X11 connection rejected because of wrong authentication - x11

I am getting an error while accessing Firefox using X11Forwarding.
[root@station2 ~]# firefox
KiTTY X11 proxy: wrong authorisation protocol attempted
KiTTY X11 proxy: wrong authorisation protocol attempted
Error: cannot open display: localhost:10.0
Set up the following values in /etc/ssh/sshd_config:
X11Forwarding yes
X11DisplayOffset 10
X11UseLocalhost yes
Installed the package:
# yum install xorg-x11-xauth
# yum -y install xauth
[root@station2 .ssh]# echo $DISPLAY
localhost:10.0
# mkxauth -c
adding key for station2.example.com to /root/.Xauthority ... done

export XAUTHORITY=$HOME/.Xauthority
This fix worked for me

There is a scenario, hard if not impossible to find by search engine, that may cause that error message.
Preliminary note: The topic of this answer is not to discuss whether it is a safety risk or recommendable at all to use a graphical desktop as root on a remote, display-less web server.
Scenario:
A remote, internet-connected Linux server S has the domain name example.com assigned to its public IPv4 address 192.0.2.1.
The /etc/hostname file on S contains the single line example.
The /etc/hosts file on S contains the line 127.0.0.1 localhost example.com example.
Remote ssh access to S is forbidden for root by the sshd configuration on S (the line DenyUsers root in /etc/ssh/sshd_config), but allowed for a dummy user user1. From a client computer C, an ssh connection using the ssh parameter -X or -Y is established to S as user user1.
Then, in a remote terminal on S owned by user1, if any X11-related command is executed as root, whether by su and then trying to start the X11 desktop environment or, as in the concrete case, by executing a script containing
#!/bin/bash
su --preserve-environment -c "xfce4-session &" root
the error message
X11 connection rejected because of wrong authentication.
is output and the start of any X11 related program fails.
The DISPLAY variable of root's environment contains
example.com:10.0
then.
One solution to the problem is, in this special case, to modify the line
127.0.0.1 localhost example.com example
in /etc/hosts to
127.0.0.1 localhost

Solution: run the application with the same user you are SSHing as.
I have also encountered such errors while using X11.
The source of my problem was that I used SSH with my own username (which was not root).
Then, once logged in, I tried running stuff with X11 while doing "su" or "sudo".
The problem with that is that the SSH session is configured with your own username, e.g. Raj, but then you switch to user root, which is not part of the X11 session.
So what you should do is simply try to run the application (firefox in your case) with the same user you started the X11 session with.
Hope this helps.
Talel.

I ran into this running gvim over ssh -t -Y and the solution that worked for me was:
xauth add $(xauth -f ~<logon_user>/.Xauthority list | tail -1) ; export NO_AT_BRIDGE=1 # gvim X11 fix for remote GUI failure after su
I do not know where I stumbled on this answer so I cannot give credit to the author.
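
The tail -1 in the command above takes whichever cookie xauth happens to list last, which is not necessarily the one for the forwarded display. As an added example (not part of the original answer), the script below selects the entry whose display number matches $DISPLAY and merges only that entry; the function names and the sample xauth list output are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): pick the xauth entry that belongs to
# the forwarded display instead of whatever `xauth list` printed last.

# Constructed sample of `xauth list` output; hostnames and keys are made up.
SAMPLE_XAUTH_LIST='station2.example.com/unix:11  MIT-MAGIC-COOKIE-1  00112233445566778899aabbccddeeff
station2.example.com/unix:10  MIT-MAGIC-COOKIE-1  ffeeddccbbaa99887766554433221100
station2.example.com/unix:12  MIT-MAGIC-COOKIE-1  0123456789abcdef0123456789abcdef'

# display_number "localhost:10.0" -> 10 (text after the last ':', screen dropped)
display_number() {
    d=${1##*:}
    printf '%s\n' "${d%%.*}"
}

# pick_cookie DISPLAY: reads `xauth list` output on stdin and prints
# "name protocol hexkey" for the entry whose display number matches.
# Returns 2 if DISPLAY is empty, 1 if no entry matches.
pick_cookie() {
    [ -n "$1" ] || return 2
    num=$(display_number "$1")
    awk -v n="$num" '
        { k = split($1, part, ":") }
        k > 1 && part[k] == n { hit = $1 " " $2 " " $3 }
        END { if (hit == "") exit 1; print hit }
    '
}

# import_cookie FILE: as the target user (after su, DISPLAY preserved), merge
# only the matching entry from the logon user's authority FILE.
import_cookie() {
    entry=$(xauth -f "$1" list | pick_cookie "$DISPLAY") || return 1
    # Intentionally unquoted: entry is three whitespace-separated fields.
    xauth add $entry
}

# Demo on the constructed sample: selects the :10 entry, not the last line.
printf '%s\n' "$SAMPLE_XAUTH_LIST" | pick_cookie "localhost:10.0"
```

The cookie is a credential for the logon user's X session, so importing the single matching entry exposes less than copying the whole .Xauthority file to another account.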

Related

ssh forwarding from mac to ubuntu doesn't work

I'm trying to use the ssh forwarding feature on Mac to display a remote GUI application locally.
On Mac, I installed the official X server XQuartz and set it up as below.
$ cat ~/.ssh/config
Host *
    XAuthLocation /opt/X11/bin/xauth
    ForwardAgent yes
    ForwardX11 yes
Then I used "ssh -v -X user@remote_machine" to log in to an Ubuntu machine, then used xclock to test.
$ ssh -v -X user@remote_machine
OpenSSH_7.9p1, LibreSSL 2.7.3
debug1: Reading configuration data ~/.ssh/config
debug1: /Users/bwu/.ssh/config line 1: Applying options for *
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: /etc/ssh/ssh_config line 48: Applying options for *
debug1: /etc/ssh/ssh_config line 52: Applying options for *
debug1: auto-mux: Trying existing master
On the remote machine, xclock failed to launch because $DISPLAY is empty.
$ xclock
Error: Can't open display:
I did two more tests.
1. From the same Mac, ssh login to another CentOS 7 machine: it's working.
$ cat /etc/ssh/sshd_config
X11Forwarding yes
X11DisplayOffset 0
2. From an Ubuntu host, ssh login to the above Ubuntu machine: it's working.
$ cat /etc/ssh/sshd_config
X11Forwarding yes
X11DisplayOffset 0
So we got the results below.
mac to centos, working
ubuntu to ubuntu, working
mac to ubuntu, not working
Test 1 indicates the issue might be located on the remote Ubuntu machine.
Test 2 indicates the issue might be located on the local Mac machine.
What's wrong with this? Did I miss anything?
Further update on this issue. I noticed X11 forwarding did not work "randomly" on CentOS or Ubuntu (from my MacBook), but after a couple of hours it may work again.
I checked the sshd configuration on both CentOS and Ubuntu; nothing special, and they are the same in the X11 forwarding part. I don't know why.
X11Forwarding yes
X11DisplayOffset 0
#X11UseLocalhost yes

Here is a solution that might work. I had the same problem and this is how I solved it. Give the following solution a try.
First find the DISPLAY variable.
So in your mac if you type as a normal user
echo $DISPLAY
Then what you would get is something like the following.
/private/tmp/com.apple.launchd.0aQYNoXMFK/org.xquartz:0
Then try something like
xeyes
to see whether forwarding works. There are other apps you could try, but I like this one.
And now you know that your display is working.
Now, if you want to try the same as root (please don't jump on me guys, I know some of you are strongly against root access), run echo $DISPLAY; if it does not work,
then in your root prompt do the following:
export DISPLAY=/private/tmp/com.apple.launchd.0aQYNoXMFK/org.xquartz:0
This is the same value you found in your normal user account. Then copy your
.Xauthority at /Users/normal user/.Xauthority to /var/root/.
The .Xauthority file is already there, but this would overwrite it.
cp /Users/normal user/.Xauthority /var/root/
Of course the export might work, but there is no harm in doing the above.
Now try the following.
echo $DISPLAY
And you should see the following
/private/tmp/com.apple.launchd.0aQYNoXMFK/org.xquartz:0
If you ssh into Ubuntu from a normal user prompt then you do not need to do the root part, but since I use root to ssh into my Ubuntu systems, I often have to do this.
Then when you ssh into Ubuntu, type
echo $DISPLAY
And you would see something like the following
localhost:10.0
The above would work if you have done all those other bits like forwarding and etc.
Again, if you want to use root in your Ubuntu and if the echo $DISPLAY does not produce any response,
then try the following (Assuming you are at root prompt).
cp /home/user name/.Xauthority /root/.Xauthority
Now try
echo $DISPLAY
again and you would see something like the following
localhost:10.0
For fun try
xeyes
Of course you could try xclock or any other as well
And it works in my case. Hope this is helpful and would solve a problem like the one above or like mine that someone has come across and who spent a few hours on this problem while scratching head and trying to pull hair out like me :-)).

iTerm2 - How to pass environment-variables when started via url-scheme?

Most of you certainly know the macOS terminal emulator iTerm2.
I want to pass my environment variables which I've set/saved in ~/.ssh/environment to iTerm2, when it (the profile) is configured as default handler for this url-scheme. ( ssh://== )
Normal example ← works
You open the app iTerm2
Enter your ssh-command:
ssh hostname
It connects into your server and you can see with the command printenv your environment-variables you've put into your local ~/.ssh/environment file.
URL-Scheme example ← doesn't work
Some external application ( like the alfred-ssh workflow from deanishe) can access your .ssh/config file to make it easier to access all your configured hosts quickly and opens them then via url-scheme.
Because iTerm2 is configured for the ssh-scheme iTerm2 starts and connects quickly to the server.
You enter printenv and don't find your environment variables.
You realize that iTerm2 started instantly and didn't load the local environment variables. Okay, I didn't realize this at the beginning and created an issue for the workflow I used. But the developer is right, iTerm2 starts and isn't able to load the environment variables.
I've already searched for several weeks for a solution, but haven't been able to solve this problem yet. That's why I'm asking here now.
My local SSH configuration (cleaned)
Content of ~/.ssh/environment is:
echo "RMATE_HOST=localhost" > sshenv
echo "RMATE_PORT=52699" > sshenv
Content of ~/.ssh/config is:
Host *
    AddKeysToAgent yes
    ServerAliveInterval 120
    TCPKeepAlive no
    UseKeychain yes
    SendEnv RMATE_*
    RemoteForward 52699 localhost:52699
Host personal
    HostName personal.tld
    IdentityFile ~/.ssh/keyFileName1
    User user
    Port 22
Host work
    HostName business.tld
    IdentityFile ~/.ssh/keyFileName2
    User user
    Port 22
And yeah, indeed! I just want to pass my RMATE variables to the servers via the workflow with Alfred ;-)

PuTTY PSFTP command line works as Admin, fails as User

I have an interesting dilemma with PuTTY PSFTP.
Set up...
Pageant .60
putty .60
Used command:
D:\psftp.exe -load myserver.domain.us.com -l User1 -b MyCommand Script
This loads PuTTY PSFTP, logs in using the user ID with the help of Pageant and then sends a file using commands in the script.
This works great while logged in as an Admin on the server.
It fails while logged in as a regular user on the server:
"psftp: no hostname specified;"blah blah blah.
Including -v reveals no further messages.
What possible delta could there be with permissions or other settings between a server Admin and regular user when it comes to PuTTY?

You load the PuTTY stored site myserver.domain.us.com.
That is stored in the Windows registry of the local account.
If you run the script using a different account, it won't see the site definition.
You have to define the session completely on the command line. What you probably even attempted.
Remove the -load;
Add -ssh to make it clear you want to use SSH (but it's default anyway)
Add -hostkey=... with a fingerprint of the SSH host key (you need the latest version of PuTTY for the -hostkey switch, but you need to upgrade anyway, the version 0.60 is not secure).
D:\psftp.exe -ssh myserver.domain.us.com -hostkey=... -l User1 -b MyCommand Script

mosh + osx + /bin/false error

I have successfully installed mosh on both the server and client side. I am trying to ssh using mosh from OS X but it is throwing the following error:
/bin/false: No such file or directory
write: Broken pipe
/usr/local/bin/mosh: Did not find remote IP address (is SSH ProxyCommand disabled?).
I am not sure if it has anything to do with mosh, or it is general error. Please help me in setting up mosh.

This error
/bin/false: No such file or directory
most likely means the user account that you are trying to log in to is disabled. You need to log in as another user, and change the shell to a valid executable:
$ chsh -s /bin/bash [username]

SCP file from ssh session to localhost

I have a headless file server on which I store and manage downloads and media, but occasionally I have to transfer small files back to my computer (Mac, using bash shell). The problem is that some files have more user-friendly names and commonly have spaces in them, and they are buried in the file directory hierarchy I have set up on my server.
When I'm using scp from my local machine, I don't have tab completion, so I have to manually type out the entire path and name with spaces escaped. When I ssh into the server first, the command:
scp /home/me/files/file\ name\ with\ spaces.png Me@localhost:/Users/Me/MyDirectory
fails with the error "Permission denied, please try again" even though I'm entering my local machine user password properly.
I've learned a little bit of sftp since I've been told that may be a better tool for file transfer. However, the utility seems outdated and I still don't have tab completion after establishing a connection to the server (on my Terminal when pressing Tab I just get a tab character).
My question is this: what can I do to allow tab completion while using scp from my Mac? Or am I using incorrect syntax for scp while in an ssh session, and is there something in that command I should fix? Or, is there a (better? newer?) tool other than sftp that would offer tab completion on a server?
Finally, if none of these problems have simple solutions, is there some package I could install (e.g. a completion package from Homebrew or the like) that would facilitate better tab-completion with any of these commands?

Looks to me like this is some incorrect scping.
This is the format of the command:
scp ./localFile.txt remoteUser@remoteHost:/remoteFile.txt
You were so close, but you have localhost set where you should have your remoteHost.
localhost is the name that resolves to the machine that you are currently on - so in your workflow, you are sshing to a machine, and then trying to scp that file to the same machine you are already sshed into.
What you need to do is figure out the IP address, or the physical host name, of the computer that you are trying to connect to, and use that instead.
scp ./localFile.txt remoteUser@192.168.1.100:/remoteFile.txt
# where 192.168.1.100 would be the IP of your Mac
I am assuming the reason you were getting permission denied was because you were using the login credentials for your Mac, but unknowingly trying to log in again to your headless machine.
