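X11 forwarding over ssh only works with sudo
Problem
I can no longer do X11 forwarding over ssh as a normal user. It worked a few months ago, so something has been changed inadvertently.
What I've tried
Works with sudo:
As far as I can tell, my ssh and sshd configuration is correct. In fact, X11 is forwarded correctly if I run as root using sudo:

    $ ssh -X lm@<ip> -i <key>
    lm@localhost:~$ xeyes
    Error: Can't open display: localhost:10.0
    lm@localhost:~$ sudo xeyes
    lm@localhost:~$

Successfully forwarding X with sudo seems to be a common problem, but this is the opposite problem. I don't really understand the information I've seen about forwarding X as root or as another user, and I don't need to forward as root or another user at all. So how can I reset this back to normal?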
xauth
It makes sense to me that this is an authentication problem. I'm not sure how to tell whether it is correct, though.
There are two entries in the user's .Xauthority:

    lm@localhost:~$ xauth info
    Authority file:       /home/lm/.Xauthority
    File new:             no
    File locked:          no
    Number of entries:    2
    Changes honored:      yes
    Changes made:         no
    Current input:        (argv):1
    lm@localhost:~$ xauth list
    edare-fmt17138762/unix:10  MIT-MAGIC-COOKIE-1  48081e511d8ba861ccaf146b73a01617
    localhost/unix:10  MIT-MAGIC-COOKIE-1  ce23a352c8f10814e103474aa620fc31

I tried deleting .Xauthority but that did not solve the problem.
Possibly related hostname issue
The hostname should be edare-fmt17138762, but it gets reset on every reboot. I have tried setting the hostname again, and resetting the hostname to localhost entirely, but neither had any effect on forwarding X, so it seems the hostname is not the problem.
sshd_config changes
I tried using X11UseLocalhost yes, to no effect. I also tried X11UseLocalhost no, which gave additional and slightly different errors:

    $ ssh -Y lm@192.168.0.15 -i <key>
    Welcome to Ubuntu 16.04.3 LTS (GNU/Linux 4.4.0-93-generic x86_64)

     * Documentation:  https://help.ubuntu.com
     * Management:     https://landscape.canonical.com
     * Support:        https://ubuntu.com/advantage
    Last login: Thu Mar  1 14:51:41 2018 from 192.168.0.2
    /usr/bin/xauth: (stdin):1:  bad display name "edare-fmt17138762:10.0" in "remove" command
    /usr/bin/xauth: (stdin):2:  bad display name "edare-fmt17138762:10.0" in "add" command
    lm@edare-fmt17138762:~$ xeyes
    Error: Can't open display: edare-fmt17138762:10.0

Setting DISPLAY
I also tried setting the DISPLAY variable to 127.0.0.1:10.0:

    lm@edare-fmt17138762:~$ export DISPLAY='192.168.0.15:10.0'
    lm@edare-fmt17138762:~$ xeyes
    X11 connection rejected because of wrong authentication.
    Error: Can't open display: 192.168.0.15:12.0

SSH configuration
Server
Ubuntu 16.04 running standard OpenSSH.

    # Package generated configuration file
    # See the sshd_config(5) manpage for details

    # What ports, IPs and protocols we listen for
    Port 22
    # Use these options to restrict which interfaces/protocols sshd will bind to
    #ListenAddress ::
    #ListenAddress 0.0.0.0
    Protocol 2
    # HostKeys for protocol version 2
    HostKey /etc/ssh/ssh_host_rsa_key
    HostKey /etc/ssh/ssh_host_dsa_key
    HostKey /etc/ssh/ssh_host_ecdsa_key
    HostKey /etc/ssh/ssh_host_ed25519_key
    #Privilege Separation is turned on for security
    UsePrivilegeSeparation yes

    # Lifetime and size of ephemeral version 1 server key
    KeyRegenerationInterval 3600
    ServerKeyBits 1024

    # Logging
    SyslogFacility AUTH
    LogLevel INFO

    # Authentication:
    LoginGraceTime 120
    PermitRootLogin prohibit-password
    StrictModes yes

    RSAAuthentication yes
    PubkeyAuthentication yes
    #AuthorizedKeysFile %h/.ssh/authorized_keys

    # Don't read the user's ~/.rhosts and ~/.shosts files
    IgnoreRhosts yes
    # For this to work you will also need host keys in /etc/ssh_known_hosts
    RhostsRSAAuthentication no
    # similar for protocol version 2
    HostbasedAuthentication no
    # Uncomment if you don't trust ~/.ssh/known_hosts for RhostsRSAAuthentication
    #IgnoreUserKnownHosts yes

    # To enable empty passwords, change to yes (NOT RECOMMENDED)
    PermitEmptyPasswords no

    # Change to yes to enable challenge-response passwords (beware issues with
    # some PAM modules and threads)
    ChallengeResponseAuthentication no

    # Change to no to disable tunnelled clear text passwords
    PasswordAuthentication no

    # Kerberos options
    #KerberosAuthentication no
    #KerberosGetAFSToken no
    #KerberosOrLocalPasswd yes
    #KerberosTicketCleanup yes

    # GSSAPI options
    #GSSAPIAuthentication no
    #GSSAPICleanupCredentials yes

    X11Forwarding yes
    X11DisplayOffset 10
    PrintMotd no
    PrintLastLog yes
    TCPKeepAlive yes
    #UseLogin no

    #MaxStartups 10:30:60
    #Banner /etc/issue.net

    # Allow client to pass locale environment variables
    AcceptEnv LANG LC_*

    Subsystem sftp /usr/lib/openssh/sftp-server

    # Set this to 'yes' to enable PAM authentication, account processing,
    # and session processing. If this is enabled, PAM authentication will
    # be allowed through the ChallengeResponseAuthentication and
    # PasswordAuthentication. Depending on your PAM configuration,
    # PAM authentication via ChallengeResponseAuthentication may bypass
    # the setting of "PermitRootLogin without-password".
    # If you just want the PAM account and session checks to run without
    # PAM authentication, then enable this but set PasswordAuthentication
    # and ChallengeResponseAuthentication to 'no'.
    UsePAM yes
    PasswordAuthentication no

Client
The same problem occurs with several clients that used to work: OpenSSH from another Ubuntu 16.04 machine and PuTTY from Windows 10.
ssh -v

    OpenSSH_7.2p2 Ubuntu-4ubuntu2.4, OpenSSL 1.0.2g  1 Mar 2016
    debug1: Reading configuration data /etc/ssh/ssh_config
    debug1: /etc/ssh/ssh_config line 19: Applying options for *
    debug1: Connecting to 192.168.0.15 [192.168.0.15] port 22.
    debug1: Connection established.
    debug1: identity file <my file> type 1
    debug1: key_load_public: No such file or directory
    debug1: identity file <my file> type -1
    debug1: Enabling compatibility mode for protocol 2.0
    debug1: Local version string SSH-2.0-OpenSSH_7.2p2 Ubuntu-4ubuntu2.4
    debug1: Remote protocol version 2.0, remote software version OpenSSH_7.2p2 Ubuntu-4ubuntu2.2
    debug1: match: OpenSSH_7.2p2 Ubuntu-4ubuntu2.2 pat OpenSSH* compat 0x04000000
    debug1: Authenticating to 192.168.0.15:22 as 'lm'
    debug1: SSH2_MSG_KEXINIT sent
    debug1: SSH2_MSG_KEXINIT received
    debug1: kex: algorithm: curve25519-sha256@libssh.org
    debug1: kex: host key algorithm: ecdsa-sha2-nistp256
    debug1: kex: server->client cipher: chacha20-poly1305@openssh.com MAC: <implicit> compression: none
    debug1: kex: client->server cipher: chacha20-poly1305@openssh.com MAC: <implicit> compression: none
    debug1: expecting SSH2_MSG_KEX_ECDH_REPLY
    debug1: Server host key: ecdsa-sha2-nistp256 SHA256:WVq6hBhuqXF99QGeoyfeiLYk+l7fJOGqpyk52roqdcE
    debug1: Host '192.168.0.15' is known and matches the ECDSA host key.
    debug1: Found key in /home/jmilloy/.ssh/known_hosts:34
    debug1: rekey after 134217728 blocks
    debug1: SSH2_MSG_NEWKEYS sent
    debug1: expecting SSH2_MSG_NEWKEYS
    debug1: rekey after 134217728 blocks
    debug1: SSH2_MSG_NEWKEYS received
    debug1: SSH2_MSG_EXT_INFO received
    debug1: kex_input_ext_info: server-sig-algs=<rsa-sha2-256,rsa-sha2-512>
    debug1: SSH2_MSG_SERVICE_ACCEPT received
    debug1: Authentications that can continue: publickey
    debug1: Next authentication method: publickey
    debug1: Offering RSA public key: <my key>
    debug1: Server accepts key: pkalg rsa-sha2-512 blen 279
    debug1: Authentication succeeded (publickey).
    Authenticated to 192.168.0.15 ([192.168.0.15]:22).
    debug1: channel 0: new [client-session]
    debug1: Requesting no-more-sessions@openssh.com
    debug1: Entering interactive session.
    debug1: pledge: exec
    debug1: client_input_global_request: rtype hostkeys-00@openssh.com want_reply 0
    debug1: Requesting X11 forwarding with authentication spoofing.
    debug1: Sending environment.
    debug1: Sending env LANG = en_US.UTF-8
    Welcome to Ubuntu 16.04.3 LTS (GNU/Linux 4.4.0-93-generic x86_64)

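Regarding the hostname reset, check whether you have something like cloud-config installed and configured. It does mess with some things, and you may need to change some options such as update_hostname or set_hostname.
Regarding the problem itself, try adding the following to your sshd_config and restarting sshd.

    X11Forwarding yes
    X11DisplayOffset 10
    X11UseLocalhost yes
    AddressFamily inet
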
Had the same problem; the solution was: my hostname (cat /etc/hostname) was not in /etc/hosts. There was a different name defined for my IP address in /etc/hosts.
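
A diagnostic sketch for the two causes named in the answers above (hostname missing from /etc/hosts, and the suggested sshd_config settings). This is an added example, not code from either answer; the function names are made up here, the file paths are arguments, and the sample files are constructed.

```shell
#!/bin/sh
# Added diagnostic sketch (not from the original posts). Function names are
# made up here; file paths are arguments so it can run on copies of the files.

# hostname_in_hosts NAME HOSTS_FILE: succeed if NAME is a host name or alias
# on a non-comment line of HOSTS_FILE (the cause named in the last answer).
hostname_in_hosts() {
    awk -v name="$1" '
        { sub(/#.*/, "") }
        { for (i = 2; i <= NF; i++) if (tolower($i) == tolower(name)) found = 1 }
        END { exit !found }
    ' "$2"
}

# sshd_option KEY CONFIG: print the value sshd would use for KEY. Keywords are
# case-insensitive and the first occurrence wins; Match blocks are ignored here.
sshd_option() {
    awk -v key="$1" '
        { sub(/#.*/, "") }
        tolower($1) == tolower(key) { print $2; exit }
    ' "$2"
}

# check_x11_setup NAME HOSTS_FILE CONFIG: print findings, fail if there are any.
check_x11_setup() {
    rc=0
    hostname_in_hosts "$1" "$2" ||
        { echo "hostname '$1' is missing from $2"; rc=1; }
    [ "$(sshd_option X11Forwarding "$3")" = yes ] ||
        { echo "X11Forwarding is not 'yes' in $3"; rc=1; }
    [ "$(sshd_option AddressFamily "$3")" = inet ] ||
        { echo "AddressFamily is not 'inet' in $3 (suggested in the first answer)"; rc=1; }
    return "$rc"
}

# Constructed sample files that reproduce the state described in the answers.
demo=$(mktemp -d)
printf '127.0.0.1 localhost\n192.168.0.15 some-other-name  # constructed\n' > "$demo/hosts"
printf 'X11Forwarding yes\nX11DisplayOffset 10\n#AddressFamily inet\n' > "$demo/sshd_config"
check_x11_setup edare-fmt17138762 "$demo/hosts" "$demo/sshd_config" ||
    echo "=> fix the findings above, then restart sshd and reconnect"
```

On the server itself the call would be `check_x11_setup "$(cat /etc/hostname)" /etc/hosts /etc/ssh/sshd_config`.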