X11forwarding yes: how to debug/setup after xauth fix

Michael Felt michael at felt.demon.nl
Fri Oct 13 07:58:03 AEDT 2017


On 08/10/2017 23:32, Michael Felt wrote:
> On 04/10/2017 11:07, Michael Felt wrote:
>> I do not often use X11 - but when I do I prefer to enable 
>> X11forwarding, and when finished - turn it off. This is preferable, 
>> imho, to having "clear" X11 processing when local - and otherwise 
>> impossible when working remote.
>>
>> Working with openssh-7.5p2 I cannot figure out what (extra) I need to 
>> do with sshd_config to get it working.
>>
>> I know that there is a security-fix starting with openssh-7.2 
>> (https://www.openssh.com/security.html, March 9, 2016) - and when I 
>> load any version of openssh prior to Openssh-7.2 I get the expected 
>> X11 behavior over an ssh(d) X11forwarding tunnel.
>>
>> So, what should I be looking at on my server or client-side. Is there 
>> a different setting I should be using? I am still using the "putty" 
>> setting of: MIT-Magic-Cookie-1. (I'll test, in a moment using 
>> XDM-Authorization-1). However, the hint I am hoping for is the flag 
>> to set for sshd (e.g., -ddddd) and what debug string - to see if 
>> X11forwarding is attempted, and if so, why it is rejected by the sshd.
>>
>> Again - no changes to client-side - openssh-7.1 and earlier work, 
>> openssh-7.2 and later do not.
>>
> If you need more verbose debug data - please say what you need 
> specifically.

No comments? Is the data in the wrong format?

IMHO - any comment is better than no comment. If it will take time - I 
will wait. But being held up because the data is wrong - and no one 
saying so - is counterproductive.

Thx again for your time.

>
> Client Side:
>
> PUTTY-0.67
> With OpenSSH-7.6p1
>
> Event Log: Writing new session log (SSH packets mode) to file: C:\Users\michael\Desktop\putty.log
> Event Log: Looking up host "192.168.129.72"
> Event Log: Connecting to 192.168.129.72 port 22
> Event Log: We claim version: SSH-2.0-PuTTY_Release_0.67
> Event Log: Server version: SSH-2.0-OpenSSH_7.6
> Event Log: Using SSH protocol version 2
> Outgoing packet #0x0, type 20 / 0x14 (SSH2_MSG_KEXINIT)
> ...
> Incoming packet #0x9, type 91 / 0x5b (SSH2_MSG_CHANNEL_OPEN_CONFIRMATION)
>   00000000  00 00 01 00 00 00 00 00 00 00 00 00 00 00 80 00  ................
> Event Log: Opened main channel
> Event Log: Requesting X11 forwarding
> Outgoing packet #0x9, type 98 / 0x62 (SSH2_MSG_CHANNEL_REQUEST)
>   00000000  00 00 00 00 00 00 00 07 78 31 31 2d 72 65 71 01  ........x11-req.
>   00000010  00 00 00 00 12 4d 49 54 2d 4d 41 47 49 43 2d 43  .....MIT-MAGIC-C
>   00000020  4f 4f 4b 49 45 2d 31 XX XX XX XX XX XX XX XX XX  OOKIE-1XXXXXXXXX
>   00000030  XX XX XX XX XX XX XX XX XX XX XX XX XX XX XX XX  XXXXXXXXXXXXXXXX
>   00000040  XX XX XX XX XX XX XX XX XX XX XX 00 00 00 00     XXXXXXXXXXX....
> Outgoing packet #0xa, type 98 / 0x62 (SSH2_MSG_CHANNEL_REQUEST)
>   00000000  00 00 00 00 00 00 00 07 70 74 79 2d 72 65 71 01  ........pty-req.
>   00000010  00 00 00 05 78 74 65 72 6d 00 00 00 50 00 00 00  ....xterm...P...
>   00000020  18 00 00 00 00 00 00 00 00 00 00 00 10 03 00 00  ................
>   00000030  00 7f 80 00 00 96 00 81 00 00 96 00 00           .............
> Outgoing packet #0xb, type 98 / 0x62 (SSH2_MSG_CHANNEL_REQUEST)
>   00000000  00 00 00 00 00 00 00 05 73 68 65 6c 6c 01        ........shell.
> Incoming packet #0xa, type 100 / 0x64 (SSH2_MSG_CHANNEL_FAILURE)
>   00000000  00 00 01 00                                      ....
> Event Log: X11 forwarding refused
> Incoming packet #0xb, type 99 / 0x63 (SSH2_MSG_CHANNEL_SUCCESS)
>   00000000  00 00 01 00                                      ....
> ...
>
> And OpenSSH-7.1
>
> =~=~=~=~=~=~=~=~=~=~=~= PuTTY log 2017.10.08 23:14:18 =~=~=~=~=~=~=~=~=~=~=~=
> Event Log: Writing new session log (SSH packets mode) to file: C:\Users\michael\Desktop\putty.log
> Event Log: Looking up host "192.168.129.72"
> Event Log: Connecting to 192.168.129.72 port 22
> Event Log: We claim version: SSH-2.0-PuTTY_Release_0.67
> Event Log: Server version: SSH-2.0-OpenSSH_7.1
> Event Log: Using SSH protocol version 2
> Outgoing packet #0x0, type 20 / 0x14 (SSH2_MSG_KEXINIT)
> ...
> Incoming packet #0x9, type 91 / 0x5b (SSH2_MSG_CHANNEL_OPEN_CONFIRMATION)
>   00000000  00 00 01 00 00 00 00 00 00 00 00 00 00 00 80 00  ................
> Event Log: Opened main channel
> Event Log: Requesting X11 forwarding
> Outgoing packet #0x9, type 98 / 0x62 (SSH2_MSG_CHANNEL_REQUEST)
>   00000000  00 00 00 00 00 00 00 07 78 31 31 2d 72 65 71 01  ........x11-req.
>   00000010  00 00 00 00 12 4d 49 54 2d 4d 41 47 49 43 2d 43  .....MIT-MAGIC-C
>   00000020  4f 4f 4b 49 45 2d 31 XX XX XX XX XX XX XX XX XX  OOKIE-1XXXXXXXXX
>   00000030  XX XX XX XX XX XX XX XX XX XX XX XX XX XX XX XX  XXXXXXXXXXXXXXXX
>   00000040  XX XX XX XX XX XX XX XX XX XX XX 00 00 00 00     XXXXXXXXXXX....
> Outgoing packet #0xa, type 98 / 0x62 (SSH2_MSG_CHANNEL_REQUEST)
>   00000000  00 00 00 00 00 00 00 07 70 74 79 2d 72 65 71 01  ........pty-req.
>   00000010  00 00 00 05 78 74 65 72 6d 00 00 00 50 00 00 00  ....xterm...P...
>   00000020  18 00 00 00 00 00 00 00 00 00 00 00 10 03 00 00  ................
>   00000030  00 7f 80 00 00 96 00 81 00 00 96 00 00           .............
> Outgoing packet #0xb, type 98 / 0x62 (SSH2_MSG_CHANNEL_REQUEST)
>   00000000  00 00 00 00 00 00 00 05 73 68 65 6c 6c 01        ........shell.
> Incoming packet #0xa, type 99 / 0x63 (SSH2_MSG_CHANNEL_SUCCESS)
>   00000000  00 00 01 00                                      ....
> Event Log: X11 forwarding enabled
> Incoming packet #0xb, type 99 / 0x63 (SSH2_MSG_CHANNEL_SUCCESS)
>   00000000  00 00 01 00                                      ....
> ...
>
> Server side:
>
> # /opt/sbin/sshd -dddd
> debug2: load_server_config: filename /var/openssh/etc/sshd_config
> debug2: load_server_config: done config len = 476
> debug2: parse_server_config: config /var/openssh/etc/sshd_config len 476
> debug3: /var/openssh/etc/sshd_config:90 setting X11Forwarding yes
> debug3: /var/openssh/etc/sshd_config:112 setting Subsystem sftp /usr/sbin/sftp-server
> debug3: /var/openssh/etc/sshd_config:127 setting ciphers aes128-ctr,aes192-ctr,aes256-ctr,chacha20-poly1305@openssh.com,aes256-cbc
> debug3: /var/openssh/etc/sshd_config:136 setting KexAlgorithms curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
> debug3: kex names ok: [curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1]
> debug3: /var/openssh/etc/sshd_config:150 setting macs hmac-sha2-256,hmac-sha2-512,hmac-sha1-96,hmac-sha1
> debug1: sshd version OpenSSH_7.1, OpenSSL 1.0.2j  26 Sep 2016
> ...
>
> debug1: session_new: session 0
> debug1: session_open: channel 0
> debug1: session_open: session 0: link with channel 0
> debug1: server_input_channel_open: confirm session
> debug1: server_input_channel_req: channel 0 request x11-req reply 1
> debug1: session_by_channel: session 0 channel 0
> debug1: session_input_channel_req: session 0 req x11-req
> debug3: sock_set_v6only: set socket 7 IPV6_V6ONLY
> debug2: fd 6 setting O_NONBLOCK
> debug3: fd 6 is O_NONBLOCK
> debug1: channel 1: new [X11 inet listener]
> debug2: fd 7 setting O_NONBLOCK
> debug3: fd 7 is O_NONBLOCK
> debug1: channel 2: new [X11 inet listener]
> debug1: server_input_channel_req: channel 0 request pty-req reply 1
> debug1: session_by_channel: session 0 channel 0
> debug1: session_input_channel_req: session 0 req pty-req
> debug1: Allocating pty.
> debug1: session_pty_req: session 0 alloc /dev/pts/2
> debug1: server_input_channel_req: channel 0 request shell reply 1
> debug1: session_by_channel: session 0 channel 0
> debug1: session_input_channel_req: session 0 req shell
> +++++++
>
> debug2: load_server_config: filename /var/openssh/etc/sshd_config
> debug2: load_server_config: done config len = 215
> debug2: parse_server_config: config /var/openssh/etc/sshd_config len 215
> debug3: /var/openssh/etc/sshd_config:42 setting AuthorizedKeysFile .ssh/authorized_keys
> debug3: /var/openssh/etc/sshd_config:89 setting X11Forwarding yes
> debug3: /var/openssh/etc/sshd_config:112 setting Subsystem sftp /opt/libexec/sftp-server
> debug1: sshd version OpenSSH_7.6, OpenSSL 1.0.2j  26 Sep 2016
> ...
>
> debug1: session_new: session 0
> debug1: session_open: channel 0
> debug1: session_open: session 0: link with channel 0
> debug1: server_input_channel_open: confirm session
> debug3: send packet: type 91
> debug3: receive packet: type 98
> debug1: server_input_channel_req: channel 0 request x11-req reply 1
> debug1: session_by_channel: session 0 channel 0
> debug1: session_input_channel_req: session 0 req x11-req
> debug3: send packet: type 4
> debug3: send packet: type 100
> debug3: receive packet: type 98
> debug1: server_input_channel_req: channel 0 request pty-req reply 1
> debug1: session_by_channel: session 0 channel 0
> debug1: session_input_channel_req: session 0 req pty-req
> debug1: Allocating pty.
> debug1: session_pty_req: session 0 alloc /dev/pts/2
> debug3: send packet: type 99
> debug3: receive packet: type 98
> debug1: server_input_channel_req: channel 0 request shell reply 1
> debug1: session_by_channel: session 0 channel 0
> debug1: session_input_channel_req: session 0 req shell
>
> Again, thx for your time.
>
>> Thanks for your time!
>>
>> Michael
>>
>> _______________________________________________
>> openssh-unix-dev mailing list
>> openssh-unix-dev at mindrot.org
>> https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
>
>
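An added example, not part of the original post or of OpenSSH: a small Python script that pairs each channel request in an `sshd -ddd` log with the reply packet the server sent, so a refused `x11-req` stands out next to the requests that succeeded. Packet-type names are from RFC 4253 and RFC 4254; the function and variable names are hypothetical. It assumes the log contains `send packet: type N` lines, as the OpenSSH_7.6 excerpt above does (the 7.1 excerpt has none).

```python
import re

# Message numbers from RFC 4253 / RFC 4254 that occur in the logs above.
MSG = {4: "SSH_MSG_DEBUG", 99: "SSH_MSG_CHANNEL_SUCCESS",
       100: "SSH_MSG_CHANNEL_FAILURE"}
REQ = re.compile(r"session_input_channel_req: session \d+ req (\S+)")
SEND = re.compile(r"send packet: type (\d+)")

# Trimmed copy of the OpenSSH_7.6 "sshd -dddd" excerpt quoted in the post.
SSHD_7_6 = """\
debug3: send packet: type 91
debug3: receive packet: type 98
debug1: server_input_channel_req: channel 0 request x11-req reply 1
debug1: session_input_channel_req: session 0 req x11-req
debug3: send packet: type 4
debug3: send packet: type 100
debug3: receive packet: type 98
debug1: server_input_channel_req: channel 0 request pty-req reply 1
debug1: session_input_channel_req: session 0 req pty-req
debug1: Allocating pty.
debug3: send packet: type 99
debug3: receive packet: type 98
debug1: session_input_channel_req: session 0 req shell
"""

def correlate(log):
    """Pair each channel request with the reply sshd sent for it."""
    results, current = [], None
    for line in log.splitlines():
        m = REQ.search(line)
        if m:
            current = {"request": m.group(1), "debug_sent": False,
                       "outcome": "no reply in excerpt"}
            results.append(current)
            continue
        m = SEND.search(line)
        if not m or current is None:
            continue  # packets sent before any request are not replies
        kind = MSG.get(int(m.group(1)))
        if kind == "SSH_MSG_DEBUG":
            current["debug_sent"] = True  # server sent the client a debug text
        elif kind:
            current["outcome"] = kind     # SUCCESS or FAILURE closes the request
            current = None
    return results

if __name__ == "__main__":
    for row in correlate(SSHD_7_6):
        print(row)
```

For the 7.6 excerpt this reports `x11-req` as `SSH_MSG_CHANNEL_FAILURE` with `debug_sent` set: the type 4 packet is an SSH_MSG_DEBUG message sent to the client just before the refusal, and its text does not appear in the server log shown.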


