On 04/10/2017 11:07, Michael Felt wrote:
I do not often use X11 - but when I do I prefer to enable
X11forwarding, and when finished - turn it off. This is preferable,
imho, to having "clear" X11 processing when local - and otherwise
impossible when working remote.
Working with openssh-7.5p2 I cannot figure out what (extra) I need to
do with sshd_config to get it working.
I know that there is a security-fix starting with openssh-7.2
(https://www.openssh.com/security.html, March 9, 2016) - and when I
load any version of openssh prior to Openssh-7.2 I get the expected
X11 behavior over an ssh(d) X11forwarding tunnel.
So, what should I be looking at on my server or client-side? Is there
a different setting I should be using? I am still using the "putty"
setting of: MIT-Magic-Cookie-1. (I'll test, in a moment using
XDM-Authorization-1). However, the hint I am hoping for is the flag to
set for sshd (e.g., -ddddd) and what debug string - to see if
X11forwarding is attempted, and if so, why it is rejected by the sshd.
Again - no changes to client-side - openssh-7.1 and earlier work,
openssh-7.2 and later do not.
If you need more verbose debug data - please say what you need specifically.
Client Side:
PUTTY-0.67
With OpenSSH-7.6p1
Event Log: Writing new session log (SSH packets mode) to file: C:\Users\michael\Desktop\putty.log
Event Log: Looking up host "192.168.129.72"
Event Log: Connecting to 192.168.129.72 port 22
Event Log: We claim version: SSH-2.0-PuTTY_Release_0.67
Event Log: Server version: SSH-2.0-OpenSSH_7.6
Event Log: Using SSH protocol version 2
Outgoing packet #0x0, type 20 / 0x14 (SSH2_MSG_KEXINIT)
...
Incoming packet #0x9, type 91 / 0x5b (SSH2_MSG_CHANNEL_OPEN_CONFIRMATION)
00000000 00 00 01 00 00 00 00 00 00 00 00 00 00 00 80 00 ................
Event Log: Opened main channel
Event Log: Requesting X11 forwarding
Outgoing packet #0x9, type 98 / 0x62 (SSH2_MSG_CHANNEL_REQUEST)
00000000 00 00 00 00 00 00 00 07 78 31 31 2d 72 65 71 01 ........x11-req.
00000010 00 00 00 00 12 4d 49 54 2d 4d 41 47 49 43 2d 43 .....MIT-MAGIC-C
00000020 4f 4f 4b 49 45 2d 31 XX XX XX XX XX XX XX XX XX OOKIE-1XXXXXXXXX
00000030 XX XX XX XX XX XX XX XX XX XX XX XX XX XX XX XX XXXXXXXXXXXXXXXX
00000040 XX XX XX XX XX XX XX XX XX XX XX 00 00 00 00 XXXXXXXXXXX....
Outgoing packet #0xa, type 98 / 0x62 (SSH2_MSG_CHANNEL_REQUEST)
00000000 00 00 00 00 00 00 00 07 70 74 79 2d 72 65 71 01 ........pty-req.
00000010 00 00 00 05 78 74 65 72 6d 00 00 00 50 00 00 00 ....xterm...P...
00000020 18 00 00 00 00 00 00 00 00 00 00 00 10 03 00 00 ................
00000030 00 7f 80 00 00 96 00 81 00 00 96 00 00 .............
Outgoing packet #0xb, type 98 / 0x62 (SSH2_MSG_CHANNEL_REQUEST)
00000000 00 00 00 00 00 00 00 05 73 68 65 6c 6c 01 ........shell.
Incoming packet #0xa, type 100 / 0x64 (SSH2_MSG_CHANNEL_FAILURE)
00000000 00 00 01 00 ....
Event Log: X11 forwarding refused
Incoming packet #0xb, type 99 / 0x63 (SSH2_MSG_CHANNEL_SUCCESS)
00000000 00 00 01 00 ....
...
And OpenSSH-7.1
=~=~=~=~=~=~=~=~=~=~=~= PuTTY log 2017.10.08 23:14:18 =~=~=~=~=~=~=~=~=~=~=~=
Event Log: Writing new session log (SSH packets mode) to file: C:\Users\michael\Desktop\putty.log
Event Log: Looking up host "192.168.129.72"
Event Log: Connecting to 192.168.129.72 port 22
Event Log: We claim version: SSH-2.0-PuTTY_Release_0.67
Event Log: Server version: SSH-2.0-OpenSSH_7.1
Event Log: Using SSH protocol version 2
Outgoing packet #0x0, type 20 / 0x14 (SSH2_MSG_KEXINIT)
...
Incoming packet #0x9, type 91 / 0x5b (SSH2_MSG_CHANNEL_OPEN_CONFIRMATION)
00000000 00 00 01 00 00 00 00 00 00 00 00 00 00 00 80 00 ................
Event Log: Opened main channel
Event Log: Requesting X11 forwarding
Outgoing packet #0x9, type 98 / 0x62 (SSH2_MSG_CHANNEL_REQUEST)
00000000 00 00 00 00 00 00 00 07 78 31 31 2d 72 65 71 01 ........x11-req.
