On Monday 18 September 2006 21:35, Konstantinos Pachopoulos wrote:
> --- Herbert Poetzl <[EMAIL PROTECTED]> wrote:
> > On Sun, Sep 17, 2006 at 09:39:51PM +0100,
> > Konstantinos Pachopoulos wrote:
> > > Hi,
> > > I cannot ssh forward, through my "ipcop" guest
> > > (10.0.0.6/24). In the host system I have made it
> > > "visible" via "ip addr add 10.0.0.6/24 broadcast + dev eth0".
> > >
> > > Here's what I get when I try to run firestarter or
> > > nedit or xterm for example:
> > >
> > > --------------------
> > > ipcop:~# firestarter
> > > X11 connection rejected because of wrong authentication.
> > > The application 'firestarter' lost its connection to
> > > the display localhost:10.0;
> > > most likely the X server was shut down or you killed/destroyed
> > > the application.
> > > ipcop:~# nedit
> > > X11 connection rejected because of wrong authentication.
> > > X connection to localhost:10.0 broken (explicit kill or server shutdown).
> > > --------------------
> > >
> > > Here's the /etc/ssh/sshd_config of the "ipcop" server:
> > > --------------------
> > > # Package generated configuration file
> > > # See the sshd(8) manpage for details
> > >
> > > # What ports, IPs and protocols we listen for
> > > Port 22
> > > # Use these options to restrict which interfaces/protocols sshd will bind to
> > > #ListenAddress ::
> > > #ListenAddress 0.0.0.0
> > > Protocol 2
> > > # HostKeys for protocol version 2
> > > HostKey /etc/ssh/ssh_host_rsa_key
> > > HostKey /etc/ssh/ssh_host_dsa_key
> > > #Privilege Separation is turned on for security
> > > UsePrivilegeSeparation yes
> > >
> > > # Lifetime and size of ephemeral version 1 server key
> > > KeyRegenerationInterval 3600
> > > ServerKeyBits 768
> > >
> > > # Logging
> > > SyslogFacility AUTH
> > > LogLevel INFO
> > >
> > > # Authentication:
> > > LoginGraceTime 600
> > > PermitRootLogin yes
> > > StrictModes yes
> > >
> > > RSAAuthentication yes
> > > PubkeyAuthentication yes
> > > #AuthorizedKeysFile %h/.ssh/authorized_keys
> > >
> > > # Don't read the user's ~/.rhosts and ~/.shosts files
> > > IgnoreRhosts yes
> > > # For this to work you will also need host keys in /etc/ssh_known_hosts
> > > RhostsRSAAuthentication no
> > > # similar for protocol version 2
> > > HostbasedAuthentication no
> > > # Uncomment if you don't trust ~/.ssh/known_hosts for RhostsRSAAuthentication
> > > #IgnoreUserKnownHosts yes
> > >
> > > # To enable empty passwords, change to yes (NOT RECOMMENDED)
> > > PermitEmptyPasswords no
> > >
> > > # Change to no to disable s/key passwords
> > > #ChallengeResponseAuthentication yes
> > >
> > > # Change to yes to enable tunnelled clear text passwords
> > > PasswordAuthentication no
> > >
> > > # To change Kerberos options
> > > #KerberosAuthentication no
> > > #KerberosOrLocalPasswd yes
> > > #AFSTokenPassing no
> > > #KerberosTicketCleanup no
> > >
> > > # Kerberos TGT Passing does only work with the AFS kaserver
> > > #KerberosTgtPassing yes
> > >
> > > X11Forwarding yes
> > > X11DisplayOffset 10
> > > PrintMotd no
> > > PrintLastLog yes
> > > KeepAlive yes
> > > #UseLogin no
> > >
> > > #MaxStartups 10:30:60
> > > #Banner /etc/issue.net
> > >
> > > Subsystem sftp /usr/lib/sftp-server
> > >
> > > UsePAM yes
> > > X11UseLocalhost no #tried with as suggested and without

I confirm, to enable X11 forwarding in a vserver, you can add the following
parameter in sshd_config:

X11UseLocalhost no

You should read the security notes in the man pages, because it can weaken
your security.

Just to be sure: after changing sshd_config, don't forget to reload it
(/etc/init.d/sshd reload).

After that, the DISPLAY variable in the vserver should be of the form
"name.dom.tld:10.0" instead of "localhost:10.0".

You can also use the following command (if the X11 display is :10):

netstat -apn | grep 6010

sshd should now be listening on the IP assigned to the vserver, on the TCP
port 6010.

> > > --------------------
> > >
> > > Any ideas? I have been searching for a couple days,
> > > but found nothing. Is this a routing, firewall issue
> > > maybe? I do not know a lot about networking. I hope I
> > > will learn through VServer :)
> >
> > check if $DISPLAY is set and what it contains,
> > also double check that your guest has mk/xauth
> > installed and the ssh client is not called with
> > -x (maybe explicitly specify -X for a test)
> >
> > check the ssh logon with the -v option to ssh,
> >
> > HTH,
> > Herbert
>
> Hi,
> I cannot find mkxauth command in a Debian Etch amd64
> package. Is it the same with "xauth generate"? Anyway,
> xauth (of xbase-clients) is installed - in general I
> have the same package configuration both in the guest
> and the host, but the host X-forwards OK.
>
> Here are some outputs:
> -----------------------------
> fire-deb:~# echo $DISPLAY
> localhost:10.0
> -----------------------------
> [EMAIL PROTECTED]:~$ ssh -vX [EMAIL PROTECTED]
> OpenSSH_4.3p2 Debian-3, OpenSSL 0.9.8b 04 May 2006
> debug1: Reading configuration data /etc/ssh/ssh_config
> debug1: Applying options for *
> debug1: Connecting to 10.0.0.8 [10.0.0.8] port 22.
> debug1: Connection established.
> debug1: identity file /home/kostas/.ssh/identity type -1
> debug1: identity file /home/kostas/.ssh/id_rsa type -1
> debug1: identity file /home/kostas/.ssh/id_dsa type -1
> debug1: Remote protocol version 2.0, remote software version OpenSSH_4.3p2 Debian-3
> debug1: match: OpenSSH_4.3p2 Debian-3 pat OpenSSH*
> debug1: Enabling compatibility mode for protocol 2.0
> debug1: Local version string SSH-2.0-OpenSSH_4.3p2 Debian-3
> debug1: SSH2_MSG_KEXINIT sent
> debug1: SSH2_MSG_KEXINIT received
> debug1: kex: server->client aes128-cbc hmac-md5 none
> debug1: kex: client->server aes128-cbc hmac-md5 none
> debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1024<1024<8192) sent
> debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
> debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
> debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
> debug1: Host '10.0.0.8' is known and matches the RSA host key.
> debug1: Found key in /home/kostas/.ssh/known_hosts:1
> debug1: ssh_rsa_verify: signature correct
> debug1: SSH2_MSG_NEWKEYS sent
> debug1: expecting SSH2_MSG_NEWKEYS
> debug1: SSH2_MSG_NEWKEYS received
> debug1: SSH2_MSG_SERVICE_REQUEST sent
> debug1: SSH2_MSG_SERVICE_ACCEPT received
> debug1: Authentications that can continue: publickey,password
> debug1: Next authentication method: publickey
> debug1: Trying private key: /home/kostas/.ssh/identity
> debug1: Trying private key: /home/kostas/.ssh/id_rsa
> debug1: Trying private key: /home/kostas/.ssh/id_dsa
> debug1: Next authentication method: password
> [EMAIL PROTECTED]'s password:
> debug1: Authentication succeeded (password).
> debug1: channel 0: new [client-session]
> debug1: Entering interactive session.
> debug1: Requesting X11 forwarding with authentication spoofing.
> debug1: Requesting authentication agent forwarding.
> debug1: Sending environment.
> debug1: Sending env LANG = en_US.UTF-8
> Last login: Mon Sep 18 22:46:32 2006 from 10.0.0.1
> fire-deb:~# xterm
> _X11TransSocketINETConnect() can't get address for localhost:6010: Name or service not known
> Warning: This program is an suid-root program or is being run by the root user.
> The full text of the error or warning message cannot be safely formatted
> in this environment. You may get a more descriptive message by running the
> program as a non-root user or by removing the suid bit on the executable.
> xterm Xt error: Can't open display: %s
> fire-deb:~#
> --------------------------------
> [EMAIL PROTECTED]:~$ ssh -vY [EMAIL PROTECTED]
> OpenSSH_4.3p2 Debian-3, OpenSSL 0.9.8b 04 May 2006
> debug1: Reading configuration data /etc/ssh/ssh_config
> debug1: Applying options for *
> debug1: Connecting to 10.0.0.8 [10.0.0.8] port 22.
> debug1: Connection established.
> debug1: identity file /home/kostas/.ssh/identity type -1
> debug1: identity file /home/kostas/.ssh/id_rsa type -1
> debug1: identity file /home/kostas/.ssh/id_dsa type -1
> debug1: Remote protocol version 2.0, remote software version OpenSSH_4.3p2 Debian-3
> debug1: match: OpenSSH_4.3p2 Debian-3 pat OpenSSH*
> debug1: Enabling compatibility mode for protocol 2.0
> debug1: Local version string SSH-2.0-OpenSSH_4.3p2 Debian-3
> debug1: SSH2_MSG_KEXINIT sent
> debug1: SSH2_MSG_KEXINIT received
> debug1: kex: server->client aes128-cbc hmac-md5 none
> debug1: kex: client->server aes128-cbc hmac-md5 none
> debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1024<1024<8192) sent
> debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
> debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
> debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
> debug1: Host '10.0.0.8' is known and matches the RSA host key.
> debug1: Found key in /home/kostas/.ssh/known_hosts:1
> debug1: ssh_rsa_verify: signature correct
> debug1: SSH2_MSG_NEWKEYS sent
> debug1: expecting SSH2_MSG_NEWKEYS
> debug1: SSH2_MSG_NEWKEYS received
> debug1: SSH2_MSG_SERVICE_REQUEST sent
> debug1: SSH2_MSG_SERVICE_ACCEPT received
> debug1: Authentications that can continue: publickey,password
> debug1: Next authentication method: publickey
> debug1: Trying private key: /home/kostas/.ssh/identity
> debug1: Trying private key: /home/kostas/.ssh/id_rsa
> debug1: Trying private key: /home/kostas/.ssh/id_dsa
> debug1: Next authentication method: password
> [EMAIL PROTECTED]'s password:
> debug1: Authentication succeeded (password).
> debug1: channel 0: new [client-session]
> debug1: Entering interactive session.
> debug1: Requesting X11 forwarding with authentication spoofing.
> debug1: Requesting authentication agent forwarding.
> debug1: Sending environment.
> debug1: Sending env LANG = en_US.UTF-8
> Last login: Mon Sep 18 22:56:55 2006 from 10.0.0.1
> fire-deb:~# xterm
> _X11TransSocketINETConnect() can't get address for localhost:6010: Name or service not known
> Warning: This program is an suid-root program or is being run by the root user.
> The full text of the error or warning message cannot be safely formatted
> in this environment. You may get a more descriptive message by running the
> program as a non-root user or by removing the suid bit on the executable.
> xterm Xt error: Can't open display: %s
> fire-deb:~#
> ---------------------------------
>
> Thanks,
> Kostas
>
> _______________________________________________
> Vserver mailing list
> [email protected]
> http://list.linux-vserver.org/mailman/listinfo/vserver

-- 
Xavier Montagutelli                      Tel : +33 (0)5 55 45 77 20
Service Commun Informatique              Fax : +33 (0)5 55 45 75 95
Universite de Limoges
123, avenue Albert Thomas
87060 Limoges cedex
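As an added example (not from the thread or from anyone on it), the following POSIX sh check covers the two points in the reply above: it maps a DISPLAY value to the TCP port sshd must be listening on (6010 for :10.0), reads the effective X11UseLocalhost value from an sshd_config file, and flags the state seen in the thread where the file says no but DISPLAY still points at localhost, which is what an un-reloaded sshd leaves you with. The sample config is constructed and the function names are mine.

```shell
# Added example, not from the thread: check the listener port derived from
# DISPLAY and the effective X11UseLocalhost value of an sshd_config file.

# DISPLAY "host:N" or "host:N.S" -> TCP port 6000+N (6010 for :10.0 in the thread).
display_port() {
    _num=${1#*:}             # drop the "host:" prefix
    _num=${_num%%.*}         # drop the ".screen" suffix
    case $_num in
        ''|*[!0-9]*) return 1 ;;   # not a display number
    esac
    echo $((6000 + _num))
}

# Host part of DISPLAY: "localhost" for localhost:10.0, the guest's name otherwise.
display_host() {
    echo "${1%%:*}"
}

# Effective value of a keyword in an sshd_config file: the first uncommented
# occurrence wins (sshd ignores later ones outside Match blocks);
# $3 is the default used when the keyword is absent.
sshd_effective() {
    _val=$(awk -v key="$2" \
        '$1 !~ /^#/ && tolower($1) == tolower(key) { print $2; exit }' "$1")
    echo "${_val:-$3}"
}

# With X11UseLocalhost no, sshd binds the X11 listener to the guest's own
# address and sets DISPLAY to its hostname; a DISPLAY that still says
# localhost means the running sshd has not picked up the new config.
diagnose() {   # $1 = DISPLAY value, $2 = path to sshd_config
    _mode=$(sshd_effective "$2" X11UseLocalhost yes)
    _host=$(display_host "$1")
    if [ "$_mode" = no ] && [ "$_host" = localhost ]; then
        echo "mismatch: X11UseLocalhost no but DISPLAY is $1 (sshd reloaded?)"
        return 1
    fi
    echo "ok: expect sshd listening on $_host port $(display_port "$1")"
}

# Constructed sample resembling the guest config posted in the thread.
SAMPLE_CFG=$(mktemp)
cat > "$SAMPLE_CFG" <<'EOF'
X11Forwarding yes
X11DisplayOffset 10
#X11UseLocalhost yes
X11UseLocalhost no
EOF
diagnose "localhost:10.0" "$SAMPLE_CFG" || true   # the failing case from the thread
diagnose "fire-deb:10.0" "$SAMPLE_CFG"
rm -f "$SAMPLE_CFG"
```

On a live guest, run `diagnose "$DISPLAY" /etc/ssh/sshd_config` and compare the reported port with the `netstat -apn | grep 6010` output from the reply.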
