Welcome to the VanDyke Software Forums

  #1  
Old 10-26-2011, 08:31 AM
gfarguss gfarguss is offline
Registered User
 
Join Date: May 2009
Posts: 8
X11 port forwarding with Linux SecureCRT

Hello,

I have just loaded the Linux version of SecureCRT. I am having an issue with the forwarding of X11 packets. I have enabled X11 port forwarding from the session options menu. I have verified that the workstation can successfully display X with both ssh -X and PuTTY with port forwarding enabled.

I can successfully connect with X through SecureCRT if I do an "xhost +", but this is not an acceptable solution.

My workstation is running Fedora 10.

Here is a trace of my session:
SecureCRT - Version 6.7.2 (build 229)
[LOCAL] : SSH2Core version 6.7.0.229
[LOCAL] : Connecting to rtaxdfw01vsat01.serv.iscsys.net:22 ...
[LOCAL] : Changing state from STATE_NOT_CONNECTED to STATE_EXPECT_KEX_INIT
[LOCAL] : Using protocol SSH2
[LOCAL] : RECV : Remote Identifier = 'SSH-2.0-OpenSSH_5.1'
[LOCAL] : CAP : Remote can re-key
[LOCAL] : CAP : Remote sends language in password change requests
[LOCAL] : CAP : Remote sends algorithm name in PK_OK packets
[LOCAL] : CAP : Remote sends algorithm name in public key packets
[LOCAL] : CAP : Remote sends algorithm name in signatures
[LOCAL] : CAP : Remote sends error text in open failure packets
[LOCAL] : CAP : Remote sends name in service accept packets
[LOCAL] : CAP : Remote includes port number in x11 open packets
[LOCAL] : CAP : Remote uses 160 bit keys for SHA1 MAC
[LOCAL] : CAP : Remote supports new diffie-hellman group exchange messages
[LOCAL] : CAP : Remote correctly handles unknown SFTP extensions
[LOCAL] : CAP : Remote correctly encodes OID for gssapi
[LOCAL] : CAP : Remote correctly uses connected addresses in forwarded-tcpip requests
[LOCAL] : CAP : Remote can do SFTP version 4
[LOCAL] : CAP : Remote x.509v3 uses ASN.1 encoding for DSA signatures
[LOCAL] : SEND : KEXINIT
[LOCAL] : RECV : Read kexinit
[LOCAL] : Available Remote Kex Methods = diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
[LOCAL] : Selected Kex Method = diffie-hellman-group14-sha1
[LOCAL] : Available Remote Host Key Algos = ssh-rsa,ssh-dss
[LOCAL] : Selected Host Key Algo = ssh-dss
[LOCAL] : Available Remote Send Ciphers = aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour128,arcfour256,arcfour,aes192-cbc,aes256-cbc,rijndael-cbc@lysator.liu.se,aes128-ctr,aes192-ctr,aes256-ctr
[LOCAL] : Selected Send Cipher = aes256-ctr
[LOCAL] : Available Remote Recv Ciphers = aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour128,arcfour256,arcfour,aes192-cbc,aes256-cbc,rijndael-cbc@lysator.liu.se,aes128-ctr,aes192-ctr,aes256-ctr
[LOCAL] : Selected Recv Cipher = aes256-ctr
[LOCAL] : Available Remote Send Macs = hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
[LOCAL] : Selected Send Mac = hmac-sha1
[LOCAL] : Available Remote Recv Macs = hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
[LOCAL] : Selected Recv Mac = hmac-sha1
[LOCAL] : Available Remote Compressors = none,zlib@openssh.com
[LOCAL] : Selected Compressor = none
[LOCAL] : Available Remote Decompressors = none,zlib@openssh.com
[LOCAL] : Selected Decompressor = none
[LOCAL] : Changing state from STATE_EXPECT_KEX_INIT to STATE_KEY_EXCHANGE
[LOCAL] : SEND : KEXDH_INIT
[LOCAL] : RECV : KEXDH_REPLY
[LOCAL] : SEND : NEWKEYS
[LOCAL] : Changing state from STATE_KEY_EXCHANGE to STATE_EXPECT_NEWKEYS
[LOCAL] : RECV: Remote Hostkey: cd:b0:1e:35:f4:04:09:91:17:4b:5e:04:5a:80:d1:20
[LOCAL] : RECV : NEWKEYS
[LOCAL] : Changing state from STATE_EXPECT_NEWKEYS to STATE_CONNECTION
[LOCAL] : SEND: SERVICE_REQUEST[ssh-userauth]
[LOCAL] : RECV: SERVICE_ACCEPT[ssh-userauth] -- OK
[LOCAL] : SENT : USERAUTH_REQUEST [none]
[LOCAL] : RECV : SSH_MSG_USERAUTH_BANNER
!!! AUTHORIZED USE ONLY!!!

[LOCAL] : RECV : USERAUTH_FAILURE, continuations [publickey,gssapi-with-mic,password]
[LOCAL] : SENT : USERAUTH_REQUEST [publickey (ssh-rsa) - unsigned,fingerprint: da:da:c1:b5:7a:8f:cf:ba:43:77:65:d3:7c:8a:11:85]
[LOCAL] : SENT : USERAUTH_REQUEST [publickey (ssh-rsa) - signed,May 2000 Standard]
[LOCAL] : RECV : AUTH_SUCCESS
[LOCAL] : SEND[0]: SSH_MSG_CHANNEL_OPEN('session')
[LOCAL] : SEND[0]: Pty Request (rows: 40, cols: 132)
[LOCAL] : RECV[0]: pty request succeeded
[LOCAL] : SEND[0]: x11 forwarding request
[LOCAL] : RECV[0]: x11 request succeeded
[LOCAL] : SEND[0]: agent forwarding request
[LOCAL] : RECV[0]: agent request succeeded
[LOCAL] : SEND[0]: shell request
[LOCAL] : RECV[0]: shell request succeeded
Last login: Wed Oct 26 09:11:42 2011 from
gfarguss@server:/export/home/gfarguss> xterm[LOCAL] : RECV: CHANNEL_OPEN[x11]

[LOCAL] : SEND[1]: SSH_MSG_CHANNEL_EOF
Invalid MIT-MAGIC-COOKIE-1 keyxterm Xt error: Can't open display: localhost:10.0

Thanks

Last edited by gfarguss; 10-26-2011 at 08:35 AM.
  #2  
Old 10-26-2011, 10:12 AM
miked miked is offline
Registered User
 
Join Date: Feb 2004
Posts: 2,040
For security reasons I can see not wanting to run xhost +, but it looks like your X11 server is blocking access. You will need to allow at least the particular host (where you're running the "xterm" command) to connect. You may be able to configure this automatically through SecureCRT through a startup script. PuTTY was running on a Windows machine, right? That's a different X11 server and environment, so not a fair comparison or accurate representation of the X11 server in question. You said ssh -X worked. If it's the same machine where you're running SecureCRT then that's a fair comparison.

Can you run the exact same test using ssh -v -X when run from the same machine, and send to support@vandyke.com with subject Forum Thread 8999?
__________________
Mike
VanDyke Software
Technical Support
[http://www.vandyke.com/support]
  #3  
Old 10-26-2011, 11:45 AM
gfarguss gfarguss is offline
Registered User
 
Join Date: May 2009
Posts: 8
Thanks for the quick reply Mike.

You are not correct in the assumption that PuTTY was run on a Windows workstation. All were run on a workstation running Fedora 10.

It appears that SecureCRT may be creating a corrupt .Xauthority file for the session, which is why my workstation's X server is rejecting the request.

The remote server is running SuSE Linux Enterprise 11 patch 1.

Additionally, I do not have this issue on a Windows workstation running the Windows version of SecureCRT.

Last edited by gfarguss; 10-26-2011 at 12:41 PM.
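
Added example, not part of any post in this thread and not VanDyke code: one way to test the "corrupt .Xauthority" hypothesis is to parse the file's records (a 16-bit family followed by four length-prefixed fields) and check that each MIT-MAGIC-COOKIE-1 value is 16 bytes. The function names and the sample bytes are constructed for illustration.

```python
import struct

FAMILY_LOCAL = 256   # record keyed by local hostname (unix-domain displays)
COOKIE_LEN = 16      # MIT-MAGIC-COOKIE-1 data is a 128-bit value

def _counted(blob, pos):
    """Read one 16-bit big-endian length-prefixed field; return (bytes, new_pos)."""
    if pos + 2 > len(blob):
        raise ValueError(f"truncated length at offset {pos}")
    (n,) = struct.unpack_from(">H", blob, pos)
    if pos + 2 + n > len(blob):
        raise ValueError(f"field at offset {pos} overruns the file")
    return blob[pos + 2:pos + 2 + n], pos + 2 + n

def parse_xauthority(blob):
    """Return (entries, error); error is None if every byte parsed cleanly."""
    entries, pos = [], 0
    try:
        while pos < len(blob):
            if pos + 2 > len(blob):
                raise ValueError(f"truncated family at offset {pos}")
            (family,) = struct.unpack_from(">H", blob, pos)
            fields, nxt = [], pos + 2
            for _ in range(4):  # address, display number, auth name, auth data
                value, nxt = _counted(blob, nxt)
                fields.append(value)
            entries.append((family, *fields))
            pos = nxt
    except ValueError as exc:
        return entries, str(exc)
    return entries, None

def cookie_problems(entries, display):
    """List reasons the cookie for display number `display` (e.g. b"10") is unusable."""
    hits = [e for e in entries if e[2] == display and e[3] == b"MIT-MAGIC-COOKIE-1"]
    if not hits:
        return [f"no MIT-MAGIC-COOKIE-1 entry for display {display.decode()}"]
    return [f"cookie for {e[1].decode()}:{display.decode()} is {len(e[4])} bytes, expected {COOKIE_LEN}"
            for e in hits if len(e[4]) != COOKIE_LEN]

def make_entry(family, address, number, name, data):
    """Build one record; used here only to construct sample input."""
    return struct.pack(">H", family) + b"".join(
        struct.pack(">H", len(f)) + f for f in (address, number, name, data))

# Constructed sample: one sound record, one with a short cookie, then a cut-off record.
GOOD = make_entry(FAMILY_LOCAL, b"workstation", b"0", b"MIT-MAGIC-COOKIE-1", bytes(range(16)))
SHORT = make_entry(FAMILY_LOCAL, b"workstation", b"10", b"MIT-MAGIC-COOKIE-1", b"\x01" * 7)
SAMPLE = GOOD + SHORT + b"\x01\x00\x00\x0bwork"
```

To run it against a real file, pass the bytes of the file (for example `open(path, "rb").read()`) to `parse_xauthority` and avoid pasting the cookie values anywhere, since they are credentials for the display.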
  #4  
Old 10-26-2011, 12:49 PM
miked miked is offline
Registered User
 
Join Date: Feb 2004
Posts: 2,040
Are you starting SecureCRT as root, or some user other than the one you've logged into Fedora as (perhaps running the command sudo SecureCRT)?

That's the only way I've been able to essentially duplicate the error you're seeing:
Quote:
[LOCAL] : RECV: CHANNEL_OPEN[x11]
[LOCAL] : SEND[1]: SSH_MSG_CHANNEL_EOF
Xlib: connection to "127.0.0.1:10.0" refused by server
Xlib: Invalid MIT-MAGIC-COOKIE-1 key
xterm Xt error: Can't open display: 127.0.0.1:10.0
__________________
Mike
VanDyke Software
Technical Support
[http://www.vandyke.com/support]

Last edited by miked; 10-26-2011 at 12:55 PM.
  #5  
Old 10-26-2011, 12:55 PM
gfarguss gfarguss is offline
Registered User
 
Join Date: May 2009
Posts: 8
No. In all cases I am running as a regular user, not root. In all cases on the Linux workstation I'm using the same regular user.

Last edited by gfarguss; 10-26-2011 at 12:57 PM.
  #6  
Old 10-26-2011, 12:56 PM
miked miked is offline
Registered User
 
Join Date: Feb 2004
Posts: 2,040
Are you logging in as the same username on SUSE as you are logged in as on Fedora?
__________________
Mike
VanDyke Software
Technical Support
[http://www.vandyke.com/support]
  #7  
Old 10-26-2011, 01:02 PM
gfarguss gfarguss is offline
Registered User
 
Join Date: May 2009
Posts: 8
No, but I am using a public/private key for login.

Update: I have changed the login method to UID/Password with the same results.

Last edited by gfarguss; 10-26-2011 at 01:05 PM.
  #8  
Old 10-26-2011, 01:50 PM
miked miked is offline
Registered User
 
Join Date: Feb 2004
Posts: 2,040
Quote:
Quote:
Are you logging in as the same username...
No, but...
It's a different username, or the same username?
__________________
Mike
VanDyke Software
Technical Support
[http://www.vandyke.com/support]
  #9  
Old 10-26-2011, 02:06 PM
gfarguss gfarguss is offline
Registered User
 
Join Date: May 2009
Posts: 8
Different usernames
  #10  
Old 10-26-2011, 03:59 PM
miked miked is offline
Registered User
 
Join Date: Feb 2004
Posts: 2,040
I've created a report so that our developers can investigate. We'll post a follow-up message when we have further information or a solution. If you would also like to receive e-mail, please let us know and refer to forum thread 8999.
__________________
Mike
VanDyke Software
Technical Support
[http://www.vandyke.com/support]
  #11  
Old 11-03-2011, 10:16 AM
miked miked is offline
Registered User
 
Join Date: Feb 2004
Posts: 2,040
Hi gfarguss,

Our developers have investigated and there is a possible workaround. Earlier in the thread you mentioned using xhost + as a workaround, but that is unacceptable from a security point of view. If you could restrict the xhost command to allow only a specific user, like the following, would that be acceptable for you?
xhost +SI:localuser:specific_user
__________________
Mike
VanDyke Software
Technical Support
[http://www.vandyke.com/support]
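
Added example, not part of the thread and not VanDyke code: a small audit of the text printed by `xhost` with no arguments, showing how the blanket `xhost +` state differs from a server-interpreted `SI:localuser:` entry. The risk labels, function names and sample outputs are constructed for illustration; `specific_user` is the placeholder used in the post above.

```python
ORDER = ["high", "medium", "review", "low"]  # most to least concerning

def audit_xhost(output):
    """Return a list of (risk, entry, reason) for the text printed by `xhost`."""
    findings = []
    for line in (raw.strip() for raw in output.splitlines()):
        if not line:
            continue
        if line.startswith("access control"):
            # Status line: "disabled" is the state left behind by `xhost +`.
            if "disabled" in line:
                findings.append(("high", line, "any client that can reach the server may connect"))
            continue
        family, _, rest = line.partition(":")
        if family == "SI" and rest.startswith("localuser:"):
            user = rest.split(":", 1)[1]
            findings.append(("low", line, f"only local processes running as {user!r}"))
        elif family == "LOCAL":
            findings.append(("medium", line, "every user on this machine"))
        elif family in ("INET", "INET6") or (family == "SI" and rest.startswith("hostname:")):
            findings.append(("medium", line, "every user on the named host"))
        else:
            findings.append(("review", line, "unrecognised entry"))
    return findings

def worst(findings):
    """Highest risk level present, or 'none' when the access list is empty."""
    levels = {risk for risk, _, _ in findings}
    return next((level for level in ORDER if level in levels), "none")

# Constructed sample outputs (not captured from the poster's workstation).
AFTER_XHOST_PLUS = """access control disabled, clients can connect from any host
SI:localuser:specific_user
"""
AFTER_WORKAROUND = """access control enabled, only authorized clients can connect
SI:localuser:specific_user
"""
MIXED = AFTER_WORKAROUND + "INET:localhost\n"
```

While access control is disabled, the listed entries have no effect, which is why the status line alone is rated highest.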