X11 forwarding does not work as normal user

Ziying Sherwin sherwin at nlm.nih.gov
Wed May 8 06:11:02 EST 2002


Thanks again for the reply. Following your instruction, I captured the output
on both server and client side. The transcript is appended below.

It seems that if I use ssh as a super user on the client side, there are several
extra lines in the server output (those lines are marked with >>> in the
attachment):

  >>>debug1: server_input_channel_req: channel 0 request x11-req reply 0
  >>>debug1: session_by_channel: session 0 channel 0
  >>>debug1: session_input_channel_req: session 0 req x11-req
  >>>debug1: fd 12 setting O_NONBLOCK
  >>>debug2: fd 12 is O_NONBLOCK
  >>>debug1: channel 1: new [X11 inet listener]
  >>>debug1: fd 13 setting O_NONBLOCK
  >>>debug2: fd 13 is O_NONBLOCK
  >>>debug1: channel 2: new [X11 inet listener]

On the client side, there are a few extra lines if the client is a super user:

  debug2: x11_get_proto /usr/openwin/bin/xauth list :0.0 2>/dev/null
  debug1: Requesting X11 forwarding with authentication spoofing.
  debug1: channel request 0: x11-req

The difference between super users and normal users is that the super users
set their DISPLAY environment variable, while the normal users do not. Also,
the super users and normal users have different privileges over the
configuration file ssh_config.

Then, I further checked the code by putting in additional lines to print
debug information. It seems that in the routine ssh_session2_setup in the ssh.c
file, the program checks whether the forward_x11 option is set AND the
environment variable DISPLAY is set. In our case, we set the forward_x11 option
in the /etc/ssh_config file; however, from the debugging messages, the
forward_x11 option is not set unless we manually specify it on the command line
using the "-X" option. And since DISPLAY is not set either, the function
x11_get_proto is not called for normal users.

So here are our questions:

1. We used to use ssh as security shell. It works for both super users and
   normal users no matter whether the DISPLAY environment variable is set
   or not. We are using both CDE and openwin on the Solaris 2.8 platform. As a
   widely used security shell, openssh should not decide whether to establish
   an X11 forwarding based on the assumption that all users set their DISPLAY
   environment variable. Is it possible for openssh to handle this more
   flexibly?

2. Why does the X11 forwarding setting not get picked up by normal users?

Thanks.
Ziying

------------------------------------------------------------------------------
Output from "ssh -vvv noble -l <normal user>" as super user

>ssh -vvv noble -l foo
[debug information]
<banner message>
debug1: authentications that can continue: publickey,password,keyboard-interactive
debug3: start over, passed a different list publickey,password,keyboard-interactive
debug3: preferred publickey,keyboard-interactive,password
debug3: authmethod_lookup publickey
[...]
debug3: remaining preferred: 
debug3: authmethod_is_enabled password
debug1: next auth method to try is password
foo at noble's password:
debug1: packet_send2: adding 64 (len 58 padlen 6 extra_pad 64)
debug2: we sent a password packet, wait for reply
debug1: ssh-userauth2 successful: method password
debug3: clear hostkey 0
debug3: clear hostkey 1
debug3: clear hostkey 2
debug1: channel 0: new [client-session]
debug3: ssh_session2_open: channel_new: 0
debug1: send channel open 0
debug1: Entering interactive session.
debug2: callback start
debug1: ssh_session2_setup: id 0
debug1: channel request 0: pty-req
debug3: tty_make_modes: ospeed 9600
debug3: tty_make_modes: ispeed 9600
debug3: tty_make_modes: 1 3
[...]
debug3: tty_make_modes: 92 0
debug3: tty_make_modes: 93 0
debug2: x11_get_proto /usr/openwin/bin/xauth list :0.0 2>/dev/null
debug1: Requesting X11 forwarding with authentication spoofing.
debug1: channel request 0: x11-req
debug1: channel request 0: shell
debug1: fd 5 setting TCP_NODELAY
debug2: callback done
debug1: channel 0: open confirm rwindow 0 rmax 32768
debug2: channel 0: rcvd adjust 131072
debug3: Trying to reverse map address 130.14.31.40.
Last login: Tue May  7 11:12:24 2002 from :0
Environment:
  USER=foo
  LOGNAME=foo
  HOME=/home/foo
  PATH=/usr/bin:/bin:/usr/sbin:/sbin
  MAIL=/var/mail//foo
  SHELL=/bin/ksh
  TZ=US/Eastern
  SSH_CLIENT=130.14.31.40 34829 22
  SSH_TTY=/dev/pts/8
  TERM=sun-cmd
  DISPLAY=localhost:10.0
debug3: channel_close_fds: channel 0: r -1 w -1 e -1
debug3: channel_close_fds: channel 1: r 12 w 12 e -1
debug3: channel_close_fds: channel 2: r 13 w 13 e -1
Running /usr/openwin/bin/xauth add unix:10.0 MIT-MAGIC-COOKIE-1 45b4a6b13aaf6d34e15c6874b43b8ba0
debug1: Received SIGCHLD.
Sun Microsystems Inc.   SunOS 5.8       Generic February 2000
debug1: client_input_channel_open: ctype x11 rchan 3 win 65536 max 16384
debug1: client_request_x11: request from 127.0.0.1 38777
debug1: fd 9 setting O_NONBLOCK
debug2: fd 9 is O_NONBLOCK
debug1: channel 1: new [x11]
debug1: confirm x11
debug1: channel 1: rcvd eof
debug1: channel 1: output open -> drain
debug1: channel 1: obuf empty
debug1: channel 1: close_write
debug1: channel 1: output drain -> closed
debug1: channel 1: FORCE input drain
debug1: channel 1: ibuf empty
debug1: channel 1: send eof
debug1: channel 1: input drain -> closed
debug1: channel 1: send close
debug3: channel 1: will not send data after close
debug1: channel 1: rcvd close
debug3: channel 1: will not send data after close
debug1: channel 1: is dead
debug1: channel 1: garbage collecting
debug1: channel_free: channel 1: x11, nchannels 2
debug3: channel_free: status: The following connections are open:
  #0 client-session (t4 r0 i0/0 o0/0 fd 6/7)
  #1 x11 (t4 r3 i3/0 o3/0 fd 9/9)

debug3: channel_close_fds: channel 1: r 9 w 9 e -1
debug1: client_input_channel_open: ctype x11 rchan 3 win 65536 max 16384
debug1: client_request_x11: request from 127.0.0.1 38778
debug1: fd 9 setting O_NONBLOCK
debug2: fd 9 is O_NONBLOCK
debug1: channel 1: new [x11]
debug1: confirm x11
debug1: channel 1: rcvd eof
debug1: channel 1: output open -> drain
debug1: channel 1: obuf empty
debug1: channel 1: close_write
debug1: channel 1: output drain -> closed
debug1: channel 1: FORCE input drain
debug1: channel 1: ibuf empty
debug1: channel 1: send eof
debug1: channel 1: input drain -> closed
debug1: channel 1: send close
debug3: channel 1: will not send data after close
debug1: channel 1: rcvd close
debug3: channel 1: will not send data after close
debug1: channel 1: is dead
debug1: channel 1: garbage collecting
debug1: channel_free: channel 1: x11, nchannels 2
debug3: channel_free: status: The following connections are open:
  #0 client-session (t4 r0 i0/0 o0/0 fd 6/7)
  #1 x11 (t4 r3 i3/0 o3/0 fd 9/9)

debug3: channel_close_fds: channel 1: r 9 w 9 e -1
mer[zs]ksh:171>echo $DISPLAY
localhost:10.0
nob[foo]csh:52>xauth list
noble:0  MIT-MAGIC-COOKIE-1  542e4645344831694c3164595a513559
noble/unix:0  MIT-MAGIC-COOKIE-1  542e4645344831694c3164595a513559
130.14.35.142:0  MIT-MAGIC-COOKIE-1  435433683137484e51415761444b7348
image3pc:0  MIT-MAGIC-COOKIE-1  7976416b43797453317662554133314c
[...]

------------------------------------------------------------------------------

Output from "ssh -vvv noble -l <normal user>" as normal user
hum[zs]ksh:306>ssh -vvv noble -l foo
[debug message]
<banner message>
debug1: authentications that can continue: publickey,password,keyboard-interactive
debug3: start over, passed a different list publickey,password,keyboard-interactive
debug3: preferred publickey,keyboard-interactive,password
debug3: authmethod_lookup publickey
[...]
debug2: we sent a keyboard-interactive packet, wait for reply
debug1: authentications that can continue: publickey,password,keyboard-interactive
debug3: userauth_kbdint: disable: no info_req_seen
debug2: we did not send a packet, disable method
debug3: authmethod_lookup password
debug3: remaining preferred: 
debug3: authmethod_is_enabled password
debug1: next auth method to try is password
foo at noble's password:
debug1: packet_send2: adding 64 (len 59 padlen 5 extra_pad 64)
debug2: we sent a password packet, wait for reply
debug1: ssh-userauth2 successful: method password
debug3: clear hostkey 0
debug3: clear hostkey 1
debug3: clear hostkey 2
debug1: channel 0: new [client-session]
debug3: ssh_session2_open: channel_new: 0
debug1: send channel open 0
debug1: Entering interactive session.
debug2: callback start
debug1: ssh_session2_setup: id 0
debug1: channel request 0: pty-req
debug3: tty_make_modes: ospeed 9600
debug3: tty_make_modes: ispeed 9600
debug3: tty_make_modes: 1 3
[...]
debug3: tty_make_modes: 93 0
debug1: channel request 0: shell
debug1: fd 6 setting TCP_NODELAY
debug2: callback done
debug1: channel 0: open confirm rwindow 0 rmax 32768
debug2: channel 0: rcvd adjust 131072
debug3: Trying to reverse map address 130.14.31.40.
Last login: Tue May  7 13:43:47 2002 from hume
Environment:
  USER=foo
  LOGNAME=foo
  HOME=/home/foo
  PATH=/usr/bin:/bin:/usr/sbin:/sbin
  MAIL=/var/mail//foo
  SHELL=/bin/ksh
  TZ=US/Eastern
  SSH_CLIENT=130.14.31.40 34839 22
  SSH_TTY=/dev/pts/8
  TERM=sun-cmd
debug3: channel_close_fds: channel 0: r -1 w -1 e -1
Sun Microsystems Inc.   SunOS 5.8       Generic February 2000
mer[zs]ksh:173>echo $DISPLAY

nob[zs]ksh:158>xauth list
hume:0  MIT-MAGIC-COOKIE-1  7a76423953564963475a397735434777
hume/unix:0  MIT-MAGIC-COOKIE-1  7a76423953564963475a397735434777
noble:0  MIT-MAGIC-COOKIE-1  386a366156644f4b5141667642516c56
noble/unix:0  MIT-MAGIC-COOKIE-1  386a366156644f4b5141667642516c56
[...]


------------------------------------------------------------------------------
Output from "/usr/sbin/sshd -d -d -d" for a connection from super user

mer[root]csh:64>/usr/sbin/sshd -d -d -d
debug1: sshd version OpenSSH_3.1p1
debug3: Not a RSA1 key file /etc/openssh_3.1p1/etc/ssh_host_rsa_key.
[...]
debug1: userauth_banner: sent
Failed none for foo from 130.14.31.40 port 34848 ssh2
debug1: userauth-request for user foo service ssh-connection method keyboard-interactive
debug1: attempt 1 failures 1
debug2: input_userauth_request: try method keyboard-interactive
debug1: keyboard-interactive devs 
debug1: auth2_challenge: user=foo devs=
debug1: kbdint_alloc: devices ''
debug2: auth2_challenge_start: devices 
Failed keyboard-interactive for foo from 130.14.21.40 port 34848 ssh2
debug1: userauth-request for user foo service ssh-connection method password
debug1: attempt 2 failures 2
debug2: input_userauth_request: try method password
Accepted password for foo from 130.14.21.40 port 34848 ssh2
debug1: Entering interactive session for SSH2.
debug1: fd 3 setting O_NONBLOCK
debug1: fd 9 setting O_NONBLOCK
debug1: server_init_dispatch_20
debug1: server_input_channel_open: ctype session rchan 0 win 65536 max 16384
debug1: input_session_request
debug1: channel 0: new [server-session]
debug1: session_new: init
debug1: session_new: session 0
debug1: session_open: channel 0
debug1: session_open: session 0: link with channel 0
debug1: server_input_channel_open: confirm session
debug1: server_input_channel_req: channel 0 request pty-req reply 0
debug1: session_by_channel: session 0 channel 0
debug1: session_input_channel_req: session 0 req pty-req
debug1: Allocating pty.
debug1: session_pty_req: session 0 alloc /dev/pts/8
debug3: tty_parse_modes: SSH2 n_bytes 266
debug3: tty_parse_modes: ospeed 9600
debug3: tty_parse_modes: ispeed 9600
[...]
debug3: tty_parse_modes: 91 1
debug3: tty_parse_modes: 92 0
debug3: tty_parse_modes: 93 0
>>>debug1: server_input_channel_req: channel 0 request x11-req reply 0
>>>debug1: session_by_channel: session 0 channel 0
>>>debug1: session_input_channel_req: session 0 req x11-req
>>>debug1: fd 12 setting O_NONBLOCK
>>>debug2: fd 12 is O_NONBLOCK
>>>debug1: channel 1: new [X11 inet listener]
>>>debug1: fd 13 setting O_NONBLOCK
>>>debug2: fd 13 is O_NONBLOCK
>>>debug1: channel 2: new [X11 inet listener]
debug1: server_input_channel_req: channel 0 request shell reply 0
debug1: session_by_channel: session 0 channel 0
debug1: session_input_channel_req: session 0 req shell
debug1: fd 5 setting TCP_NODELAY
debug1: fd 11 setting O_NONBLOCK
debug2: fd 10 is O_NONBLOCK
debug1: X11 connection requested.
debug1: fd 15 setting TCP_NODELAY
debug2: fd 15 is O_NONBLOCK
debug2: fd 15 is O_NONBLOCK
debug1: channel 3: new [X11 connection from 127.0.0.1 port 38781]
debug1: channel 3: open confirm rwindow 121 rmax 16384
debug1: channel 3: read<=0 rfd 15 len 0
debug1: channel 3: read failed
debug1: channel 3: close_read
debug1: channel 3: input open -> drain
debug1: channel 3: ibuf empty
debug1: channel 3: send eof
debug1: channel 3: input drain -> closed
debug1: channel 3: rcvd eof
debug1: channel 3: output open -> drain
debug1: channel 3: obuf empty
debug1: channel 3: close_write
debug1: channel 3: output drain -> closed
debug1: channel 3: rcvd close
debug3: channel 3: will not send data after close
debug1: channel 3: send close
debug1: channel 3: is dead
debug1: channel 3: garbage collecting
debug1: channel_free: channel 3: X11 connection from 127.0.0.1 port 38781, nchannels 4
debug3: channel_free: status: The following connections are open:
  #0 server-session (t4 r0 i0/0 o0/0 fd 11/10)
  #3 X11 connection from 127.0.0.1 port 38781 (t4 r1 i3/0 o3/0 fd 15/15)

debug3: channel_close_fds: channel 3: r 15 w 15 e -1
debug1: X11 connection requested.
debug1: fd 15 setting TCP_NODELAY
debug2: fd 15 is O_NONBLOCK
debug2: fd 15 is O_NONBLOCK
debug1: channel 3: new [X11 connection from 127.0.0.1 port 38782]
debug1: channel 3: open confirm rwindow 131072 rmax 16384
debug1: channel 3: read<=0 rfd 15 len 0
debug1: channel 3: read failed
debug1: channel 3: close_read
debug1: channel 3: input open -> drain
debug1: channel 3: ibuf empty
debug1: channel 3: send eof
debug1: channel 3: input drain -> closed
debug1: channel 3: rcvd eof
debug1: channel 3: output open -> drain
debug1: channel 3: obuf empty
debug1: channel 3: close_write
debug1: channel 3: output drain -> closed
debug1: channel 3: rcvd close
debug3: channel 3: will not send data after close
debug1: channel 3: send close
debug1: channel 3: is dead
debug1: channel 3: garbage collecting
debug1: channel_free: channel 3: X11 connection from 127.0.0.1 port 38782, nchannels 4
debug3: channel_free: status: The following connections are open:
  #0 server-session (t4 r0 i0/0 o0/0 fd 11/10)
  #3 X11 connection from 127.0.0.1 port 38782 (t4 r1 i3/0 o3/0 fd 15/15)

debug3: channel_close_fds: channel 3: r 15 w 15 e -1
debug1: Received SIGCHLD.
debug1: session_by_pid: pid 4785
debug1: session_exit_message: session 0 channel 0 pid 4785
debug1: channel request 0: exit-status
debug1: session_exit_message: release channel 0
debug1: channel 0: write failed
debug1: channel 0: close_write
debug1: channel 0: output open -> closed
debug1: session_close: session 0 pid 4785
debug1: session_pty_cleanup: session 0 release /dev/pts/8
debug2: notify_done: reading
debug1: channel 0: read<=0 rfd 11 len 0
debug1: channel 0: read failed
debug1: channel 0: close_read
debug1: channel 0: input open -> drain
debug1: channel 0: ibuf empty
debug1: channel 0: send eof
debug1: channel 0: input drain -> closed
debug1: channel 0: send close
debug3: channel 0: will not send data after close
debug1: channel 0: rcvd close
debug3: channel 0: will not send data after close
debug1: channel 0: is dead
debug1: channel 0: garbage collecting
debug1: channel_free: channel 0: server-session, nchannels 3
debug3: channel_free: status: The following connections are open:
  #0 server-session (t4 r0 i3/0 o3/0 fd -1/-1)

debug3: channel_close_fds: channel 0: r -1 w -1 e -1
Connection closed by remote host.
debug1: channel_free: channel 1: X11 inet listener, nchannels 2
debug3: channel_free: status: The following connections are open:

debug3: channel_close_fds: channel 1: r 12 w 12 e -1
debug1: channel_free: channel 2: X11 inet listener, nchannels 1
debug3: channel_free: status: The following connections are open:

debug3: channel_close_fds: channel 2: r 13 w 13 e -1
Closing connection to 130.14.21.40

------------------------------------------------------------------------------
Output from "/usr/sbin/sshd -d -d -d" for a connection from normal user

mer[root]csh:68>/usr/sbin/sshd -d -d -d
debug1: sshd version OpenSSH_3.1p1
debug3: Not a RSA1 key file /etc/openssh_3.1p1/etc/ssh_host_rsa_key.
[...]
debug1: userauth_banner: sent
Failed none for foo from 130.14.31.40 port 34852 ssh2
debug1: userauth-request for user foo service ssh-connection method keyboard-interactive
debug1: attempt 1 failures 1
debug2: input_userauth_request: try method keyboard-interactive
debug1: keyboard-interactive devs 
debug1: auth2_challenge: user=foo devs=
debug1: kbdint_alloc: devices ''
debug2: auth2_challenge_start: devices 
Failed keyboard-interactive for foo from 130.14.21.40 port 34852 ssh2
debug1: userauth-request for user foo service ssh-connection method password
debug1: attempt 2 failures 2
debug2: input_userauth_request: try method password
Accepted password for foo from 130.14.21.40 port 34852 ssh2
debug1: Entering interactive session for SSH2.
debug1: fd 3 setting O_NONBLOCK
debug1: fd 9 setting O_NONBLOCK
debug1: server_init_dispatch_20
debug1: server_input_channel_open: ctype session rchan 0 win 65536 max 16384
debug1: input_session_request
debug1: channel 0: new [server-session]
debug1: session_new: init
debug1: session_new: session 0
debug1: session_open: channel 0
debug1: session_open: session 0: link with channel 0
debug1: server_input_channel_open: confirm session
debug1: server_input_channel_req: channel 0 request pty-req reply 0
debug1: session_by_channel: session 0 channel 0
debug1: session_input_channel_req: session 0 req pty-req
debug1: Allocating pty.
debug1: session_pty_req: session 0 alloc /dev/pts/8
debug3: tty_parse_modes: SSH2 n_bytes 266
debug3: tty_parse_modes: ospeed 9600
[...]
debug3: tty_parse_modes: 92 0
debug3: tty_parse_modes: 93 0
debug1: server_input_channel_req: channel 0 request shell reply 0
debug1: session_by_channel: session 0 channel 0
debug1: session_input_channel_req: session 0 req shell
debug1: fd 5 setting TCP_NODELAY
debug1: fd 11 setting O_NONBLOCK
debug2: fd 10 is O_NONBLOCK
debug1: Received SIGCHLD.
debug1: session_by_pid: pid 4814
debug1: session_exit_message: session 0 channel 0 pid 4814
debug1: channel request 0: exit-status
debug1: session_exit_message: release channel 0
debug1: channel 0: write failed
debug1: channel 0: close_write
debug1: channel 0: output open -> closed
debug1: session_close: session 0 pid 4814
debug1: session_pty_cleanup: session 0 release /dev/pts/8
debug2: notify_done: reading
debug1: channel 0: read<=0 rfd 11 len 0
debug1: channel 0: read failed
debug1: channel 0: close_read
debug1: channel 0: input open -> drain
debug1: channel 0: ibuf empty
debug1: channel 0: send eof
debug1: channel 0: input drain -> closed
debug1: channel 0: send close
debug3: channel 0: will not send data after close
debug1: channel 0: rcvd close
debug3: channel 0: will not send data after close
debug1: channel 0: is dead
debug1: channel 0: garbage collecting
debug1: channel_free: channel 0: server-session, nchannels 1
debug3: channel_free: status: The following connections are open:
  #0 server-session (t4 r0 i3/0 o3/0 fd -1/-1)

debug3: channel_close_fds: channel 0: r -1 w -1 e -1
Connection closed by remote host.
Closing connection to 130.14.21.40



On Tue, 7 May 2002, Dennis Haag wrote:

> Hmm, not sure. Try running the server in debug mode (-d -d -d) and the
> client in verbose mode (-v -v -v) and compare the output between the one
> that works and the one that doesn't. If you are still stuck send the debug
> output to the openssh list.
> 
> 
> Ziying Sherwin wrote:
> > 
> > Thanks you very much for the help.
> > 
> > I tried to build openssh with the three options that you mentioned in the
> > email, but it still does not work. Apparently, if I use ssh as super user,
> > there is no problem to find the path to the xauth.
> > 
> > On Mon, 6 May 2002, Dennis Haag wrote:
> > 
> > > If you configure it it with the --with-xauth=/usr/openwin/bin/xauth
> > > --x-includes=/usr/openwin/include --x-libraries=/usr/openwin/lib options
> > > does it work?
> > >
> > > Ziying Sherwin wrote:
> > > >
> > > > We installed openssh 3.1p1 on our Solaris 2.8 machine using gcc 2.95.2. During
> > > > the installation, we modified ssh_config and sshd_config to enable X11 and
> > > > agent forwarding.
> > > >
> > > > In sshd_config, we changed the following line to read:
> > > >
> > > >      X11Forwarding yes
> > > >
> > > > In ssh_config, we changed the following two lines to read:
> > > >
> > > >     ForwardAgent yes
> > > >     ForwardX11 yes
> > > >
> > > > Both files are set to permission readable to all.
> > > >
> > > > The X11 forwarding works fine if we logged as super user, but does not work
> > > > for normal users. What is the problem?
> > > >
> > > > Thanks,
> > > > Ziying Sherwin
> > > >
> > > > P.S. I am not on the mailing list, please reply to sherwin at nlm.nih.gov
> > > >
> > > > _______________________________________________
> > > > openssh-unix-dev at mindrot.org mailing list
> > > > http://www.mindrot.org/mailman/listinfo/openssh-unix-dev
> > >
> > > --
> > > Dennis Haag                             Engineering Computer Services
> > > haag at apple.com                          unix-support at apple.com
> > > 408-974-6630                            ECS Hotline: 408-974-4747
> > >
> 
> -- 
> Dennis Haag                             Engineering Computer Services
> haag at apple.com                          unix-support at apple.com
> 408-974-6630                            ECS Hotline: 408-974-4747
> 
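
As an added example (not part of this thread and not OpenSSH code), the following Python script applies the two-part condition Ziying describes for ssh_session2_setup (ForwardX11 in effect AND DISPLAY set) and scans a client "ssh -vvv" transcript together with an "sshd -d -d -d" transcript for the lines the post singles out: "Requesting X11 forwarding with authentication spoofing." and "channel request 0: x11-req" on the client, and "session 0 req x11-req" on the server, plus the DISPLAY value the remote shell prints. The sample transcripts are constructed excerpts of the logs above; the function names, marker selection and verdict wording are assumptions of this example.

```python
import re
from typing import Optional

# Client lines the post identifies as present only when the x11-req goes out.
CLIENT_X11_MARKERS = (
    "Requesting X11 forwarding with authentication spoofing.",
    "channel request 0: x11-req",
)
# Server line the post marks with >>> as the counterpart of that request.
SERVER_X11_MARKER = "session_input_channel_req: session 0 req x11-req"


def x11_request_expected(forward_x11: bool, display: Optional[str]) -> bool:
    """Model of the ssh_session2_setup condition described in the post:
    x11-req is sent only when ForwardX11 is in effect AND DISPLAY is set."""
    return forward_x11 and bool(display)


def diagnose_x11(client_log: str, server_log: str) -> dict:
    """Scan an 'ssh -vvv' transcript and an 'sshd -d -d -d' transcript and
    report at which stage X11 forwarding stopped (verdict strings are ours)."""
    client_sent = all(m in client_log for m in CLIENT_X11_MARKERS)
    server_got = SERVER_X11_MARKER in server_log
    # The remote shell prints its environment; a working forward shows
    # DISPLAY=localhost:10.0 in the post's transcript.
    m = re.search(r"^\s*DISPLAY=(\S+)", client_log, re.MULTILINE)
    remote_display = m.group(1) if m else None
    if not client_sent:
        verdict = "client never sent x11-req: check ForwardX11 and local DISPLAY"
    elif not server_got:
        verdict = "client sent x11-req but sshd did not log it: check sshd X11Forwarding"
    elif remote_display is None:
        verdict = "sshd accepted x11-req but the remote DISPLAY was not set"
    else:
        verdict = "X11 forwarding established"
    return {"client_sent": client_sent, "server_got": server_got,
            "remote_display": remote_display, "verdict": verdict}


# Constructed excerpts of the four transcripts in the post (root vs. normal user).
ROOT_CLIENT = """debug1: channel request 0: pty-req
debug2: x11_get_proto /usr/openwin/bin/xauth list :0.0 2>/dev/null
debug1: Requesting X11 forwarding with authentication spoofing.
debug1: channel request 0: x11-req
debug1: channel request 0: shell
Environment:
  USER=foo
  DISPLAY=localhost:10.0
"""
USER_CLIENT = """debug1: channel request 0: pty-req
debug1: channel request 0: shell
Environment:
  USER=foo
  TERM=sun-cmd
"""
ROOT_SERVER = """debug1: session_input_channel_req: session 0 req pty-req
debug1: session_input_channel_req: session 0 req x11-req
debug1: channel 1: new [X11 inet listener]
debug1: session_input_channel_req: session 0 req shell
"""
USER_SERVER = """debug1: session_input_channel_req: session 0 req pty-req
debug1: session_input_channel_req: session 0 req shell
"""
```

Running diagnose_x11 on the two pairs gives "X11 forwarding established" for the root transcripts and "client never sent x11-req" for the normal-user ones, matching the post's observation that the x11-req never leaves the client.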
