[Gllug] X problem

damion.yates at gmail.com damion.yates at gmail.com
Mon Nov 6 04:15:20 UTC 2006


On Sun, 5 Nov 2006, Ian Northeast wrote:

> Khusro Jaleel wrote:
> > Maybe you have X11Forwarding disabled in your
> > /etc/ssh/sshd_config, just as John said? I recently started seeing
> > this message too, and I think that was the problem.
> 
> Having X11 forwarding disabled on the target machine is indeed the
> most likely explanation. It's also possible to disable it at the
> client end (ssh_config) but this is less common. It's quite common
> for the ssh server end to default to no X forwarding, it's sometimes
> perceived as a security risk. IMO it's more secure than any
> alternative so I always enable it.

I agree this is the most likely.  If you're not root on the remote box
you'll need to run your own sshd with this option enabled, on a port
above 1023.
 
> Another possible cause is "xauth" missing on the target machine. I
> don't think I've ever seen this in Linux though. It's not uncommon
> in AIX as a default "without graphics" installation doesn't include
> it.

I've have recently seen this as the cause of the problem originally
stated, on a Debian server.  What was really annoying is that I'd
expected a log somewhere on the remote box to have said that sshd had
failed to spawn xauth.  It was just a hunch that the xclients hadn't
been installed that led to my eventual solution as it was just
silently failing.

To be honest I would hope to see a lack of X clients on any tight,
secure server build.  I'm normally a Slackware user and you'd
typically only install something like A, maybe AP, L and N install
series, for a server (X stuff comes in the X series).  Although I've
heard that to be a standards base complient install you need things
like libopengl.so and most of a cups install!?
 
One extra thing to check that I thought I'd add to the mix, is to
check that the local shell you're initiating the ssh connection from,
has $DISPLAY correctly set in the first place.  If you've 'su'ed a few
times or started screen or similar, you can easily lose this value.
The fastest check is just to run and kill xterm before making the
connection.

Damion

-- 
Damion Yates - damion.yates at gmail.com
-------------- next part --------------
-- 
Gllug mailing list  -  Gllug at gllug.org.uk
http://lists.gllug.org.uk/mailman/listinfo/gllug


More information about the GLLUG mailing list