
This is a debugging question. When you ask for clarification please make sure it is not already covered below.

I have 4 machines: Z, A, N, and M.

To get to A you have to log into Z first.

To get to M you have to log into N first.

The following works:

ssh -X Z xclock
ssh -X Z ssh -X Z xclock
ssh -X Z ssh -X A xclock
ssh -X N xclock
ssh -X N ssh -X N xclock

But this does not:

ssh -X N ssh -X M xclock
Error: Can't open display: 

The $DISPLAY is clearly not set when logging in to M. The question is why?

Z and A share the same NFS-homedir. N and M share the same NFS-homedir. N's sshd runs on a non-standard port.

$ grep X11 <(ssh Z cat /etc/ssh/ssh_config) 
ForwardX11 yes
# ForwardX11Trusted yes

$ grep X11 <(ssh N cat /etc/ssh/ssh_config) 
ForwardX11 yes
# ForwardX11Trusted yes

N:/etc/ssh/ssh_config == Z:/etc/ssh/ssh_config and M:/etc/ssh/ssh_config == A:/etc/ssh/ssh_config

/etc/ssh/sshd_config is the same for all 4 machines (apart from Port and login permissions for certain groups).

If I forward M's ssh port to my local machine it still does not work:

terminal1$ ssh -L 8888:M:22 N
terminal2$ ssh -X -p 8888 localhost xclock
Error: Can't open display:

A:.Xauthority contains A, but M:.Xauthority does not contain M.

xauth is installed in /usr/bin/xauth on both A and M.

xauth is being run when logging in to A but not when logging in to M.

ssh -vvv does not complain about X11 or xauth when logging in to A and M. Both say:

debug2: x11_get_proto: /usr/bin/xauth  list :0 2>/dev/null
debug1: Requesting X11 forwarding with authentication spoofing.
debug2: channel 0: request x11-req confirm 0
debug2: client_session2_setup: id 0
debug2: channel 0: request pty-req confirm 1
debug1: Sending environment.

I have a feeling the problem may be related to M missing in M:.Xauthority (caused by xauth not being run) or that $DISPLAY is somehow being disabled by a login script, but I cannot figure out what is wrong.

-- update 20110628

I did not know about sshrc so that was a good guess. But alas, not the problem here. It does not exist on any of the 4 machines:

$ ls ~/.ssh/rc /etc/ssh/sshrc
ls: cannot access /home/tange/.ssh/rc: No such file or directory
ls: cannot access /etc/ssh/sshrc: No such file or directory

As mentioned the $DISPLAY variable is not set on M, but is fine on A:

$ ssh -X N ssh -X M 'echo \$DISPLAY'
<<empty>>
$ ssh -X Z ssh -X A 'echo \$DISPLAY'
localhost:14.0

The difference in output from a working session and a non-working session (Note: There are no warnings about X forwarding or xauth in the non-working session):

$ stdout ssh -X Z ssh -vX A 'echo \$DISPLAY' >/tmp/a
$ stdout ssh -X N ssh -vX M 'echo \$DISPLAY' >/tmp/b
$ diff /tmp/a /tmp/b
4c4
< debug1: Connecting to A [1.1.1.5] port 22.
---
> debug1: Connecting to M [1.1.3.3] port 22.
23,24c23,24
< debug1: Host 'A' is known and matches the RSA host key.
< debug1: Found key in /home/tange/.ssh/known_hosts:35
---
> debug1: Host 'M' is known and matches the RSA host key.
> debug1: Found key in /home/tange/.ssh/known_hosts:1
43d42
< debug1: Sending env LC_ALL = en_US.UTF-8
46c45
< localhost:14.0
---
> 
53,54c52,53
< Transferred: sent 2384, received 2312 bytes, in 0.2 seconds
< Bytes per second: sent 10714.8, received 10391.2
---
> Transferred: sent 2336, received 2296 bytes, in 0.0 seconds
> Bytes per second: sent 54629.1, received 53693.7

Installing lsh-server instead of openssh-server on M fixes the X-forwarding, but is an unacceptable solution.

Ole Tange

2 Answers


You don't specify if X11Forwarding is set to yes in /etc/ssh/sshd_config on M, which would definitely explain why it's not working.

Andy Smith
  • Read above: /etc/ssh/sshd_config is the same for all 4 machines (apart from Port and login permissions for certain groups). Also `ssh -vvv` would complain about X11 or xauth when logging in to A and M. And as mentioned above `ssh -vvv` says exactly the same. – Ole Tange Jun 28 '11 at 13:41
  • Okay. Anything interesting in `/etc/profile`? What distribution of Linux are they? Are they all the same version? – Andy Smith Jun 29 '11 at 01:11
  • A good guess. But `/etc/profile` on M only deals with $PS1, $PATH and umask. Also note in my update that installing `lsh-server` fixes the X11-forwarding, so the problem is specific to `openssh-server`. All 4 machines run Debian. – Ole Tange Jun 29 '11 at 09:21
  • A curious problem indeed! Another one - is `X11UseLocalhost` set to `yes` (or not present at all) in `/etc/ssh/sshd_config`? If not, try adding in `X11UseLocalhost no` and see if that makes any difference. – Andy Smith Jun 30 '11 at 10:42
  • 'X11UseLocalhost no' worked. (not X11Forwarding) – Ole Tange Sep 28 '11 at 15:05
  • @Andy Smith X11UseLocalhost set to "no" solved for me .. if you edit your post to explicitly mention this I'll be glad to upvote :) – drAlberT May 21 '13 at 09:36
  • Small note that you need to kill -HUP sshd (the main sshd process) to get ssh to reread its config. After that, the above worked for me. – Goblinhack Sep 12 '14 at 14:24

In my case it was firewall default policy which was set to "DROP".

You need to check which port is being listened on (usually it is 6000 + the value in the $DISPLAY environment variable) and set proper rules. Run as root:

# echo $DISPLAY
localhost:10.0

# netstat -altnp | grep LIST          
tcp        0      0 127.0.0.1:6010              0.0.0.0:*                   LISTEN      13670/sshd

# iptables -A INPUT -i lo -p tcp -m tcp --dport 6010 -j ACCEPT 
# iptables -A INPUT -i lo -p tcp -m tcp --sport 6010 -j ACCEPT
# iptables -A OUTPUT -o lo -p tcp -m tcp --dport 6010 -j ACCEPT 
# iptables -A OUTPUT -o lo -p tcp -m tcp --sport 6010 -j ACCEPT
humkins
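The two answers look at the same listener from opposite ends: the first at the `X11UseLocalhost` keyword that decides where sshd binds it, the second at the port behind `$DISPLAY` that the firewall has to let through. The script below is an added example, not code from the question or from either answer, that ties those together: it reads the effective X11 settings out of an `sshd_config` text and works out the `DISPLAY` value and listener address sshd would produce. It assumes the OpenSSH defaults documented in sshd_config(5) (`X11Forwarding no`, `X11UseLocalhost yes`, `X11DisplayOffset 10`), and that with `X11UseLocalhost no` sshd binds the wildcard address and puts the host name rather than `localhost` into `DISPLAY`, as that manual page describes. The function names and the three sample configurations are constructed for the example.

```shell
#!/bin/sh
# Added example (not code from the question or answers above): derive the
# effective X11-forwarding settings of an sshd_config text and the listener
# sshd would create, so the sshd configuration and the firewall rule can be
# checked against each other.  Function names are hypothetical; the sample
# configurations at the bottom are constructed.

# Effective value of one keyword in the global section of sshd_config.
# Defaults are the ones documented for OpenSSH (X11Forwarding no,
# X11UseLocalhost yes, X11DisplayOffset 10).  First occurrence wins, as in
# sshd itself; commented-out lines such as "# X11UseLocalhost yes" are
# ignored, and parsing stops at the first Match block, whose keywords only
# apply conditionally.  Keywords are matched case-insensitively.
x11_setting() {            # usage: x11_setting <keyword> "<config text>"
    key="$1"
    val=$(printf '%s\n' "$2" | awk -v k="$key" '
        tolower($1) == "match"    { exit }
        tolower($1) == tolower(k) { print $2; exit }')
    if [ -z "$val" ]; then
        case "$key" in
            X11Forwarding)    val=no  ;;
            X11UseLocalhost)  val=yes ;;
            X11DisplayOffset) val=10  ;;
        esac
    fi
    printf '%s\n' "$val"
}

# TCP port behind a DISPLAY value such as localhost:10.0 or M:10 (6000 + n).
display_port() {           # usage: display_port <DISPLAY>
    n=${1#*:}              # drop the host part
    n=${n%%.*}             # drop the screen number, if any
    echo $((6000 + n))
}

# Address sshd binds the X11 listener to: 127.0.0.1 with X11UseLocalhost yes,
# the wildcard address with X11UseLocalhost no.
x11_bind_address() {       # usage: x11_bind_address "<config text>"
    if [ "$(x11_setting X11UseLocalhost "$1")" = yes ]; then
        echo 127.0.0.1
    else
        echo 0.0.0.0
    fi
}

# DISPLAY sshd exports for the first forwarded session on a host: empty when
# X11Forwarding is off, localhost:<offset>.0 with X11UseLocalhost yes, and
# <hostname>:<offset>.0 with X11UseLocalhost no.  (sshd probes upward from
# the offset for a free display number; the offset itself is assumed free.)
expected_display() {       # usage: expected_display "<config text>" <hostname>
    if [ "$(x11_setting X11Forwarding "$1")" != yes ]; then
        echo ""
        return 0
    fi
    off=$(x11_setting X11DisplayOffset "$1")
    if [ "$(x11_setting X11UseLocalhost "$1")" = yes ]; then
        echo "localhost:$off.0"
    else
        echo "$2:$off.0"
    fi
}

# One-line summary for a configuration, including the listener the firewall
# must allow when forwarding is on.
report() {                 # usage: report <label> "<config text>" <hostname>
    disp=$(expected_display "$2" "$3")
    line="$1: X11Forwarding=$(x11_setting X11Forwarding "$2")"
    line="$line X11UseLocalhost=$(x11_setting X11UseLocalhost "$2")"
    if [ -n "$disp" ]; then
        line="$line DISPLAY=$disp listener=$(x11_bind_address "$2"):$(display_port "$disp")"
    else
        line="$line DISPLAY=<unset>"
    fi
    printf '%s\n' "$line"
}

# Constructed sample configurations (not the real files from the question).
SSHD_CONFIG_DEFAULT='Port 22
X11Forwarding yes
# X11UseLocalhost yes'
SSHD_CONFIG_FIXED='Port 2222
X11Forwarding yes
X11UseLocalhost no'
SSHD_CONFIG_BARE='Port 22'

report default "$SSHD_CONFIG_DEFAULT" M
report fixed   "$SSHD_CONFIG_FIXED"   M
report bare    "$SSHD_CONFIG_BARE"    M
```

Run against the real file with `report M "$(cat /etc/ssh/sshd_config)" "$(hostname)"`, after `kill -HUP` of the main sshd as the last comment on the first answer notes, and compare the reported listener with what `netstat -altnp | grep LIST` shows. With `X11UseLocalhost no` the listener is bound to the wildcard address, so the `-i lo` rules from the second answer no longer match it and the forwarded display becomes reachable from other hosts, protected only by the xauth cookie; that is the trade-off to weigh before copying the fix.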