| Summary: | net-misc/openssh-5.8_p1-r1: 'ssh -Y' does not work when USE=-pam | | |
|---|---|---|---|
| Product: | Gentoo Linux | Reporter: | Agostino Sarubbo <ago> |
| Component: | Current packages | Assignee: | Gentoo's Team for Core System packages <base-system> |
| Status: | RESOLVED INVALID | | |
| Severity: | normal | | |
| Priority: | High | | |
| Version: | unspecified | | |
| Hardware: | All | | |
| OS: | Linux | | |
| Whiteboard: | | | |
| Package list: | Runtime testing required: | --- | |
| Attachments: | emerge --info | | |

Description
Agostino Sarubbo
2011-02-17 00:16:04 UTC
My simple sshd_config, which was not changed after the last updates:

```
ChallengeResponseAuthentication no
PasswordAuthentication no
UsePAM no
X11Forwarding yes
PrintMotd no
PrintLastLog no
ClientAliveInterval 60
Subsystem sftp /usr/lib64/misc/sftp-server
```

Please don't assign bugs directly. Let the wranglers manage things for you.

-Y works just fine for me with default sshd_config + enabling X11Forwarding and openssh 5.8p1 (client and server):

```
<localip>$ ssh -Y <someip>
<someip>$ echo $DISPLAY
localhost:11.0
<someip>$ xeyes
```

Now xeyes is shown on my <localip>.

On <someip>:

```
# grep -v -e '^#' -e '^ *$' /etc/ssh/sshd_config
X11Forwarding yes
UseDNS no
Subsystem sftp /usr/lib64/misc/sftp-server
```

Until a few days ago it also worked for me. If I have not changed any configuration files, but just upgraded, it must be some component?

1) Your `emerge --info net-misc/openssh' is missing. How else could we know what "last updates" are on your system?

2) How does it not work? Please give us your steps to reproduce.

(In reply to comment #4)
> How else could we know what "last updates" are on your system?

I mean that I have the system fully updated with emerge -DuN world

> 2) How does it not work? Please give us your steps to reproduce.

```
ago@devil ~ $ ssh ago@at -Y
Enter passphrase for key '/home/ago/.ssh/id_rsa':
Last login: Fri Feb 18 22:38:30 CET 2011 from devil on pts/1
ago@amd64box ~ $ xchat
(xchat:4388): Gtk-WARNING **: cannot open display: localhost:10.0
ago@amd64box ~ $ echo $DISPLAY
localhost:10.0
```

Is this enough information?

Created attachment 262961
emerge --info

(In reply to comment #4)
> 1) Your `emerge --info net-misc/openssh' is missing.

The build info of ssh is always:

```
net-misc/openssh-5.8_p1-r1 was built with the following:
USE="X hpn pam tcpd -X509 -kerberos -ldap -libedit (-selinux) -skey -static"
```

(In reply to comment #2)
> -Y works just fine for me with with default sshd_config + enabling
> X11Forwarding and openssh 5.8p1 (client and server):

I also tried the default sshd_config + X11Forwarding yes, also with the previous stable version of openssh, but the response is the same.

That looks like some good information to start with. Assigning to maintainers.

And you have xauth installed, right?

from `ssh -ddddd -Y <someip>`:

```
...
debug1: Entering interactive session.
debug2: callback start
debug2: x11_get_proto: /usr/bin/xauth list :0 2>/dev/null
debug1: Requesting X11 forwarding with authentication spoofing.
debug2: channel 0: request x11-req confirm 0
debug2: client_session2_setup: id 0
...
```

(In reply to comment #9)
> and you have xauth installed right ?

Yes, on all machines.

What do you mean by:

> from `ssh -ddddd -Y <someip>`:
> ...
> debug1: Entering interactive session.
> debug2: callback start
> debug2: x11_get_proto: /usr/bin/xauth list :0 2>/dev/null
> debug1: Requesting X11 forwarding with authentication spoofing.
> debug2: channel 0: request x11-req confirm 0
> debug2: client_session2_setup: id 0
> ...
>

And how can I see this output?

OK, I see the debug info; anyway, it is different:

```
ago@devil ~ $ ssh ago@at -Y -v
OpenSSH_5.8p1-hpn13v10, OpenSSL 1.0.0c 2 Dec 2010
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: Connecting to at [192.168.2.3] port 22.
debug1: Connection established.
debug1: identity file /home/ago/.ssh/id_rsa type 1
debug1: identity file /home/ago/.ssh/id_rsa-cert type -1
debug1: identity file /home/ago/.ssh/id_dsa type -1
debug1: identity file /home/ago/.ssh/id_dsa-cert type -1
debug1: identity file /home/ago/.ssh/id_ecdsa type -1
debug1: identity file /home/ago/.ssh/id_ecdsa-cert type -1
debug1: Remote protocol version 2.0, remote software version OpenSSH_5.8p1-hpn13v10lpk
debug1: match: OpenSSH_5.8p1-hpn13v10lpk pat OpenSSH*
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_5.8p1-hpn13v10
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: AUTH STATE IS 0
debug1: REQUESTED ENC.NAME is 'aes128-ctr'
debug1: kex: server->client aes128-ctr hmac-md5 none
debug1: REQUESTED ENC.NAME is 'aes128-ctr'
debug1: kex: client->server aes128-ctr hmac-md5 none
debug1: sending SSH2_MSG_KEX_ECDH_INIT
debug1: expecting SSH2_MSG_KEX_ECDH_REPLY
debug1: Server host key: ECDSA f6:a2:a3:bd:a8:9f:4c:ad:aa:ae:6e:9b:93:36:1e:0d
debug1: Host 'at' is known and matches the ECDSA host key.
debug1: Found key in /home/ago/.ssh/known_hosts:1
debug1: ssh_ecdsa_verify: signature correct
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: Roaming not allowed by server
debug1: SSH2_MSG_SERVICE_REQUEST sent
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey
debug1: Next authentication method: publickey
debug1: Offering RSA public key: /home/ago/.ssh/id_rsa
debug1: Server accepts key: pkalg ssh-rsa blen 535
debug1: key_parse_private_pem: PEM_read_PrivateKey failed
debug1: read PEM private key done: type <unknown>
Enter passphrase for key '/home/ago/.ssh/id_rsa': ###PUTTING IN MY PASSWD
debug1: read PEM private key done: type RSA
debug1: Authentication succeeded (publickey).
Authenticated to at ([192.168.2.3]:22).
debug1: Final hpn_buffer_size = 131072
debug1: HPN Disabled: 0, HPN Buffer Size: 131072
debug1: channel 0: new [client-session]
debug1: Enabled Dynamic Window Scaling
debug1: Requesting no-more-sessions@openssh.com
debug1: Entering interactive session.
debug1: Requesting X11 forwarding with authentication spoofing.
```

use pam NO is the problem... setting it to yes works.

PAM should not be a requirement for X forwarding.

I checked more carefully. It was my mistake in my sshd_config.
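
The two sshd_config listings quoted in this report were compared by eye; the following is an added example, not part of the bug thread, that diffs the effective directives of two configs using sshd's rule that the first value seen for a keyword wins. The function names are hypothetical, the sample configs are the two quoted above, and it assumes plain `Keyword value` lines (parsing stops at the first `Match` block).

```python
# Added example (not from the bug thread): diff the effective directives of
# two sshd_config texts. Assumes "Keyword value" lines; Match blocks are not
# evaluated, so parsing stops at the first one.

# The reporter's config and the working config, as quoted in the thread.
REPORTER_CONFIG = """\
ChallengeResponseAuthentication no
PasswordAuthentication no
UsePAM no
X11Forwarding yes
PrintMotd no
PrintLastLog no
ClientAliveInterval 60
Subsystem sftp /usr/lib64/misc/sftp-server
"""

WORKING_CONFIG = """\
X11Forwarding yes
UseDNS no
Subsystem sftp /usr/lib64/misc/sftp-server
"""


def effective(config_text):
    """Return {lowercased keyword: value}; the first occurrence wins."""
    settings = {}
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # skip blanks and comments, like the grep in the thread
        parts = line.split(None, 1)
        keyword = parts[0].lower()  # sshd keywords are case-insensitive
        if keyword == "match":
            break  # conditional blocks depend on the connection
        value = parts[1].strip() if len(parts) > 1 else ""
        settings.setdefault(keyword, value)  # later duplicates are ignored
    return settings


def diff_configs(a_text, b_text):
    """Return {keyword: (value_in_a, value_in_b)} for directives that differ."""
    a, b = effective(a_text), effective(b_text)
    return {k: (a.get(k), b.get(k))
            for k in sorted(set(a) | set(b)) if a.get(k) != b.get(k)}


if __name__ == "__main__":
    for key, (left, right) in diff_configs(REPORTER_CONFIG, WORKING_CONFIG).items():
        print(f"{key}: reporter={left!r} working={right!r}")
```

A `None` on either side means the directive is absent from that file and the compiled-in default applies on that host.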