New X11 trouble - SSH


Thread: New X11 trouble

  1. New X11 trouble


    I have three hosts on my home network, hosta, hostb & hostc, and
    I'm having connection troubles amongst some of them.

    hosta can run remote X11 applications on either hostb or hostc
    without issue. hosta can run multiple applications at the same
    time variously on hostb or hostc.

    hostb can run X11 applications on hosta. hostb can only intermittently
    run applications on hostc. For instance, when I try to start up an
    xterm, running on hostc and displaying on hostb, then most of the time
    the start-up will fail with this message:

    X connection to hostc.mydom.com:10.0 broken (explicit kill or server shutdown).

    On the occasions when the xterm does start, then I can launch
    more X applications in that xterm.

    hostc can't run X11 applications on either of the other two hosts.

    Now, here's where I'm really confused. All three hosts have
    identical ssh_config files, have identical sshd_config files,
    have identical ~/.ssh/config files, and have identical /etc/hosts
    files.

    ssh_config contains:

    Host *
    ForwardAgent yes
    ForwardX11 yes
    ForwardX11Trusted yes
    Protocol 2
    StrictHostKeyChecking ask

    sshd_config contains:

    Protocol 2
    HostKey /etc/ssh/ssh_host_key
    HostKey /etc/ssh/ssh_host_rsa_key
    HostKey /etc/ssh/ssh_host_dsa_key
    PermitRootLogin no
    X11Forwarding yes
    X11DisplayOffset 10
    X11UseLocalhost no
    UsePrivilegeSeparation no
    MaxStartups 3
    Subsystem sftp /usr/lib/ssh/sftp-server

    ~/.ssh/config contains:

    Compression yes
    ForwardX11 yes
    ForwardAgent no
    ForwardX11Trusted yes

    For a short time I had a problem with /etc/hosts on hostc in that
    it had 127.0.0.1 listed as one of the addresses of hostc, causing
    me to groom /etc/hosts until they looked good, and look identical
    across the hosts.

    All 3 hosts are running OpenSSH 4.3p1. hosta is a Mandrake 10.1
    system. hostb is a Mandrake 9.0 system. hostc is a Mandriva
    2006.0 system.

    I'm thinking of going back to OpenSSH 3.7.1p2, which ran without
    fail ever since I installed it shortly after its release. The
    Mandriva 2006.0 system ran without fail with OpenSSH 4.2p1.
    Maybe that would be a good choice. I'd rather fix the 4.3p1
    implementation tho, since it includes improved security over
    prior versions.

    Any advice? Thanks....

    --
    PLEASE post a SUMMARY of the answer(s) to your question(s)!
    Show Windows & Gates to the exit door.
    Unless otherwise noted, the statements herein reflect my personal
    opinions and not those of any organization with which I may be affiliated.

  2. Re: New X11 trouble


    Do you share a single home directory among the three hosts (e.g. via NFS)?
    If so, the xauth files might be stomping on each other or fighting over
    locks.

    --
    Richard Silverman
    res@qoxp.net


  3. Re: New X11 trouble

    Richard E. Silverman wrote:
    > Do you share a single home directory among the three hosts (e.g. via NFS)?
    > If so, the xauth files might be stomping on each other or fighting over
    > locks.


    Nope. I'm not sharing anything by NFS, though I can access each machine
    over NFS via automounter, if I wish.

    Good thought tho...

    --
    PLEASE post a SUMMARY of the answer(s) to your question(s)!
    Show Windows & Gates to the exit door.
    Unless otherwise noted, the statements herein reflect my personal
    opinions and not those of any organization with which I may be affiliated.

  4. Re: New X11 trouble

    I just saw a new message appear in /var/log/auth.log when I tried
    to start an application which previously started just fine. The
    message was "administratively prohibited". I web searched for
    'sshd "administratively prohibited"' and found a thread saying
    that sometimes /etc/resolv.conf could be unreadable by the ssh
    user and cause problems. My /etc/resolv.conf files are all
    readable. But, the /etc/resolv.conf files are a bit different on
    hostc.

    I also saw another thread in that same search about turning
    on/off privilege separation. I'll look at both of those things
    tonight.

    Thanks...

    --
    PLEASE post a SUMMARY of the answer(s) to your question(s)!
    Show Windows & Gates to the exit door.
    Unless otherwise noted, the statements herein reflect my personal
    opinions and not those of any organization with which I may be affiliated.

  5. Re: New X11 trouble

    On 2006-04-13, Kevin the Drummer wrote:

    > I just saw a new message appear in /var/log/auth.log when I tried
    > to start an application which previously started just fine. The
    > message was "administratively prohibited". I web searched for


    Could this refer to a firewall rule as here?
    http://www.rfc-editor.org/rfc/rfc1122.txt

    --
    Elvis Notargiacomo master AT barefaced DOT cheek
    http://www.notatla.org.uk/goen/
    Powergen write "Why not stay with us" - let me count the ways!

  6. Re: New X11 trouble

    >>>>> "KD" == Kevin the Drummer writes:

    KD> I just saw a new message appear in /var/log/auth.log when I tried
    KD> to start an application which previously started just fine. The
    KD> message was "administratively prohibited".

    Although it sounds like the ICMP message of the same name, this is
    actually a message OpenSSH generates itself. It will happen e.g. if the
    client requests a tcpip-direct channel in response to a -L forwarding, but
    the server does not allow it due to configuration.

    --
    Richard Silverman
    res@qoxp.net


  7. SOLVED -- Re: New X11 trouble

    Kevin the Drummer wrote:
    > I have three hosts on my home network, hosta, hostb & hostc, and
    > I'm having connection troubles amongst some of them.
    >
    > hosta can run remote X11 applications on either hostb or hostc
    > without issue. hosta can run multiple applications at the same
    > time variously on hostb or hostc.
    >
    > hostb can run X11 applications on hosta. hostb can only intermittently
    > run applications on hostc. For instance, when I try to start up an
    > xterm, running on hostc and displaying on hostb, then most of the time
    > the start-up will fail with this message:
    >
    > X connection to hostc.mydom.com:10.0 broken (explicit kill or server shutdown).
    >
    > On the occasions when the xterm does start, then I can launch
    > more X applications in that xterm.
    >
    > hostc can't run X11 applications on either of the other two hosts.
    >
    > Now, here's where I'm really confused. All three hosts have
    > identical ssh_config files, have identical sshd_config files,
    > have identical ~/.ssh/config files, and have identical /etc/hosts
    > files.
    >
    > ssh_config contains:
    >
    > Host *
    > ForwardAgent yes
    > ForwardX11 yes
    > ForwardX11Trusted yes
    > Protocol 2
    > StrictHostKeyChecking ask
    >
    > sshd_config contains:
    >
    > Protocol 2
    > HostKey /etc/ssh/ssh_host_key
    > HostKey /etc/ssh/ssh_host_rsa_key
    > HostKey /etc/ssh/ssh_host_dsa_key
    > PermitRootLogin no
    > X11Forwarding yes
    > X11DisplayOffset 10
    > X11UseLocalhost no
    > UsePrivilegeSeparation no
    > MaxStartups 3
    > Subsystem sftp /usr/lib/ssh/sftp-server
    >
    > ~/.ssh/config contains:
    >
    > Compression yes
    > ForwardX11 yes
    > ForwardAgent no
    > ForwardX11Trusted yes
    >
    > For a short time I had a problem with /etc/hosts on hostc in that
    > it had 127.0.0.1 listed as one of the addresses of hostc, causing
    > me to groom /etc/hosts until they looked good, and look identical
    > across the hosts.
    >
    > All 3 hosts are running OpenSSH 4.3p1. hosta is a Mandrake 10.1
    > system. hostb is a Mandrake 9.0 system. hostc is a Mandriva
    > 2006.0 system.
    >
    > I'm thinking of going back to OpenSSH 3.7.1p2, which ran without
    > fail ever since I installed it shortly after its release. The
    > Mandriva 2006.0 system ran without fail with OpenSSH 4.2p1.
    > Maybe that would be a good choice. I'd rather fix the 4.3p1
    > implementation tho, since it includes improved security over
    > prior versions.


    I found the problem. I'm not sure why this is, but I now need to
    set "X11UseLocalhost yes" in sshd_config. A *long* time ago I
    got used to setting this to "no", otherwise X forwarding wouldn't
    work. Now for the first time I'm required to set it to "yes".
    I found the answer by trial and error with all of the relevant
    parameters in sshd_config. Everything seems to be working again,
    including stuff like this:

    ssh myfirewall.mydom.com -f 'ssh otherhost.mydom.com xterm'

    I hope this helps someone....

    --
    PLEASE post a SUMMARY of the answer(s) to your question(s)!
    Show Windows & Gates to the exit door.
    Unless otherwise noted, the statements herein reflect my personal
    opinions and not those of any organization with which I may be affiliated.
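
An added example, not part of any post in the thread: a Python check of what the `X11UseLocalhost` setting changed in the final post means for the listener sshd opens for X11 forwarding. The function names are hypothetical, the sample config is constructed from the X11-relevant lines quoted in the thread, and only the global section of the file is read (parsing stops at the first `Match`).

```python
# Added example: where does sshd's X11 proxy listen for a given sshd_config?
X11_BASE_PORT = 6000  # X display N is reached on TCP port 6000 + N

# sshd_config(5) defaults for the three keywords this check reads.
DEFAULTS = {"x11forwarding": "no", "x11displayoffset": "10",
            "x11uselocalhost": "yes"}

# Constructed sample: X11-relevant lines of the sshd_config quoted in the thread.
THREAD_SSHD_CONFIG = """\
Protocol 2
PermitRootLogin no
X11Forwarding yes
X11DisplayOffset 10
X11UseLocalhost no
MaxStartups 3
"""


def effective_settings(text):
    """Global-section settings: keywords are case-insensitive, first value wins."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.replace("=", " ", 1).split(None, 1)
        if parts[0].lower() == "match":
            break  # conditional blocks are out of scope for this check
        if len(parts) == 2:
            settings.setdefault(parts[0].lower(), parts[1].strip())
    return settings


def x11_exposure(text):
    """Describe the X11 forwarding listener that this configuration produces."""
    cfg = {**DEFAULTS, **effective_settings(text)}
    if cfg["x11forwarding"].lower() != "yes":
        return {"forwarding": False, "exposed": False}
    offset = int(cfg["x11displayoffset"])
    loopback = cfg["x11uselocalhost"].lower() == "yes"
    return {
        "forwarding": True,
        "bind": "loopback" if loopback else "wildcard",
        "first_port": X11_BASE_PORT + offset,
        "display": f"{'localhost' if loopback else '<hostname>'}:{offset}.0",
        "exposed": not loopback,  # wildcard bind: other hosts can reach the proxy
    }
```

For the thread's original settings this reports a wildcard bind starting at TCP 6010 and a `DISPLAY` of the form `<hostname>:10.0`, the same form as the `hostc.mydom.com:10.0` in the error message; with `X11UseLocalhost yes` the listener is loopback-only and `DISPLAY` becomes `localhost:10.0`.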
