X11forwarding yes: how to debug/setup after xauth fix
Michael Felt
michael at felt.demon.nl
Fri Oct 13 07:58:03 AEDT 2017
On 08/10/2017 23:32, Michael Felt wrote:
> On 04/10/2017 11:07, Michael Felt wrote:
>> I do not often use X11 - but when I do I prefer to enable
>> X11forwarding, and when finished - turn it off. This is preferable,
>> imho, to having "clear" X11 processing when local - and otherwise
>> impossible when working remote.
>>
>> Working with openssh-7.5p2 I cannot figure out what (extra) I need to
>> do with sshd_config to get it working.
>>
>> I know that there is a security-fix starting with openssh-7.2
>> (https://www.openssh.com/security.html, March 9, 2016) - and when I
>> load any version of openssh prior to Openssh-7.2 I get the expected
>> X11 behavior over an ssh(d) X11forwarding tunnel.
>>
>> So, what should I be looking at on my server or client-side. Is there
>> a different setting I should be using? I am still using the "putty"
>> setting of: MIT-Magic-Cookie-1. (I'll test, in a moment using
>> XDM-Authorization-1). However, the hint I am hoping for is the flag
>> to set for sshd (e.g., -ddddd) and what debug string - to see if
>> X11forwarding is attempted, and if so, why it is rejected by the sshd.
>>
>> Again - no changes to client-side - openssh-7.1 and earlier work,
>> openssh-7.2 and later do not.
>>
> If you need more verbose debug data - please say what you need
> specifically.
No comments? Is the data in the wrong format?
IMHO - any comment is better than no comment. If it will take time - I
will wait. But being held up because the data is wrong - and no one
saying so - is counterproductive.
Thx again for your time.
>
> Client Side:
>
> PUTTY-0.67
> With OpenSSH-7.6p1
>
> Event Log: Writing new session log (SSH packets mode) to file:
> C:\Users\michael\Desktop\putty.log
> Event Log: Looking up host "192.168.129.72"
> Event Log: Connecting to 192.168.129.72 port 22
> Event Log: We claim version: SSH-2.0-PuTTY_Release_0.67
> Event Log: Server version: SSH-2.0-OpenSSH_7.6
> Event Log: Using SSH protocol version 2
> Outgoing packet #0x0, type 20 / 0x14 (SSH2_MSG_KEXINIT)
> ...
> Incoming packet #0x9, type 91 / 0x5b (SSH2_MSG_CHANNEL_OPEN_CONFIRMATION)
> 00000000 00 00 01 00 00 00 00 00 00 00 00 00 00 00 80 00
> ................
> Event Log: Opened main channel
> Event Log: Requesting X11 forwarding
> Outgoing packet #0x9, type 98 / 0x62 (SSH2_MSG_CHANNEL_REQUEST)
> 00000000 00 00 00 00 00 00 00 07 78 31 31 2d 72 65 71 01
> ........x11-req.
> 00000010 00 00 00 00 12 4d 49 54 2d 4d 41 47 49 43 2d 43
> .....MIT-MAGIC-C
> 00000020 4f 4f 4b 49 45 2d 31 XX XX XX XX XX XX XX XX XX
> OOKIE-1XXXXXXXXX
> 00000030 XX XX XX XX XX XX XX XX XX XX XX XX XX XX XX XX
> XXXXXXXXXXXXXXXX
> 00000040 XX XX XX XX XX XX XX XX XX XX XX 00 00 00 00 XXXXXXXXXXX....
> Outgoing packet #0xa, type 98 / 0x62 (SSH2_MSG_CHANNEL_REQUEST)
> 00000000 00 00 00 00 00 00 00 07 70 74 79 2d 72 65 71 01
> ........pty-req.
> 00000010 00 00 00 05 78 74 65 72 6d 00 00 00 50 00 00 00
> ....xterm...P...
> 00000020 18 00 00 00 00 00 00 00 00 00 00 00 10 03 00 00
> ................
> 00000030 00 7f 80 00 00 96 00 81 00 00 96 00 00 .............
> Outgoing packet #0xb, type 98 / 0x62 (SSH2_MSG_CHANNEL_REQUEST)
> 00000000 00 00 00 00 00 00 00 05 73 68 65 6c 6c 01 ........shell.
> Incoming packet #0xa, type 100 / 0x64 (SSH2_MSG_CHANNEL_FAILURE)
> 00000000 00 00 01 00 ....
> Event Log: X11 forwarding refused
> Incoming packet #0xb, type 99 / 0x63 (SSH2_MSG_CHANNEL_SUCCESS)
> 00000000 00 00 01 00 ....
> ...
>
> And OpenSSH-7.1
>
> =~=~=~=~=~=~=~=~=~=~=~= PuTTY log 2017.10.08 23:14:18
> =~=~=~=~=~=~=~=~=~=~=~=
> Event Log: Writing new session log (SSH packets mode) to file:
> C:\Users\michael\Desktop\putty.log
> Event Log: Looking up host "192.168.129.72"
> Event Log: Connecting to 192.168.129.72 port 22
> Event Log: We claim version: SSH-2.0-PuTTY_Release_0.67
> Event Log: Server version: SSH-2.0-OpenSSH_7.1
> Event Log: Using SSH protocol version 2
> Outgoing packet #0x0, type 20 / 0x14 (SSH2_MSG_KEXINIT)
> ...
> Incoming packet #0x9, type 91 / 0x5b (SSH2_MSG_CHANNEL_OPEN_CONFIRMATION)
> 00000000 00 00 01 00 00 00 00 00 00 00 00 00 00 00 80 00
> ................
> Event Log: Opened main channel
> Event Log: Requesting X11 forwarding
> Outgoing packet #0x9, type 98 / 0x62 (SSH2_MSG_CHANNEL_REQUEST)
> 00000000 00 00 00 00 00 00 00 07 78 31 31 2d 72 65 71 01
> ........x11-req.
> 00000010 00 00 00 00 12 4d 49 54 2d 4d 41 47 49 43 2d 43
> .....MIT-MAGIC-C
> 00000020 4f 4f 4b 49 45 2d 31 XX XX XX XX XX XX XX XX XX
> OOKIE-1XXXXXXXXX
> 00000030 XX XX XX XX XX XX XX XX XX XX XX XX XX XX XX XX
> XXXXXXXXXXXXXXXX
> 00000040 XX XX XX XX XX XX XX XX XX XX XX 00 00 00 00 XXXXXXXXXXX....
> Outgoing packet #0xa, type 98 / 0x62 (SSH2_MSG_CHANNEL_REQUEST)
> 00000000 00 00 00 00 00 00 00 07 70 74 79 2d 72 65 71 01
> ........pty-req.
> 00000010 00 00 00 05 78 74 65 72 6d 00 00 00 50 00 00 00
> ....xterm...P...
> 00000020 18 00 00 00 00 00 00 00 00 00 00 00 10 03 00 00
> ................
> 00000030 00 7f 80 00 00 96 00 81 00 00 96 00 00 .............
> Outgoing packet #0xb, type 98 / 0x62 (SSH2_MSG_CHANNEL_REQUEST)
> 00000000 00 00 00 00 00 00 00 05 73 68 65 6c 6c 01 ........shell.
> Incoming packet #0xa, type 99 / 0x63 (SSH2_MSG_CHANNEL_SUCCESS)
> 00000000 00 00 01 00 ....
> Event Log: X11 forwarding enabled
> Incoming packet #0xb, type 99 / 0x63 (SSH2_MSG_CHANNEL_SUCCESS)
> 00000000 00 00 01 00 ....
> ...
>
> Server side:
>
> # /opt/sbin/sshd -dddd
> debug2: load_server_config: filename /var/openssh/etc/sshd_config
> debug2: load_server_config: done config len = 476
> debug2: parse_server_config: config /var/openssh/etc/sshd_config len 476
> debug3: /var/openssh/etc/sshd_config:90 setting X11Forwarding yes
> debug3: /var/openssh/etc/sshd_config:112 setting Subsystem sftp
> /usr/sbin/sftp-server
> debug3: /var/openssh/etc/sshd_config:127 setting ciphers
> aes128-ctr,aes192-ctr,aes256-ctr,chacha20-poly1305@openssh.com,aes256-cbc
> debug3: /var/openssh/etc/sshd_config:136 setting KexAlgorithms
> curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
> debug3: kex names ok:
> [curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1]
> debug3: /var/openssh/etc/sshd_config:150 setting macs
> hmac-sha2-256,hmac-sha2-512,hmac-sha1-96,hmac-sha1
> debug1: sshd version OpenSSH_7.1, OpenSSL 1.0.2j 26 Sep 2016
> ...
>
> debug1: session_new: session 0
> debug1: session_open: channel 0
> debug1: session_open: session 0: link with channel 0
> debug1: server_input_channel_open: confirm session
> debug1: server_input_channel_req: channel 0 request x11-req reply 1
> debug1: session_by_channel: session 0 channel 0
> debug1: session_input_channel_req: session 0 req x11-req
> debug3: sock_set_v6only: set socket 7 IPV6_V6ONLY
> debug2: fd 6 setting O_NONBLOCK
> debug3: fd 6 is O_NONBLOCK
> debug1: channel 1: new [X11 inet listener]
> debug2: fd 7 setting O_NONBLOCK
> debug3: fd 7 is O_NONBLOCK
> debug1: channel 2: new [X11 inet listener]
> debug1: server_input_channel_req: channel 0 request pty-req reply 1
> debug1: session_by_channel: session 0 channel 0
> debug1: session_input_channel_req: session 0 req pty-req
> debug1: Allocating pty.
> debug1: session_pty_req: session 0 alloc /dev/pts/2
> debug1: server_input_channel_req: channel 0 request shell reply 1
> debug1: session_by_channel: session 0 channel 0
> debug1: session_input_channel_req: session 0 req shell
> +++++++
>
> debug2: load_server_config: filename /var/openssh/etc/sshd_config
> debug2: load_server_config: done config len = 215
> debug2: parse_server_config: config /var/openssh/etc/sshd_config len 215
> debug3: /var/openssh/etc/sshd_config:42 setting AuthorizedKeysFile
> .ssh/authorized_keys
> debug3: /var/openssh/etc/sshd_config:89 setting X11Forwarding yes
> debug3: /var/openssh/etc/sshd_config:112 setting Subsystem sftp
> /opt/libexec/sftp-server
> debug1: sshd version OpenSSH_7.6, OpenSSL 1.0.2j 26 Sep 2016
> ...
>
> debug1: session_new: session 0
> debug1: session_open: channel 0
> debug1: session_open: session 0: link with channel 0
> debug1: server_input_channel_open: confirm session
> debug3: send packet: type 91
> debug3: receive packet: type 98
> debug1: server_input_channel_req: channel 0 request x11-req reply 1
> debug1: session_by_channel: session 0 channel 0
> debug1: session_input_channel_req: session 0 req x11-req
> debug3: send packet: type 4
> debug3: send packet: type 100
> debug3: receive packet: type 98
> debug1: server_input_channel_req: channel 0 request pty-req reply 1
> debug1: session_by_channel: session 0 channel 0
> debug1: session_input_channel_req: session 0 req pty-req
> debug1: Allocating pty.
> debug1: session_pty_req: session 0 alloc /dev/pts/2
> debug3: send packet: type 99
> debug3: receive packet: type 98
> debug1: server_input_channel_req: channel 0 request shell reply 1
> debug1: session_by_channel: session 0 channel 0
> debug1: session_input_channel_req: session 0 req shell
>
> Again, thx for your time.
>
>> Thanks for your time!
>>
>> Michael
>>
>> _______________________________________________
>> openssh-unix-dev mailing list
>> openssh-unix-dev at mindrot.org
>> https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
>
>
>
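An added example, not part of the original message: a small triage script that pairs each channel request in `sshd -ddd` output with the reply sshd sent, using the message numbers from RFC 4253 and RFC 4254 (4 = SSH_MSG_DEBUG, 99 = SSH_MSG_CHANNEL_SUCCESS, 100 = SSH_MSG_CHANNEL_FAILURE). The function and field names are chosen here for illustration, and the sample input is a subset of the server-side lines quoted in the post; the 7.1 log has no `send packet` lines, so its outcome is reported as "not logged" and the X11 listener count is the evidence instead.

```python
import re

# SSH message numbers (RFC 4253 / RFC 4254) that matter for a channel request.
SSH_MSG_DEBUG, CHANNEL_SUCCESS, CHANNEL_FAILURE = 4, 99, 100

REQ = re.compile(r"server_input_channel_req: channel (\d+) request (\S+) reply (\d)")
SENT = re.compile(r"send packet: type (\d+)")
LISTENER = re.compile(r"channel \d+: new \[X11 inet listener\]")

def triage(log_text):
    """Pair each channel request in sshd debug output with what sshd did next."""
    results, cur = [], None
    for raw in log_text.splitlines():
        line = raw.lstrip("> ").strip()       # tolerate mail-quoted logs
        m = REQ.search(line)
        if m:                                 # a new request starts a new record
            cur = {"request": m.group(2), "outcome": "not logged",
                   "debug_msg_sent": False, "x11_listeners": 0}
            results.append(cur)
        elif cur is not None and (m := SENT.search(line)):
            kind = int(m.group(1))
            if kind == SSH_MSG_DEBUG:
                cur["debug_msg_sent"] = True  # server sent a text message to the client
            elif kind in (CHANNEL_SUCCESS, CHANNEL_FAILURE):
                cur["outcome"] = "success" if kind == CHANNEL_SUCCESS else "failure"
        elif cur is not None and LISTENER.search(line):
            cur["x11_listeners"] += 1         # a forwarding socket was opened
    return results

# Lines copied from the two server-side logs in the post above.
LOG_7_6 = """\
debug1: server_input_channel_req: channel 0 request x11-req reply 1
debug1: session_input_channel_req: session 0 req x11-req
debug3: send packet: type 4
debug3: send packet: type 100
debug3: receive packet: type 98
debug1: server_input_channel_req: channel 0 request pty-req reply 1
debug1: Allocating pty.
debug3: send packet: type 99
"""
LOG_7_1 = """\
debug1: server_input_channel_req: channel 0 request x11-req reply 1
debug1: channel 1: new [X11 inet listener]
debug1: channel 2: new [X11 inet listener]
debug1: server_input_channel_req: channel 0 request pty-req reply 1
"""

if __name__ == "__main__":
    for name, log in (("7.6", LOG_7_6), ("7.1", LOG_7_1)):
        for record in triage(log):
            print(name, record)
```

A request whose record shows `debug_msg_sent` means sshd sent an SSH_MSG_DEBUG text message before its reply; whether that text is displayed depends on the client and its logging level.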