On Fri, Oct 27, 2000 at 11:56:06PM +0100, David Pick wrote:
> 
> > I seem to have hit an interesting problem with openssh-2.1.1p1-1 and X
> > forwarding. When I use the directions in the file
> > /usr/doc/openssh-2.1.1p1/README.Ylonen, I get different results:
> > 
> > root@charlesc # ssh server echo $DISPLAY
> > root@server's password:
> > charlesc:0.0
> 
> Note that this is to be expected because $DISPLAY gets expanded by the
> shell on "charlesc" and the command passed to "server" is:
>       echo charlesc:0.0

Duh! Thank you.

root@charlesc # ssh server echo $DISPLAY
root@server's password:
charlesc:0.0
root@charlesc # ssh server 'echo $DISPLAY'
root@server's password:
server:0.0
root@charlesc #


> 
> > root@charlesc # ssh -f server emacs
> > root@server's password:
> > _X11TransSocketINETConnect: Can't connect: errno = 111
> > _X11TransSocketINETConnect: Can't connect: errno = 111
> > _X11TransSocketINETConnect: Can't connect: errno = 111
> > _X11TransSocketINETConnect: Can't connect: errno = 111
> > _X11TransSocketINETConnect: Can't connect: errno = 111
> > _X11TransSocketINETConnect: Can't connect: errno = 111
> > emacs: Cannot connect to X server server:0.0.
> > Check the DISPLAY environment variable or use `-d'.
> > Also use the `xhost' program to verify that it is set to permit
> > connections from your machine.
> > 
> > In the first command, I have it echo $DISPLAY, which is the display on the
> > machine from which I am logging in. In the second, emacs is dying after
> > being unable to connect to an X server on the machine the client is
> > running on, server. Is this a bug in openssh-2.1.1p1-1?
> 
> Make *sure* the X forwarding is enabled; different versions of ssh have
> different defaults; try:
>       ssh -X -f server emacs

This is no go; same errors.


> to force X forwarding on; also check both the client and server config
> files.

xhost allows server in. In the server's config (/etc/ssh/sshd_config), I
have:

X11Forwarding yes
X11DisplayOffset 10

In the client config (/etc/ssh/ssh_config), I have:

Host *
        ForwardAgent no
        ForwardX11 no
        FallBackToRsh no

Host server
        ForwardAgent yes
        ForwardX11 yes

> 
> > I can get a connection by setting the server explicitly:
> > 
> > root@charlesc # ssh -f server emacs -d charlesc:0.0
> > root@server's password:
> > 
> > However three things:
> > 
> > 1) I don't know if this is running through X forwarding via SSH or
> > through the standard X client-server mechanism, and
> 
> Standard X client-server in this case.
> 
> > 2) ssh does not appear to be forking into the background.
> > 
> > 3) ssh does not appear to be setting the variable display correctly.
> > 
> > root@charlesc # ssh -f server 'echo $DISPLAY ; emacs -d charlesc:0.0'
> > root@server's password:
> > server:0.0
> 
> This is correct: because of the single quote symbols the shell on "charlesc"
> will *not* expand $DISPLAY on that machine but will pass the command:
>       echo $DISPLAY; emacs -d charlesc:0.0
> to "server"; the shell on "server" will interpret $DISPLAY as "server:0.0".
> 
> *If* the "sshd" is behaving correctly it should be listening on port 6000+n
> for local connections which it will forward through the SSH tunnel to
> "charlesc". However, I would expect it to be listening for X display n
> where n>0 and normally about 10 rather than listening for display 0.

OK, how do I find out where it is listening? /etc/services has:

# xdmcp         177/tcp                         # X Display Mgr. Control Proto
# xdmcp         177/udp

and nothing I can detect on a simple text search ("60") in the 6000 on up
area.

> 
> > Question: do I have to have a working X server on server for X forwarding
> > to work?
> 
> No. And if you don't, display 0 should work OK for a forwarded
> connection.

BINGO! I set

X11DisplayOffset 0

for the server, and I can run "ssh -X -f server emacs" successfully. But:
"ssh -f server emacs" fails. As does "ssh server emacs". (And ssh never
forks into the background.)

Now, with this at least partially working, I still have some questions:

1) Should I leave the "X11DisplayOffset" value alone on server? It will
   never have a X server of its own, so this is fine. Is this the
   appropriate setting for a computer with no X server? But suppose later
   on I want to use ssh on another machine which does have an X server?
   Should I set that machine's "X11DisplayOffset" to 0 also, or leave it
   at 10?

2) Assuming we get this working, is it a candidate for the FAQ?

3) When I shut down the tunneled emacs, I get:

root@charlesc # ssh -X server emacs
root@server's password:
channel 1: chan_shutdown_read: shutdown() failed for fd8 [i1 o128]: Transport endpoint is not connected
Connection to server closed by remote host.

   Is this OK? It looks like a typical abrupt shutdown to my inexpert eyes.

> 
> >          I do not have one on server because it is a 486, with limited
> > RAM, which I intend to use as a firewall and I have no reason to want an X
> > server. I intend to do all of my X displaying for server (mostly emacs and
> > Red Hat config tools) on charlesc.
> 
> I do *exactly* what you're trying to do with a firewall myself. Except it's
> FreeBSD instead of Linux.

Ah. And does the firewall have an X server? And what is the value of its
"X11DisplayOffset"?

> 
> By the way, to protect my desktop machine, my "Xservers" file has the
> parameter "-nolisten tcp" appended to the line starting the local server.
> This stops it listening for TCP connections on port 6000 from anywhere
> (either local processes or remote ones) and it only talks using the
> "unix domain" socket usually named ":0.0". SSH forwards this like any
> other X connection and it all works with less chance of a security hole
> allowing unauthorized connections to the X display server process.

I'll keep this in mind to try after ssh is working to my satisfaction.


Thank you, sir. This is a great help.

-- 

                -- C^2

No windows were crashed in the making of this email.

Looking for fine software and/or web pages?
http://w3.trib.com/~ccurley
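
The question above of where sshd is listening can be answered by mapping a DISPLAY value to its TCP port (6000+n, as described in the thread) and comparing it with the listening sockets. This is an added example, not part of the original mail; the function names, the sample listener table and the 64-display scan window are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: relate $DISPLAY to the TCP port an X client will try.

# Constructed sample of `netstat -tln` output on "server" with X11DisplayOffset 10.
SAMPLE_NETSTAT='Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:6010            0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:25              0.0.0.0:*               LISTEN'

# display_port HOST:N[.S] -> prints 6000+N.
# Returns 1 for a unix-socket display (empty host, e.g. ":0.0"), 2 if malformed.
display_port() {
    host=${1%%:*}          # text before the first ':'
    rest=${1#*:}           # "N" or "N.S"
    num=${rest%%.*}        # display number N
    case $num in ''|*[!0-9]*) return 2 ;; esac
    [ -n "$host" ] || return 1
    echo $((6000 + num))
}

# x_listeners: reads `netstat -tln`-style text on stdin and prints
# ":N PORT" for every TCP listener in the assumed window 6000..6063.
x_listeners() {
    awk '$1 ~ /^tcp/ && $NF == "LISTEN" {
             n = split($4, a, ":"); p = a[n] + 0
             if (p >= 6000 && p < 6064) printf ":%d %d\n", p - 6000, p
         }'
}

# check_display DISPLAY (listener table on stdin): reports whether anything
# listens on the port that DISPLAY implies. "refused" corresponds to the
# errno = 111 (ECONNREFUSED on Linux) lines emacs printed in the thread.
check_display() {
    port=$(display_port "$1") || { echo "unix-socket-or-invalid"; return 0; }
    if x_listeners | grep -q " $port\$"; then
        echo "listening"
    else
        echo "refused"
    fi
}

# Demo on the constructed table; on a live host use: netstat -tln | x_listeners
printf '%s\n' "$SAMPLE_NETSTAT" | x_listeners
printf '%s\n' "$SAMPLE_NETSTAT" | check_display server:0.0
printf '%s\n' "$SAMPLE_NETSTAT" | check_display server:10.0
```

Run inside the ssh session, `check_display "$DISPLAY"` fed from `netstat -tln` shows whether the display the client was handed matches a port that is actually being listened on.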
