View previous topic :: View next topic |
Author |
Message |
Moriah Advocate
Joined: 27 Mar 2004 Posts: 2381 Location: Kentucky
|
Posted: Tue Oct 08, 2024 9:34 pm Post subject: ssh -Y stopped working after reboot |
|
|
I have a dual NIC machine I use as an internal firewall. It doesn't get rebooted often, but the other day a power failure alerted me to the fact that the last time I worked on its hardware, I plugged it into a non-battery backed up outlet (my dumb mistake), so the power failure rebooted it. After that, I can no longer forward DISPLAY with ssh -Y root@machine when I log into that machine from another machine. It worked up till the reboot.
I assume that somewhere between that reboot and the previous one (months ago) a routine update clobbered something and caused this annoyance. I checked the /etc/ssh/ files to make sure X11 forwarding was enabled. Since I do log in as root (there are no other usernames on that machine), I suspect something changed to make logging in as root an issue.
Any ideas on what it might be and how to fix this? _________________ The MyWord KJV Bible tool is at http://www.elilabs.com/~myword
Foghorn Leghorn is a Warner Bros. cartoon character. |
|
Back to top |
|
|
dmpogo Advocate
Joined: 02 Sep 2004 Posts: 3435 Location: Canada
|
Posted: Wed Oct 09, 2024 10:56 pm Post subject: Re: ssh -Y stopped working after reboot |
|
|
Moriah wrote: | I have a dual NIC machine I use as an internal firewall. It doesn't get rebooted often, but the other day a power failure alerted me to the fact that the last time I worked on its hardware, I plugged it into a non-battery backed up outlet (my dumb mistake), so the power failure rebooted it. After that, I can no longer forward DISPLAY with ssh -Y root@machine when I log into that machine from another machine. It worked up till the reboot.
I assume that somewhere between that reboot and the previous one (months ago) a routine update clobbered something and caused this annoyance. I checked the /etc/ssh/ files to make sure X11 forwarding was enabled. Since I do log in as root (there are no other usernames on that machine), I suspect something changed to make logging in as root an issue.
Any ideas on what it might be and how to fix this? |
You did not reboot into wayland by chance ? |
|
Back to top |
|
|
pjp Administrator
Joined: 16 Apr 2002 Posts: 20485
|
Posted: Wed Oct 09, 2024 11:22 pm Post subject: |
|
|
What about when you use -v, does it produce anything notable? You can try an additional 2 v's (-vv and -vvv), but the output can sometimes be excessive if fewer v's work. _________________ Quis separabit? Quo animo? |
|
Back to top |
|
|
Moriah Advocate
Joined: 27 Mar 2004 Posts: 2381 Location: Kentucky
|
Posted: Wed Oct 09, 2024 11:31 pm Post subject: |
|
|
Thanks for the -v to get a debug trace. For some weird reason, xauth was missing on the machine I was loggfing into. I emerged x11-apps/xauth and now it works! _________________ The MyWord KJV Bible tool is at http://www.elilabs.com/~myword
Foghorn Leghorn is a Warner Bros. cartoon character. |
|
Back to top |
|
|
Hu Administrator
Joined: 06 Mar 2007 Posts: 22696
|
Posted: Thu Oct 10, 2024 5:17 pm Post subject: |
|
|
Perhaps xauth had been present as a dependency, some other update removed that requirement, and a later emerge --depclean removed xauth. Portage would have told you that xauth was on the list to remove, but you could have missed it.
You could check /var/log/emerge.log to see when xauth was removed. |
|
Back to top |
|
|
Moriah Advocate
Joined: 27 Mar 2004 Posts: 2381 Location: Kentucky
|
Posted: Thu Oct 10, 2024 5:33 pm Post subject: |
|
|
Yes, that's probably what happened. So why isn't xauth on the dependency list for ssh/sshd ? _________________ The MyWord KJV Bible tool is at http://www.elilabs.com/~myword
Foghorn Leghorn is a Warner Bros. cartoon character. |
|
Back to top |
|
|
pjp Administrator
Joined: 16 Apr 2002 Posts: 20485
|
Posted: Thu Oct 10, 2024 8:47 pm Post subject: |
|
|
That is an interesting question. My first guess would be that it isn't an upstream dependency, so it hasn't been made one for Gentoo.
From openssh build output: Code: | LOG: postinst
Install additional packages for optional runtime features:
x11-apps/xauth for x11 forwarding |
_________________ Quis separabit? Quo animo? |
|
Back to top |
|
|
Hu Administrator
Joined: 06 Mar 2007 Posts: 22696
|
Posted: Thu Oct 10, 2024 9:17 pm Post subject: |
|
|
ssh and sshd both work fine without xauth installed, for users who choose not to use X11 forwarding. For me, I do not use X11 forwarding over a WAN link, because most X11 programs are too slow to use well in that mode. (Using them over a LAN is fine.) Therefore, I need not install xauth on systems that I will only ever access over a WAN. In my opinion, it is correct that users are not forced to install xauth, and are instead given a pointed hint that it needs to be manually installed. |
|
Back to top |
|
|
CaptainBlood Advocate
Joined: 24 Jan 2010 Posts: 3881
|
Posted: Thu Oct 10, 2024 10:08 pm Post subject: |
|
|
You have X11 installed?
You have x11-apps/xauth installed! (if system is up to date).
Here's Code: | equery d x11-apps/xauth
app-emacs/xelb-0.20-r1 (x11-apps/xauth)
x11-apps/xinit-1.4.2 (x11-apps/xauth)
(x11-apps/xauth)
x11-base/xorg-server-21.1.13-r1 (>=x11-apps/xauth-1.0.3)
(>=x11-apps/xauth-1.0.3) | unconditionally, unless system is tweaked, perhaps with /etc/portage/profile/package.provided(untested)ormay help for uninstall history when installed.
Thks 4 ur attention, interest & support. _________________ USE="-* ..." in /etc/portage/make.conf here, i.e. a countermeasure to portage implicit braces, belt & diaper paradigm
LT: "I've been doing a passable imitation of the Fontana di Trevi, except my medium is mucus. Sooo much mucus. " |
|
Back to top |
|
|
pjp Administrator
Joined: 16 Apr 2002 Posts: 20485
|
Posted: Fri Oct 11, 2024 1:12 am Post subject: |
|
|
Hu wrote: | Therefore, I need not install xauth on systems that I will only ever access over a WAN. In my opinion, it is correct that users are not forced to install xauth, and are instead given a pointed hint that it needs to be manually installed. | Sure, but that doesn't explain why there isn't - for lack of a more suitable name - an "X" USE flag to enable it for when it is wanted. At least that's why I though it was interesting why there isn't an optional dependency (other than "not upstream" answer I mentioned).
I'm not sure how CaptainBlood's comment regarding xauth being installed with X11 compares with Moriah having had to install xauth. Maybe installing xauth pulled in X? _________________ Quis separabit? Quo animo? |
|
Back to top |
|
|
Hu Administrator
Joined: 06 Mar 2007 Posts: 22696
|
Posted: Fri Oct 11, 2024 1:41 am Post subject: |
|
|
Gentoo never implemented IUSE_RUNTIME, so USE flags that don't actually influence what the ebuild does are usually discouraged, since toggling the flag will trigger a rebuild that ultimately produces the same output. The situation might be different if upstream provided a configure option that could completely disable the ability to use X11 forwarding, since you could argue that a build with that disabled has no need of xauth.
For my LAN use on systems with no X server, I need to install xauth if I want ssh X11 forwarding to work, since the lack of local graphical display support means nothing on the system forces an install of xauth. I consider this an acceptable trade, since the ebuild does display a reminder about this. |
|
Back to top |
|
|
dmpogo Advocate
Joined: 02 Sep 2004 Posts: 3435 Location: Canada
|
Posted: Fri Oct 11, 2024 7:26 am Post subject: |
|
|
Hu wrote: | ssh and sshd both work fine without xauth installed, for users who choose not to use X11 forwarding. For me, I do not use X11 forwarding over a WAN link, because most X11 programs are too slow to use well in that mode. (Using them over a LAN is fine.) Therefore, I need not install xauth on systems that I will only ever access over a WAN. In my opinion, it is correct that users are not forced to install xauth, and are instead given a pointed hint that it needs to be manually installed. |
My internet is fast enough so that it works reasonably over WAN as well |
|
Back to top |
|
|
|