Ssh X11 forwarding stoped working

rfkspada · September 14, 2022, 1:52pm

Hi all,

Today, the ssh X11 forwarding stoped working. When I login via ssh (with -Y or -X), I get the message:

X11 forwarding request failed on channel 0

I did the configuration as explained here:

https://docs.01.org/clearlinux/latest/guides/network/openssh-server.html

and my /etc/ssh/sshd_config file looks like:

subsystem sftp /usr/libexec/sftp-server

AllowTcpForwarding yes
X11UseLocalhost yes 
X11DisplayOffset 10
X11Forwarding yes

Was there any change on how to configure it now? Is there anybody else with the same issue?

Businux · September 15, 2022, 8:51am

add the line

AddressFamily inet

to your sshd_config.

Also try X11UseLocalhost no

rfkspada · September 15, 2022, 1:34pm

Thank you for the help, but unfortunately it didn’t work.

marioroy · September 15, 2022, 3:12pm

The tallow service consumed a CPU core recently. I was curious and looked up the manual. Perhaps the service detected failed logins and inserted an ipset entry. Edit: This is not likely the case as you’re able to ssh in.

Extract from running: man tallow:

tallow  is  a daemon that watches the systemd journal for messages from
the sshd service. It parses the messages and looks for attempted random
logins  such  as failed logins to the root account and failed logins to
invalid user accounts, and various other obviously malicious login  at‐
tempts that try things as forcing old protocols, or weak key systems.

If  such  logins were detected, the offending IP address is stored in a
list. Items from this list are regularly purged, but if the  amount  of
times  that  a  specific  IP  address  is  seen exceeds a threshold, an
ipset(1) entry is inserted in the tallow or tallow6 ipset, and  further
packets  from  that  ip  address  will  be blocked by an iptables(1) or
ip6tables(1) rule that tallow creates at startup. Additionally, certain
types of login failure will trigger a short term ban of further packets
from the offending IP address immediately.

The system administrator needs to assure that the  tallow  and  tallow6
ipsets are left alone and that the inserted iptables rules are properly
matching on packets.

Care should be taken to assure that legitimate users  are  not  blocked
inadvertently.  You  may  wish  to  list  any valid IP address with the
whitelist  option  in  tallow.conf(5).  Multiple   addresses   can   be
whitelisted.

marioroy · September 15, 2022, 3:19pm

OpenSSH was updated recently in CL-37130 from 8.9p1-87 to 9.0p1-89.

More OpenSSH updates in CL-37150, CL-37160, and CL-37170.

Maybe all is well with CL-37170.

rfkspada · September 15, 2022, 4:51pm

Hi thank you,

I have CL 37160 and OpenSSH_9.0p1 right now.

I will wait for the next update.

Thank you

rfkspada · September 15, 2022, 7:27pm

It seems that the update to CL 37170 solved the problem.

Thank you very much.