
Re: ssh -X from A through B to C




On Wednesday, February 11, 2004, at 12:36 AM, Cristian Gutierrez wrote:

Mark Gillingham wrote:
I'm confused by ssh -X. The box that has my CVS work is on a private
network. If I'm on that private network, I can forward X from the box
to my Mac 10.2 box. If I'm outside the network, I can ssh to another
box on the private network with a public IP and then ssh again to the
private box. I cannot, however, ssh -X from A (outside the private
network) to B (on the private network with a public address) to C (on
the private network without a public address). I suspect this has to
do with .xauth-esque privilege settings. Where do I go to hunt this
down?

Try:

  ssh -X B xclock

..to see if B allows X to be forwarded. And:

  ssh -X B ssh -X C xclock

..to see if C allows the same from B. If either of them fails (not
showing you a clock), repeat it with verbosity enabled (-v) and try to
figure something out of that. If in trouble, ask here.

--

Your tip really helped. I had an authentication error, which I fixed. I think that B is not set up correctly. It is the only Debian box in the bunch. A is OS X and C is RH7.3. I offer lots of logs below and apologize for it, but I'm not sure what is important.

I used xcalc because xclock was not loaded on B (perhaps because x-server was not installed on B). So the log of ssh -X B xcalc from A (which shows a display error) is:

% ssh -X -v web2.mydomain.org  /usr/X11R6/bin/xcalc
OpenSSH_3.4p1+CAN-2003-0693, SSH protocols 1.5/2.0, OpenSSL 0x0090609f
debug1: Reading configuration data /Volumes/X/Users/markgill/.ssh/config
debug1: Reading configuration data /etc/ssh_config
debug1: Rhosts Authentication disabled, originating port will not be trusted.
debug1: ssh_connect: needpriv 0
debug1: Connecting to web2.mydomain.org [206.222.33.nnn] port 22.
debug1: Connection established.
debug1: identity file /Volumes/X/Users/markgill/.ssh/identity type -1
debug1: identity file /Volumes/X/Users/markgill/.ssh/id_rsa type 1
debug1: identity file /Volumes/X/Users/markgill/.ssh/id_dsa type 2
debug1: Remote protocol version 2.0, remote software version OpenSSH_3.4p1 Debian 1:3.4p1-1.woody.3
debug1: match: OpenSSH_3.4p1 Debian 1:3.4p1-1.woody.3 pat OpenSSH*
Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_3.4p1+CAN-2003-0693
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: server->client aes128-cbc hmac-md5 none
debug1: kex: client->server aes128-cbc hmac-md5 none
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
debug1: dh_gen_key: priv key bits set: 141/256
debug1: bits set: 1570/3191
debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
debug1: Host 'web2.mydomain.org' is known and matches the RSA host key.
debug1: Found key in /Volumes/X/Users/markgill/.ssh/known_hosts:4
debug1: bits set: 1644/3191
debug1: ssh_rsa_verify: signature correct
debug1: kex_derive_keys
debug1: newkeys: mode 1
debug1: SSH2_MSG_NEWKEYS sent
debug1: waiting for SSH2_MSG_NEWKEYS
debug1: newkeys: mode 0
debug1: SSH2_MSG_NEWKEYS received
debug1: done: ssh_kex2.
debug1: send SSH2_MSG_SERVICE_REQUEST
debug1: service_accept: ssh-userauth
debug1: got SSH2_MSG_SERVICE_ACCEPT
debug1: authentications that can continue: publickey,password,keyboard-interactive
debug1: next auth method to try is publickey
debug1: try privkey: /Volumes/X/Users/markgill/.ssh/identity
debug1: try pubkey: /Volumes/X/Users/markgill/.ssh/id_rsa
debug1: input_userauth_pk_ok: pkalg ssh-rsa blen 149 lastkey 0x85d60 hint 1
debug1: read PEM private key done: type RSA
debug1: ssh-userauth2 successful: method publickey
debug1: channel 0: new [client-session]
debug1: send channel open 0
debug1: Entering interactive session.
debug1: ssh_session2_setup: id 0
debug1: Requesting X11 forwarding with authentication spoofing.
debug1: channel request 0: x11-req
debug1: Sending command: /usr/X11R6/bin/xcalc
debug1: channel request 0: exec
debug1: fd 3 setting TCP_NODELAY
debug1: channel 0: open confirm rwindow 0 rmax 32768
debug1: client_input_channel_req: channel 0 rtype exit-status reply 0
debug1: channel 0: rcvd eof
debug1: channel 0: output open -> drain
debug1: channel 0: rcvd close
debug1: channel 0: close_read
debug1: channel 0: input open -> closed
Error: Can't open display:
debug1: channel 0: obuf empty
debug1: channel 0: close_write
debug1: channel 0: output drain -> closed
debug1: channel 0: almost dead
debug1: channel 0: gc: notify user
debug1: channel 0: gc: user detached
debug1: channel 0: send close
debug1: channel 0: is dead
debug1: channel 0: garbage collecting
debug1: channel_free: channel 0: client-session, nchannels 1
debug1: Transferred: stdin 0, stdout 0, stderr 0 bytes in 0.7 seconds
debug1: Bytes per second: stdin 0.0, stdout 0.0, stderr 0.0
debug1: Exit status 1

I still have a display error as seen by the following log from a session like ssh -X B ssh -X C xclock:

% ssh -X -v web2.mydomain.org ssh -X bitbox.mydomain.org /usr/X11R6/bin/xclock

OpenSSH_3.4p1+CAN-2003-0693, SSH protocols 1.5/2.0, OpenSSL 0x0090609f
debug1: Reading configuration data /Volumes/X/Users/markgill/.ssh/config
debug1: Reading configuration data /etc/ssh_config
debug1: Rhosts Authentication disabled, originating port will not be trusted.
debug1: ssh_connect: needpriv 0
debug1: Connecting to web2.mydomain.org [206.222.33.147] port 22.
debug1: Connection established.
debug1: identity file /Volumes/X/Users/markgill/.ssh/identity type -1
debug1: identity file /Volumes/X/Users/markgill/.ssh/id_rsa type 1
debug1: identity file /Volumes/X/Users/markgill/.ssh/id_dsa type 2
debug1: Remote protocol version 2.0, remote software version OpenSSH_3.4p1 Debian 1:3.4p1-1.woody.3
debug1: match: OpenSSH_3.4p1 Debian 1:3.4p1-1.woody.3 pat OpenSSH*
Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_3.4p1+CAN-2003-0693
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: server->client aes128-cbc hmac-md5 none
debug1: kex: client->server aes128-cbc hmac-md5 none
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
debug1: dh_gen_key: priv key bits set: 139/256
debug1: bits set: 1566/3191
debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
debug1: Host 'web2.mydomain.org' is known and matches the RSA host key.
debug1: Found key in /Volumes/X/Users/markgill/.ssh/known_hosts:4
debug1: bits set: 1604/3191
debug1: ssh_rsa_verify: signature correct
debug1: kex_derive_keys
debug1: newkeys: mode 1
debug1: SSH2_MSG_NEWKEYS sent
debug1: waiting for SSH2_MSG_NEWKEYS
debug1: newkeys: mode 0
debug1: SSH2_MSG_NEWKEYS received
debug1: done: ssh_kex2.
debug1: send SSH2_MSG_SERVICE_REQUEST
debug1: service_accept: ssh-userauth
debug1: got SSH2_MSG_SERVICE_ACCEPT
debug1: authentications that can continue: publickey,password,keyboard-interactive
debug1: next auth method to try is publickey
debug1: try privkey: /Volumes/X/Users/markgill/.ssh/identity
debug1: try pubkey: /Volumes/X/Users/markgill/.ssh/id_rsa
debug1: input_userauth_pk_ok: pkalg ssh-rsa blen 149 lastkey 0x85d60 hint 1
debug1: read PEM private key done: type RSA
debug1: ssh-userauth2 successful: method publickey
debug1: channel 0: new [client-session]
debug1: send channel open 0
debug1: Entering interactive session.
debug1: ssh_session2_setup: id 0
debug1: Requesting X11 forwarding with authentication spoofing.
debug1: channel request 0: x11-req
debug1: Sending command: ssh -X bitbox.mydomain.org /usr/X11R6/bin/xclock
debug1: channel request 0: exec
debug1: fd 3 setting TCP_NODELAY
debug1: channel 0: open confirm rwindow 0 rmax 32768
Error: Can't open display:
debug1: client_input_channel_req: channel 0 rtype exit-status reply 0
debug1: channel 0: rcvd eof
debug1: channel 0: output open -> drain
debug1: channel 0: obuf empty
debug1: channel 0: close_write
debug1: channel 0: output drain -> closed
debug1: channel 0: rcvd close
debug1: channel 0: close_read
debug1: channel 0: input open -> closed
debug1: channel 0: almost dead
debug1: channel 0: gc: notify user
debug1: channel 0: gc: user detached
debug1: channel 0: send close
debug1: channel 0: is dead
debug1: channel 0: garbage collecting
debug1: channel_free: channel 0: client-session, nchannels 1
debug1: Transferred: stdin 0, stdout 0, stderr 0 bytes in 1.6 seconds
debug1: Bytes per second: stdin 0.0, stdout 0.0, stderr 0.0
debug1: Exit status 1

A's sshd_config file has the following settings (A is OS X Darwin):

X11Forwarding yes

#X11DisplayOffset 10
#X11UseLocalhost yes
#PrintMotd yes
#PrintLastLog yes
#KeepAlive yes
#UseLogin no
#UsePrivilegeSeparation yes
#Compression yes


B's sshd_config file has the following settings (B is Woody):

X11Forwarding yes
X11DisplayOffset 10
PrintMotd no
#PrintLastLog no
KeepAlive yes
#UseLogin no


C's sshd_config file has the following settings (C is RH7.3):

#X11Forwarding no
X11Forwarding yes
#X11DisplayOffset 10
#X11UseLocalhost yes
#PrintMotd yes
#PrintLastLog yes
#KeepAlive yes
#UseLogin no
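
The sshd_config excerpts and the client-side `ssh -X -v` output quoted in the message above can be checked mechanically; the script below is an added example, not part of the original message and not OpenSSH code. The function names are hypothetical, the sample files are constructed from lines quoted in the message, and the defaults passed in are the upstream OpenSSH ones (a distribution may ship different ones).

```shell
#!/bin/sh
# Added example: inputs are constructed from the settings and log lines
# quoted in the message; the function names are hypothetical.

# Print the effective value of KEYWORD in an sshd_config file: comments and
# blank lines are skipped, keywords are case-insensitive, first match wins.
sshd_effective() {  # usage: sshd_effective FILE KEYWORD DEFAULT
    awk -v key="$2" -v def="$3" '
        /^[ \t]*#/ || /^[ \t]*$/ { next }
        {
            line = $0; sub(/^[ \t]+/, "", line)
            k = line; sub(/[ \t=].*$/, "", k)
            v = substr(line, length(k) + 1)
            sub(/^[ \t]*=?[ \t]*/, "", v); sub(/[ \t]+$/, "", v)
            if (tolower(k) == tolower(key)) { print v; found = 1; exit }
        }
        END { if (!found) print def }
    ' "$1"
}

# Classify a client-side `ssh -X -v` log by whether forwarding was requested
# and by what the remote X client printed when it failed.
x11_log_verdict() {  # usage: x11_log_verdict LOGFILE
    grep -q 'Requesting X11 forwarding' "$1" || { echo not-requested; return 0; }
    if grep -Eq "Can't open display:[[:space:]]*\$" "$1"; then
        echo display-unset         # empty name: remote DISPLAY was empty or unset
    elif grep -q "Can't open display:" "$1"; then
        echo display-unreachable   # DISPLAY was set, but the X connection failed
    else
        echo no-display-error
    fi
}

# Constructed sample files (excerpts of C's and B's settings, and of the first log).
tmp=$(mktemp -d)
printf '%s\n' '#X11Forwarding no' 'X11Forwarding yes' '#X11DisplayOffset 10' \
    '#X11UseLocalhost yes' > "$tmp/sshd_config.C"
printf '%s\n' 'X11Forwarding yes' 'X11DisplayOffset 10' 'PrintMotd no' \
    > "$tmp/sshd_config.B"
printf '%s\n' 'debug1: Requesting X11 forwarding with authentication spoofing.' \
    'debug1: channel request 0: x11-req' "Error: Can't open display:" \
    'debug1: Exit status 1' > "$tmp/hop_B.log"

# The third argument is the upstream default used when the keyword is absent.
echo "C X11Forwarding:    $(sshd_effective "$tmp/sshd_config.C" X11Forwarding no)"
echo "C X11DisplayOffset: $(sshd_effective "$tmp/sshd_config.C" X11DisplayOffset 10)"
echo "B X11UseLocalhost:  $(sshd_effective "$tmp/sshd_config.B" X11UseLocalhost yes)"
echo "log verdict:        $(x11_log_verdict "$tmp/hop_B.log")"
```

An empty display name after `Can't open display:` means the remote program started without a DISPLAY, which points at forwarding never being set up on that hop rather than at a rejected X authentication cookie.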


