problem

I want to run X-applications remotely on a machine C from my client A. The only way to connect to this machine is by using machine B (firewall) as a hop:

A --> B --> C

So far, simple ssh works as expected, however I can't get X11 forwarding running.

I have found some similar questions, but I think they all assume that X11 is running on B. Solutions like "How to enable SSH X11 forwarding through additional server?" seem not to be working with my setup.

Could it be that you need to have an X-server running on B to forward X11 from C to B and B to A?

setup

I have set up my ~/.ssh/ssh_config on A according to this article: http://sshmenu.sourceforge.net/articles/transparent-mulithop.html

When I try to connect and forward X11 from C by using

$A: ssh -X C

I get connected to C through B, but without X11 forwarding (although enabled on B and C):

$C: echo $DISPLAY

$C: glxgears 
Error: couldn't open display (null)

machines used

  • A: Arch Linux 3.13.7-1-ARCH notebook running X-server/gnome
  • B: Debian 6 Linux 2.6.32-5-amd64 pc no X-server installed/running
  • C: OpenSuse 13.1 3.11.10-7-desktop pc running X-server/gnome

conclusion

I'm not sure if the problem exists because of my configuration/setup or whether this would not work in general... I would appreciate it if anyone with a similar problem/experience could help me out!

christophwu

3 Answers

I don't believe the X11 forwarding will work in the described multi-hop scenario.

However, if you were to first establish an ssh connection A->B with port forwarding to C:22 and then connect to C with X11 forwarding through the established 'direct' connection that should work just fine.

Something like the following:

A $ ssh -L2200:C:22 -N B (possibly putting that to the background)

followed by:

A $ ssh -X -p2200 localhost

Håkan Lindqvist

If you are using a ProxyCommand, then don't use -X for the ProxyCommand. The ProxyCommand should leave all the advanced features disabled; you only need the bare minimum for the ProxyCommand.

When using a ProxyCommand to ssh from A to B and connect to port 22 on C using nc, the ssh client on A will be communicating with the ssh server on C. The implication of this is that nothing that happens on B can affect which features you can make use of between A and C. It would be impossible for B to have any influence, since the communication is encrypted as it passes through B.

The explanation for why X11 forwarding is not working for you has to be found on either A or C. The command you typed on A looks correct to me, so there are two explanations left, which I can think of:

  1. You did not have a DISPLAY variable in the shell, where you typed the ssh command.
  2. The ssh server on C is configured to disallow X11 forwarding. You need "X11Forwarding yes" in sshd_config on C, otherwise it won't work.
kasperd
  • Thanks for the detailed explanation! The problem was the missing `X11UseLocalhost no` in `sshd_config` on C. With that added and `-X` removed from ProxyCommand everything works as expected – christophwu Mar 30 '14 at 10:42
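
The checks named in the answer and comment above, as an added example that is not part of the original posts: it audits the effective client config on A and the effective server config on C. It assumes OpenSSH's `ssh -G` and `sshd -T` config dumps as input; the function names `opt`, `check_client` and `check_server` are hypothetical.

```sh
#!/bin/sh
# Added example, not from the original answers; sample input is constructed.
#   check_client "$DISPLAY" < output of `ssh -X -G C` on A
#   check_server            < output of `sshd -T` (as root) on C
# Each prints FAIL/NOTE lines and returns 1 if any FAIL was printed.

# Print the value of one lowercase keyword from a config dump held in $cfg.
opt() { printf '%s\n' "$cfg" | awk -v k="$1" '$1 == k { print $2 }'; }

check_client() {
    display=$1; cfg=$(cat); rc=0
    proxy=$(printf '%s\n' "$cfg" | sed -n 's/^proxycommand //p')
    # Without DISPLAY on A the client has no local X server to forward to.
    [ -n "$display" ] || { echo "FAIL client: DISPLAY is empty in the shell running ssh"; rc=1; }
    [ "$(opt forwardx11)" = "yes" ] || { echo "FAIL client: forwardx11 is not yes for C"; rc=1; }
    # The hop to B only carries the TCP stream to C:22; it should not ask for X11.
    case " $proxy " in
        *" -X "*|*" -Y "*)
            echo "FAIL client: ProxyCommand requests X11 forwarding; drop -X/-Y there"; rc=1 ;;
    esac
    return $rc
}

check_server() {
    cfg=$(cat); rc=0
    [ "$(opt x11forwarding)" = "yes" ] || { echo "FAIL server: x11forwarding is not yes"; rc=1; }
    # sshd runs xauth on C to install the cookie for the forwarded display.
    xauth=$(opt xauthlocation)
    if [ -z "$xauth" ] || [ ! -x "$xauth" ]; then
        echo "FAIL server: xauth is not executable at '$xauth'"; rc=1
    fi
    # 'no' was the asker's fix, but it moves the listener off loopback.
    if [ "$(opt x11uselocalhost)" = "no" ]; then
        echo "NOTE server: x11uselocalhost no binds forwarded displays to the wildcard address"
    fi
    return $rc
}

# Constructed sample: a client config dump with -X left in the ProxyCommand.
printf '%s\n' 'forwardx11 yes' 'proxycommand ssh -X B nc C 22' | check_client ":0" || true
```

With `X11UseLocalhost no`, the forwarded display on C is reachable from other hosts unless a firewall on C restricts the X11 forwarding ports.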

In a multihop setup like that with X11 forwarding you need xauth on every machine. That is the only X11 application you need on machine B. Machine A is the only machine that needs an X server. Machine C of course needs your X11 applications, but does not need an X server. In theory you could even do this with no X11 applications on Machine A.

hildred