HPE Community
Operating System - HP-UX
1825768 Members
2082 Online
109687 Solutions
New Discussion

Re: ssh/X11 forwarding not working on certain hosts

 
Richard I Curtis
Frequent Advisor

‎04-16-2008 06:49 AM

‎04-16-2008 06:49 AM

ssh/X11 forwarding not working on certain hosts

Hi,
I have OpenSSH_4.1p1 installed and running on HPUX 11iV1, and have "X11Forwarding yes" in my /usr/local/etc/sshd_config file.

On one of my hosts, when I ssh in (I am using SecureCRT and PuTTY), even though I have the "enable X11 forwarding" options set in the clients, I am no able to get the display to work. If I connect to a different server, at the same site, with the same settings, it works perfectly.

I have exceed running and displaying the X11 gui's from the working host, but not the other one.
I've tried it with my DISPLAY variable set and unset, and no matter what I try 4 of my 6 HPUX servers refuse to allow the display. I am sure it is not a firewall issue as the fact I can get a normal ssh session proves port 22 is open OK, and as X11 traffic is set to tunnel, as far as the firewall is concerned, everything is ssh traffic.

Anyone got any ideas ?
0 Kudos
5 REPLIES 5
OldSchool
Honored Contributor

‎04-16-2008 08:46 AM

‎04-16-2008 08:46 AM

Re: ssh/X11 forwarding not working on certain hosts

depending on the O/S, DISPLAY should contain either the IP address of the server, or "localhost"

something along the lines of

localhost:10.0 -or-
11.64.88.72:10.0

which one works seems to be related to the version of the o/s, libc, and ssh installed.

try both and see if either works.

0 Kudos
Richard I Curtis
Frequent Advisor

‎04-18-2008 06:31 AM

‎04-18-2008 06:31 AM

Re: ssh/X11 forwarding not working on certain hosts

I think this is a firewall related issue as I am unable to even ping from the remote server back to the desktop that I am trying to view the exported display on.

What firewall ports will need to be open for this to work?
I would have assumed only port 22 as it is tunneled by SSH but as I dont have access to the firewalls, I cannot check.

Does anyone know which ports are needed for tunneled X11 over SSH ?
0 Kudos
Matti_Kurkela
Honored Contributor

‎04-18-2008 06:57 AM

‎04-18-2008 06:57 AM

Re: ssh/X11 forwarding not working on certain hosts

X11 is indeed tunneled over SSH using port 22 only. So it is not a firewall issue.

When a SSH connection with X11 forwarding is established, the sshd must be able to use the "xauth" command, which writes to the ~/.Xauthority file (or the file defined in XAUTHORITY environment variable, if it exists).

If the xauth command is not available to the user at the destination host or the .Xauthority file is not writeable, the X11 forwarding will fail. This can happen if the disk containing the user's home directory is full. With HP-UX servers, this happens quite often because the default size for the /home LV is tiny by modern standards.

OpenSSH has a compile-time option for libwrap support. If this option was enabled when compiling OpenSSH, the files /etc/hosts.allow and /etc/hosts.deny can be used to control access to sshd... and it can be also used to control various forwarding options, although this feature is not too obvious.

If OpenSSH has libwrap support enabled, you may need to add a line to your /etc/hosts.allow to specifically allow SSH X forwarding. This line could be:

sshdfwd-X11: ALL

or if you want to be more specific:

sshdfwd-X11: 1.2.3.0/255.255.255.0

MK
MK
0 Kudos
Richard I Curtis
Frequent Advisor

‎04-24-2008 05:19 AM

‎04-24-2008 05:19 AM

Re: ssh/X11 forwarding not working on certain hosts

This is now resolved - I had to upgrade my OpenSSH version to a newer release (I now have the supported HP bundled one)...

Thanks for the help guys.
0 Kudos
Richard I Curtis
Frequent Advisor

‎04-24-2008 05:21 AM

‎04-24-2008 05:21 AM

Re: ssh/X11 forwarding not working on certain hosts

.
0 Kudos
The opinions expressed above are the personal opinions of the authors, not of Hewlett Packard Enterprise. By using this site, you accept the Terms of Use and Rules of Participation.