00000010 00 00 00 00 12 4d 49 54 2d 4d 41 47 49 43 2d 43 .....MIT-MAGIC-C
00000020 4f 4f 4b 49 45 2d 31 XX XX XX XX XX XX XX XX XX OOKIE-1XXXXXXXXX
00000030 XX XX XX XX XX XX XX XX XX XX XX XX XX XX XX XX XXXXXXXXXXXXXXXX
00000040 XX XX XX XX XX XX XX XX XX XX XX 00 00 00 00 XXXXXXXXXXX....
Outgoing packet #0xa, type 98 / 0x62 (SSH2_MSG_CHANNEL_REQUEST)
00000000 00 00 00 00 00 00 00 07 70 74 79 2d 72 65 71 01 ........pty-req.
00000010 00 00 00 05 78 74 65 72 6d 00 00 00 50 00 00 00 ....xterm...P...
00000020 18 00 00 00 00 00 00 00 00 00 00 00 10 03 00 00 ................
00000030 00 7f 80 00 00 96 00 81 00 00 96 00 00 .............
Outgoing packet #0xb, type 98 / 0x62 (SSH2_MSG_CHANNEL_REQUEST)
00000000 00 00 00 00 00 00 00 05 73 68 65 6c 6c 01 ........shell.
Incoming packet #0xa, type 99 / 0x63 (SSH2_MSG_CHANNEL_SUCCESS)
00000000 00 00 01 00 ....
Event Log: X11 forwarding enabled
Incoming packet #0xb, type 99 / 0x63 (SSH2_MSG_CHANNEL_SUCCESS)
00000000 00 00 01 00 ....
...
Server side:
# /opt/sbin/sshd -dddd
debug2: load_server_config: filename /var/openssh/etc/sshd_config
debug2: load_server_config: done config len = 476
debug2: parse_server_config: config /var/openssh/etc/sshd_config len 476
debug3: /var/openssh/etc/sshd_config:90 setting X11Forwarding yes
debug3: /var/openssh/etc/sshd_config:112 setting Subsystem sftp /usr/sbin/sftp-server
debug3: /var/openssh/etc/sshd_config:127 setting ciphers aes128-ctr,aes192-ctr,aes256-ctr,chacha20-poly1305@xxxxxxxxxxx,aes256-cbc
debug3: /var/openssh/etc/sshd_config:136 setting KexAlgorithms curve25519-sha256@xxxxxxxxxx,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
debug3: kex names ok: [curve25519-sha256@xxxxxxxxxx,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1]
debug3: /var/openssh/etc/sshd_config:150 setting macs hmac-sha2-256,hmac-sha2-512,hmac-sha1-96,hmac-sha1
debug1: sshd version OpenSSH_7.1, OpenSSL 1.0.2j 26 Sep 2016
...
debug1: session_new: session 0
debug1: session_open: channel 0
debug1: session_open: session 0: link with channel 0
debug1: server_input_channel_open: confirm session
debug1: server_input_channel_req: channel 0 request x11-req reply 1
debug1: session_by_channel: session 0 channel 0
debug1: session_input_channel_req: session 0 req x11-req
debug3: sock_set_v6only: set socket 7 IPV6_V6ONLY
debug2: fd 6 setting O_NONBLOCK
debug3: fd 6 is O_NONBLOCK
debug1: channel 1: new [X11 inet listener]
debug2: fd 7 setting O_NONBLOCK
debug3: fd 7 is O_NONBLOCK
debug1: channel 2: new [X11 inet listener]
debug1: server_input_channel_req: channel 0 request pty-req reply 1
debug1: session_by_channel: session 0 channel 0
debug1: session_input_channel_req: session 0 req pty-req
debug1: Allocating pty.
debug1: session_pty_req: session 0 alloc /dev/pts/2
debug1: server_input_channel_req: channel 0 request shell reply 1
debug1: session_by_channel: session 0 channel 0
debug1: session_input_channel_req: session 0 req shell
+++++++
debug2: load_server_config: filename /var/openssh/etc/sshd_config
debug2: load_server_config: done config len = 215
debug2: parse_server_config: config /var/openssh/etc/sshd_config len 215
debug3: /var/openssh/etc/sshd_config:42 setting AuthorizedKeysFile .ssh/authorized_keys
debug3: /var/openssh/etc/sshd_config:89 setting X11Forwarding yes
debug3: /var/openssh/etc/sshd_config:112 setting Subsystem sftp /opt/libexec/sftp-server
debug1: sshd version OpenSSH_7.6, OpenSSL 1.0.2j 26 Sep 2016
...
debug1: session_new: session 0
debug1: session_open: channel 0
debug1: session_open: session 0: link with channel 0
debug1: server_input_channel_open: confirm session
debug3: send packet: type 91
debug3: receive packet: type 98
debug1: server_input_channel_req: channel 0 request x11-req reply 1
debug1: session_by_channel: session 0 channel 0
debug1: session_input_channel_req: session 0 req x11-req
debug3: send packet: type 4
debug3: send packet: type 100
debug3: receive packet: type 98
debug1: server_input_channel_req: channel 0 request pty-req reply 1
debug1: session_by_channel: session 0 channel 0
debug1: session_input_channel_req: session 0 req pty-req
debug1: Allocating pty.
debug1: session_pty_req: session 0 alloc /dev/pts/2
debug3: send packet: type 99
debug3: receive packet: type 98
debug1: server_input_channel_req: channel 0 request shell reply 1
debug1: session_by_channel: session 0 channel 0
debug1: session_input_channel_req: session 0 req shell
Again, thx for your time.
Thanks for your time!
Michael
_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@xxxxxxxxxxx
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev