ssh -Y stopped working after reboot

[Moriah]

I have a dual NIC machine I use as an internal firewall. It doesn't get rebooted often, but the other day a power failure alerted me to the fact that the last time I worked on its hardware, I plugged it into a non-battery backed up outlet (my dumb mistake), so the power failure rebooted it. After that, I can no longer forward DISPLAY with ssh -Y root@machine when I log into that machine from another machine. It worked up till the reboot.

I assume that somewhere between that reboot and the previous one (months ago) a routine update clobbered something and caused this annoyance. I checked the /etc/ssh/ files to make sure X11 forwarding was enabled. Since I do log in as root (there are no other usernames on that machine), I suspect something changed to make logging in as root an issue.

Any ideas on what it might be and how to fix this?
_________________
The MyWord KJV Bible tool is at http://www.elilabs.com/~myword

Foghorn Leghorn is a Warner Bros. cartoon character.

[dmpogo]

[pjp]

What about when you use -v, does it produce anything notable? You can try an additional 2 v's (-vv and -vvv), but the output can sometimes be excessive if fewer v's work.
_________________
Quis separabit? Quo animo?

[Moriah]

Thanks for the -v to get a debug trace. For some weird reason, xauth was missing on the machine I was loggfing into. I emerged x11-apps/xauth and now it works!
_________________
The MyWord KJV Bible tool is at http://www.elilabs.com/~myword

Foghorn Leghorn is a Warner Bros. cartoon character.

[Hu]

Perhaps xauth had been present as a dependency, some other update removed that requirement, and a later emerge --depclean removed xauth. Portage would have told you that xauth was on the list to remove, but you could have missed it.

You could check /var/log/emerge.log to see when xauth was removed.

[Moriah]

Yes, that's probably what happened. So why isn't xauth on the dependency list for ssh/sshd ?
_________________
The MyWord KJV Bible tool is at http://www.elilabs.com/~myword

Foghorn Leghorn is a Warner Bros. cartoon character.

[pjp]

That is an interesting question. My first guess would be that it isn't an upstream dependency, so it hasn't been made one for Gentoo.

From openssh build output:

[Hu]

ssh and sshd both work fine without xauth installed, for users who choose not to use X11 forwarding. For me, I do not use X11 forwarding over a WAN link, because most X11 programs are too slow to use well in that mode. (Using them over a LAN is fine.) Therefore, I need not install xauth on systems that I will only ever access over a WAN. In my opinion, it is correct that users are not forced to install xauth, and are instead given a pointed hint that it needs to be manually installed.

[CaptainBlood]

You have X11 installed?
You have x11-apps/xauth installed! (if system is up to date).

Here's

[pjp]

[Hu]

Gentoo never implemented IUSE_RUNTIME, so USE flags that don't actually influence what the ebuild does are usually discouraged, since toggling the flag will trigger a rebuild that ultimately produces the same output. The situation might be different if upstream provided a configure option that could completely disable the ability to use X11 forwarding, since you could argue that a build with that disabled has no need of xauth.

For my LAN use on systems with no X server, I need to install xauth if I want ssh X11 forwarding to work, since the lack of local graphical display support means nothing on the system forces an install of xauth. I consider this an acceptable trade, since the ebuild does display a reminder about this.

[dmpogo]