On Sun, Dec 21, 2014 at 1:17 AM, Harry Putnam <rea...@newsguy.com> wrote:

> This properly belongs on the ssh group, but posting there has not gotten
> any responses... and the list is quite slow to boot.
>
> I like using ssh -X to other lan remotes but with new versions of openssh
> or perhaps the configs, it only works 1 way.
>
> I can `ssh  -X' to the gentoo host from a debian host but not the other
> way round.
>
> Two different versions of openssh appear to be involved.  But not sure
> how different they are.
>
> RHOST=a debian HOST
> LHOST= Gentoo HOST
>
> ssh -vN $RHOST 2>&1|grep "remote software version"
>
>   [...] OpenSSH_6.7p1 Debian-3
>
> ssh -vN $LHOST 2>&1|grep "remote software version"
>
>   [...] OpenSSH_6.7p1-hpn14v5
>
>
> One thing I tried to do was to copy the RHOST sshd_config and ssh_config to
> LHOST.  Restart and try again... there were a few incompatible bits in
> the files so after commenting a few out until no config errors.
>
> However ssh -X still displayed the error and would NOT work when:
>   ssh -X RHOST from LHOST
> (Note that plain ssh LHOST or RHOST works in any direction)
>
> Error output with ssh -X $RHOST "xterm"
>
> ,----
> | Warning: untrusted X11 forwarding setup failed: xauth key data not generated
> | Warning: No xauth data; using fake authentication data for X11 forwarding.
> | Invalid MIT-MAGIC-COOKIE-1 keyxterm: Xt error: Can't open display: localhost:10.0
>

I believe you're looking for the "xhost" command and its archaic
permissions setup settings.

The idea is that the machine hosting the X server has an additional
permissions setting that controls which hosts are allowed to use the
X displays.

Since you say that it's apparently the debian host that doesn't allow
launching of X programs, what happens if, from the working GUI on the
debian host, you run:
xhost +

Before you try connecting to it from the gentoo machine? It should say
something like
access control disabled, clients can connect from any host

And you should be able to open your xterm using ssh -X.


> `----
>
> [Full Error output with ssh -vv -X is very lengthy so is attached at the
> end]
>
> I'm not seeing how to debug this further.  So going back to the stock
> version of sshd_config ssh_config on gentoo with two changes:
>
> commented out this line:
>  PasswordAuthentication no
>
> added this:
>  X11Forwarding yes
>
> -------       -------       ---=---       -------       -------
> Full sshd_config on LHOST: sudo grep ^[^#] /etc/ssh/sshd_config
> -------       -------       ---=---       -------       -------
>   UsePAM yes
>   X11Forwarding yes
>   PrintMotd no
>   PrintLastLog no
>   UsePrivilegeSeparation sandbox                # Default for new installations.
>   Subsystem     sftp    /usr/lib/misc/sftp-server
>   AcceptEnv LANG LC_*
>
> -------  Config END    -------
>
>
> -------       -------       ---=---       -------       -------
> Full ssh_config on LHOST:  sudo grep ^[^#] /etc/ssh/ssh_config
> -------       -------       ---=---       -------       -------
>
>  ForwardX11 yes
>  SendEnv LANG LC_*
>
> -------  Config END    -------
>
> #######################################################
>
> Now the same info for RHOST
>
> -------       -------       ---=---       -------       -------
> Full sshd_config on RHOST: ssh root@RHOST "grep ^[^#] /etc/ssh/sshd_config"
> -------       -------       ---=---       -------       -------
>
> HostKey /etc/ssh/ssh_host_rsa_key
> HostKey /etc/ssh/ssh_host_dsa_key
> HostKey /etc/ssh/ssh_host_ed25519_key
> AcceptEnv LANG LC_*
> ChallengeResponseAuthentication no
> IgnoreRhosts yes
> HostbasedAuthentication no
> KeyRegenerationInterval 3600
> LogLevel INFO
> LoginGraceTime 120
> PermitEmptyPasswords no
> PermitRootLogin yes
> Port 22
> PrintLastLog yes
> PrintMotd no
> Protocol 2
> PubkeyAuthentication yes
> RSAAuthentication yes
> RhostsRSAAuthentication no
> ServerKeyBits 1024
> SyslogFacility AUTH
> StrictModes yes
> Subsystem   sftp        /usr/lib/misc/sftp-server
> TCPKeepAlive yes
> UsePAM yes
> UsePrivilegeSeparation sandbox
> X11Forwarding yes
>
> -------  Config END    -------
>
>
> -------       -------       ---=---       -------       -------
> Full ssh_config on RHOST: ssh root@RHOST "grep ^[^#] /etc/ssh/ssh_config"
> -------       -------       ---=---       -------       -------
> Host *
>    ForwardX11 yes
>     SendEnv LANG LC_*
>     HashKnownHosts yes
>
> -------  Config END    -------
>
> ############################################
> ############################################
>
> The only thing more I can think to include is the full lengthy output of
> ssh -vv -X
>
>


-- 
This email is:    [ ] actionable   [ ] fyi        [ ] social
Response needed:  [ ] yes          [ ] up to you  [ ] no
Time-sensitive:   [ ] immediate    [ ] soon       [ ] none
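
Added example, not part of the original thread: the first warning quoted above is printed on ssh's untrusted X11 forwarding path, so this Python code resolves which mode (`off`, `untrusted` or `trusted`) a client picks from an ssh_config like the LHOST one in the post. The function names, the sample host name `rhost` and the upstream-defaults table are assumptions of this example; `Match` blocks are skipped rather than evaluated.

```python
import fnmatch

# Upstream OpenSSH client defaults; a distribution may patch them (assumption).
UPSTREAM_DEFAULTS = {"forwardx11": "no", "forwardx11trusted": "no"}

# Constructed from the LHOST ssh_config lines quoted in the post.
LHOST_SSH_CONFIG = """
 ForwardX11 yes
 SendEnv LANG LC_*
"""

def host_matches(patterns, host):
    """Host line semantics: some positive pattern matches, no '!' pattern does."""
    negated = [p[1:] for p in patterns if p.startswith("!")]
    positive = [p for p in patterns if not p.startswith("!")]
    if any(fnmatch.fnmatchcase(host, p) for p in negated):
        return False
    return any(fnmatch.fnmatchcase(host, p) for p in positive)

def effective_options(config_text, host, defaults=UPSTREAM_DEFAULTS):
    """First value obtained for a keyword wins, as ssh_config(5) describes."""
    found, active = {}, True          # lines before any Host block apply to all
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        words = line.replace("=", " ", 1).split()
        key, args = words[0].lower(), words[1:]
        if key == "host":
            active = host_matches(args, host)
        elif key == "match":
            active = False            # Match blocks are not evaluated here
        elif active and key in defaults and args:
            found.setdefault(key, args[0].lower())
    return {**defaults, **found}

def x11_mode(config_text, host, flag=None, defaults=UPSTREAM_DEFAULTS):
    """Return 'off', 'untrusted' or 'trusted' for `ssh [flag] host`."""
    opts = effective_options(config_text, host, defaults)
    if flag in ("-X", "-Y"):          # command-line flags override the files
        opts["forwardx11"] = "yes"
    if flag == "-Y":
        opts["forwardx11trusted"] = "yes"
    if opts["forwardx11"] != "yes":
        return "off"
    # Untrusted mode has ssh ask xauth to generate a restricted cookie, the
    # step the warning quoted in the post reports as failing.
    return "trusted" if opts["forwardx11trusted"] == "yes" else "untrusted"
```

Passing a different `defaults` table models a build whose compiled-in defaults differ from upstream.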
