Ssh

From Linuxintro

ssh is a command to control a computer over the network.

Send graphical output to ssh user

To start a graphical program, e.g. kwrite, on your remote computer and have its window displayed on your local computer, use:

ssh -l user server -X
xclock &

what happens

After logging in with ssh -X, xauth is called to create/modify .Xauthority. Using netstat -putan you can find out that every ssh -X session gets a socket:

remote:~ # netstat -putan
[...]
tcp        0      0 127.0.0.1:6010          0.0.0.0:*               LISTEN      -
tcp        0      0 127.0.0.1:6011          0.0.0.0:*               LISTEN      -
tcp        0      0 127.0.0.1:6012          0.0.0.0:*               LISTEN      -
tcp        0      0 127.0.0.1:6013          0.0.0.0:*               LISTEN      -
[...]

And $DISPLAY is set automatically.

remote:~ # echo $DISPLAY
localhost:14.0

And sshd listens on the corresponding port, 6000 plus the display number (here 6014 for display 14), to forward X11 traffic:

remote:~ # lsof | grep 6014
sshd       5257     root    6u  IPv4 3755641440                   TCP localhost:6014 (LISTEN)

port forwarding

ssh username@server -L localport:remoteserver:remoteport

ssh verbose

ssh -v user@server

For more detail use -vv or -vvv.


Troubleshooting

Remote host identification has changed

Symptom

When trying to log in via ssh you may get a message like this:

tweedleburg:~ # ssh root@192.168.0.107
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@    WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED!     @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!
Someone could be eavesdropping on you right now (man-in-the-middle attack)!
It is also possible that the RSA host key has just been changed.
The fingerprint for the RSA key sent by the remote host is
32:78:25:83:d8:a6:de:ad:6a:0b:99:5e:05:e5:7c:e7.
Please contact your system administrator.
Add correct host key in /root/.ssh/known_hosts to get rid of this message.
Offending key in /root/.ssh/known_hosts:11
RSA host key for 192.168.0.107 has changed and you have requested strict checking.
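Host key verification failed.

Reason

This means the host key of the computer that you are trying to reach has changed. As the message itself says, the cause can be a legitimate key change on the server or another system answering in its place, so if the change is unexpected, confirm the new fingerprint with the system administrator before going on.

Solution

Remove the old key for that host from known_hosts:

$ ssh-keygen -R hostname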
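
A check to run before the removal above, as an added example that is not part of the original page: it reads the fingerprint out of ssh's warning text and compares it with one obtained over a trusted channel. The function names and the expected-fingerprint argument are assumptions of this example.

```shell
#!/bin/sh
# Added example, not from the original page: compare the fingerprint in ssh's
# warning with one obtained over a trusted channel before removing the old key.

# The warning text shown on this page, used as sample input (banner lines omitted).
sample_warning() {
cat <<'EOF'
The fingerprint for the RSA key sent by the remote host is
32:78:25:83:d8:a6:de:ad:6a:0b:99:5e:05:e5:7c:e7.
Please contact your system administrator.
Add correct host key in /root/.ssh/known_hosts to get rid of this message.
Offending key in /root/.ssh/known_hosts:11
RSA host key for 192.168.0.107 has changed and you have requested strict checking.
Host key verification failed.
EOF
}

# Fingerprint the server presented: the line after "... sent by the remote host is",
# with the trailing period removed. Works for MD5 (hex) and SHA256 formats.
presented_fingerprint() {
    awk '/key sent by the remote host is/ { getline; sub(/\. *$/, ""); print; exit }'
}

# "file:line" of the stale known_hosts entry named in the warning.
offending_entry() {
    sed -n 's/^Offending .*key in \(.*\):\([0-9][0-9]*\)$/\1:\2/p' | head -n 1
}

# check_rekey HOST EXPECTED_FP   (warning text on stdin)
# EXPECTED_FP is an assumption of this example: a value read from the server's
# console or given by its administrator, never copied from the warning itself.
# Returns 0 and prints the removal command on a match, 1 on mismatch, 2 if unparsable.
check_rekey() {
    rk_host=$1; rk_expected=$2; rk_warning=$(cat)
    rk_got=$(printf '%s\n' "$rk_warning" | presented_fingerprint)
    [ -n "$rk_got" ] || { echo "no fingerprint found in input" >&2; return 2; }
    if [ "$rk_got" != "$rk_expected" ]; then
        echo "MISMATCH: host presented $rk_got; keep the old entry and investigate" >&2
        return 1
    fi
    echo "match; stale entry: $(printf '%s\n' "$rk_warning" | offending_entry)"
    echo "ssh-keygen -R $rk_host"
}

# Demo: the expected value is the page's own fingerprint, standing in for a trusted one.
sample_warning | check_rekey 192.168.0.107 32:78:25:83:d8:a6:de:ad:6a:0b:99:5e:05:e5:7c:e7
```

In real use, pipe the saved stderr of the failed ssh call into check_rekey and run the printed ssh-keygen command only when it reports a match.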

ssh -X does not work

If ssh -X works, but you still do not get the graphical display from your remote machine, check /etc/ssh/sshd_config. There must be a line

X11Forwarding yes

Also, there must be a binary xauth, otherwise .Xauthority cannot be created.

If you get an error message like

Invalid MIT-MAGIC-COOKIE-1 key
Error: Can't open display: localhost:10.0

make sure to call

xhost +

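on the client machine before calling ssh. Note that xhost + switches off access control on that X server, so any host that can reach it may connect; switch it back on with xhost - when you are done.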

ssh hangs

Symptom: After calling something like

ssh root@venus

nothing seems to happen for about half a minute, then the password prompt appears.

Solution 1: Check the name server configuration. Here is an example case:

earth:~ # ssh root@192.168.0.108

Now I had to wait about 30 seconds, then I got the password prompt:

Password: 

I gave the password and inspected the name server config:

tweedleburg:~ # cat /etc/resolv.conf
[...]
nameserver 80.237.128.144
nameserver 192.168.0.1
nameserver 217.0.43.113
nameserver 217.0.43.97

Ok, let's see if the first name server is reachable:

tweedleburg:~ # ping 80.237.128.144
PING 80.237.128.144 (80.237.128.144) 56(84) bytes of data.
64 bytes from 80.237.128.144: icmp_req=1 ttl=57 time=48.4 ms
64 bytes from 80.237.128.144: icmp_req=2 ttl=57 time=48.8 ms

It is. I quit with Ctrl+C.

Now let's see if you can reach the name service's port:

tweedleburg:~ # telnet 80.237.128.144 53
Trying 80.237.128.144...
telnet: connect to address 80.237.128.144: No route to host

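No. We wait and nothing happens. This is our root cause: each name lookup made during login first waits for this unreachable name server to time out before the next one is tried. So let's edit /etc/resolv.conf and remove the name server 80.237.128.144: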

tweedleburg:~ # vi /etc/resolv.conf
tweedleburg:~ # exit
logout
Connection to 192.168.0.108 closed.
earth:~ # ssh root@192.168.0.108

And immediately I got the password prompt:

Password: 

Problem solved.

Solution 2: Stop and disable ypbind:

/etc/init.d/ypbind stop
