
ssh X11 forwarding won't work

I have been trying to get X11 port forwarding to work from my laptop. I can't figure out why it won't work.

I get this message when I try to run xterm:

X11 connection rejected because of wrong authentication.
xterm Xt error: Can't open display: localhost:10.0

I don't know if this is related or not, but when I log in, I get this message:

/usr/bin/xauth:  timeout in locking authority file /home/sphillips/.Xauthority

I have wondered if the problem is that my local user on my laptop is skp and the username on this server is sphillips. I have been able to get X11 forwarding to work with my other computers that use the same skp login.

Also, the X11 port forwarding works from a Windows machine using Xming and PuTTY to the same server. I have to manually configure the DISPLAY variable to the IP address and display 0.0, but it works.

I have run an xhost + on my machine with the attempt to try to bypass any security issues. That still didn't work.

On the server, I check the configuration:

$ sudo grep X11Forwarding /etc/ssh/sshd_config
#X11Forwarding no
X11Forwarding yes
#   X11Forwarding no

And on my machine as well:

$ sudo grep X11Forwarding /etc/ssh/sshd_config
[sudo] password for skp: 
#X11Forwarding no
X11Forwarding yes
#   X11Forwarding no

My server is RedHat Enterprise Linux 6 and my laptop is Fedora 15.

Can anyone give me any thoughts on things to try to get SSH X11 forwarding to work from my laptop?

digitaleagle asked Nov 16 '11 16:11



1 Answer

I finally found the answer (at least for my situation)! The problem was SELinux. I turned off SELinux, and it worked with no problem.

If you are interested in all of the gory details, you can read about it on my blog, but let me detail the pertinent facts here...

On the remote machine, I used dmesg to view the logging messages:

dmesg | tail

I found a number of messages like this:

type=1400 audit(1332520527.110:51337): avc: denied { read } for pid=25240 comm="sshd" name="authorized_keys" dev=dm-5 ino=167 scontext=unconfined_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:home_root_t:s0 tclass=file

You can check the status of SELinux with this command:

$ sestatus
SELinux status: enabled
SELinuxfs mount: /selinux
Current mode: permissive
Mode from config file: permissive
Policy version: 24
Policy from config file: targeted

You can turn it to permissive mode with this command:

setenforce 0

For more information on SELinux, I found Red Hat's guide helpful. Also, for other SSH issues, I found David's blog helpful for getting logging to help.

For me, after that, my X11 forwarding started working with no problem.

SELinux was preventing several other different things. It could not create the necessary files to make key authentication work. I also found it blocking ssh-keygen from creating keys in the home directory.

digitaleagle answered Sep 28 '22 08:09
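
An added example, not part of the original answer: a shell function that turns AVC denial lines like the one quoted above into one summary row per denial, so the offending label is visible at a glance. The function name `summarize_avc` and the `relabel`/`review` hints are hypothetical; the `relabel` hint assumes the targeted policy, where `home_root_t` is the label of `/home` itself and a regular file carrying it has lost its proper label.

```shell
#!/bin/sh
# Summarize SELinux AVC denials read from stdin.
# One row per denial: comm|perms|name|source_type|target_type|hint
summarize_avc() {
    awk '
    /avc:[ ]+denied/ {
        comm = name = stype = ttype = tclass = perms = ""; inperm = 0
        for (i = 1; i <= NF; i++) {
            # Permissions are the words between "{" and "}".
            if ($i == "{") { inperm = 1; continue }
            if ($i == "}") { inperm = 0; continue }
            if (inperm) { perms = perms (perms == "" ? "" : ",") $i; continue }
            eq = index($i, "=")
            if (eq == 0) continue
            key = substr($i, 1, eq - 1); val = substr($i, eq + 1)
            gsub(/"/, "", val)
            if (key == "comm") comm = val
            else if (key == "name") name = val
            else if (key == "tclass") tclass = val
            # A context is user:role:type:level, so the type is field 3.
            else if (key == "scontext") { split(val, c, ":"); stype = c[3] }
            else if (key == "tcontext") { split(val, c, ":"); ttype = c[3] }
        }
        # Assumption: a regular file typed home_root_t is mislabeled,
        # because that type belongs to the /home directory itself.
        hint = (ttype == "home_root_t" && tclass == "file") ? "relabel" : "review"
        printf "%s|%s|%s|%s|%s|%s\n", comm, perms, name, stype, ttype, hint
    }'
}

# The denial quoted in the answer, embedded so the block runs offline.
SAMPLE_AVC='type=1400 audit(1332520527.110:51337): avc: denied { read } for pid=25240 comm="sshd" name="authorized_keys" dev=dm-5 ino=167 scontext=unconfined_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:home_root_t:s0 tclass=file'

printf '%s\n' "$SAMPLE_AVC" | summarize_avc
```

On a live system, feed it with `dmesg | summarize_avc`. For a `relabel` row, running `restorecon -Rv` on the affected home directory restores the policy's default labels while SELinux stays enabled.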