HELP!!! ssh -Y doesn't work

Question

Level 1

19 points

HELP!!! ssh -Y doesn't work

Hi,

I have new iBook with Tiger (10.4.2) and X11 (1.1 - XFree86 4.4.0). To log in to our server I tried both

ssh -X user@server and ssh -Y user@server

and no luck, cannot run emacs and so on. I'm getting the same message in both cases

[user@server]$ emacs
X11 connection rejected because of wrong authentication.
Connection lost to X server `localhost:10.0'

When I logged in using ssh -Y I also got this message

Warning: No xauth data; using fake authentication data for X11 forwarding.

Thanks for any help!

Posted on Sep 19, 2005 12:08 PM

Reply

Answer 1

Sep 19, 2005 12:55 PM in response to Puma

Do you have X11 open on the computer you're ssh-ing from? Is DISPLAY set before you try to ssh to the server?

echo $DISPLAY

What is the operating system of the server you're trying to ssh into?

Reply

Answer 2

Puma Author

Level 1

19 points

Sep 19, 2005 6:46 PM in response to Jeff Hubbach

I run X11 on my ibook

echo $DISPLAY
😮.0

I think that remote server has redhat Linux 7 . I'll check.

Reply

Answer 3

Sep 19, 2005 9:26 PM in response to Puma

Hi Puma,
Try deleting the .Xauthority in the home directory of the user, "user", and try logging in with the "-Y" again. The error message, "Warning: No xauth data; using fake authentication data for X11 forwarding." appears to be the norm rather than the exception, at least for me. If there is no .Xauthority file in the user's home directory, the above message precedes the following on my machine:

/usr/X11R6/bin/xauth: creating new authority file /home/user/.Xauthority

If this still doesn't work, make sure your firewall isn't on or if it is, make sure that ports 6000-6063 are open.
--
Gary
~~~~
It is often the case that the man who can't tell a lie thinks
he is the best judge of one.
-- Mark Twain, "Pudd'nhead Wilson's Calendar"

Reply

Answer 4

Puma Author

Level 1

19 points

Sep 19, 2005 9:47 PM in response to Gary Kerbaugh

1. I deleted the file .Xauthority and tried to log in with ssh -Y.
I did not get the message about creating the new .Xauthority you mentioned. After I tryed to run X11 I checked the usr home directory and .Xauthority was not there.

It did not work...

ssh -Y aaa@bbbb
aaa@bbbb's password:
Warning: No xauth data; using fake authentication data for X11 forwarding.
[aaa@bbbb aaa]$ gedit
X11 connection rejected because of wrong authentication.
The application 'gedit' lost its connection to the display localhost:10.0;
most likely the X server was shut down or you killed/destroyed
the application.
[aaa@bbbb aaa]$

2. We do have firewall. Could you, please, tell me how I can open ports 6000-6063?

thanks!

Reply

Answer 5

Bill Scott

Level 6

11,459 points

Sep 19, 2005 10:22 PM in response to Puma

Warning: No xauth data; using fake authentication data for X11 forwarding.

I always get that. It is meaningless (as far as functionality goes.)

Use

ssh -q -Y name@place.whatever

Reply

Answer 6

Puma Author

Level 1

19 points

Sep 19, 2005 10:46 PM in response to Bill Scott

thank you for your reply, Bill. It did not work...

ssh -q -Y aaa@bbbb
aaa@bbbb's password:
[aaa@bbbb aaa]$ gedit
The application 'gedit' lost its connection to the display localhost:11.0;
most likely the X server was shut down or you killed/destroyed
the application.
[aaa@bbbb aaa]$

Reply

Answer 7

Sep 20, 2005 1:35 AM in response to Puma

Hi Puma,

> Could you, please, tell me how I can open ports 6000-6063?

Ah, I think we've found the problem. The following command will open the port to the world:

sudo ipfw add 3900 allow tcp from any to me dst-port 6000-6063

Of course you should change the number 3900 to something more appropriate to your firewall. Changing "any" to something more specific would open the ports to fewer machines and replacing "me" with your machine's IP address would result in a faster rule. This rule opens the firewall to incoming packets. I assume outgoing packets to be covered by a different rule, like one allowing packets in established connections.
--
Gary
~~~~
You must dine in our cafeteria. You can eat dirt cheap
there!!!!

Reply

Answer 8

Puma Author

Level 1

19 points

Sep 20, 2005 6:33 AM in response to Gary Kerbaugh

Thank you, Gary. I do not know much about this stuff. I typed sudo ... did not work.

sudo ipfw add 3900 allow tcp from any to me dst-port 6000-6063

We trust you have received the usual lecture from the local System
Administrator. It usually boils down to these three things:

#1) Respect the privacy of others.
#2) Think before you type.
#3) With great power comes great responsibility.

Password:
03900 allow tcp from any to me dst-port 6000-6063
ibook:~ aaa$ ssh -Y aaa@bbbb
aaa@bbbb's password:
Warning: No xauth data; using fake authentication data for X11 forwarding.
[aaa@bbbb aaa]$ gedit
X11 connection rejected because of wrong authentication.
The application 'gedit' lost its connection to the display localhost:10.0;
most likely the X server was shut down or you killed/destroyed
the application.
[aaa@bbbb aaa]$ emacs
X11 connection rejected because of wrong authentication.
Connection lost to X server `localhost:10.0'
[aaa@bbbb aaa]$

Will replacement "me" and "any" with appropriate numbers solve the problem?

