X11 forwarding problem -- openssh-3.5p1 -- redhat 8.0 -- linux 2.4.18
Jim Prewett
download at ahpcc.unm.edu
Wed Jan 22 09:58:49 EST 2003
Yes, but I was too lame to remember to include that. I decided to take
iptables out of the mix by doing /etc/rc.d/init.d/iptables stop (which
makes all chains go to ACCEPT).

iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Thanks,
Jim
On Tue, 21 Jan 2003, Ladner, Eric (Eric.Ladner) wrote:
> You've checked 'iptables -L' to see if those ports are being REJECTed on
> the RH 8.0 box?
>
> Eric
>
> -----Original Message-----
> From: Jim Prewett [mailto:download at ahpcc.unm.edu]
> Sent: Tuesday, January 21, 2003 4:32 PM
> To: openssh-unix-dev at mindrot.org
> Subject: X11 forwarding problem -- openssh-3.5p1 -- redhat 8.0 -- linux
> 2.4.18
>
>
> All,
> I'm working on upgrading a machine from RH 6.2 to RH 8.0. I've
> encountered one major (for me) snag in that I cannot get X11 forwarding
> to work anymore.
>
> I've been google-ing the error messages all morning, with no luck.
>
> Here is debugging output from the server (client debugging output sent
> upon request... I don't feel it is relevant). What I feel is
> interesting is at the bottom of the following text block:
>
> # sshd -ddd -p 222
> debug1: sshd version OpenSSH_3.5p1
> debug1: private host key: #0 type 0 RSA1
> debug3: Not a RSA1 key file /etc/ssh/ssh_host_rsa_key.
> debug1: read PEM private key done: type RSA
> debug1: private host key: #1 type 1 RSA
> debug3: Not a RSA1 key file /etc/ssh/ssh_host_dsa_key.
> debug1: read PEM private key done: type DSA
> debug1: private host key: #2 type 2 DSA
> debug1: Bind to port 222 on 0.0.0.0.
> Server listening on 0.0.0.0 port 222.
> Generating 768 bit RSA key.
> RSA key generation complete.
> debug1: Server will not fork when running in debugging mode. Connection
> from 129.24.246.132 port 1179
> debug1: Client protocol version 2.0; client software version
> OpenSSH_3.4p1 FreeBSD-20020702
> debug1: match: OpenSSH_3.4p1 FreeBSD-20020702 pat OpenSSH*
> debug1: Enabling compatibility mode for protocol 2.0
> debug1: Local version string SSH-1.99-OpenSSH_3.5p1
> debug2: Network child is on pid 32411
> debug3: preauth child monitor started
> debug3: mm_request_receive entering
> debug3: privsep user:group 74:74
> debug1: permanently_set_uid: 74/74
> debug1: list_hostkey_types: ssh-rsa,ssh-dss
> debug1: SSH2_MSG_KEXINIT sent
> debug1: SSH2_MSG_KEXINIT received
> debug2: kex_parse_kexinit:
> diffie-hellman-group-exchange-sha1,diffie-hellman-group1-sha1
> debug2: kex_parse_kexinit: ssh-rsa,ssh-dss
> debug2: kex_parse_kexinit:
> aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-c
> bc,rijndael-cbc at lysator.liu.se
> debug2: kex_parse_kexinit:
> aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-c
> bc,rijndael-cbc at lysator.liu.se
> debug2: kex_parse_kexinit:
> hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160 at openssh.com,hmac-sha1-9
> 6,hmac-md5-96
> debug2: kex_parse_kexinit:
> hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160 at openssh.com,hmac-sha1-9
> 6,hmac-md5-96
> debug2: kex_parse_kexinit: none,zlib
> debug2: kex_parse_kexinit: none,zlib
> debug2: kex_parse_kexinit:
> debug2: kex_parse_kexinit:
> debug2: kex_parse_kexinit: first_kex_follows 0
> debug2: kex_parse_kexinit: reserved 0
> debug2: kex_parse_kexinit:
> diffie-hellman-group-exchange-sha1,diffie-hellman-group1-sha1
> debug2: kex_parse_kexinit: ssh-dss,ssh-rsa
> debug2: kex_parse_kexinit:
> aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-c
> bc,rijndael-cbc at lysator.liu.se
> debug2: kex_parse_kexinit:
> aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-c
> bc,rijndael-cbc at lysator.liu.se
> debug2: kex_parse_kexinit:
> hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160 at openssh.com,hmac-sha1-9
> 6,hmac-md5-96
> debug2: kex_parse_kexinit:
> hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160 at openssh.com,hmac-sha1-9
> 6,hmac-md5-96
> debug2: kex_parse_kexinit: none
> debug2: kex_parse_kexinit: none
> debug2: kex_parse_kexinit:
> debug2: kex_parse_kexinit:
> debug2: kex_parse_kexinit:
> debug2: kex_parse_kexinit: first_kex_follows 0
> debug2: kex_parse_kexinit: reserved 0
> debug2: mac_init: found hmac-md5
> debug1: kex: client->server aes128-cbc hmac-md5 none
> debug2: mac_init: found hmac-md5
> debug1: kex: server->client aes128-cbc hmac-md5 none
> debug1: SSH2_MSG_KEX_DH_GEX_REQUEST received
> debug3: mm_request_send entering: type 0
> debug3: mm_choose_dh: waiting for MONITOR_ANS_MODULI
> debug3: monitor_read: checking request 0
> debug3: mm_answer_moduli: got parameters: 1024 2048 8192
> debug3: mm_request_receive_expect entering: type 1
> debug3: mm_request_receive entering
> debug3: mm_request_send entering: type 1
> debug2: monitor_read: 0 used once, disabling now
> debug3: mm_request_receive entering
> debug3: mm_choose_dh: remaining 0
> debug1: SSH2_MSG_KEX_DH_GEX_GROUP sent
> debug1: dh_gen_key: priv key bits set: 121/256
> debug1: bits set: 1612/3191
> debug1: expecting SSH2_MSG_KEX_DH_GEX_INIT
> debug1: bits set: 1595/3191
> debug3: mm_key_sign entering
> debug3: mm_request_send entering: type 4
> debug3: monitor_read: checking request 4
> debug3: mm_answer_sign
> debug3: mm_key_sign: waiting for MONITOR_ANS_SIGN
> debug3: mm_request_receive_expect entering: type 5
> debug3: mm_request_receive entering
> debug3: mm_answer_sign: signature 0x809f278(55)
> debug3: mm_request_send entering: type 5
> debug2: monitor_read: 4 used once, disabling now
> debug3: mm_request_receive entering
> debug1: SSH2_MSG_KEX_DH_GEX_REPLY sent
> debug1: kex_derive_keys
> debug1: newkeys: mode 1
> debug1: SSH2_MSG_NEWKEYS sent
> debug1: waiting for SSH2_MSG_NEWKEYS
> debug1: newkeys: mode 0
> debug1: SSH2_MSG_NEWKEYS received
> debug1: KEX done
> debug1: userauth-request for user download service ssh-connection method
> none
> debug1: attempt 0 failures 0
> debug3: mm_getpwnamallow entering
> debug3: mm_request_send entering: type 6
> debug3: monitor_read: checking request 6
> debug3: mm_answer_pwnamallow
> debug3: mm_getpwnamallow: waiting for MONITOR_ANS_PWNAM
> debug3: mm_request_receive_expect entering: type 7
> debug3: mm_request_receive entering
> debug3: mm_answer_pwnamallow: sending MONITOR_ANS_PWNAM: 1
> debug3: mm_request_send entering: type 7
> debug2: monitor_read: 6 used once, disabling now
> debug3: mm_request_receive entering
> debug2: input_userauth_request: setting up authctxt for download
> debug3: mm_start_pam entering
> debug3: mm_request_send entering: type 41
> debug3: mm_inform_authserv entering
> debug3: monitor_read: checking request 41
> debug1: Starting up PAM with username "download"
> debug3: mm_request_send entering: type 3
> debug2: input_userauth_request: try method none
> debug3: mm_auth_password entering
> debug3: mm_request_send entering: type 10
> debug3: mm_auth_password: waiting for MONITOR_ANS_AUTHPASSWORD
> debug3: mm_request_receive_expect entering: type 11
> debug3: mm_request_receive entering
> debug3: Trying to reverse map address 129.24.246.132.
> debug1: PAM setting rhost to "dhcp132.ahpcc.unm.edu"
> debug2: monitor_read: 41 used once, disabling now
> debug3: mm_request_receive entering
> debug3: monitor_read: checking request 3
> debug3: mm_answer_authserv: service=ssh-connection, style=
> debug2: monitor_read: 3 used once, disabling now
> debug3: mm_request_receive entering
> debug3: monitor_read: checking request 10
> debug3: mm_answer_authpassword: sending result 0
> debug3: mm_request_send entering: type 11
> Failed none for download from 129.24.246.132 port 1179 ssh2
> debug3: mm_request_receive entering
> debug3: mm_auth_password: user not authenticated
> Failed none for download from 129.24.246.132 port 1179 ssh2
> debug1: userauth-request for user download service ssh-connection method
> keyboard-interactive
> debug1: attempt 1 failures 1
> debug2: input_userauth_request: try method keyboard-interactive
> debug1: keyboard-interactive devs
> debug1: auth2_challenge: user=download devs=
> debug1: kbdint_alloc: devices ''
> debug2: auth2_challenge_start: devices
> Failed keyboard-interactive for download from 129.24.246.132 port 1179
> ssh2
> debug1: userauth-request for user download service ssh-connection method
> password
> debug1: attempt 2 failures 2
> debug2: input_userauth_request: try method password
> debug3: mm_auth_password entering
> debug3: mm_request_send entering: type 10
> debug3: mm_auth_password: waiting for MONITOR_ANS_AUTHPASSWORD
> debug3: mm_request_receive_expect entering: type 11
> debug3: mm_request_receive entering
> debug3: monitor_read: checking request 10
> debug1: PAM Password authentication accepted for user "download"
> debug3: mm_answer_authpassword: sending result 1
> debug3: mm_request_send entering: type 11
> debug3: mm_auth_password: user authenticated
> Accepted password for download from 129.24.246.132 port 1179 ssh2
> debug3: mm_send_keystate: Sending new keys: 0x809e408 0x809d4b0
> debug3: mm_newkeys_to_blob: converting 0x809e408
> debug3: mm_newkeys_to_blob: converting 0x809d4b0
> debug3: mm_send_keystate: New keys have been sent
> debug3: mm_send_keystate: Sending compression state
> debug3: mm_request_send entering: type 24
> debug3: mm_send_keystate: Finished sending state
> debug2: pam_acct_mgmt() = 0
> Accepted password for download from 129.24.246.132 port 1179 ssh2
> debug1: monitor_child_preauth: download has been authenticated by
> privileged process
> debug3: mm_get_keystate: Waiting for new keys
> debug3: mm_request_receive_expect entering: type 24
> debug3: mm_request_receive entering
> debug3: mm_newkeys_from_blob: 0x80a97c0(118)
> debug2: mac_init: found hmac-md5
> debug3: mm_get_keystate: Waiting for second key
> debug3: mm_newkeys_from_blob: 0x80a97c0(118)
> debug2: mac_init: found hmac-md5
> debug3: mm_get_keystate: Getting compression state
> debug3: mm_get_keystate: Getting Network I/O buffers
> debug3: mm_share_sync: Share sync
> debug3: mm_share_sync: Share sync end
> debug2: User child is on pid 32412
> debug3: mm_request_receive entering
> debug1: PAM establishing creds
> debug1: permanently_set_uid: 31618/100
> debug1: newkeys: mode 0
> debug1: newkeys: mode 1
> debug1: Entering interactive session for SSH2.
> debug1: fd 7 setting O_NONBLOCK
> debug1: fd 8 setting O_NONBLOCK
> debug1: server_init_dispatch_20
> debug1: server_input_channel_open: ctype session rchan 0 win 65536 max
> 16384
> debug1: input_session_request
> debug1: channel 0: new [server-session]
> debug1: session_new: init
> debug1: session_new: session 0
> debug1: session_open: channel 0
> debug1: session_open: session 0: link with channel 0
> debug1: server_input_channel_open: confirm session
> debug1: server_input_channel_req: channel 0 request pty-req reply 0
> debug1: session_by_channel: session 0 channel 0
> debug1: session_input_channel_req: session 0 req pty-req
> debug1: lastlog_openseek: Couldn't open /var/log/lastlog: Permission
> denied
> debug1: Allocating pty.
> debug3: mm_request_send entering: type 25
> debug3: monitor_read: checking request 25
> debug3: mm_answer_pty entering
> debug1: session_new: init
> debug1: session_new: session 0
> debug3: mm_request_send entering: type 26
> debug3: mm_pty_allocate: waiting for MONITOR_ANS_PTY
> debug3: mm_request_receive_expect entering: type 26
> debug3: mm_request_receive entering
> debug1: session_pty_req: session 0 alloc /dev/pts/4
> debug3: mm_answer_pty: tty /dev/pts/4 ptyfd 3
> debug3: mm_request_receive entering
> debug3: tty_parse_modes: SSH2 n_bytes 251
> debug3: tty_parse_modes: ospeed 38400
> debug3: tty_parse_modes: ispeed 38400
> debug3: tty_parse_modes: 1 3
> debug3: tty_parse_modes: 2 28
> debug3: tty_parse_modes: 3 8
> debug3: tty_parse_modes: 4 21
> debug3: tty_parse_modes: 5 4
> debug3: tty_parse_modes: 6 255
> debug3: tty_parse_modes: 7 255
> debug3: tty_parse_modes: 8 17
> debug3: tty_parse_modes: 9 19
> debug3: tty_parse_modes: 10 26
> debug1: Ignoring unsupported tty mode opcode 11 (0xb)
> debug3: tty_parse_modes: 12 18
> debug3: tty_parse_modes: 13 23
> debug3: tty_parse_modes: 14 22
> debug1: Ignoring unsupported tty mode opcode 17 (0x11)
> debug3: tty_parse_modes: 18 15
> debug3: tty_parse_modes: 30 0
> debug3: tty_parse_modes: 31 0
> debug3: tty_parse_modes: 32 0
> debug3: tty_parse_modes: 33 0
> debug3: tty_parse_modes: 34 0
> debug3: tty_parse_modes: 35 0
> debug3: tty_parse_modes: 36 1
> debug3: tty_parse_modes: 38 1
> debug3: tty_parse_modes: 39 1
> debug3: tty_parse_modes: 40 0
> debug3: tty_parse_modes: 41 1
> debug3: tty_parse_modes: 50 1
> debug3: tty_parse_modes: 51 1
> debug3: tty_parse_modes: 53 1
> debug3: tty_parse_modes: 54 1
> debug3: tty_parse_modes: 55 1
> debug3: tty_parse_modes: 56 0
> debug3: tty_parse_modes: 57 0
> debug3: tty_parse_modes: 58 0
> debug3: tty_parse_modes: 59 1
> debug3: tty_parse_modes: 60 1
> debug3: tty_parse_modes: 61 1
> debug3: tty_parse_modes: 62 1
> debug3: tty_parse_modes: 70 1
> debug3: tty_parse_modes: 72 1
> debug3: tty_parse_modes: 73 0
> debug3: tty_parse_modes: 74 0
> debug3: tty_parse_modes: 75 0
> debug3: tty_parse_modes: 90 1
> debug3: tty_parse_modes: 91 1
> debug3: tty_parse_modes: 92 0
> debug3: tty_parse_modes: 93 0
> debug1: server_input_channel_req: channel 0 request x11-req reply 0
> debug1: session_by_channel: session 0 channel 0
> debug1: session_input_channel_req: session 0 req x11-req
> debug1: bind port 6010: Cannot assign requested address
> debug1: bind port 6011: Cannot assign requested address
>
> <snip -- more failed attempts to bind a port. It does try all of them
> from 6010 to 6999.>
>
> debug1: bind port 6998: Cannot assign requested address
> debug1: bind port 6999: Cannot assign requested address
> Failed to allocate internet-domain X11 display socket.
> debug1: x11_create_display_inet failed.
> debug1: server_input_channel_req: channel 0 request shell reply 0
> debug1: session_by_channel: session 0 channel 0
> debug1: session_input_channel_req: session 0 req shell
> debug1: PAM setting tty to "/dev/pts/4"
> debug1: PAM establishing creds
> debug1: fd 4 setting TCP_NODELAY
> debug1: channel 0: rfd 10 isatty
> debug1: fd 10 setting O_NONBLOCK
> debug2: fd 9 is O_NONBLOCK
> debug1: Setting controlling tty using TIOCSCTTY.
>
> My configuration (defaults and blanks stripped):
> # awk '!/^$|^#/ {print}' /etc/ssh/sshd_config
> HostKey /etc/ssh/ssh_host_key
> HostKey /etc/ssh/ssh_host_rsa_key
> HostKey /etc/ssh/ssh_host_dsa_key
> SyslogFacility AUTHPRIV
> X11Forwarding yes
> X11DisplayOffset 10
> UsePrivilegeSeparation yes
> Subsystem sftp /usr/libexec/openssh/sftp-server
>
>
> This is built from a source rpm from redhat
> (http://ftp.redhat.com/pub/redhat/linux/rawhide/SRPMS/SRPMS/openssh-3.5p1-3.src.rpm)
>
> I modified the openssh.spec file slightly:
> # diff -u openssh.spec openssh.spec.orig
> --- openssh.spec 2003-01-21 11:31:15.000000000 -0700
> +++ openssh.spec.orig 2003-01-21 11:30:34.000000000 -0700
> @@ -9,7 +9,7 @@
> %define no_x11_askpass 0
>
> # Do we want to disable building of gnome-askpass? (1=yes 0=no)
> -%define no_gnome_askpass 1
> +%define no_gnome_askpass 0
>
> # Do we want to link against a static libcrypto? (1=yes 0=no) %define
> static_libcrypto 0 @@ -24,10 +24,10 @@ %define build6x 0
>
> # Disable IPv6 (avoids DNS hangs on some glibc versions) -%define noip6
> 1
> +%define noip6 0
>
> # Do we want kerberos5 support (1=yes 0=no)
> -%define kerberos5 0
> +%define kerberos5 1
>
> # Whether or not /sbin/nologin exists.
> %define nologin 1
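Review bot: the diff is taken in the reverse direction ('--- openssh.spec', '+++ openssh.spec.orig'), so in the first hunk the '-' line '%define no_gnome_askpass 1' is the value that was actually built and the '+' line is the stock value. Regenerating it as 'diff -u openssh.spec.orig openssh.spec' would make the local change read as an addition rather than a removal.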
>
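Review bot: the second hunk changes 'noip6' and 'kerberos5' together with no reason given for either, and with the reversed operand order it is easy to misread which values were built ('noip6 1' and 'kerberos5 0' are on the '-' side, i.e. in openssh.spec). Since the message goes on to discuss IPv6, state explicitly in the report that the package was built with IPv6 disabled, and keep the Kerberos toggle as a separate, explained change.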
>
> Also, I saw some stuff in the archives about IPV6 causing some problems.
> I'm not using IPV6:
> grep IPV6 /usr/src/linux/.config
> # CONFIG_IPV6 is not set
>
> I've also tried passing -4 to both the client and the server to ensure
> they don't get confused about v4 vs. v6.
>
> Please let me know if additional information would be helpful. I'll be
> more than happy to provide it.
>
> Any help would be greatly appreciated,
> Jim
>
>
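
A triage sketch for the debug output quoted above, added here as an example and not part of the original thread or of OpenSSH: it groups sshd's "bind port N: reason" lines by error string, because "Cannot assign requested address" (EADDRNOTAVAIL) on every port points at the address being bound, not at busy ports. The function name, the verdict labels and the "Address already in use" contrast sample are assumptions made for the example.

```python
import re
from collections import Counter

# One line per display port sshd fails to bind; "> " mail quoting is tolerated.
BIND_RE = re.compile(r"^(?:>\s*)*debug1: bind port (\d+): (.+?)\s*$")

# Excerpt of the debug output quoted in the post (mail quoting kept).
FROM_POST = """\
> debug1: session_input_channel_req: session 0 req x11-req
> debug1: bind port 6010: Cannot assign requested address
> debug1: bind port 6011: Cannot assign requested address
> debug1: bind port 6999: Cannot assign requested address
> Failed to allocate internet-domain X11 display socket.
> debug1: x11_create_display_inet failed.
"""
# Constructed contrast sample: two displays already taken, a later one free.
CONTRAST = """\
debug1: session_input_channel_req: session 0 req x11-req
debug1: bind port 6010: Address already in use
debug1: bind port 6011: Address already in use
debug1: session_input_channel_req: session 0 req shell
"""

def triage_x11_bind(log_text):
    """Summarise X11 display bind failures found in sshd debug output."""
    reasons, ports, failed = Counter(), [], False
    for line in log_text.splitlines():
        m = BIND_RE.match(line)
        if m:
            ports.append(int(m.group(1)))
            reasons[m.group(2)] += 1
        elif "x11_create_display_inet failed" in line:
            failed = True
    if not ports:
        verdict = "no-bind-errors"
    elif set(reasons) == {"Cannot assign requested address"}:
        # EADDRNOTAVAIL: the requested address is not local to this host,
        # so the port number is irrelevant and every display fails alike.
        verdict = "local-address-unavailable"
    elif set(reasons) == {"Address already in use"}:
        # EADDRINUSE: those ports are taken; a later display may still bind.
        verdict = "ports-in-use"
    else:
        verdict = "mixed"
    return {"attempts": len(ports), "reasons": dict(reasons),
            "port_range": (min(ports), max(ports)) if ports else None,
            "display_failed": failed, "verdict": verdict}

if __name__ == "__main__":
    for name, text in (("post", FROM_POST), ("contrast", CONTRAST)):
        print(name, triage_x11_bind(text))
```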