Then as a part of requirement and as per Oracle support's advice, ....Are you in contact with Oracle support?
Do you have X11 Forwarding enabled in the sshd config file? What happens if you do a ssh -X to the remote system and start xclock? The thing to keep in mind is that xclock will run on the remote server system, but using the X-server and display on your client side. When using ssh -X you should not configure any Display environment variables. How do you login? e.g. you cannot use "su", e.g. login as root and use "su - oracle" on the remote system as it will break X11 forwarding.
<<<<Are you in contact with Oracle support?>>>>
I have raised a SR with Oracle Support. Waiting for their response.
<<<<Do you have X11 Forwarding enabled in the sshd config file? What happens if you do a ssh -X to the remote system and start xclock? The thing to keep in mind is that xclock will run on the remote server system, but using the X-server and display on your client side. When using ssh -X you should not configure any Display environment variables. How do you login? e.g. you cannot use "su", e.g. login as root and use "su - oracle" on the remote system as it will break X11 forwarding. >>>>
I have now commented the sftp jailing code from the sshd_config files and brought it in sync with sshd_config of other server where I could run xclock successfully. Even after that the affected server fails to execute xclock.
I don't use root or oracle user accounts, I use my personal account to login and execute xclock. I open Exceed HummingBird tool to enter the IP address, username, password, enter xclock as the cmd to be executed. I used the same approach to install the ODI on the affected server. But post SSH upgrade I can't open it.
I also tried doing ssh -X login to execute xclock and still come across the same error.
Tried but still same error.
Affected server's sshd_config is as below:
[root@apssvrX]# cat /etc/ssh/sshd_config
# $OpenBSD: sshd_config,v 1.73 2005/12/06 22:38:28 reyk Exp $
# This is the sshd server system-wide configuration file. See
# sshd_config(5) for more information.
# This sshd was compiled with PATH=/usr/local/bin:/bin:/usr/bin
# The strategy used for options in the default sshd_config shipped with
# OpenSSH is to specify options with their default value where
# possible, but leave them commented. Uncommented options change a
# default value.
# HostKey for protocol version 1
# HostKeys for protocol version 2
# Lifetime and size of ephemeral version 1 server key
# obsoletes QuietMode and FascistLogging
# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
# similar for protocol version 2
# Change to yes if you don't trust ~/.ssh/known_hosts for
# RhostsRSAAuthentication and HostbasedAuthentication
# Don't read the user's ~/.rhosts and ~/.shosts files
# To disable tunneled clear text passwords, change to no here!
# Change to no to disable s/key passwords
# Kerberos options
# GSSAPI options
# Set this to 'yes' to enable PAM authentication, account processing,
# and session processing. If this is enabled, PAM authentication will
# be allowed through the ChallengeResponseAuthentication mechanism.
# Depending on your PAM configuration, this may bypass the setting of
# PasswordAuthentication, PermitEmptyPasswords, and
# "PermitRootLogin without-password". If you just want the PAM account and
# session checks to run without PAM authentication, then enable this but set
# Accept locale-related environment variables
AcceptEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES
AcceptEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT
AcceptEnv LC_IDENTIFICATION LC_ALL
# no default banner path
# override default of no subsystems
Subsystem sftp /usr/libexec/openssh/sftp-server
## Commented the sftp jailing configuration
##Subsystem sftp internal-sftp
##Match Group sftponly
## ChrootDirectory %h
## X11Forwarding no
## AllowTcpForwarding no
## ForceCommand internal-sftp
Did Oracle support get back with a solution?
Btw, I use the same ssh version and have no trouble at all.
$ ssh -V
OpenSSH_5.2p1, OpenSSL 0.9.8e-fips-rhel5 01 Jul 2008
Apparently X11Forwarding is set to no by default (?!). I have temporarily copied your sshd_config file and restarted the ssh daemon:
# service sshd restart
Then I log out and back in again using ssh -X email@example.com
xclock is working - So I don't think the problem is your sshd_config file, not after enabling X11Forwarding.
Did anything else change, e.g. firewall, network, IP address of your client, server?
Can you execute *xhost +* on your client system to disable access control and try again?
Can you disable your firewall?
Edited by: Dude on Dec 28, 2010 5:45 AM
.... updated my previous response.
I'm on a Mac here, which does not need 3rd party ssh or X11 software, so I cannot test your client. But, there are also other products available for Windows, for free, with good feedback, e.g. http://mobaxterm.mobatek.net/en/ in case your problem boils down to Exceed.
Edited by: Dude on Dec 28, 2010 6:13 AM
Why even bother with X11 over ssh tunnels back to some MS Windows X server? Just start a vncserver on the Linux system, and connect to it with vncviewer from the Windows PC. Much simpler, and if for some reason your network connection isn't terribly reliable, your applications aren't killed when the connection is dropped. You just reconnect, and it's all there.
I am afraid, VNC is something that I cannot try as it is a strict no no in my project. Not sure why, I guess it's for security reasons. I tried to execute xclock from Kea!X and Exceed tools on the server in question, but all my attempts were unsuccessful.
Both kea!x and Exceed are able to execute xclock on another server where SSH is on 4.2p1, but not on the server with 5.2p1 OpenSSH ???? Apparently both are of same build OELu3. So, my suspicion is that it has to do with the upgrade of SSH.
So far Oracle Support has been of little help. So, have to try something on my own.
Does anyone of you know where I can find the RPMs to upgrade the SSH from 5.2p1 to 5.3 or even higher versions?
Also, if you can advise whether it is safe to remove the 3 RPMs installed for 5.2p1??
Edited by: user8776510 on 31-Dec-2010 04:25
Edited by: user8776510 on 31-Dec-2010 04:29
What was your actual reason for upgrade? Openssh is such a common software that I would rather suspect a problem external to it. What about your Exceed Hummingbird X-server configuration? Does your login do a "su" command that could break X-forwarding? What about DNS or Firewall issues?
Can you use -v to show verbose information? This might give you some clue what's happening, e.g.:
# ssh -v -X firstname.lastname@example.org
Output, when logging in and running xclock, should be similar to:
debug1: Authentication succeeded (password).
debug1: channel 0: new [client-session]
debug1: Requesting email@example.com
debug1: Entering interactive session.
debug1: Requesting X11 forwarding with authentication spoofing.
Last login: Fri Dec 31 02:08:04 2010 from 10.0.0.1
[root@ol55 ~]# xclock
debug1: client_input_channel_open: ctype x11 rchan 3 win 65536 max 16384
debug1: client_request_x11: request from 127.0.0.1 11370
debug1: channel 1: new [x11]
debug1: confirm x11
Edited by: Dude on Jan 1, 2011 3:10 AM
The OP's sshd configuration file is not the problem, at least the same worked on my system.
Does OpenSSH allow X Windows forwarding without TCP forwarding enabled? Yes.
Port forwarding is a general TCP proxying feature that tunnels TCP connections through an SSH session. This is useful for securing otherwise insecure protocols running on top of TCP or for tunneling TCP connections through firewalls that would otherwise forbid access. X forwarding is a special case of port forwarding for X Window System connections, for which SSH has extra support. This makes it easy to secure X connections with SSH, which is good because X, while popular and useful, is notoriously insecure. Access control on forwarded ports is normally coarse, but you can achieve finer control with the TCP-wrappers feature.
Anyway, not sure if the OP still listens ;-(
Oracle Support has not come back with a solution yet. Meanwhile, I have reverted my SSH from 5.2p1 to 4.3p2 (that came along with original build).
After reverting back to 4.3p2, I could execute the xclock. So, do you still think that it's something to do with Firewall or Forwarding setup???
(1) To install the 5.2p1 packages, I downloaded the 3 RPMs from http://layer1.rack911.com/openssh/rhel5/x86_64/ and ran the "rpm" command to install them
(2) To remove the packages I used "yum remove openssh-5.2p1-1.x86_64.rpm openssh-clients-5.2p1-1.x86_64.rpm openssh-server-5.2p1-1.x86_64.rpm".
(3) To install the 4.3p2 packages, I used the yum install command.
I think I had tried the below combination already and was unsuccessful to execute xclock. Having said that, once I am back at work, I will give it another shot:
X11 Forwarding has to be set to yes - there is no doubt about it. AllowTcpForwarding yes does not apply since it is maintained by X11 Forwarding. Sorry, but in my opinion, just because the old ssh works, does not necessarily mean ssh is the culprit. There are a couple of software components, computers and network involved that add their part to the game. The network or firewall, depending on your organization, can be a problem, e.g. sophisticated setup with packet inspection, limited Port forwarding resources, severe network performance and timeout issues because of duplex mismatch, just to name a few. Maybe openssh-5.2p1 is a problem in your particular setup, but it does not seem a general issue with the software. What about your exceed hummingbird configuration, did you check it? Are you setting any DISPLAY variables in your Linux shell or Exceed? Anyway, I did not invent ssh.
The following link looks useful for troubleshooting Exceed http://www.uic.edu/depts/accc/software/exceed/sshexceed.html
Edited by: Dude on Jan 4, 2011 5:00 AM
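Several replies above hinge on whether X11Forwarding is actually in effect in the posted sshd_config. As an added example (not written by any poster in this thread), the shell function below reports the value sshd would take from a config file: the first global X11Forwarding line wins, the default is no, and every Match block that sets it is listed. It assumes a single file with no Include directives; the function name x11_status and the sample config, built from the jail directives quoted earlier, are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): report X11Forwarding as sshd would
# read it from a config file. Assumes a single file with no Include lines.
x11_status() {
    awk '
    BEGIN { global = "no"; seen = 0; hdr = "" }
    /^[ \t]*#/ { next }                      # skip comment lines
    /^[ \t]*$/ { next }                      # skip blank lines
    {
        sub(/[ \t]*=[ \t]*/, " ")            # accept the "Keyword=value" form
        key = tolower($1)                    # keywords are case-insensitive
        if (key == "match") {                # lines after Match are conditional
            hdr = $0; sub(/^[ \t]+/, "", hdr); next
        }
        if (key != "x11forwarding") next
        val = tolower($2)
        if (hdr == "") {
            if (!seen) { global = val; seen = 1 }   # first value wins
        } else {
            printf "override: %s -> %s\n", hdr, val
        }
    }
    END { printf "global: %s%s\n", global, (seen ? "" : " (default, not set)") }
    ' "$1"
}

# Constructed sample: the jail directives from the thread, uncommented, with
# no global X11Forwarding line (none is visible in the posted file either).
sample=$(mktemp)
cat > "$sample" <<'EOF'
Subsystem sftp internal-sftp
Match Group sftponly
    ChrootDirectory %h
    X11Forwarding no
    AllowTcpForwarding no
    ForceCommand internal-sftp
EOF
x11_status "$sample"
rm -f "$sample"
```

Run it against /etc/ssh/sshd_config on both the working and the failing server and compare the two reports.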