Re: SSH X forwarding going awry FIXED (Was: Why does Debian allow all incoming traffic by default)

On Sunday 23 September 2018 05:35:41 Étienne Mollier wrote:

> Good Day,
>
> On 9/22/18 10:15 PM, Gene Heskett wrote:
> > I would certainly hope so, AND give due consideration to just
> > how big a headache any change means for the users.
>
> That is an understatement, this headache thing.
>
> > They have over the last two "upgrades" from wheezy to jessie
> > and on to stretch, totally disabled any attempts to forward x
> > to another machine, I suppose based on someones idea of
> > security and my questions about fixing that pain in the arse,
> > so it works once again, have been totally ignored.  They HAVE
> > been asked, but never acknowledged with the courtesy of even a
> > reply with a link to a tut.
>
> If this can help, since Debian Jessie, SSH server is configured
> by default to listen to both IPv4 and v6 interfaces.  When v6
> links are unavailable, for /some reason/ (I don't recall the
> details), X forwarding attempts are prevented, but normal SSH
> continues as usual (with a warning about X11 forwarding having
> failed to start).
>
> To fix this, two different solutions are available:
>
> - make IPv6 interfaces available on SSH server side (and
>   maybe on client side too, I haven't tested that solution
>   extensively, it just works as is at home);
>
> - or simply configure sshd to listen only on IPv4 with the
>   following directive in “/etc/ssh/sshd_config”:
>
> 	AddressFamily inet

On the pi-3b, running jessie, that line did not exist. Added it, 
restarted ssh, tried geany while logged into the pi with ssh, AND IT 
WORKS! That's the important app; synaptic-pkexec still doesn't.

=============
pi@picnc:~ $ synaptic-pkexec
==== AUTHENTICATING FOR com.ubuntu.pkexec.synaptic ===
Authentication is required to run the Synaptic Package Manager
Multiple identities can be used for authentication:
 1.  ,,, (pi)
 2.  root
Choose identity to authenticate as (1-2): 1
Password:
polkit-agent-helper-1: error response to PolicyKit daemon: 
GDBus.Error:org.freedesktop.PolicyKit1.Error.Failed: No session for 
cookie
==== AUTHENTICATION FAILED ===
Error executing command as another user: Not authorized

This incident has been reported.
pi@picnc:~ $ synaptic-pkexec
==== AUTHENTICATING FOR com.ubuntu.pkexec.synaptic ===
Authentication is required to run the Synaptic Package Manager
Multiple identities can be used for authentication:
 1.  ,,, (pi)
 2.  root
Choose identity to authenticate as (1-2): 2
Password:
polkit-agent-helper-1: pam_authenticate failed: Authentication failure
==== AUTHENTICATION FAILED ===
Error executing command as another user: Not authorized

This incident has been reported.
=================================================

So I'm still restricted to doing updates with apt. 
Not a show stopper, but the rock64 can do that 20x faster.

In this case I believe pam is the culprit. And again, the docs are top 
secret... Spit...

Unforch, it did not work on the rock64, "cannot open display". It has 
other problems too, so it's not usable to me yet. And until support is 
forthcoming from the armbian camp, it's likely I've wasted 100+ dollars 
for 2 of them. Vastly more powerful than a pi, it's severely crippled by 
its broken usb-3 port, and total absence of a usable SPI driver, and 
docs on how to use what it does have.

>   By default it is set to “any”, and X forwarding doesn't seem
>   to like not finding any IPv6 interface at all.
>
> No idea if this is intelligent security design, or just a bug,
> but that caused quite some headaches in IPv4 only networks
> indeed.

Indeed. Other than the local net here at home, the nearest ipv6 address is 
probably 100 miles southwest in Charleston, or 150 miles northeast in 
Pittsburgh, PA. I don't think it even makes it thru my cable modem.  I've 
found before that ipv6 stuff, in an ipv4 environment, is a right pain in 
the arse. My whole network here, hiding behind dd-wrt, is ipv4 only.

My /etc/hosts files have had the ipv6 stuffs commented out as it greatly 
simplifies the internal networking setups. ipv6, when and if it ever 
arrives in small town USA, may well be a working thing, but until it's 
available from my cable modem, it will continue to be Excedrin headache 
#1 here. Sorely needed: a single point config option to shut it off.

> Maybe your problem is unrelated, especially if IPv6 is already
> available in your network, yet I hope this helps.
>
> Kind Regards,

And many many thanks from me, and likely from others whose ipv6 
connectivity is hundreds of miles away.

-- 
Cheers, Gene Heskett
--
"There are four boxes to be used in defense of liberty:
 soap, ballot, jury, and ammo. Please use in that order."
-Ed Howdershelt (Author)
Genes Web page <http://geneslinuxbox.net:6309/gene>
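A small diagnostic for the failure mode Étienne describes, added here as an example and not taken from the thread or from Debian: it reads the effective AddressFamily the way sshd does (first occurrence wins, "any" when absent, comments ignored) and flags the at-risk combination of "any" on a host with no IPv6 addresses. The function names and the --check switch are my own.

```shell
#!/bin/sh
# Added diagnostic for the symptom in the thread: with the default
# "AddressFamily any", sshd on a host with no IPv6 addresses lets the
# login through but X11 forwarding fails. Function names are assumed.

# effective_address_family: read sshd_config text on stdin and print the
# value sshd would use ("any" when the directive is absent). As in sshd,
# the first occurrence wins, keywords are case-insensitive, and a
# commented-out "#AddressFamily any" does not count.
effective_address_family() {
  awk '
    /^[ \t]*#/ { next }
    tolower($1) == "addressfamily" { print tolower($2); found = 1; exit }
    END { if (!found) print "any" }
  '
}

# host_has_ipv6: succeed when the kernel has at least one IPv6 address
# configured (::1 on lo counts); fail on an IPv4-only host.
host_has_ipv6() {
  [ -r /proc/net/if_inet6 ] && [ -s /proc/net/if_inet6 ]
}

# x11_forwarding_at_risk FAMILY IPV6(yes|no): print "at-risk" when the
# combination matches the thread's failure mode, otherwise "ok".
x11_forwarding_at_risk() {
  if [ "$2" = no ] && [ "$1" != inet ]; then
    echo at-risk
  else
    echo ok
  fi
}

# Live check on a Debian host: "sshd -T" prints the effective settings
# (needs root); otherwise fall back to reading the config file directly.
if [ "${1:-}" = --check ]; then
  if command -v sshd >/dev/null 2>&1 && cfg=$(sshd -T 2>/dev/null); then
    fam=$(printf '%s\n' "$cfg" | effective_address_family)
  else
    fam=$(effective_address_family < /etc/ssh/sshd_config)
  fi
  if host_has_ipv6; then v6=yes; else v6=no; fi
  verdict=$(x11_forwarding_at_risk "$fam" "$v6")
  echo "AddressFamily=$fam ipv6=$v6 -> $verdict"
  [ "$verdict" = ok ] || \
    echo 'Fix: set "AddressFamily inet" in /etc/ssh/sshd_config, restart sshd'
fi
```

Run as `sh check-x11.sh --check` on the server; with no argument only the functions are defined, so the file can be sourced.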