X11 forwarding request failed on channel 0

Since upgrading to Fedora 17, I've been getting this message "X11 forwarding request failed on channel 0". I haven't done anything to fix it for a while, but today I got so annoyed with this message, that I decided to fix it.

First I google'd around a bit. What does this message mean? I read a lot of reactions that suggest to fix something on ssh_config on the client side or in sshd_config on the server side. These suggestions did not work for me.

So, how do we debug this?

On the server side, open the firewall on a non-standard port. I used port 222:
iptables -I INPUT -s [client-ip] -p tcp --dport 222 -j ACCEPT
Then I ran sshd in non-forking debug mode on this port:
/usr/sbin/sshd -d -p 222
Then we login from the client, using verbose mode:
ssh -vvv [server]

This generates a lot of logs on both sides. The log on the client side contains:
debug3: Ignored env GTK_IM_MODULE
debug3: Ignored env XAUTHORITY
debug3: Ignored env CCACHE_HASHDIR
debug3: Ignored env _
debug2: channel 0: request shell confirm 1
debug2: callback done
debug2: channel 0: open confirm rwindow 0 rmax 32768
debug1: Remote: No xauth program; cannot forward with spoofing.
debug2: channel_input_status_confirm: type 100 id 0
X11 forwarding request failed on channel 0

So, what's the problem? The server has no xauth program. The old versions of the ssh client silently failed when the server had no xauth, this new version is just a little more verbose.

Solution #1: install xauth on the server.

You could install xauth on the remote side to fix the problem. On RedHat/CentOS/Fedora, this is done using the command yum install xauth. I personally suggest to use solution #2.

Solution #2: don't forward X11 for all hosts

Why would you need X11 forwarding when connecting to a random server? If you enable X11 forwarding, this means that the server can connect to your X11 display server at any time. An evil (or hacked) server can be used to hack your client.

You can prevent this by disabling X11 forwarding for all hosts and then whitelist the hosts where you do want forwarding.

Change ForwardX11 yes in /etc/ssh/ssh_config and/or ~/.ssh/config to ForwardX11. You can then enable X11 forwarding on a per-host basis by putting extra config in ~/.ssh/config, for example:
Host mailserver
ForwardX11 yes

Of course, the whitelisted servers still do need xauth.

© GeekLabInfo X11 forwarding request failed on channel 0 is a post from GeekLab.info. You are free to copy materials from GeekLab.info, but you are required to link back to http://www.geeklab.info
1 Star2 Stars3 Stars4 Stars5 Stars (1 votes, average: 5,00 out of 5)

Geef een reactie

Het e-mailadres wordt niet gepubliceerd. Verplichte velden zijn gemarkeerd met *