[SLUG] ssh and vnc
I have been trying to install x11vnc and then use ssh tunnels to connect. There are two different machines that I am trying to connect to, one Ubuntu and one is an Apple iBook running Xubuntu.

1 I have no problem with either machine NOT using ssh

2 using ssh: ssh -L 5900:localhost:5900 remote_name 'x11vnc -localhost -display :0'

    Works great with the Ubuntu machine

    Does not work with the Xubuntu machine (vncviewer localhost:0 appears to connect, but there is no display)

I presume it must be some setting in ssh, but I can't see any difference.

Can anyone help?

Many thanks.
Alan

--
Alan L Tyree                    http://www2.austlii.edu.au/~alan
Tel: +61 2 4782 2670            Mobile: +61 427 486 206
Fax: +61 2 4782 7092            FWD: 615662
--
SLUG - Sydney Linux User's Group Mailing List - http://slug.org.au/
Subscription info and FAQs: http://slug.org.au/faq/mailinglists.html
Re: [SLUG] ssh and vnc
On 28/01/2007, at 4:44 PM, Alan L Tyree wrote:

> I have been trying to install x11vnc and then use ssh tunnels to
> connect. There are two different machines that I am trying to
> connect to, one Ubuntu and one is an Apple iBook running Xubuntu.
>
> 1 I have no problem with either machine NOT using ssh
>
> 2 using ssh: ssh -L 5900:localhost:5900 remote_name 'x11vnc
> -localhost -display :0'
>
> Works great with the Ubuntu machine
>
> Does not work with the Xubuntu machine (vncviewer
> localhost:0 appears to connect, but there is no display)
>
> I presume it must be some setting in ssh, but I can't see any
> difference.
>
> Can anyone help?

Try using the verbose flag to ssh and/or x11vnc, and compare the two machines.
Re: [SLUG] ssh and vnc
On Sun, 28 Jan 2007 16:54:52 +1100 Sam Lawrance <[EMAIL PROTECTED]> wrote:

> On 28/01/2007, at 4:44 PM, Alan L Tyree wrote:
>
> > I have been trying to install x11vnc and then use ssh tunnels to
> > connect. There are two different machines that I am trying to
> > connect to, one Ubuntu and one is an Apple iBook running Xubuntu.
> >
> > 1 I have no problem with either machine NOT using ssh
> >
> > 2 using ssh: ssh -L 5900:localhost:5900 remote_name 'x11vnc
> > -localhost -display :0'
> >
> > Works great with the Ubuntu machine
> >
> > Does not work with the Xubuntu machine (vncviewer
> > localhost:0 appears to connect, but there is no display)
> >
> > I presume it must be some setting in ssh, but I can't see any
> > difference.
> >
> > Can anyone help?
>
> Try using the verbose flag to ssh and/or x11vnc, and compare the two
> machines.

Hmm. I can't do a simple X forwarding to the Xubuntu machine.

[EMAIL PROTECTED]:~$ ssh -v -X misty emacs
OpenSSH_4.3p2 Debian-8, OpenSSL 0.9.8c 05 Sep 2006
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: Applying options for *
debug1: Connecting to misty [192.168.1.101] port 22.
debug1: Connection established.
debug1: identity file /home/alant/.ssh/identity type -1
debug1: identity file /home/alant/.ssh/id_rsa type -1
debug1: identity file /home/alant/.ssh/id_dsa type 2
debug1: Remote protocol version 2.0, remote software version OpenSSH_4.3p2 Debian-5ubuntu1
debug1: match: OpenSSH_4.3p2 Debian-5ubuntu1 pat OpenSSH*
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_4.3p2 Debian-8
debug1: Miscellaneous failure No credentials cache found
debug1: Miscellaneous failure No credentials cache found
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: server->client aes128-cbc hmac-md5 none
debug1: kex: client->server aes128-cbc hmac-md5 none
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1024<1024<8192) sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
debug1: Host 'misty' is known and matches the RSA host key.
debug1: Found key in /home/alant/.ssh/known_hosts:5
debug1: ssh_rsa_verify: signature correct
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: SSH2_MSG_SERVICE_REQUEST sent
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey,password
debug1: Next authentication method: publickey
debug1: Trying private key: /home/alant/.ssh/identity
debug1: Trying private key: /home/alant/.ssh/id_rsa
debug1: Offering public key: /home/alant/.ssh/id_dsa
debug1: Server accepts key: pkalg ssh-dss blen 818
debug1: read PEM private key done: type DSA
debug1: Authentication succeeded (publickey).
debug1: channel 0: new [client-session]
debug1: Entering interactive session.
debug1: Requesting X11 forwarding with authentication spoofing.
debug1: Sending environment.
debug1: Sending env LANG = en_AU.UTF-8
debug1: Sending command: emacs
debug1: client_input_channel_req: channel 0 rtype exit-status reply 0
emacs: standard input is not a tty
debug1: channel 0: free: client-session, nchannels 1
debug1: Transferred: stdin 0, stdout 0, stderr 0 bytes in 0.2 seconds
debug1: Bytes per second: stdin 0.0, stdout 0.0, stderr 0.0
debug1: Exit status 1

--
Alan L Tyree                    http://www2.austlii.edu.au/~alan
Tel: +61 2 4782 2670            Mobile: +61 427 486 206
Fax: +61 2 4782 7092            FWD: 615662
Re: [SLUG] ssh and vnc
On 28/01/2007, at 5:27 PM, Alan L Tyree wrote:

> On Sun, 28 Jan 2007 16:54:52 +1100
> Sam Lawrance <[EMAIL PROTECTED]> wrote:
>
>> On 28/01/2007, at 4:44 PM, Alan L Tyree wrote:
>>
>>> I have been trying to install x11vnc and then use ssh tunnels to
>>> connect. There are two different machines that I am trying to
>>> connect to, one Ubuntu and one is an Apple iBook running Xubuntu.
>>>
>>> 1 I have no problem with either machine NOT using ssh
>>>
>>> 2 using ssh: ssh -L 5900:localhost:5900 remote_name 'x11vnc
>>> -localhost -display :0'
>>>
>>> Works great with the Ubuntu machine
>>>
>>> Does not work with the Xubuntu machine (vncviewer
>>> localhost:0 appears to connect, but there is no display)
>>>
>>> I presume it must be some setting in ssh, but I can't see any
>>> difference.
>>>
>>> Can anyone help?
>>
>> Try using the verbose flag to ssh and/or x11vnc, and compare the
>> two machines.
>
> Hmm. I can't do a simple X forwarding to the Xubuntu machine.
>
> [EMAIL PROTECTED]:~$ ssh -v -X misty emacs
...
> emacs: standard input is not a tty

I think the original problem lies elsewhere - that's an expected error, see the SSH manpage regarding tty / pty allocation and the -t option.
Re: [SLUG] ssh and vnc
Hi Alan,

does this help...

http://www-128.ibm.com/developerworks/linux/library/l-sslvnc.html?ca=dgr-lnxw02SSLVNC

Ben
Re: [SLUG] ssh and vnc
On 28/01/07, Alan L Tyree <[EMAIL PROTECTED]> wrote:

> Hmm. I can't do a simple X forwarding to the Xubuntu machine.

See sshd_config(5) about X11Forwarding. At least on Debian it says the following:

    X11Forwarding
            Specifies whether X11 forwarding is permitted. The argument must be "yes" or "no". The default is "no".

i.e. you have to add "X11Forwarding yes" to /etc/ssh/sshd_config and restart sshd in order to make the ssh daemon accept the X11 forwarding request from the ssh client.

---Amos
Re: [SLUG] ssh and vnc
On Sun, 28 Jan 2007 18:42:00 +1100 Sam Lawrance <[EMAIL PROTECTED]> wrote:

> On 28/01/2007, at 5:27 PM, Alan L Tyree wrote:
>
> > On Sun, 28 Jan 2007 16:54:52 +1100
> > Sam Lawrance <[EMAIL PROTECTED]> wrote:
> >
> >> On 28/01/2007, at 4:44 PM, Alan L Tyree wrote:
> >>
> >>> I have been trying to install x11vnc and then use ssh tunnels to
> >>> connect. There are two different machines that I am trying to
> >>> connect to, one Ubuntu and one is an Apple iBook running Xubuntu.
> >>>
> >>> 1 I have no problem with either machine NOT using ssh
> >>>
> >>> 2 using ssh: ssh -L 5900:localhost:5900 remote_name 'x11vnc
> >>> -localhost -display :0'
> >>>
> >>> Works great with the Ubuntu machine
> >>>
> >>> Does not work with the Xubuntu machine (vncviewer
> >>> localhost:0 appears to connect, but there is no display)
> >>>
> >>> I presume it must be some setting in ssh, but I can't see any
> >>> difference.
> >>>
> >>> Can anyone help?
> >>
> >> Try using the verbose flag to ssh and/or x11vnc, and compare the
> >> two machines.
> >
> > Hmm. I can't do a simple X forwarding to the Xubuntu machine.
> >
> > [EMAIL PROTECTED]:~$ ssh -v -X misty emacs
> ...
> > emacs: standard input is not a tty
>
> I think the original problem lies elsewhere - that's an expected
> error, see the SSH manpage regarding tty / pty allocation and the -t
> option.

It fails with all programs.

The problem is that the DISPLAY variable is not getting set. After logging into both machines with ssh -X machine_name

-
[EMAIL PROTECTED]:~$ echo $DISPLAY
localhost:10.0            ** Ubuntu machine where everything works
-
[EMAIL PROTECTED]:~$ echo $DISPLAY
                          ** Xubuntu machine where nothing works
[EMAIL PROTECTED]:~$
--

The /etc/ssh/sshd_config files are the same in both machines.

I don't know how DISPLAY gets set

--
Alan L Tyree                    http://www2.austlii.edu.au/~alan
Tel: +61 2 4782 2670            Mobile: +61 427 486 206
Fax: +61 2 4782 7092            FWD: 615662
Re: [SLUG] ssh and vnc
here is help I received with this
Ken

Ken,

I think that I have found the problem with your display. When you logged in as root you lost the authorization for the display. The long version can be found on this page...

https://www6.software.ibm.com/developerworks/education/l-lpic1110/section4.html

You need to log in though. So here is an excerpt from that page.

Good luck

cheers

Exporting a display

An X display is known by a name of the form hostname:displaynumber.screennumber. For Linux running on a workstation such as a PC, there is typically only one display with a single screen. In this case, the displayname may be, and usually is, omitted so the display is known as :0.0. The DISPLAY environment variable is usually set to the display name, so you can display it using the command echo $DISPLAY. Depending on your system, this variable may or may not be set if you use su - to switch to another user. In such a case, you may need to set and export the DISPLAY as shown in Listing 25. In this listing you see an attempt to start the xclock application after switching to root, but the attempt fails because the DISPLAY environment variable is not set. Even if the DISPLAY variable is set, you still may not be able to use the display, as you will also need authorization to do so.

Listing 25. Attempting to start xclock

[EMAIL PROTECTED]:~> whoami
ian
[EMAIL PROTECTED]:~> echo $DISPLAY
:0.0
[EMAIL PROTECTED]:~> su -
Password:
lyrebird:~ # echo $DISPLAY

lyrebird:~ # xclock
Error: Can't open display:
lyrebird:~ # export DISPLAY=:0.0
lyrebird:~ # echo $DISPLAY
:0.0
lyrebird:~ # xclock
Xlib: connection to ":0.0" refused by server
Xlib: No protocol specified

Error: Can't open display: :0.0
lyrebird:~ # export XAUTHORITY=~ian/.Xauthority
lyrebird:~ # xclock
lyrebird:~ # ls -l ~ian/.Xauthority
-rw--- 1 ian users 206 Feb 18 16:20 /home/ian/.Xauthority

Let's take a look at what is going on here. In this case, the user ian logged in to the system and his DISPLAY environment was set to :0.0 as we expect. When user ian switched to user root, the DISPLAY environment variable was not set, and an attempt to start xclock failed because the application did not know what display to use.

So the substituted user, root, set the DISPLAY environment variable, and exported it so that it would be available to other shells that might be started from this terminal window. Note that setting and exporting an environment variable does not use the leading $ sign, while displaying or otherwise using the value does. Note too, that if the su command had omitted the - (minus) sign, the DISPLAY environment variable would have been set as it had been for user ian. Nevertheless, even with the environment variable set, xclock still failed.

The reason for the second failure lies in the client/server nature of X. Although root is running in a window on the one and only display on this system, the display is actually owned by the user who logged in originally, ian in this case. Let's take a look at X authorization.
Re: [SLUG] ssh and vnc
On Mon, 29 Jan 2007 09:04:38 +1100 Ken Wilson <[EMAIL PROTECTED]> wrote:

> here is help I received with this
> Ken
>
> Ken,
>
> I think that I have found the problem with your display. When you
> logged in as root you lost the authorization for the display. The
> long version can be found on this page...

But I haven't logged in as root. I just ssh -X in as myself. On one machine the display gets reset properly (presumably by ssh?) but on the other it doesn't. And I can't seem to find any real difference between the two.

I also do X forwarding by ssh-ing into a Sun box. This also works without problems. The Sun DISPLAY variable gets properly reset. It is only my Xubuntu iBook that is being recalcitrant.

Thanks for the reference. Interesting stuff.

Alan
Re: [SLUG] ssh and vnc
Alan L Tyree wrote:

> It fails with all programs.
>
> The problem is that the DISPLAY variable is not getting set. After
> logging into both machines with ssh -X machine_name
>
> -
> [EMAIL PROTECTED]:~$ echo $DISPLAY
> localhost:10.0            ** Ubuntu machine where everything works
> -
> [EMAIL PROTECTED]:~$ echo $DISPLAY
>                           ** Xubuntu machine where nothing works
> [EMAIL PROTECTED]:~$
> --
>
> The /etc/ssh/sshd_config files are the same in both machines.
>
> I don't know how DISPLAY gets set

If you add -vv to your ssh flags, you'll see something like:

debug2: x11_get_proto: /usr/X11R6/bin/xauth -f /tmp/ssh-2fcsElfWeT/xauthfile generate 127.0.0.1:0.0 MIT-MAGIC-COOKIE-1 untrusted timeout 1200 2>/dev/null
debug2: x11_get_proto: /usr/X11R6/bin/xauth -f /tmp/ssh-2fcsElfWeT/xauthfile list 127.0.0.1:0.0 2>/dev/null
debug1: Requesting X11 forwarding with authentication spoofing.
debug2: channel 0: request x11-req confirm 0

after the connection is authenticated.

Every time I've had a problem like this, it was because xauth wasn't installed on the server.

--
Pete
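The two server-side causes raised so far in the thread (X11Forwarding not enabled in sshd_config, and xauth not being available to sshd) can be checked with a short script. This is an added example, not code posted by anyone in the thread: the function names are hypothetical, the sample config is constructed, and the xauth path passed as the second argument is an assumption because sshd's built-in default depends on how it was built.

```shell
#!/bin/sh
# Added example: server-side checks for "ssh -X logs in but DISPLAY is empty".

# Print the effective value of an sshd_config keyword.
#   $1 keyword   $2 config file   $3 value to print when the keyword is absent
# sshd keeps the first value it reads for a keyword, and keywords are
# case-insensitive. Parsing stops at the first Match block because the
# settings below it only apply conditionally.
sshd_effective() {
    awk -v key="$1" -v def="$3" '
        BEGIN { key = tolower(key); val = "" }
        {
            line = $0
            sub(/^[ \t]+/, "", line)
            if (line == "" || line ~ /^#/) next
            n = split(line, f, /[ \t=]+/)
            kw = tolower(f[1])
            if (kw == "match") exit
            if (kw == key && val == "" && n >= 2) {
                val = f[2]
                gsub(/"/, "", val)
            }
        }
        END { print (val == "" ? def : val) }
    ' "$2"
}

# Report the first reason sshd would not set up X11 forwarding.
#   $1 sshd_config path
#   $2 xauth path to assume when XAuthLocation is not set in the config
# Prints one of: ok | forwarding-disabled | xauth-missing:<path>
x11_preflight() {
    # The thread quotes sshd_config(5): the default for X11Forwarding is "no".
    fwd=$(sshd_effective X11Forwarding "$1" no | tr 'A-Z' 'a-z')
    if [ "$fwd" != "yes" ]; then
        echo "forwarding-disabled"
        return 0
    fi
    xauth_path=$(sshd_effective XAuthLocation "$1" "$2")
    if [ ! -x "$xauth_path" ]; then
        echo "xauth-missing:$xauth_path"
        return 0
    fi
    echo "ok"
}

# Classify the DISPLAY value seen inside the ssh session.
#   empty          -> unset      (the symptom on the Xubuntu machine)
#   localhost:N.S  -> forwarded  (as on the working Ubuntu machine)
#   anything else  -> other      (for example :0.0, the console display)
classify_display() {
    case "$1" in
        "") echo unset ;;
        localhost:[0-9]*) echo forwarded ;;
        *) echo other ;;
    esac
}

# With no argument, run on a constructed sshd_config (not taken from either
# machine in the thread). Pass a real path as $1 to check a server instead.
main() {
    conf=${1:-}
    tmp=""
    if [ -z "$conf" ]; then
        tmp=$(mktemp -d) || return 1
        conf=$tmp/sshd_config
        printf '%s\n' '# constructed sample' 'Port 22' \
            '#X11Forwarding yes' 'X11Forwarding no' > "$conf"
    fi
    # /usr/bin/xauth is only a fallback guess for where sshd looks.
    echo "X11Forwarding: $(sshd_effective X11Forwarding "$conf" no)"
    echo "preflight:     $(x11_preflight "$conf" "${2:-/usr/bin/xauth}")"
    echo "DISPLAY:       $(classify_display "${DISPLAY:-}")"
    [ -z "$tmp" ] || rm -rf "$tmp"
}

main "$@"
```

A commented-out `#X11Forwarding yes` line, as in the constructed sample, is the case that a plain grep for the keyword gets wrong.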
Re: [SLUG] ssh and vnc
On Mon, 29 Jan 2007 09:58:56 +1100 Peter Hardy <[EMAIL PROTECTED]> wrote:

> Alan L Tyree wrote:
> > It fails with all programs.
> >
> > The problem is that the DISPLAY variable is not getting set. After
> > logging into both machines with ssh -X machine_name
> >
> > -
> > [EMAIL PROTECTED]:~$ echo $DISPLAY
> > localhost:10.0            ** Ubuntu machine where everything works
> > -
> > [EMAIL PROTECTED]:~$ echo $DISPLAY
> >                           ** Xubuntu machine where nothing works
> > [EMAIL PROTECTED]:~$
> > --
> >
> > The /etc/ssh/sshd_config files are the same in both machines.
> >
> > I don't know how DISPLAY gets set
>
> If you add -vv to your ssh flags, you'll see something like:
>
> debug2: x11_get_proto: /usr/X11R6/bin/xauth -f
> /tmp/ssh-2fcsElfWeT/xauthfile generate 127.0.0.1:0.0
> MIT-MAGIC-COOKIE-1 untrusted timeout 1200 2>/dev/null
> debug2: x11_get_proto: /usr/X11R6/bin/xauth -f
> /tmp/ssh-2fcsElfWeT/xauthfile list 127.0.0.1:0.0 2>/dev/null
> debug1: Requesting X11 forwarding with authentication spoofing.
> debug2: channel 0: request x11-req confirm 0
>
> after the connection is authenticated.
>
> Every time I've had a problem like this, it was because xauth wasn't
> installed on the server.

debug2: x11_get_proto: /usr/bin/X11/xauth list :0.0 2>/dev/null
debug1: Requesting X11 forwarding with authentication spoofing.
debug2: channel 0: request x11-req confirm 0
debug2: client_session2_setup: id 0
debug2: channel 0: request pty-req confirm 0
debug1: Sending environment.
debug1: Sending env LANG = en_AU.UTF-8
debug2: channel 0: request env confirm 0
debug2: channel 0: request shell confirm 0
debug2: fd 3 setting TCP_NODELAY
debug2: callback done
debug2: channel 0: open confirm rwindow 0 rmax 32768
debug2: channel 0: rcvd adjust 131072
Linux misty 2.6.17-10-powerpc #2 Tue Dec 5 22:00:09 UTC 2006 ppc

[EMAIL PROTECTED]:~$ echo $DISPLAY

[EMAIL PROTECTED]:~$
[EMAIL PROTECTED]:~$ type xauth
xauth is /usr/bin/xauth

Sigh! I don't **need** to ssh -X into this machine, so maybe I'll stop wasting time on it. Very frustrating.

Alan

> --
> Pete

--
Alan L Tyree                    http://www2.austlii.edu.au/~alan
Tel: +61 2 4782 2670            Mobile: +61 427 486 206
Fax: +61 2 4782 7092            FWD: 615662
Re: [SLUG] ssh and vnc
On the machine that you're trying to connect to, try running (as root) netstat -ntlp for me.

I think you'll find that X isn't listening on any TCP socket. It certainly isn't on my ubuntu desktop.

If you look in /etc/gdm/gdm.conf, you'll find:

# If true this will basically append -nolisten tcp to every X command line, a
# good default to have (why is this a "negative" setting? because if it is
# false, you could still not allow it by setting command line of any particular
# server). It's probably better to ship with this on since most users will not
# need this and it's more of a security risk then anything else.
# Note: Anytime we find a -query or -indirect on the command line we do not add
# a "-nolisten tcp", as then the query just wouldn't work, so this setting only
# affects truly local sessions.
DisallowTCP=true

I would think that at a minimum you need to set that to "False" and restart GDM; once it's listening on a socket (you probably want to make it only listen on 127.0.0.1 - implementing this is left as an exercise for the reader), you should be able to connect to it.

Also, I note that you're using Xubuntu, so (unless you installed it yourself), GDM will be the wrong thing to look at - again, finding the correct file is left as an exercise for the reader, as is finding some way to do this that doesn't involve messing with text config files.

Feel free to flame me off-list and I'll try to help with the exercises :)

--
There is nothing more worthy of contempt than a man who quotes himself - Zhasper, 2004
Re: [SLUG] ssh and vnc
On 30/01/07, Zhasper <[EMAIL PROTECTED]> wrote:

> On the machine that you're trying to connect to, try running (as root)
> netstat -ntlp for me.
>
> I think you'll find that X isn't listening on any TCP socket. It
> certainly isn't on my ubuntu desktop.
>
> If you look in /etc/gdm/gdm.conf, you'll find:
>
> # If true this will basically append -nolisten tcp to every X command line, a
> # good default to have (why is this a "negative" setting? because if it is
> # false, you could still not allow it by setting command line of any particular
> # server). It's probably better to ship with this on since most users will not
> # need this and it's more of a security risk then anything else.
> # Note: Anytime we find a -query or -indirect on the command line we do not add
> # a "-nolisten tcp", as then the query just wouldn't work, so this setting only
> # affects truly local sessions.
> DisallowTCP=true
>
> I would think that at a minimum you need to set that to "False" and
> restart GDM; once it's listening on a socket (you probably want to
> make it only listen on 127.0.0.1 - implementing this is left as an
> exercise for the reader), you should be able to connect to it.
>
> Also, I note that you're using Xubuntu, so (unless you installed it
> yourself), GDM will be the wrong thing to look at - again, finding the
> correct file is left as an exercise for the reader, as is finding some
> way to do this that doesn't involve messing with text config files.

Reading http://ubuntuguide.org/wiki/Ubuntu_Edgy#How_to_turn_on_the_XDMCP_feature made me look at System -> Administration -> Login Window -> Security, at which place I find a setting labelled "Deny TCP Connections to X server", which has the additional description: "Disables X forwarding, but does not affect XDMCP". It defaults to being checked.

I would assume this corresponds to the option in the file I mentioned. If this exists, or something similar, in Xubuntu, it would seem like a good knob to twiddle.

--
There is nothing more worthy of contempt than a man who quotes himself - Zhasper, 2004
Re: [SLUG] ssh and vnc
On 30/01/07, Zhasper <[EMAIL PROTECTED]> wrote:

> On the machine that you're trying to connect to, try running (as root)
> netstat -ntlp for me.
>
> I think you'll find that X isn't listening on any TCP socket. It
> certainly isn't on my ubuntu desktop.

The X server on the remote machine shouldn't have anything to do with this. You can run X clients on a CPU which doesn't have a server as long as they have a valid $DISPLAY to connect to (as many of us can testify - e.g. installing Oracle through their Java-based installer on some remote server which doesn't even have a monitor).

--Amos
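For the `netstat -ntlp` check discussed above, the sketch below reads that output and reports each X11 or VNC TCP listener together with whether it is bound to loopback only. It is an added example, not code from the thread: the netstat sample is constructed, the function names are hypothetical, and the port ranges are the usual conventions (X display N on TCP 6000+N, VNC display N on 5900+N) rather than anything stated in the thread. A forwarded display such as localhost:10.0 appears here as sshd itself listening on 127.0.0.1:6010, independent of any X server on the remote machine.

```shell
#!/bin/sh
# Added example: classify X11 and VNC TCP listeners in `netstat -ntlp` output.

# Constructed sample (addresses, PIDs and program names are made up).
sample_netstat() {
    cat <<'EOF'
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      900/sshd
tcp        0      0 127.0.0.1:6010          0.0.0.0:*               LISTEN      4321/sshd
tcp        0      0 0.0.0.0:6000            0.0.0.0:*               LISTEN      3000/Xorg
tcp        0      0 127.0.0.1:5900          0.0.0.0:*               LISTEN      5000/x11vnc
tcp6       0      0 :::6000                 :::*                    LISTEN      3000/Xorg
EOF
}

# Read netstat output on stdin; print "port kind scope program" per listener.
#   kind:  x11 (6000-6063) or vnc (5900-5999); other ports are skipped
#   scope: loopback when bound to 127.x.x.x or ::1, otherwise exposed
x_vnc_listeners() {
    awk '
        $1 ~ /^tcp/ && $6 == "LISTEN" {
            local_addr = $4
            # The port is whatever follows the last colon, which also
            # handles IPv6 forms such as :::6000 and ::1:6010.
            n = split(local_addr, part, ":")
            port = part[n] + 0
            addr = substr(local_addr, 1, length(local_addr) - length(part[n]) - 1)
            if (port >= 6000 && port <= 6063) kind = "x11"
            else if (port >= 5900 && port <= 5999) kind = "vnc"
            else next
            scope = (addr ~ /^127\./ || addr == "::1") ? "loopback" : "exposed"
            # The program column is "-" when netstat runs without root.
            prog = (NF >= 7) ? $7 : "-"
            sub(/^[0-9]+\//, "", prog)
            sub(/:$/, "", prog)
            print port, kind, scope, prog
        }
    '
}

# Count listeners reachable from other hosts; 0 means loopback-only.
exposed_listener_count() {
    x_vnc_listeners | awk '$3 == "exposed" { n++ } END { print n + 0 }'
}

# With no argument, classify the constructed sample; on a real host run:
#   netstat -ntlp | sh this-script.sh -
if [ "${1:-}" = "-" ]; then
    x_vnc_listeners
else
    sample_netstat | x_vnc_listeners
fi
```

In the sample, x11vnc started with -localhost shows as `5900 vnc loopback`, while an X server started without -nolisten tcp shows as `6000 x11 exposed` on both IPv4 and IPv6.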
Re: [SLUG] ssh and vnc
On Tue, 30 Jan 2007 16:31:21 +1100 Zhasper <[EMAIL PROTECTED]> wrote:

> On the machine that you're trying to connect to, try running (as root)
> netstat -ntlp for me.
>
> I think you'll find that X isn't listening on any TCP socket. It
> certainly isn't on my ubuntu desktop.
>
> If you look in /etc/gdm/gdm.conf, you'll find:
>
> # If true this will basically append -nolisten tcp to every X command
> # line, a good default to have (why is this a "negative" setting?
> # because if it is false, you could still not allow it by setting
> # command line of any particular server). It's probably better to
> # ship with this on since most users will not need this and it's more
> # of a security risk then anything else. Note: Anytime we find a
> # -query or -indirect on the command line we do not add a "-nolisten
> # tcp", as then the query just wouldn't work, so this setting only
> # affects truly local sessions.
> DisallowTCP=true
>
> I would think that at a minimum you need to set that to "False" and
> restart GDM; once it's listening on a socket (you probably want to
> make it only listen on 127.0.0.1 - implementing this is left as an
> exercise for the reader), you should be able to connect to it.
>
> Also, I note that you're using Xubuntu, so (unless you installed it
> yourself), GDM will be the wrong thing to look at - again, finding the
> correct file is left as an exercise for the reader, as is finding some
> way to do this that doesn't involve messing with text config files.
>
> Feel free to flame me off-list and I'll try to help with the
> exercises :)

No flames either on or off the list! Thanks for your thoughts on this. I will pursue them tomorrow and report back.

Cheers,
alan

> On 29/01/07, Alan L Tyree <[EMAIL PROTECTED]> wrote:
> > On Mon, 29 Jan 2007 09:58:56 +1100
> > Peter Hardy <[EMAIL PROTECTED]> wrote:
> >
> > > Alan L Tyree wrote:
> > > > It fails with all programs.
> > > >
> > > > The problem is that the DISPLAY variable is not getting set.
> > > > After logging into both machines with ssh -X machine_name
> > > >
> > > > -
> > > > [EMAIL PROTECTED]:~$ echo $DISPLAY
> > > > localhost:10.0 ** Ubuntu machine where everything
> > > > works -
> > > > [EMAIL PROTECTED]:~$ echo $DISPLAY
> > > > ** Xubuntu machine where nothing works
> > > > [EMAIL PROTECTED]:~$
> > > > --
> > > >
> > > > The /etc/ssh/sshd_config files are the same in both machines.
> > > >
> > > > I don't know how DISPLAY gets set
> > >
> > > If you add -vv to your ssh flags, you'll see something like:
> > >
> > > debug2: x11_get_proto: /usr/X11R6/bin/xauth -f
> > > /tmp/ssh-2fcsElfWeT/xauthfile generate 127.0.0.1:0.0
> > > MIT-MAGIC-COOKIE-1 untrusted timeout 1200 2>/dev/null
> > > debug2: x11_get_proto: /usr/X11R6/bin/xauth -f
> > > /tmp/ssh-2fcsElfWeT/xauthfile list 127.0.0.1:0.0 2>/dev/null
> > > debug1: Requesting X11 forwarding with authentication spoofing.
> > > debug2: channel 0: request x11-req confirm 0
> > >
> > > after the connection is authenticated.
> > >
> > > Every time I've had a problem like this, it was because xauth
> > > wasn't installed on the server.
> >
> > debug2: x11_get_proto: /usr/bin/X11/xauth list :0.0 2>/dev/null
> > debug1: Requesting X11 forwarding with authentication spoofing.
> > debug2: channel 0: request x11-req confirm 0
> > debug2: client_session2_setup: id 0
> > debug2: channel 0: request pty-req confirm 0
> > debug1: Sending environment.
> > debug1: Sending env LANG = en_AU.UTF-8
> > debug2: channel 0: request env confirm 0
> > debug2: channel 0: request shell confirm 0
> > debug2: fd 3 setting TCP_NODELAY
> > debug2: callback done
> > debug2: channel 0: open confirm rwindow 0 rmax 32768
> > debug2: channel 0: rcvd adjust 131072
> > Linux misty 2.6.17-10-powerpc #2 Tue Dec 5 22:00:09 UTC 2006 ppc
> >
> > [EMAIL PROTECTED]:~$ echo $DISPLAY
> >
> > [EMAIL PROTECTED]:~$
> > [EMAIL PROTECTED]:~$ type xauth
> > xauth is /usr/bin/xauth
> >
> > Sigh! I don't **need** to ssh -X into this machine, so maybe I'll
> > stop wasting time on it. Very frustrating.
> >
> > Alan
Re: [SLUG] ssh and vnc
On 30/01/07, Amos Shapira <[EMAIL PROTECTED]> wrote:

> On 30/01/07, Zhasper <[EMAIL PROTECTED]> wrote:
> >
> > On the machine that you're trying to connect to, try running (as root)
> > netstat -ntlp for me.
> >
> > I think you'll find that X isn't listening on any TCP socket. It
> > certainly isn't on my ubuntu desktop.
>
> The X server on the remote machine shouldn't have anything to do with
> this. You can run X clients on a CPU which doesn't have a server as
> long as they have a valid $DISPLAY to connect to (as many of us can
> testify - e.g. installing Oracle through their Java-based installer
> on some remote server which doesn't even have a monitor).

Urr... quite right. I thought the Xubuntu machine was the remote server, but on re-reading, I see that I was wrong - it's one of the clients that's trying to connect to the server[1].

However, partway through the thread, Alan noted that:

> [EMAIL PROTECTED]:~$ echo $DISPLAY
> ** Xubuntu machine where nothing works

combine this with your completely correct comment that "You can run X clients on a CPU which doesn't have a server as long as they have a valid $DISPLAY to connect to" - well, I think we can see where the problem might be :)

I'm fairly sure I'm on the right track - please let me know if I'm still missing something :)

--
There is nothing more worthy of contempt than a man who quotes himself - Zhasper, 2004
Re: [SLUG] ssh and vnc
On Tue, 30 Jan 2007 16:52:21 +1100 "Amos Shapira" <[EMAIL PROTECTED]> wrote:

> On 30/01/07, Zhasper <[EMAIL PROTECTED]> wrote:
> >
> > On the machine that you're trying to connect to, try running (as
> > root) netstat -ntlp for me.
> >
> > I think you'll find that X isn't listening on any TCP socket. It
> > certainly isn't on my ubuntu desktop.
>
> The X server on the remote machine shouldn't have anything to do with
> this. You can run X clients on a CPU which doesn't have a server as
> long as they have a valid $DISPLAY to connect to (as many of us can
> testify - e.g. installing Oracle through their Java-based installer
> on some remote server which doesn't even have a monitor).

And that does seem to be the problem - the Xubuntu machine does not set the DISPLAY variable when I log in with SSH. It is set on the other Ubuntu machines that I try (well, both of them). These other Ubuntus would be stock standard installs.
Re: [SLUG] ssh and vnc
On Tue, 30 Jan 2007 17:12:33 +1100 Zhasper <[EMAIL PROTECTED]> wrote:

> On 30/01/07, Amos Shapira <[EMAIL PROTECTED]> wrote:
> > On 30/01/07, Zhasper <[EMAIL PROTECTED]> wrote:
> > >
> > > On the machine that you're trying to connect to, try running (as
> > > root) netstat -ntlp for me.
> > >
> > > I think you'll find that X isn't listening on any TCP socket. It
> > > certainly isn't on my ubuntu desktop.
> >
> > The X server on the remote machine shouldn't have anything to do
> > with this. You can run X clients on a CPU which doesn't have a
> > server as long as they have a valid $DISPLAY to connect to (as
> > many of us can testify - e.g. installing Oracle through their
> > Java-based installer on some remote server which doesn't even have
> > a monitor).
>
> Urr... quite right. I thought the Xubuntu machine was the remote
> server, but on re-reading, I see that I was wrong - it's one of the
> clients that's trying to connect to the server[1].

No, you are correct. The Xubuntu is "remote". I am trying to connect to it from a Debian unstable machine. "Misty" is the Xubuntu machine, and it seems to refuse to set the DISPLAY variable.

The frustrating thing is that I can't find any significant difference between the Xubuntu configuration files and the Ubuntu ones that behave perfectly.
Re: [SLUG] ssh and vnc
On 30/01/07, Alan L Tyree <[EMAIL PROTECTED]> wrote:

> The frustrating thing is that I can't find any significant difference
> between the Xubuntu configuration files and the Ubuntu ones that
> behave perfectly.

Let's try to look at the situation from a different angle - login to the remote system with "-X" and try to find whether you can see anything listening on TCP port 6010 (that's the port sshd will usually forward X11 through, determined by X11DisplayOffset in /etc/ssh/sshd_config) using "sudo netstat -tlp".

For some reason this command will not list the program name on a (working) Debian Etch, but rather something like:

tcp        0      0 localhost:6010          *:*                     LISTEN      21577/4

(21577 is the pid, I assume the "/4" is the file descriptor)

Also can you check that you have package "xbase-clients" installed on the remote Xubuntu ("Misty")?

Cheers,

--Amos
Re: [SLUG] ssh and vnc
On Tue, 30 Jan 2007 18:27:04 +1100 "Amos Shapira" <[EMAIL PROTECTED]> wrote:

> On 30/01/07, Alan L Tyree <[EMAIL PROTECTED]> wrote:
> >
> > The frustrating thing is that I can't find any significant
> > difference between the Xubuntu configuration files and the Ubuntu
> > ones that behave perfectly.
>
> Let's try to look at the situation from a different angle - login to
> the remote system with "-X" and try to find whether you can see
> anything listening on TCP port 6010 (that's the port sshd will
> usually forward X11 through, determined by X11DisplayOffset
> in /etc/ssh/sshd_config) using "sudo netstat -tlp".

On the remote Xubuntu ("Misty"), logged in with ssh -X:

[EMAIL PROTECTED]:~$ sudo netstat -tlp
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 localhost:2208          *:*                     LISTEN      3795/hpiod
tcp        0      0 *:sunrpc                *:*                     LISTEN      3062/portmap
tcp        0      0 *:x11                   *:*                     LISTEN      3520/X
tcp        0      0 localhost:ipp           *:*                     LISTEN      3776/cupsd
tcp        0      0 localhost:60924         *:*                     LISTEN      3804/python
tcp6       0      0 *:x11                   *:*                     LISTEN      3520/X
tcp6       0      0 *:ssh                   *:*                     LISTEN      4223/sshd

On the Local Debian Sid ("Windy"):

tcp        0      0 *:sunrpc                *:*                     LISTEN      2136/portmap
tcp        0      0 *:auth                  *:*                     LISTEN      2718/inetd
tcp        0      0 localhost:ipp           *:*                     LISTEN      2487/cupsd
tcp        0      0 *:39354                 *:*                     LISTEN      2789/rpc.statd
tcp6       0      0 *:ssh                   *:*                     LISTEN      2741/sshd

> For some reason this command will not list the program name on a
> (working) Debian Etch, but rather something like:
>
> tcp        0      0 localhost:6010          *:*                     LISTEN      21577/4
>
> (21577 is the pid, I assume the "/4" is the file descriptor)
>
> Also can you check that you have package "xbase-clients" installed on
> the remote Xubuntu ("Misty")?

Confirmed. Also, I took note of an earlier suggestion and unticked the item in "Login Window Preferences" which is "Deny TCP connections to Xserver".

And, I still have the following fundamental problem:

[EMAIL PROTECTED]:~$ echo $DISPLAY

[EMAIL PROTECTED]:~$

Thanks for the help. I'm sure it is something simple, but Of course, it is always simple once you know how to do it :-)

Cheers,
Alan
Re: [SLUG] ssh and vnc
On 31/01/07, Alan L Tyree <[EMAIL PROTECTED]> wrote:

> On the remote Xubuntu ("Misty"), logged in with ssh -X:
> [EMAIL PROTECTED]:~$ sudo netstat -tlp
> Active Internet connections (only servers)
> Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
> tcp        0      0 localhost:2208          *:*                     LISTEN      3795/hpiod
> tcp        0      0 *:sunrpc                *:*                     LISTEN      3062/portmap
> tcp        0      0 *:x11                   *:*                     LISTEN      3520/X
> tcp        0      0 localhost:ipp           *:*                     LISTEN      3776/cupsd
> tcp        0      0 localhost:60924         *:*                     LISTEN      3804/python
> tcp6       0      0 *:x11                   *:*                     LISTEN      3520/X
> tcp6       0      0 *:ssh                   *:*                     LISTEN      4223/sshd

So it looks like the -X request doesn't get handled by sshd on the other side, or at least it doesn't listen on a TCP port for you, so your problem is more fundamental than not having the $DISPLAY set.

Run "sshd -ddd" on a separate port on Misty and try to connect to it ("-p" parameter to ssh client). Be careful to do it that way instead of killing the standard sshd daemon - read sshd(8) about "-d" carefully before doing that.

> On the Local Debian Sid ("Windy"):

That's not relevant, it's the ssh daemon on the other side that's supposed to listen for new X11 connections and pass them locally when they arrive, nothing new should listen on the local host for that (the local side of ssh is just another X11 client in that context).

It's digging like this that teaches you the most about Linux/networking/tools/debugging methods, so keep digging.

Cheers,

--Amos
Re: [SLUG] ssh and vnc
On Wed, 31 Jan 2007 07:39:02 +1100 "Amos Shapira" <[EMAIL PROTECTED]> wrote:

> On 31/01/07, Alan L Tyree <[EMAIL PROTECTED]> wrote:
> >
> > On the remote Xubuntu ("Misty"), logged in with ssh -X:
> > [EMAIL PROTECTED]:~$ sudo netstat -tlp
> > Active Internet connections (only servers)
> > Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
> > tcp        0      0 localhost:2208          *:*                     LISTEN      3795/hpiod
> > tcp        0      0 *:sunrpc                *:*                     LISTEN      3062/portmap
> > tcp        0      0 *:x11                   *:*                     LISTEN      3520/X
> > tcp        0      0 localhost:ipp           *:*                     LISTEN      3776/cupsd
> > tcp        0      0 localhost:60924         *:*                     LISTEN      3804/python
> > tcp6       0      0 *:x11                   *:*                     LISTEN      3520/X
> > tcp6       0      0 *:ssh                   *:*                     LISTEN      4223/sshd
>
> So it looks like the -X request doesn't get handled by sshd on the
> other side, or at least it doesn't listen on a TCP port for you, so
> your problem is more fundamental than not having the $DISPLAY set.
>
> Run "sshd -ddd" on a separate port on Misty and try to connect to it
> ("-p" parameter to ssh client).
> Be careful to do it that way instead of killing the standard sshd
> daemon - read sshd(8) about "-d" carefully before doing that.

OK, I'll try to give that a go later in the day.

> It's digging like this that teaches you the most about
> Linux/networking/tools/debugging methods, so keep digging.

True, so true. I'm learning a lot more about ssh than I ever wanted to know :-)

Thanks for the help, Amos.
Re: [SLUG] ssh and vnc
On Wed, 31 Jan 2007 09:36:57 +1100 [EMAIL PROTECTED] wrote:

> Sorry to jump in here late, I haven't looked at the whole thread.
>
> Have you already checked your sshd_config on the machine you are
> ssh'ing to
>
> You need to have:
> X11Forwarding yes <-- default is NO
> X11UseLocalhost yes

Check.

> you can also get around it with:
> AllowTcpForwarding yes <-- I assume the default of this is no as
> well.
>
> but would have to deal with the security yourself in that case.
>
> You already seem to have your X server listening on a TCP port so you
> are OK there (the default these days is to use a unix socket I think)
>
> Anyway - hope I am not stating the obvious here.
> If all of that fails then the sshd -ddd looks like a plan to me, use
> a different port (e.g. -p 5022) - you will need to run this after
> you ssh'ed in of course.

Fooling around with that now. The man page says that output is sent to the system log (which I presume is /var/log/syslog). It doesn't seem to be doing that.

However, it runs through lots of ports (Not sure where it starts since I can't scroll up that far) and then reports:

debug2: bind port 6999: Cannot assign requested address
Failed to allocate internet-domain X11 display socket.
debug1: x11_create_display_inet failed.

So that at least explains why DISPLAY is not set.

Any further help appreciated.

Alan

> From the above;
> Running netstat on the client [ which has the X server ] won't tell
> you anything - you need to run it on the server (by that I mean the
> machine with the sshd running) to check if you have localhost:6010
> listening (or similar port - depending on the setting of :
> X11DisplayOffset in the sshd_config )
>
> Useful man pages:
> http://www.die.net/doc/linux/man/man5/sshd_config.5.html
> http://gentoo-wiki.com/MAN_sshd_8
>
> good luck with it.
Re: [SLUG] ssh and vnc
On Wed, 31 Jan 2007 09:54:30 +1100 "Amos Shapira" <[EMAIL PROTECTED]> wrote:

> On 31/01/07, [EMAIL PROTECTED] <[EMAIL PROTECTED]> wrote:
> >
> > you can also get around it with:
> > AllowTcpForwarding yes <-- I assume the default of this is no as
> > well.
>
> I forgot about that one but the manual says that the default is
> "yes". You still need to enable the X11Forwarding which is a separate
> flag as you stated.
>
> > but would have to deal with the security yourself in that case.
> >
> > You already seem to have your X server listening on a TCP port so
> > you are OK there (the default these
> > days is to use a unix socket I think)
>
> That's not relevant - once the X11 connection is forwarded to the
> local ssh client, the ssh client can use UNIX-domain sockets to
> connect to the local X11 server just like any other local X11 client.
>
> > If all of that fails then the sshd -ddd looks like a plan to me, use a
> > different port (e.g. -p 5022) - you will need to run this after you
> > ssh'ed in of course.
>
> And make sure the port is accessible through any firewall on the way
> (you DO have iptables set up, do you?)

closed down on Misty as part of the investigation. I'm behind a NAT router with all of these machines so it seems minimal risk.

Alan
Re: [SLUG] ssh and vnc
On 31/01/07, Alan L Tyree <[EMAIL PROTECTED]> wrote:

> Fooling around with that now. The man page says that output is sent to
> the system log (which I presume is /var/log/syslog). It doesn't seem
> to be doing that.
>
> However, it runs through lots of ports (Not sure where it starts since
> I can't scroll up that far) and then reports:

Then forward the output to a file - "sudo ...sshd ... > ~/sshd.out 2>&1 &"

> debug2: bind port 6999: Cannot assign requested address
> Failed to allocate internet-domain X11 display socket.
> debug1: x11_create_display_inet failed.
>
> So that at least explains why DISPLAY is not set.
>
> Any further help appreciated.

Googling about, http://marc.theaimsgroup.com/?l=openssh-unix-dev&m=104336969724537&w=2 looks closest to your situation - do you have the loopback interface configured?

Another option - disable ipv6 by adding:

ListenAddress 0.0.0.0

To sshd_config.

(source: http://www.samag.com/documents/s=9915/sam0512i/0512i.htm it's Sun-specific but the error message is the same).

Cheers,

--Amos
Re: [SLUG] ssh and vnc
On Wed, 31 Jan 2007 10:40:03 +1100 "Amos Shapira" <[EMAIL PROTECTED]> wrote:

> On 31/01/07, Alan L Tyree <[EMAIL PROTECTED]> wrote:
> >
> > Fooling around with that now. The man page says that output is sent
> > to the system log (which I presume is /var/log/syslog). It doesn't
> > seem to be doing that.
> >
> > However, it runs through lots of ports (Not sure where it starts
> > since I can't scroll up that far) and then reports:
>
> Then forward the output to a file - "sudo ...sshd ... > ~/sshd.out
> 2>&1 &"

Of course. Muy stupido.

The relevant part seems here:

debug1: Entering interactive session for SSH2.
debug2: fd 6 setting O_NONBLOCK
debug2: fd 7 setting O_NONBLOCK
debug1: server_init_dispatch_20
debug2: User child is on pid 10258
debug3: mm_request_receive entering
debug1: server_input_channel_open: ctype session rchan 0 win 65536 max 16384
debug1: input_session_request
debug1: channel 0: new [server-session]
debug1: session_new: init
debug1: session_new: session 0
debug1: session_open: channel 0
debug1: session_open: session 0: link with channel 0
debug1: server_input_channel_open: confirm session
debug1: server_input_channel_req: channel 0 request x11-req reply 0
debug1: session_by_channel: session 0 channel 0
debug1: session_input_channel_req: session 0 req x11-req
debug2: bind port 6010: Cannot assign requested address
debug2: bind port 6010: Cannot assign requested address
debug2: bind port 6011: Cannot assign requested address
...
debug2: bind port 6998: Cannot assign requested address
debug2: bind port 6999: Cannot assign requested address
debug2: bind port 6999: Cannot assign requested address
Failed to allocate internet-domain X11 display socket.
debug1: x11_create_display_inet failed.

But I don't know what to make of it.

Thanks,
Alan
Re: [SLUG] ssh and vnc
On 31/01/07, Alan L Tyree <[EMAIL PROTECTED]> wrote:

> But I don't know what to make of it.

What about the rest of my message below? (copied again)

> Googling about,
> http://marc.theaimsgroup.com/?l=openssh-unix-dev&m=104336969724537&w=2
> looks closest to your situation - do you have the loopback interface
> configured?
>
> Another option - disable ipv6 by adding:
>
> ListenAddress 0.0.0.0
>
> To sshd_config.
>
> (source: http://www.samag.com/documents/s=9915/sam0512i/0512i.htm it's
> Sun-specific but the error message is the same).

Cheers,

--Amos
Re: [SLUG] ssh and vnc
On Wed, 31 Jan 2007 11:05:08 +1100 "Amos Shapira" <[EMAIL PROTECTED]> wrote:

> On 31/01/07, Alan L Tyree <[EMAIL PROTECTED]> wrote:
> >
> > But I don't know what to make of it.
>
> What about the rest of my message below? (copied again)

Ooops, missed that. I'll try it.
Re: [SLUG] ssh and vnc
On Wed, 31 Jan 2007 11:05:08 +1100 "Amos Shapira" <[EMAIL PROTECTED]> wrote:

> On 31/01/07, Alan L Tyree <[EMAIL PROTECTED]> wrote:
> >
> > But I don't know what to make of it.
>
> What about the rest of my message below? (copied again)
>
> > > Googling about,
> > > http://marc.theaimsgroup.com/?l=openssh-unix-dev&m=104336969724537&w=2
> > > looks closest to your situation - do you have the loopback
> > > interface configured?

That may be it:

[EMAIL PROTECTED]:~$ ifconfig
eth0      Link encap:Ethernet  HWaddr 00:11:24:92:E1:91
          UP BROADCAST MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:294 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:0 (0.0 b)  TX bytes:12348 (12.0 KiB)
          Interrupt:52 Base address:0x8000

eth1      Link encap:Ethernet  HWaddr 00:11:24:7D:2B:C4
          inet addr:192.168.1.101  Bcast:192.168.1.255  Mask:255.255.255.0
          inet6 addr: fe80::211:24ff:fe7d:2bc4/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:874 errors:0 dropped:0 overruns:0 frame:0
          TX packets:1035 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:57675 (56.3 KiB)  TX bytes:1126998 (1.0 MiB)
          Interrupt:41 Base address:0x3000

[EMAIL PROTECTED]:~$

But no lo device! Will pursue further and report back.

Thanks for that.
Re: [SLUG] ssh and vnc
On 31/01/07, Alan L Tyree <[EMAIL PROTECTED]> wrote:

> That may be it:
>
> [EMAIL PROTECTED]:~$ ifconfig
> eth0      Link encap:Ethernet  HWaddr 00:11:24:92:E1:91
>           UP BROADCAST MULTICAST  MTU:1500  Metric:1
>           RX packets:0 errors:0 dropped:0 overruns:0 frame:0
>           TX packets:294 errors:0 dropped:0 overruns:0 carrier:0
>           collisions:0 txqueuelen:1000
>           RX bytes:0 (0.0 b)  TX bytes:12348 (12.0 KiB)
>           Interrupt:52 Base address:0x8000
>
> eth1      Link encap:Ethernet  HWaddr 00:11:24:7D:2B:C4
>           inet addr:192.168.1.101  Bcast:192.168.1.255  Mask:255.255.255.0
>           inet6 addr: fe80::211:24ff:fe7d:2bc4/64 Scope:Link
>           UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
>           RX packets:874 errors:0 dropped:0 overruns:0 frame:0
>           TX packets:1035 errors:0 dropped:0 overruns:0 carrier:0
>           collisions:0 txqueuelen:1000
>           RX bytes:57675 (56.3 KiB)  TX bytes:1126998 (1.0 MiB)
>           Interrupt:41 Base address:0x3000
>
> [EMAIL PROTECTED]:~$
>
> But no lo device! Will pursue further and report back.

Check that you have the following in /etc/network/interfaces:

# The loopback network interface
auto lo
iface lo inet loopback

then run "ifup lo"

--Amos
Re: [SLUG] ssh and vnc
On Wed, 31 Jan 2007 12:06:22 +1100 "Amos Shapira" <[EMAIL PROTECTED]> wrote:

> On 31/01/07, Alan L Tyree <[EMAIL PROTECTED]> wrote:
> >
> > That may be it:
> >
> > [EMAIL PROTECTED]:~$ ifconfig
> > eth0      Link encap:Ethernet  HWaddr 00:11:24:92:E1:91
> >           UP BROADCAST MULTICAST  MTU:1500  Metric:1
> >           RX packets:0 errors:0 dropped:0 overruns:0 frame:0
> >           TX packets:294 errors:0 dropped:0 overruns:0 carrier:0
> >           collisions:0 txqueuelen:1000
> >           RX bytes:0 (0.0 b)  TX bytes:12348 (12.0 KiB)
> >           Interrupt:52 Base address:0x8000
> >
> > eth1      Link encap:Ethernet  HWaddr 00:11:24:7D:2B:C4
> >           inet addr:192.168.1.101  Bcast:192.168.1.255
> >           Mask:255.255.255.0 inet6 addr: fe80::211:24ff:fe7d:2bc4/64
> >           Scope:Link UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
> >           RX packets:874 errors:0 dropped:0 overruns:0 frame:0
> >           TX packets:1035 errors:0 dropped:0 overruns:0 carrier:0
> >           collisions:0 txqueuelen:1000
> >           RX bytes:57675 (56.3 KiB)  TX bytes:1126998 (1.0 MiB)
> >           Interrupt:41 Base address:0x3000
> >
> > [EMAIL PROTECTED]:~$
> >
> > But no lo device! Will pursue further and report back.
>
> Check that you have the following in /etc/network/interfaces:
>
> # The loopback network interface
> auto lo
> iface lo inet loopback
>
> then run "ifup lo"

BINGO!!

[EMAIL PROTECTED]:~$ echo $DISPLAY
localhost:10.0

There was an error in the /etc/network/interfaces file that prevented lo from being started. No idea at all how it came to be corrupted.

Thanks to all for your help on this.

Cheers,
Alan
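Added example (not part of the thread and not OpenSSH code): the checks the thread worked through by hand, written as a shell triage that runs over captured sshd_config, "sshd -ddd", netstat and ifconfig text. The function names, finding labels and sample inputs are constructed for this example; the samples are modelled on the output quoted above, and the repaired-host sample assumes the X server's own TCP listener has been switched off again.

```shell
#!/bin/sh
# Added example: offline triage for "ssh -X leaves $DISPLAY empty".

# cfg_value FILE KEYWORD DEFAULT: effective sshd_config value. The first
# occurrence wins, keywords are case-insensitive, "#" lines never match.
cfg_value() {
    awk -v k="$2" -v d="$3" '
        tolower($1) == tolower(k) { print tolower($2); found = 1; exit }
        END { if (!found) print d }' "$1"
}

# x11_first_port FILE: first TCP port sshd tries for a forwarded display.
x11_first_port() {
    echo $((6000 + $(cfg_value "$1" X11DisplayOffset 10)))
}

# diagnose CONFIG SSHD_DEBUG NETSTAT IFCONFIG: prints one finding per line,
# nothing when every check passes.
diagnose() {
    cfg=$1; dbg=$2; ns=$3; ifc=$4
    port=$(x11_first_port "$cfg")
    [ "$(cfg_value "$cfg" X11Forwarding no)" = yes ] || echo "x11forwarding-disabled"
    [ "$(cfg_value "$cfg" X11UseLocalhost yes)" = yes ] || echo "forwarded-display-not-bound-to-loopback"

    # sshd walked its port range and every bind() was refused.
    if grep -q 'x11_create_display_inet failed' "$dbg" &&
       grep -q 'bind port [0-9]*: Cannot assign requested address' "$dbg"
    then
        echo "sshd-cannot-bind-x11-socket"
    fi

    # ifconfig starts each interface block with its name in column 0.
    grep -q '^lo[: ]' "$ifc" || echo "loopback-interface-missing"

    # A working session has sshd listening on loopback at the display port.
    awk -v p=":$port" '
        /LISTEN/ && ($4 == ("localhost" p) || $4 == ("127.0.0.1" p)) { ok = 1 }
        END { exit !ok }' "$ns" || echo "no-forwarded-display-listener"

    # The X server itself accepting TCP on every interface is unrelated to
    # the forwarding failure, but it is the exposure DisallowTCP guards against.
    if awk '/LISTEN/ && $4 ~ /^(\*|0\.0\.0\.0|::):(x11|6000)$/ { bad = 1 }
            END { exit !bad }' "$ns"
    then
        echo "x-server-listening-on-all-interfaces"
    fi
    return 0
}

# write_samples DIR: constructed inputs modelled on the output quoted in the
# thread, one set for the failing host and one for the repaired host.
write_samples() {
    cat > "$1/sshd_config" <<'EOF'
x11forwarding yes
#X11DisplayOffset 20
X11DisplayOffset 10
EOF
    cat > "$1/broken.debug" <<'EOF'
debug1: session_input_channel_req: session 0 req x11-req
debug2: bind port 6010: Cannot assign requested address
debug2: bind port 6999: Cannot assign requested address
Failed to allocate internet-domain X11 display socket.
debug1: x11_create_display_inet failed.
EOF
    cat > "$1/broken.netstat" <<'EOF'
tcp        0      0 *:x11            *:*      LISTEN      3520/X
tcp        0      0 localhost:ipp    *:*      LISTEN      3776/cupsd
tcp6       0      0 *:ssh            *:*      LISTEN      4223/sshd
EOF
    cat > "$1/broken.ifconfig" <<'EOF'
eth1      Link encap:Ethernet
          inet addr:192.168.1.101  Bcast:192.168.1.255  Mask:255.255.255.0
EOF
    cat > "$1/fixed.debug" <<'EOF'
debug1: session_input_channel_req: session 0 req x11-req
EOF
    cat > "$1/fixed.netstat" <<'EOF'
tcp        0      0 localhost:6010   *:*      LISTEN      21577/4
tcp        0      0 localhost:ipp    *:*      LISTEN      3776/cupsd
tcp6       0      0 *:ssh            *:*      LISTEN      4223/sshd
EOF
    cat > "$1/fixed.ifconfig" <<'EOF'
lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
EOF
}

# run_case DIR broken|fixed: diagnose one of the sample sets.
run_case() {
    diagnose "$1/sshd_config" "$1/$2.debug" "$1/$2.netstat" "$1/$2.ifconfig"
}

demo_dir=$(mktemp -d)
write_samples "$demo_dir"
echo "failing host:";  run_case "$demo_dir" broken
echo "after ifup lo:"; run_case "$demo_dir" fixed
rm -rf "$demo_dir"
```

On a live host the four inputs would be /etc/ssh/sshd_config plus saved output of the debug sshd, "netstat -tln" and "ifconfig" taken on the machine running sshd.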
Re: Re: [SLUG] ssh and vnc
Sorry to jump in here late, I haven't looked at the whole thread.

Have you already checked your sshd_config on the machine you are ssh'ing to?

You need to have:

X11Forwarding yes        <-- default is NO
X11UseLocalhost yes

you can also get around it with:

AllowTcpForwarding yes   <-- I assume the default of this is no as well.

but would have to deal with the security yourself in that case.

You already seem to have your X server listening on a TCP port so you are OK there (the default these days is to use a unix socket I think)

Anyway - hope I am not stating the obvious here.

If all of that fails then the sshd -ddd looks like a plan to me, use a different port (e.g. -p 5022) - you will need to run this after you ssh'ed in of course.

From the above:

Running netstat on the client [ which has the X server ] won't tell you anything - you need to run it on the server (by that I mean the machine with the sshd running) to check if you have localhost:6010 listening (or similar port - depending on the setting of X11DisplayOffset in the sshd_config)

Useful man pages:
http://www.die.net/doc/linux/man/man5/sshd_config.5.html
http://gentoo-wiki.com/MAN_sshd_8

good luck with it.
> Alan L Tyree <[EMAIL PROTECTED]> wrote:
>
> On Wed, 31 Jan 2007 07:39:02 +1100
> "Amos Shapira" <[EMAIL PROTECTED]> wrote:
>
> > On 31/01/07, Alan L Tyree <[EMAIL PROTECTED]> wrote:
> > >
> > > On the remote Xubuntu ("Misty"), logged in with ssh -X:
> > > [EMAIL PROTECTED]:~$ sudo netstat -tlp
> > > Active Internet connections (only servers)
> > > Proto Recv-Q Send-Q Local Address     Foreign Address   State    PID/Program name
> > > tcp        0      0 localhost:2208    *:*               LISTEN   3795/hpiod
> > > tcp        0      0 *:sunrpc          *:*               LISTEN   3062/portmap
> > > tcp        0      0 *:x11             *:*               LISTEN   3520/X
> > > tcp        0      0 localhost:ipp     *:*               LISTEN   3776/cupsd
> > > tcp        0      0 localhost:60924   *:*               LISTEN   3804/python
> > > tcp6       0      0 *:x11             *:*               LISTEN   3520/X
> > > tcp6       0      0 *:ssh             *:*               LISTEN   4223/sshd
> >
> > So it looks like the -X request doesn't get handled by sshd on the
> > other side, or at least it doesn't listen on a TCP port for you, so
> > your problem is more fundamental than not having the $DISPLAY set.
> >
> > Run "sshd -ddd" on a separate port on Misty and try to connect to it
> > ("-p" parameter to ssh client).
> > Be careful to do it that way instead of killing the standard sshd
> > daemon - read sshd(8) about "-d" carefully before doing that.
>
> OK, I'll try to give that a go later in the day.
>
> > It's digging like this that teaches you the most about
> > Linux/networking/tools/debugging methods, so keep digging.
>
> True, so true. I'm learning a lot more about ssh than I ever wanted to
> know :-)
>
> Thanks for the help, Amos.
>
> > Cheers,
> >
> > --Amos
Re: Re: [SLUG] ssh and vnc
On 31/01/07, [EMAIL PROTECTED] <[EMAIL PROTECTED]> wrote:

> you can also get around it with:
>
> AllowTcpForwarding yes   <-- I assume the default of this is no as well.

I forgot about that one but the manual says that the default is "yes". You still need to enable the X11Forwarding which is a separate flag as you stated.

> but would have to deal with the security yourself in that case.
>
> You already seem to have your X server listening on a TCP port so you
> are OK there (the default these days is to use a unix socket I think)

That's not relevant - once the X11 connection is forwarded to the local ssh client, the ssh client can use UNIX-domain sockets to connect to the local X11 server just like any other local X11 client.

> If all of that fails then the sshd -ddd looks like a plan to me, use a
> different port (e.g. -p 5022) - you will need to run this after you
> ssh'ed in of course.

And make sure the port is accessible through any firewall on the way (you DO have iptables set up, do you?)

Cheers,

--Amos
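The checks this thread converged on (the X11Forwarding, X11UseLocalhost and X11DisplayOffset values in sshd_config, and the loopback stanza in /etc/network/interfaces), as an added shell example that is not part of any poster's message. The function names and sample inputs are constructed; the defaults are those documented in sshd_config(5), and only whitespace-separated global options before the first Match block are read.

```shell
#!/bin/sh
# Added example (not from the thread). Defaults below are those documented in
# sshd_config(5): X11Forwarding no, X11UseLocalhost yes, X11DisplayOffset 10.

# effective_value KEYWORD DEFAULT   (config on stdin)
# sshd keeps the first value it sees for a keyword; keywords are case-insensitive.
# Assumption: "Keyword value" separated by whitespace; parsing stops at a Match block.
effective_value() {
    awk -v key="$1" -v def="$2" '
        /^[ \t]*#/ { next }
        tolower($1) == "match" { exit }
        tolower($1) == tolower(key) { print tolower($2); found = 1; exit }
        END { if (!found) print def }'
}

# x11_report   (config on stdin): where sshd would listen for the first "ssh -X" session
x11_report() {
    cfg=$(cat)
    fwd=$(printf '%s\n' "$cfg" | effective_value X11Forwarding no)
    loc=$(printf '%s\n' "$cfg" | effective_value X11UseLocalhost yes)
    off=$(printf '%s\n' "$cfg" | effective_value X11DisplayOffset 10)
    if [ "$fwd" != yes ]; then
        echo "X11Forwarding=$fwd: no proxy display is created"
        return 1
    fi
    if [ "$loc" = yes ]; then bind=localhost; else bind='*'; fi
    echo "listen=$bind:$((6000 + off)) display=:$off"
}

# has_loopback_stanza   (interfaces file on stdin): both lines Amos lists must be present
has_loopback_stanza() {
    awk '
        /^[ \t]*#/ { next }
        $1 == "auto" { for (i = 2; i <= NF; i++) if ($i == "lo") a = 1 }
        $1 == "iface" && $2 == "lo" && $3 == "inet" && $4 == "loopback" { s = 1 }
        END { exit !(a && s) }'
}

# Constructed sample inputs, not taken from any machine in the thread.
SAMPLE_SSHD='# constructed sshd_config: the first X11Forwarding line wins
X11Forwarding yes
X11DisplayOffset 10
X11Forwarding no'
SAMPLE_IFACES='# constructed interfaces file with no loopback stanza
auto eth1
iface eth1 inet dhcp'

printf '%s\n' "$SAMPLE_SSHD" | x11_report || true
printf '%s\n' "$SAMPLE_IFACES" | has_loopback_stanza || echo "loopback stanza missing"
```

On a real host, feed the functions /etc/ssh/sshd_config and /etc/network/interfaces, then compare the reported port with what "netstat -tl" shows on the machine running sshd.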