Wednesday, December 27, 2017

How configure X11 Forwarding in RHEL7

1) Install the following packages
yum install -y xorg-x11-server-Xorg xorg-x11-xauth xorg-x11-apps
2) Enable X11 Fowarding
grep -i X11Forwarding /etc/ssh/sshd_config
Should be set to Yes
3) Logoff and login as
ssh -Y user@host
4) Test
xclock& , xeyes&
A dump of the sshd_config on my test server
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
grep -v ^#  /etc/ssh/sshd_config  | grep -v ^$
AddressFamily inet
HostKey /etc/ssh/ssh_host_rsa_key
HostKey /etc/ssh/ssh_host_ecdsa_key
SyslogFacility AUTHPRIV
LogLevel VERBOSE
PermitRootLogin without-password
MaxAuthTries 5
AuthorizedKeysFile      .ssh/authorized_keys
PasswordAuthentication yes
ChallengeResponseAuthentication no
GSSAPIAuthentication yes
GSSAPICleanupCredentials yes
UsePAM yes
AllowAgentForwarding no
AllowTcpForwarding no
X11Forwarding yes
UsePrivilegeSeparation yes
AcceptEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES
AcceptEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT
AcceptEnv LC_IDENTIFICATION LC_ALL LANGUAGE
AcceptEnv XMODIFIERS
Subsystem       sftp    /usr/libexec/openssh/sftp-server
Troubleshooting
xclock&
Error: Can’t open display:
To fix this, I did the following:
rm /root/.Xauthority
systemctl restart sshd
Logout and login to create new /root/.Xauthority
AddressFamily inet
For some servers it only works by forcing to IPv4 only. 
AddressFamily should be set to inet(IPv4)
grep Family /etc/ssh/sshd_config
AddressFamily inet
man sshd_config
AddressFamily
Specifies which address family should be used by sshd(8). 
Valid arguments are “any”, “inet” (use IPv4 only), or “inet6” (use IPv6 only). The default is “any”.
X11 forwarding bug in SSH if IPv6 on the system is disabled.
http://unix.stackexchange.com/a/225642/95470
It does work on a different RHEL 7.1 server though with AddressFamily set to “any”.
Still not working
May be the server is behind a firewall. Where I work, I have to authenticate 
with the firewall to get this working.

No comments: