- Re: More SSH Fun (X11 forwarding)
  - From: Anne Carasik <gator@cacr.caltech.edu>

Prev by Date: Re: More SSH Fun (X11 forwarding)
Next by Date: Re: More SSH Fun (X11 forwarding)
Previous by thread: Re: More SSH Fun (X11 forwarding)
Next by thread: Re: More SSH Fun (X11 forwarding)
Index(es):
- Date
- Thread