
X11 forwarding doesn't work

Open Sigi33 opened this issue 3 years ago • 9 comments

Moin, X11 forwarding doesn't work in my application based on the example X11.java. 'X11 connection requested' by the server until resources are exhausted.

System: Fedora 33, SSH-server: OpenSSH_8.4p1, OpenSSL 1.1.1k

sshd_config:

    usepam yes
    ignorerhosts yes
    pubkeyauthentication yes
    kerberosorlocalpasswd yes
    kerberosticketcleanup yes
    kerberosusekuserok yes
    gssapiauthentication yes
    gssapistrictacceptorcheck yes
    printlastlog yes
    x11forwarding yes
    permittty yes
    permituserrc yes
    tcpkeepalive yes
    compression yes
    allowtcpforwarding yes
    allowagentforwarding yes
    allowstreamlocalforwarding yes

sshd_fail.log sshjTest_fail.log

Sigi33 avatar Apr 11 '21 19:04 Sigi33

Hi! Does it work with OpenSSH client? Also, try to specify AddressFamily inet in sshd_config, it might help.

vladimirlagunov avatar Apr 12 '21 04:04 vladimirlagunov

Moin, I forgot to mention it... works:

  • ssh User@localhost /usr/bin/xclock
  • ssh -Y User@localhost /usr/bin/xclock
  • ssh -X User@localhost /usr/bin/xclock

But it doesn't work with sshj.

The change of the value AddressFamily any to inet did not solve the issue.

The ssh server sends CHANNEL_OPEN requests until resources are exhausted:

    debug1: channel 1007: new [X11 connection from 127.0.0.1 port 56892]
    debug1: X11 connection requested.
    accept: Too many open files

I can provide logs (e.g. wireshark, ...) if needed.

Don't know how to get it working... any idea is appreciated.

Thanks,

Sigi33 avatar Apr 12 '21 20:04 Sigi33

Also, the problem might be in the X11 authentication. Try to generate a valid cookie via xauth on your SSH client (which is also the X11 server), and send it instead of the fake one.

Also, the example targets the default X11 port, which might be overridden on your machine.

If I were you, I'd run strace /usr/sbin/sshd -o LogLevel=DEBUG2 ..., try to connect from both clients, and compare the SSH server logs via diff -u, removing various timestamps and other junk from the logs in advance.

vladimirlagunov avatar Apr 13 '21 04:04 vladimirlagunov
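
The two checks suggested in the comment above (a real xauth cookie, and the port the local X server actually uses), as an added example that is not part of the thread or of sshj. The helper names `x11_endpoint` and `xauth_cookie` are hypothetical, the `xauth list` sample is constructed, and the display-to-endpoint mapping is the general X11 convention (TCP port 6000 + display number, or the socket `/tmp/.X11-unix/XN` for a local display).

```shell
#!/bin/sh
# Added illustration; x11_endpoint and xauth_cookie are hypothetical helper names.

# x11_endpoint DISPLAY
# Prints "unix /tmp/.X11-unix/XN" for a local display (":N", "unix:N") or
# "tcp HOST PORT" with PORT = 6000 + N for a network display ("host:N[.screen]").
x11_endpoint() {
    case $1 in
        *:*) ;;
        *) echo "no display number in '$1'" >&2; return 1 ;;
    esac
    host=${1%:*}
    num=${1##*:}
    num=${num%%.*}                      # drop the optional ".screen" suffix
    case $num in
        ''|*[!0-9]*) echo "bad display number in '$1'" >&2; return 1 ;;
    esac
    case $host in
        ''|unix) echo "unix /tmp/.X11-unix/X$num" ;;
        *)       echo "tcp $host $((6000 + num))" ;;
    esac
}

# xauth_cookie N   (reads `xauth list` output on stdin)
# Prints "MIT-MAGIC-COOKIE-1 <hex>" for display N; fails if no entry for that
# display carries a well-formed 128-bit cookie (32 hex digits).
xauth_cookie() {
    awk -v n="$1" '
        { d = $1; sub(/^.*:/, "", d); sub(/\..*$/, "", d) }
        d == n && $2 == "MIT-MAGIC-COOKIE-1" && length($3) == 32 && $3 ~ /^[0-9a-fA-F]+$/ {
            print $2, $3; found = 1; exit
        }
        END { exit !found }'
}

# Constructed sample of `xauth list` output (not a real cookie); the second
# entry is deliberately malformed.
SAMPLE_XAUTH='myhost/unix:0  MIT-MAGIC-COOKIE-1  00112233445566778899aabbccddeeff
myhost/unix:10  MIT-MAGIC-COOKIE-1  deadbeef'

x11_endpoint ":0"
x11_endpoint "localhost:10.0"
printf '%s\n' "$SAMPLE_XAUTH" | xauth_cookie 0
```

On a real client the input would be `xauth list "$DISPLAY"`. A `unix` result means local clients reach the X server through that socket, so a forwarder aimed at localhost:6000 only works if the server also listens on TCP; the cookie is a credential for the display and should stay out of logs.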

Moin, I did what you suggested. A new cookie was generated and used, but without success. Comparing the sshd log files didn't help me in any way. I didn't find anything, nor do I know what I have to focus on. Please, can you tell me what your sshd config/setup/environment looks like? Thanks in advance

Sigi33 avatar Apr 21 '21 19:04 Sigi33

So, we regularly check X11 forwarding support on CI with real Xorg and real OpenSSH, and of course the tests pass.

The only noticeable thing from the SSH server is AddressFamily=inet. For some reason, when I was implementing the X11 forwarding support in our products, neither OpenSSH nor PuTTY could decide automatically whether they should use IPv4 or IPv6 for X11. So SSHJ can't either. However, I haven't investigated the problem deeply.

Code of the client schematically looks like:

sshClient.registerX11Forwarder { channel -> 
  // Connect to your local X11 client, presumably localhost:6000.
  // Start a thread forwarding input and output streams.
  channel.confirm()
}
val channel = sessionChannel.open()
val cookie = invokeXauthGenerateTool()
channel.reqX11Forwarding("MIT-MAGIC-COOKIE-1", cookie, 0)
channel.exec(command)

vladimirlagunov avatar Apr 22 '21 04:04 vladimirlagunov

I also have this situation. How to solve it? Thank you

liunn123 avatar Jul 12 '22 11:07 liunn123

Didn't solve it. I've tried to debug, but unfortunately my knowledge of ssh & X11 forwarding is limited. If you get a solution, please let me know...

Sigi33 avatar Jul 12 '22 20:07 Sigi33

Didn't solve it. I tried to debug, but unfortunately I know little about ssh and X11 forwarding. If you have a solution, please let me know...

Well, I'll try to find it

liunn123 avatar Jul 13 '22 01:07 liunn123

Moin, have you figured out how it works or have you fixed it?

Sigi33 avatar Aug 17 '22 19:08 Sigi33