I installed X11 1.1 from the CD that my iBook came with. I tryed to install the older version (X11 1.0) from apple downloads, but it did not allow me to do it. So I have to use 1.1 version. It has some bugs in it. For example, I need to click twice on X11 icon on the dock, to bring the terminal to the screen. Sometimes terminal just closes itself. is it something that everybody has to deal with?

Reply

Answer 9

Sep 20, 2005 8:41 AM in response to Puma

You don't need to open up the firewall. When you use SSH X11 forwarding, the X11 connections appear to come from the local computer. As long as you can open up X11 apps on your mac locally, then your mac should be fine.

Things to check and double-check:

1) Ensure that X11 is open and DISPLAY is set on the mac before attempting to ssh -Y to the server (a good way to check this is to open up something like xeyes)
2) Check in the user's home directory on the server. Is there a ~/.ssh/authorized_keys file? In that file, it is possible to disable X11 forwarding or xauth forwarding on a per-host basis.
3) Ensure that X11 Forwarding is enabled in /etc/ssh/sshd_config on the server. Also, check the other values of the X11 _ parameters in sshd_config. I'm not sure what X11UseLocalhost does, but mine is set to no.
4) ssh -Y user@server. Try to open xeyes. What's the result?

Here's some output from a test session (xeyes worked both locally and on the server) JeffPB is local, pe1750db is the server:
[jhubbach@JeffPB]~ 506 $ echo $DISPLAY
😮.0
[jhubbach@JeffPB]~ 507 $ ssh -Y chadev@pe1750db
chadev@pe1750db's password:
[chadev@pe1750db chadev]$ echo $DISPLAY
localhost:10.0

Note: I've never gotten the "X11 connection rejected because of wrong authentication" message, nor do I ever get " Warning: No xauth data; using fake authentication data for X11 forwarding."

Reply

Answer 10

Puma Author

Level 1

19 points

Sep 20, 2005 10:55 AM in response to Jeff Hubbach

Thank you Jeff, here is what I've done.

I started X11 and typed -

ibook:~ aaa$ echo $DISPLAY
😮.0
ibook:~ aaa$ xeyes &
[1] 407
ibook:~ aaa$

eyes are running on the background, No prob here.

then I ssh to the server

ibook:~ aaa$ ssh -Y aaa@bbbb
aaa@bbbb's password:
Warning: No xauth data; using fake authentication data for X11 forwarding.
[aaa@bbbb aaa]$ echo $DISPLAY
localhost:10.0
[aaa@bbbb aaa]$

Then I typed again xeyes

[aaa@bbbb aaa]$ xeyes
X11 connection rejected because of wrong authentication.
X connection to localhost:10.0 broken (explicit kill or server shutdown).
[aaa@bbbb aaa]$

regarding 2. and 3. On my server I do not have authorized_keys file
I do not have permission to look at sshd_config, but I looked at ssh_config and it has lines

Host *
ForwardX11 yes

_______________

I did not have problem on my old laptop with Panther using ssh -X to connect.

My colleague is using ssh -Y to connect to the same server and it's working for him. I know he is running Tiger, do not know what version.

Reply

Answer 11

Sep 20, 2005 11:30 AM in response to Puma

I found some info via google that may or may not be helpful. It sounds like it's an xauth thing...

Do you have an ~/.Xauthority file? what's its contents? does the other user that can successfully use Tiger have an ~/.Xauthority file?

Links:
http://www.cygwin.com//ml/cygwin-xfree/2004-10/msg00236.html
http://www.derkeiler.com/Newsgroups/comp.security.ssh/2003-01/0298.html
http://www.sunmanagers.org/pipermail/sunmanagers/2004-April/029947.html
http://list.linux-vserver.org/archive/vserver/msg00979.html

Reply

Answer 12

Puma Author

Level 1

19 points

Sep 20, 2005 12:23 PM in response to Jeff Hubbach

I used to have it. I did cat to see what its content was and it was empty. Then I deleted it, as Gary Kerbaugh suggested earlier in this thread. Now I do not have it.

Thanks for the links! I'll let you know if anything will help to solve the problem.

Reply

Answer 13

Puma Author

Level 1

19 points

Sep 20, 2005 2:26 PM in response to Puma

THANKS TO EVERYBODY!!! It was great to have your support.

I found out what was wrong. As always, the solution was trivial. I was out of quota on our server.

ssh -Y is working now.

Reply

Answer 14

Sep 22, 2005 10:59 PM in response to Puma

What quota was it?

Total number of simultaneous logins by the same uid?

Thanks!

Reply

Answer 15

Puma Author

Level 1

19 points

Sep 23, 2005 8:39 AM in response to Don MacQueen1

I was out of disk space. I was working on the server a month ago with the code that produced lots of output data and I did not realized that the disk space for my account got filled up. System on the server does set up to not warn you about it.

Reply