X11forwarding yes: how to debug/setup after xauth fix

Michael Felt michael at felt.demon.nl
Mon Oct 9 08:32:58 AEDT 2017


On 04/10/2017 11:07, Michael Felt wrote:
> I do not often use X11 - but when I do I prefer to enable 
> X11forwarding, and when finished - turn it off. This is preferable, 
> imho, to having "clear" X11 processing when local - and otherwise 
> impossible when working remote.
>
> Working with openssh-7.5p2 I cannot figure out what (extra) I need to 
> do with sshd_config to get it working.
>
> I know that there is a security-fix starting with openssh-7.2 
> (https://www.openssh.com/security.html, March 9, 2016) - and when I 
> load any version of openssh prior to Openssh-7.2 I get the expected 
> X11 behavior over an ssh(d) X11forwarding tunnel.
>
> So, what should I be looking at on my server or client-side. Is there 
> a different setting I should be using? I am still using the "putty" 
> setting of: MIT-Magic-Cookie-1. (I'll test, in a moment using 
> XDM-Authorization-1). However, the hint I am hoping for is the flag to 
> set for sshd (e.g., -ddddd) and what debug string - to see if 
> X11forwarding is attempted, and if so, why it is rejected by the sshd.
>
> Again - no changes to client-side - openssh-7.1 and earlier work, 
> openssh-7.2 and later do not.
>
If you need more verbose debug data - please say what you need specifically.

Client Side:

PUTTY-0.67
With OpenSSH-7.6p1

Event Log: Writing new session log (SSH packets mode) to file: C:\Users\michael\Desktop\putty.log
Event Log: Looking up host "192.168.129.72"
Event Log: Connecting to 192.168.129.72 port 22
Event Log: We claim version: SSH-2.0-PuTTY_Release_0.67
Event Log: Server version: SSH-2.0-OpenSSH_7.6
Event Log: Using SSH protocol version 2
Outgoing packet #0x0, type 20 / 0x14 (SSH2_MSG_KEXINIT)
...
Incoming packet #0x9, type 91 / 0x5b (SSH2_MSG_CHANNEL_OPEN_CONFIRMATION)
   00000000  00 00 01 00 00 00 00 00 00 00 00 00 00 00 80 00  ................
Event Log: Opened main channel
Event Log: Requesting X11 forwarding
Outgoing packet #0x9, type 98 / 0x62 (SSH2_MSG_CHANNEL_REQUEST)
   00000000  00 00 00 00 00 00 00 07 78 31 31 2d 72 65 71 01  ........x11-req.
   00000010  00 00 00 00 12 4d 49 54 2d 4d 41 47 49 43 2d 43  .....MIT-MAGIC-C
   00000020  4f 4f 4b 49 45 2d 31 XX XX XX XX XX XX XX XX XX  OOKIE-1XXXXXXXXX
   00000030  XX XX XX XX XX XX XX XX XX XX XX XX XX XX XX XX  XXXXXXXXXXXXXXXX
   00000040  XX XX XX XX XX XX XX XX XX XX XX 00 00 00 00 XXXXXXXXXXX....
Outgoing packet #0xa, type 98 / 0x62 (SSH2_MSG_CHANNEL_REQUEST)
   00000000  00 00 00 00 00 00 00 07 70 74 79 2d 72 65 71 01  ........pty-req.
   00000010  00 00 00 05 78 74 65 72 6d 00 00 00 50 00 00 00  ....xterm...P...
   00000020  18 00 00 00 00 00 00 00 00 00 00 00 10 03 00 00  ................
   00000030  00 7f 80 00 00 96 00 81 00 00 96 00 00 .............
Outgoing packet #0xb, type 98 / 0x62 (SSH2_MSG_CHANNEL_REQUEST)
   00000000  00 00 00 00 00 00 00 05 73 68 65 6c 6c 01 ........shell.
Incoming packet #0xa, type 100 / 0x64 (SSH2_MSG_CHANNEL_FAILURE)
   00000000  00 00 01 00                                      ....
Event Log: X11 forwarding refused
Incoming packet #0xb, type 99 / 0x63 (SSH2_MSG_CHANNEL_SUCCESS)
   00000000  00 00 01 00                                      ....
...

And OpenSSH-7.1

=~=~=~=~=~=~=~=~=~=~=~= PuTTY log 2017.10.08 23:14:18 =~=~=~=~=~=~=~=~=~=~=~=
Event Log: Writing new session log (SSH packets mode) to file: C:\Users\michael\Desktop\putty.log
Event Log: Looking up host "192.168.129.72"
Event Log: Connecting to 192.168.129.72 port 22
Event Log: We claim version: SSH-2.0-PuTTY_Release_0.67
Event Log: Server version: SSH-2.0-OpenSSH_7.1
Event Log: Using SSH protocol version 2
Outgoing packet #0x0, type 20 / 0x14 (SSH2_MSG_KEXINIT)
...
Incoming packet #0x9, type 91 / 0x5b (SSH2_MSG_CHANNEL_OPEN_CONFIRMATION)
   00000000  00 00 01 00 00 00 00 00 00 00 00 00 00 00 80 00  ................
Event Log: Opened main channel
Event Log: Requesting X11 forwarding
Outgoing packet #0x9, type 98 / 0x62 (SSH2_MSG_CHANNEL_REQUEST)
   00000000  00 00 00 00 00 00 00 07 78 31 31 2d 72 65 71 01  ........x11-req.
   00000010  00 00 00 00 12 4d 49 54 2d 4d 41 47 49 43 2d 43  .....MIT-MAGIC-C
   00000020  4f 4f 4b 49 45 2d 31 XX XX XX XX XX XX XX XX XX  OOKIE-1XXXXXXXXX
   00000030  XX XX XX XX XX XX XX XX XX XX XX XX XX XX XX XX  XXXXXXXXXXXXXXXX
   00000040  XX XX XX XX XX XX XX XX XX XX XX 00 00 00 00 XXXXXXXXXXX....
Outgoing packet #0xa, type 98 / 0x62 (SSH2_MSG_CHANNEL_REQUEST)
   00000000  00 00 00 00 00 00 00 07 70 74 79 2d 72 65 71 01  ........pty-req.
   00000010  00 00 00 05 78 74 65 72 6d 00 00 00 50 00 00 00  ....xterm...P...
   00000020  18 00 00 00 00 00 00 00 00 00 00 00 10 03 00 00  ................
   00000030  00 7f 80 00 00 96 00 81 00 00 96 00 00 .............
Outgoing packet #0xb, type 98 / 0x62 (SSH2_MSG_CHANNEL_REQUEST)
   00000000  00 00 00 00 00 00 00 05 73 68 65 6c 6c 01 ........shell.
Incoming packet #0xa, type 99 / 0x63 (SSH2_MSG_CHANNEL_SUCCESS)
   00000000  00 00 01 00                                      ....
Event Log: X11 forwarding enabled
Incoming packet #0xb, type 99 / 0x63 (SSH2_MSG_CHANNEL_SUCCESS)
   00000000  00 00 01 00                                      ....
...

Server side:

# /opt/sbin/sshd -dddd
debug2: load_server_config: filename /var/openssh/etc/sshd_config
debug2: load_server_config: done config len = 476
debug2: parse_server_config: config /var/openssh/etc/sshd_config len 476
debug3: /var/openssh/etc/sshd_config:90 setting X11Forwarding yes
debug3: /var/openssh/etc/sshd_config:112 setting Subsystem sftp /usr/sbin/sftp-server
debug3: /var/openssh/etc/sshd_config:127 setting ciphers aes128-ctr,aes192-ctr,aes256-ctr,chacha20-poly1305@openssh.com,aes256-cbc
debug3: /var/openssh/etc/sshd_config:136 setting KexAlgorithms curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
debug3: kex names ok: [curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1]
debug3: /var/openssh/etc/sshd_config:150 setting macs hmac-sha2-256,hmac-sha2-512,hmac-sha1-96,hmac-sha1
debug1: sshd version OpenSSH_7.1, OpenSSL 1.0.2j  26 Sep 2016
...

debug1: session_new: session 0
debug1: session_open: channel 0
debug1: session_open: session 0: link with channel 0
debug1: server_input_channel_open: confirm session
debug1: server_input_channel_req: channel 0 request x11-req reply 1
debug1: session_by_channel: session 0 channel 0
debug1: session_input_channel_req: session 0 req x11-req
debug3: sock_set_v6only: set socket 7 IPV6_V6ONLY
debug2: fd 6 setting O_NONBLOCK
debug3: fd 6 is O_NONBLOCK
debug1: channel 1: new [X11 inet listener]
debug2: fd 7 setting O_NONBLOCK
debug3: fd 7 is O_NONBLOCK
debug1: channel 2: new [X11 inet listener]
debug1: server_input_channel_req: channel 0 request pty-req reply 1
debug1: session_by_channel: session 0 channel 0
debug1: session_input_channel_req: session 0 req pty-req
debug1: Allocating pty.
debug1: session_pty_req: session 0 alloc /dev/pts/2
debug1: server_input_channel_req: channel 0 request shell reply 1
debug1: session_by_channel: session 0 channel 0
debug1: session_input_channel_req: session 0 req shell
+++++++

debug2: load_server_config: filename /var/openssh/etc/sshd_config
debug2: load_server_config: done config len = 215
debug2: parse_server_config: config /var/openssh/etc/sshd_config len 215
debug3: /var/openssh/etc/sshd_config:42 setting AuthorizedKeysFile .ssh/authorized_keys
debug3: /var/openssh/etc/sshd_config:89 setting X11Forwarding yes
debug3: /var/openssh/etc/sshd_config:112 setting Subsystem sftp /opt/libexec/sftp-server
debug1: sshd version OpenSSH_7.6, OpenSSL 1.0.2j  26 Sep 2016
...

debug1: session_new: session 0
debug1: session_open: channel 0
debug1: session_open: session 0: link with channel 0
debug1: server_input_channel_open: confirm session
debug3: send packet: type 91
debug3: receive packet: type 98
debug1: server_input_channel_req: channel 0 request x11-req reply 1
debug1: session_by_channel: session 0 channel 0
debug1: session_input_channel_req: session 0 req x11-req
debug3: send packet: type 4
debug3: send packet: type 100
debug3: receive packet: type 98
debug1: server_input_channel_req: channel 0 request pty-req reply 1
debug1: session_by_channel: session 0 channel 0
debug1: session_input_channel_req: session 0 req pty-req
debug1: Allocating pty.
debug1: session_pty_req: session 0 alloc /dev/pts/2
debug3: send packet: type 99
debug3: receive packet: type 98
debug1: server_input_channel_req: channel 0 request shell reply 1
debug1: session_by_channel: session 0 channel 0
debug1: session_input_channel_req: session 0 req shell

Again, thx for your time.

> Thanks for your time!
>
> Michael
>
> _______________________________________________
> openssh-unix-dev mailing list
> openssh-unix-dev at mindrot.org
> https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
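
Added example, not part of the original post and not OpenSSH code: a Python triage of `sshd -ddd` output that pairs each channel request with the reply packet type the server sent, using the message numbers from RFC 4253/4254 (4 = SSH_MSG_DEBUG, 99 = CHANNEL_SUCCESS, 100 = CHANNEL_FAILURE). The sample lines are constructed in the shape of the OpenSSH_7.6 log above, and `triage` is a hypothetical helper name.

```python
import re

# Constructed sample, in the shape of the OpenSSH_7.6 server log above.
SAMPLE_LOG = """\
debug1: server_input_channel_req: channel 0 request x11-req reply 1
debug1: session_input_channel_req: session 0 req x11-req
debug3: send packet: type 4
debug3: send packet: type 100
debug3: receive packet: type 98
debug1: server_input_channel_req: channel 0 request pty-req reply 1
debug1: session_input_channel_req: session 0 req pty-req
debug1: Allocating pty.
debug3: send packet: type 99
"""

SSH_MSG_DEBUG = 4                          # RFC 4253
VERDICT = {99: "accepted", 100: "refused"}  # RFC 4254 CHANNEL_SUCCESS / FAILURE

REQ = re.compile(r"server_input_channel_req: channel (\d+) request (\S+) reply (\d)")
SENT = re.compile(r"send packet: type (\d+)")
LISTENER = re.compile(r"channel \d+: new \[X11 inet listener\]")

def triage(log_text):
    """Return one dict per channel request with the server's verdict."""
    results, cur = [], None
    for line in log_text.splitlines():
        m = REQ.search(line)
        if m:
            cur = {"channel": int(m.group(1)), "request": m.group(2),
                   "verdict": "unknown", "debug_msg_sent": False,
                   "x11_listeners": 0}
            results.append(cur)
            continue
        if cur is None:
            continue
        if LISTENER.search(line):
            # Logs without packet-type lines (as in the 7.1 log): a listener
            # created after x11-req means the forward was set up.
            cur["x11_listeners"] += 1
            if cur["request"] == "x11-req":
                cur["verdict"] = "accepted"
        m = SENT.search(line)
        if m and cur["verdict"] == "unknown":
            ptype = int(m.group(1))
            if ptype == SSH_MSG_DEBUG:
                cur["debug_msg_sent"] = True   # server sent a text hint first
            elif ptype in VERDICT:
                cur["verdict"] = VERDICT[ptype]
    return results

if __name__ == "__main__":
    for r in triage(SAMPLE_LOG):
        print(r)
```

When `debug_msg_sent` is true for a refused `x11-req`, the server sent an SSH_MSG_DEBUG packet just before the failure, so the client's own debug or event log is the next place to look for its text.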



