# X11 forwarding with ssh doesn't work ...

## bmichaelsen

Hi!

I have in /etc/ssh/sshd_config:

```
X11Forwarding yes
X11DisplayOffset 10
Protocol 2
UsePAM yes
```

and in /etc/ssh/ssh_config:

```
ForwardX11 yes
```

I did stop iptables on both systems, and did:

```
xhost +localhost
xhost +little
xhost +lord
```

on both systems, then I did a 

```
ssh -Xvv lord
```

on little.

Then in the remote shell a:

```
bjoern@lord ~ % xterm
xterm Xt error: Can't open display: little.sinclair:0.0
```

Shouldn't this be little.sinclair:10.0 ?

Anyway, as you see it doesn't work. Can anybody help me?

Thanks, Björn

```
bjoern@little ~ % grep X11 ssh.log
debug2: x11_get_proto: /usr/X11R6/bin/xauth -f /tmp/ssh-eXldiK6625/xauthfile generate :0.0 MIT-MAGIC-COOKIE-1 untrusted timeout 1200 2>/dev/null
debug2: x11_get_proto: /usr/X11R6/bin/xauth -f /tmp/ssh-eXldiK6625/xauthfile generate :0.0 MIT-MAGIC-COOKIE-1 untrusted timeout 1200 2>/dev/null
debug2: x11_get_proto: /usr/X11R6/bin/xauth -f /tmp/ssh-eXldiK6625/xauthfile list :0.0 . 2>/dev/null
debug2: x11_get_proto: /usr/X11R6/bin/xauth -f /tmp/ssh-eXldiK6625/xauthfile list :0.0 . 2>/dev/null
debug1: Requesting X11 forwarding with authentication spoofing.
debug1: Requesting X11 forwarding with authentication spoofing.
```

----------

## NeddySeagoon

bmichaelsen,

It works by default here if I give the -X option to ssh when I login.

----------

## bmichaelsen

Well, it should here too, but it doesn't.

----------

## ppurka

You could try using

```
ssh -Y <hostname>
```

it solved this problem in my case.

----------

## bmichaelsen

It is getting even more weird: When I ssh from lord to little it works with -X and with -Y. But it fails the other way (and that's what I'm after).

From the debug output (working lord->little):

```
debug2: ssh_session2_setup: id 0
debug2: channel 0: request pty-req
debug2: x11_get_proto: /usr/X11R6/bin/xauth -f /tmp/ssh-DIAmB13202/xauthfile generate :0.0 MIT-MAGIC-COOKIE-1 untrusted timeout 1200 2>/dev/null
debug2: x11_get_proto: /usr/X11R6/bin/xauth -f /tmp/ssh-DIAmB13202/xauthfile list :0.0 . 2>/dev/null
debug1: Requesting X11 forwarding with authentication spoofing.
debug2: channel 0: request x11-req
debug2: channel 0: request shell
debug2: fd 3 setting TCP_NODELAY
debug2: callback done
debug2: channel 0: open confirm rwindow 0 rmax 32768
```

non-working (little->lord):

```
debug2: ssh_session2_setup: id 0
debug2: channel 0: request pty-req
debug2: x11_get_proto: /usr/X11R6/bin/xauth  list :0.0 . 2>/dev/null
debug1: Requesting X11 forwarding with authentication spoofing.
debug2: channel 0: request x11-req
debug2: channel 0: request shell
debug2: fd 3 setting TCP_NODELAY
debug2: callback done
debug2: channel 0: open confirm rwindow 0 rmax 32768
debug2: channel 0: rcvd adjust 131072
```

There is something different here, but I don't know how to fix it ...

----------
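Added example, not from any poster in this thread: the two debug excerpts above differ in the `xauth` command the ssh client ran, and this shell script classifies an `ssh -vv` log by that line. The function names are hypothetical; the sample logs are constructed from lines in the excerpts above.

```shell
#!/bin/sh
# Added example. OpenSSH runs "xauth ... generate ... untrusted" only for
# untrusted forwarding (-X with ForwardX11Trusted no). With trusted forwarding
# (-Y or ForwardX11Trusted yes) it only lists the existing display cookie.

# x11_forward_mode LOGFILE -> untrusted | trusted | none
x11_forward_mode() {
    if grep -q 'x11_get_proto:.* generate .* untrusted' "$1"; then
        echo untrusted      # restricted, time-limited cookie was requested
    elif grep -q 'x11_get_proto:.* list ' "$1"; then
        echo trusted        # remote clients get full access to the display
    else
        echo none           # client never prepared X11 authentication
    fi
}

# x11_req_sent LOGFILE -> exit status 0 if the client sent the x11-req
# channel request, i.e. it actually asked sshd for forwarding.
x11_req_sent() {
    grep -q 'channel [0-9]*: request x11-req' "$1"
}

# Sample logs constructed from the two excerpts in the post above.
tmp=$(mktemp -d)
trap 'rm -rf "$tmp"' EXIT
cat > "$tmp/lord_to_little.log" <<'EOF'
debug2: x11_get_proto: /usr/X11R6/bin/xauth -f /tmp/ssh-DIAmB13202/xauthfile generate :0.0 MIT-MAGIC-COOKIE-1 untrusted timeout 1200 2>/dev/null
debug2: x11_get_proto: /usr/X11R6/bin/xauth -f /tmp/ssh-DIAmB13202/xauthfile list :0.0 . 2>/dev/null
debug1: Requesting X11 forwarding with authentication spoofing.
debug2: channel 0: request x11-req
EOF
cat > "$tmp/little_to_lord.log" <<'EOF'
debug2: x11_get_proto: /usr/X11R6/bin/xauth  list :0.0 . 2>/dev/null
debug1: Requesting X11 forwarding with authentication spoofing.
debug2: channel 0: request x11-req
EOF

for f in "$tmp"/*.log; do
    if x11_req_sent "$f"; then req=sent; else req=missing; fi
    printf '%s: mode=%s x11-req=%s\n' "${f##*/}" "$(x11_forward_mode "$f")" "$req"
done
```

Both directions sent `x11-req`, so the client side requested forwarding in each case; the classification only shows which cookie handling the client used.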

## justanothergentoofanatic

Have you tried turning off UsePAM?

-Mike

----------

## bmichaelsen

 *Quote:*   

> Have you tried turning off UsePAM? 

 

Yes - and now it works! Still I wonder why it didn't before ...

And:

Is this a security risk?

----------

## justanothergentoofanatic

> Yes - and now it works! Still I wonder why it didn't before ...

PAM support in sshd is very buggy -- the sshd developers do not seem to like PAM and do not recommend using it.  I'm not sure why this didn't work for you before; maybe it was turning off PAM in combination with the -Y option? 

> Is this a security risk?

Not unless you were doing something special with PAM that you really needed. But if you were, then you'd probably know it.

-Mike

----------

## bmichaelsen

 *Quote:*   

> PAM support in sshd is very buggy -- the sshd developers do not seem to like PAM and do not recommend using it.

 

It might also be the changing of some USE-Flags - ufed b0rked my /etc/make.conf and I had to restore them afterwards.

 *Quote:*   

> maybe it was turning off PAM in combination with the -Y option? 

 

It works basically with -X too. However, gtk apps crash on a mouseover on a toolbar. Doesn't happen with -Y.

 *Quote:*   

> Not unless you were doing something special with PAM that you really needed. But if you were, then you'd probably know it.

 

Thanks for your help!

Björn

----------

## Athaphian

Hello everyone.... this is my first post here.

I have been searching the internet for 3 hours now and did not find a working solution for my problem so here it goes:

I have two gentoo-linux machines here:

192.168.1.6 (webserver) and 192.168.1.150 (laptop)

I want to remotely access my webserver using my laptop. On both machines XFree is successfully installed and running.

SSH also works fine, so I enabled both X11Forwarding and ran xhost hostname so the access is right etc etc etc... but it didn't work.. so to test if the connection actually works I try to remotely xwindow some program like xclock without using SSH, just for testing.

on 192.168.1.6 I ran: xhost 192.168.1.150 (successfully added)

and on 192.168.1.150 I ran: xclock -display 192.168.1.6:0.0

and it gave me this error:

Error: Can't open display: 192.168.1.6:0.0

I have tried logging in with SSH to start a program on the local screen with :0.0 (so no X11 over network) and this worked, so the xserver is up. It seems like it does not accept network connections or something else is still wrong here.

When I run netstat -ln (on the server) the only X11 related line is:

unix 2 [ACC] STREAM LISTENING 15532 /tmp/.X11-unix/X0

Can anyone help me please?

----------

## Athaphian

Ok, after another three hours of searching, I finally found out.

The X server is not set to listen on the TCP port 6000 which is required.

I edited the /usr/X11R6/bin/startx file and removed the -nolisten tcp line.

Hope to have helped some other people who come across this problem in the future.

----------

## bmichaelsen

You don't need to comment out the nolisten if you use ssh with X11-forwarding. ssh should set up a (virtual) X-Server on the X-Client machine (where you ssh to) and forward it to the X-Server machine (where you ssh from). You only need

```
xhost +localhost
```

on the machine you ssh from. Ssh should set the DISPLAY var on the machine you ssh to to the virtual server (likely localhost:10.0).

This is more secure than making X listen on tcp.

----------

## Athaphian

But that didn't work.

----------

## brianshowalter

 *Athaphian wrote:*   

> SSH also works fine, so I enabled both X11Forwarding and ran xhost hostname so the access is right etc etc etc... but it didn't work.. so to test if the connection actually works I try to remotely xwindow some program like xclock without using SSH, just for testing.

 

Have you tried using the -Y option for ssh?  This tells ssh that you're connecting to a trusted host.  Alternatively, you could set "ForwardX11Trusted yes" in your ~/.ssh/config file for those hosts you trust, and then you wouldn't have to use the -Y flag on the command line.

BTW, there's no need for the xauth or xhosts rigmarole when you're using ssh, as it automatically takes care of Xauthority setup on the X server machine.

----------
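Added example, not from any poster in this thread: a shell check for the two conditions the thread keeps running into, namely whether `DISPLAY` points at an ssh-forwarded display or straight at an X server, and whether an X server accepts TCP connections from the network (the state after removing `-nolisten tcp`). Function names are hypothetical. It assumes `X11DisplayOffset 10` as in the first post, sshd binding forwarded displays to localhost, and X11 ports 6000 to 6063; the two `tcp` lines in the sample are constructed.

```shell
#!/bin/sh
# Added example; see the assumptions in the lead-in.

# display_kind VALUE -> forwarded | direct-tcp | local | invalid
display_kind() {
    host=${1%:*}                    # text before the last ':'
    num=${1##*:}; num=${num%%.*}    # display number, screen suffix dropped
    case $num in ''|*[!0-9]*) echo invalid; return 0 ;; esac
    case $host in
        ''|unix) echo local ;;                 # UNIX socket /tmp/.X11-unix/Xn
        localhost|127.0.0.1)
            # sshd allocates proxy displays starting at X11DisplayOffset (10)
            if [ "$num" -ge 10 ]; then echo forwarded; else echo direct-tcp; fi ;;
        *) echo direct-tcp ;;                  # unencrypted X11 to another host
    esac
}

# x_tcp_listeners: read `netstat -ln` text on stdin and print every
# non-loopback TCP listener in the X11 port range (6000 + display number).
x_tcp_listeners() {
    awk '$1 ~ /^tcp/ && $NF == "LISTEN" {
        n = split($4, a, ":"); port = a[n] + 0
        addr = substr($4, 1, length($4) - length(a[n]) - 1)
        if (port >= 6000 && port <= 6063 && addr !~ /^127\./ && addr != "::1")
            print $4
    }'
}

# Sample: the unix line is from the thread; the two tcp lines are constructed
# (an X server started without -nolisten tcp, and one sshd proxy display).
NETSTAT_SAMPLE='unix 2 [ACC] STREAM LISTENING 15532 /tmp/.X11-unix/X0
tcp 0 0 0.0.0.0:6000 0.0.0.0:* LISTEN
tcp 0 0 127.0.0.1:6010 0.0.0.0:* LISTEN'

for d in little.sinclair:0.0 localhost:10.0 :0.0; do
    printf '%-22s %s\n' "$d" "$(display_kind "$d")"
done
printf 'network-reachable X listeners:\n'
printf '%s\n' "$NETSTAT_SAMPLE" | x_tcp_listeners
```

On a live system, feed it `netstat -ln` output and `"$DISPLAY"` from the remote shell; a `direct-tcp` result inside an ssh session means the forwarded display is not the one in use.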

