X11 forwarding fails on only a single server

1

I have two computers: PC1 and PC2. Both are running identical installations of Debian Wheezy with the latest updates. The installation on PC2 was copied from PC1 using tar. The only differences between PC1 and PC2 are the grub entries, hostname, contents of /etc/hosts, and IP address. The SSHD configuration of the two computers is identical:

# Package generated configuration file
# See the sshd_config(5) manpage for details

# What ports, IPs and protocols we listen for
Port 22
# Use these options to restrict which interfaces/protocols sshd will bind to
#ListenAddress ::
#ListenAddress 0.0.0.0
Protocol 2
# HostKeys for protocol version 2
HostKey /etc/ssh/ssh_host_rsa_key
HostKey /etc/ssh/ssh_host_dsa_key
HostKey /etc/ssh/ssh_host_ecdsa_key
#Privilege Separation is turned on for security
UsePrivilegeSeparation yes

#AddressFamily inet

# Lifetime and size of ephemeral version 1 server key
KeyRegenerationInterval 3600
ServerKeyBits 768

# Logging
SyslogFacility AUTH
LogLevel INFO

# Authentication:
LoginGraceTime 120
PermitRootLogin yes
StrictModes yes

RSAAuthentication yes
PubkeyAuthentication yes
#AuthorizedKeysFile     %h/.ssh/authorized_keys

# Don't read the user's ~/.rhosts and ~/.shosts files
IgnoreRhosts yes
# For this to work you will also need host keys in /etc/ssh_known_hosts
RhostsRSAAuthentication no
# similar for protocol version 2
HostbasedAuthentication no
# Uncomment if you don't trust ~/.ssh/known_hosts for RhostsRSAAuthentication
#IgnoreUserKnownHosts yes

# To enable empty passwords, change to yes (NOT RECOMMENDED)
PermitEmptyPasswords no

# Change to yes to enable challenge-response passwords (beware issues with
# some PAM modules and threads)
ChallengeResponseAuthentication no

# Change to no to disable tunnelled clear text passwords
#PasswordAuthentication yes

# Kerberos options
#KerberosAuthentication no
#KerberosGetAFSToken no
#KerberosOrLocalPasswd yes
#KerberosTicketCleanup yes

# GSSAPI options
#GSSAPIAuthentication no
#GSSAPICleanupCredentials yes

X11Forwarding yes
X11DisplayOffset 10
X11UseLocalhost no
PrintMotd no
PrintLastLog yes
TCPKeepAlive yes
#UseLogin no

#MaxStartups 10:30:60
#Banner /etc/issue.net

# Allow client to pass locale environment variables
AcceptEnv LANG LC_*

Subsystem sftp /usr/lib/openssh/sftp-server

# Set this to 'yes' to enable PAM authentication, account processing,
# and session processing. If this is enabled, PAM authentication will
# be allowed through the ChallengeResponseAuthentication and
# PasswordAuthentication.  Depending on your PAM configuration,
# PAM authentication via ChallengeResponseAuthentication may bypass
# the setting of "PermitRootLogin without-password".
# If you just want the PAM account and session checks to run without
# PAM authentication, then enable this but set PasswordAuthentication
# and ChallengeResponseAuthentication to 'no'.
UsePAM yes

I can ssh from PC2 to PC1 and run GUI programs just fine. But I can't run GUI programs remotely on PC2 from any computer (including PC2 itself). Here is the output I got when trying to run xterm after ssh -Xvvv localhost on PC2:

user@pc2:~$ xterm
debug1: client_input_channel_open: ctype x11 rchan 3 win 65536 max 16384
debug1: client_request_x11: request from 127.0.0.1 42667
debug2: fd 7 setting O_NONBLOCK
debug3: fd 7 is O_NONBLOCK
debug1: channel 1: new [x11]
debug1: confirm x11
debug2: X11 connection uses different authentication protocol.
X11 connection rejected because of wrong authentication.
debug2: X11 rejected 1 i0/o0
debug2: channel 1: read failed
debug2: channel 1: close_read
debug2: channel 1: input open -> drain
debug2: channel 1: ibuf empty
debug2: channel 1: send eof
debug2: channel 1: input drain -> closed
debug2: channel 1: write failed
debug2: channel 1: close_write
debug2: channel 1: output open -> closed
debug2: X11 closed 1 i3/o3
debug2: channel 1: send close
debug2: channel 1: rcvd close
debug2: channel 1: is dead
debug2: channel 1: garbage collecting
debug1: channel 1: free: x11, nchannels 2
debug3: channel 1: status: The following connections are open:
  #0 client-session (t4 r0 i0/0 o0/0 fd 4/5 cc -1)
  #1 x11 (t7 r3 i3/0 o3/0 fd 7/7 cc -1)

xterm: Xt error: Can't open display: pc2:11.0

Permissions and ownership of ~/.Xauthority look normal:

user@pc2:~$ ls -l ~/.Xauthority 
-rw------- 1 user user 301 Aug 27 13:49 /home/user/.Xauthority

I have been trying to fix this problem for hours by googling, but I don't seem to be getting anywhere. I need your help.

    
by Larssend 27.08.2014 / 09:32

1 answer

4

Check whether you have a ~/.ssh/rc or /etc/ssh/sshrc file on the server. According to this question, if one of these scripts exists, sshd will run it during session startup, and the script is responsible for calling xauth to set up X11 authentication. If neither file exists, sshd will call xauth directly. It's possible that you have one of these files on the remote server and it isn't doing the job correctly.

The OpenSSH sshd man page has an example of the shell code that the rc script should run to set up xauth:

If X11 forwarding is in use, it will receive the "proto cookie" pair in its standard input (and DISPLAY in its environment). The script must call xauth(1) because sshd will not run xauth automatically to add X11 cookies.

if read proto cookie && [ -n "$DISPLAY" ]; then
    if [ `echo $DISPLAY | cut -c1-10` = 'localhost:' ]; then
        # X11UseLocalhost=yes
        echo add unix:`echo $DISPLAY |
            cut -c11-` $proto $cookie
    else
        # X11UseLocalhost=no
        echo add $DISPLAY $proto $cookie
    fi | xauth -q -
fi
    
by 30.08.2014 / 14:12
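
The check described in the answer above, as an added example that is not part of the original answer or of OpenSSH: it reports which rc file sshd would run for a session and whether that file invokes xauth at all. The function names and the three status words are assumptions made for this sketch; the file paths are the ones named in the answer.

```shell
#!/bin/sh
# Added diagnostic sketch (not from the original post). The directories are
# parameters so the functions can also be run against a scratch tree.

# which_rc HOME_DIR ETC_DIR
# Prints the rc file sshd would run: the per-user file wins over the
# system-wide one. Prints nothing when neither exists.
which_rc() {
    if [ -f "$1/.ssh/rc" ]; then
        printf '%s\n' "$1/.ssh/rc"
    elif [ -f "$2/sshrc" ]; then
        printf '%s\n' "$2/sshrc"
    fi
}

# rc_calls_xauth FILE
# Succeeds if a non-comment line mentions xauth as a whole word.
rc_calls_xauth() {
    grep -v '^[[:space:]]*#' "$1" |
        grep -Eq '(^|[^[:alnum:]_])xauth([^[:alnum:]_]|$)'
}

# x11_rc_status HOME_DIR ETC_DIR
# Prints one of the (hypothetical) status words:
#   no-rc             no rc file, sshd runs xauth itself
#   rc-calls-xauth    an rc file exists and invokes xauth
#   rc-missing-xauth  an rc file exists but never stores the cookie,
#                     so forwarded X11 connections fail authentication
x11_rc_status() {
    rc=$(which_rc "$1" "$2")
    if [ -z "$rc" ]; then
        echo "no-rc"
    elif rc_calls_xauth "$rc"; then
        echo "rc-calls-xauth"
    else
        echo "rc-missing-xauth"
    fi
}

# On the affected server: sh this-script --check
if [ "${1:-}" = "--check" ]; then
    x11_rc_status "$HOME" /etc/ssh
fi
```

A result of rc-calls-xauth only shows that the script mentions xauth; running `xauth list "$DISPLAY"` inside the forwarded session shows whether a cookie was actually stored for that display.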
