I upgraded OpenSSH and X11 forwarding now fails with "X11 connection rejected because of wrong authentication". Lets say you upgraded OpenSSH on machine1 and you now try to ssh to machine2 and X11 forward fails. You get the following errors seen below.
user@machine:~$ ssh -X user@machine2
user@machine2's password:
Warning: untrusted X11 forwarding setup failed: xauth key data not generated
Warning: No xauth data; using fake authentication data for X11 forwarding.
The error you see when trying to open a program expecting X11 forwarding is the following.
user@machine2:~$ xterm
X11 connection rejected because of wrong authentication.
X connection to localhost:10.0 broken (explicit kill or server shutdown).
I figured out the problem seems to be trusted X11 forwarding is turned off or disabled. To fix it you have to ssh with the -Y parameter instead of the -X. The other thing you could do is edit your /etc/ssh/ssh_config file on machine1 and set "ForwardX11Trusted" to "yes". Which would look like "ForwardX11Trusted yes".
Del.icio.us! | Digg Me! | Reddit!
This is an install of OpenSSH from source on CentOS 4.5. It is not so much of an upgrade as it is a seperate install. SSH is your gateway into your machine. It is the access point for your machine over the network. Therefore it needs one of the most secure parts of your system. When a vulnerability comes out for it you have to update it ASAP. Problem is most distros don't make haste in getting packages out that update it. So your stuck with updating it yourself. So that rpm or deb package you installed is useless now that is vulnerable.
So what we are going to do is compile and install our own OpenSSH in the /opt tree (or wherever you want). Then whenever OpenSSL, OpenSSH, or Zlib have a security problem we can just quickly patch, recompile, and install a new version of any of them. No dependence on the distro's packages and their slower response times. The install below is what versions of the packages where avaliable at the time so change those accordingly.
First we download and install zlib. It does not seem to change version much so you might not need to do this each time.
cd /tmp
mkdir -p /opt/zlib
mkdir zlib1.23
cd zlib1.23/
wget http://www.zlib.net/zlib123.zip
unzip zlib123.zip
make
make install prefix=/opt/zlib/
Next we download and install OpenSSL.
cd /tmp
mkdir -p /opt/openssl
wget http://www.openssl.org/source/openssl-0.9.8e.tar.gz
tar xvzf openssl-0.9.8e.tar.gz
cd openssl-0.9.8e
./config --prefix=/opt/openssl --openssldir=/opt/openssl
make
make test
make install
Now we download and install OpenSSH. This version is for linux so it will come from the portable code base. In the configure section we are pointing to the OpenSSL and zlib installs we did above. You also want to check to see where your xauth file is and put that path in accordingly. I just did the command "which xauth" and got the path but you might need to do a "find / -name xauth" to find it.
cd /tmp
mkdir -p /opt/openssh
wget ftp://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-4.7p1.tar.gz
tar xvzf openssh-4.7p1.tar.gz
cd openssh-4.7p1
./configure --prefix=/opt/openssh --with-ssl-dir=/opt/openssl --with-xauth=/usr/X11R6/bin/xauth --with-zlib=/opt/zlib
make
make install
We are going to use the SSHD init.d script to start and stop our version of SSH. This script comes with CentOS 4.5. To use it we need to change some paths. Check /etc/init.d/sshd make sure these point to /opt/openssh.
# Some functions to make the below more readable KEYGEN=/opt/openssh/bin/ssh-keygen SSHD=/opt/openssh/sbin/sshd RSA1_KEY=/opt/openssh/etc/ssh_host_key RSA_KEY=/opt/openssh/etc/ssh_host_rsa_key DSA_KEY=/opt/openssh/etc/ssh_host_dsa_key
Then restart SSH.
/etc/init.d/sshd restart
Check with telnet that your SSH is giving out the right version number of the one you just installed. You can do this by telnetting to your OpenSSH server.telnet localhost 22
We should get a response with "OpenSSH_4.7" in the title. The same version that was just installed.
Trying 127.0.0.1...
Connected to localhost.localdomain (127.0.0.1).
Escape character is '^]'.
SSH-2.0-OpenSSH_4.7
Del.icio.us! | Digg Me! | Reddit!
SSH'ed to a machine (using -X) to start a qemu session and this is the nasty error that I got
X Error of failed request: BadWindow (invalid Window parameter) Major opcode of failed request: 25 (X_SendEvent) Resource id in failed request: 0x9e Serial number of failed request: 19 Current serial number in output stream: 22
But starting xterm or xclock worked perfectly fine. So some X programs worked fine while qemu did not. Thing was it was just one machine that could not bring up qemu forwarding X through SSH. It would get the above message. The thing that was killing me is that it could bring up all other X programs fine. Finally after searching the answer was as simple as using -Y instead of -X to forward X. -Y is enables trusted X11 forwarding. Trusted X11 forwardings are not subjected to the X11 SECURITY extension controls. Go figure.
Del.icio.us! | Digg Me! | Reddit!