From: Ernie Luzar
Date: Wed, 05 Apr 2017 11:18:26 -0400
To: byrnejb@harte-lyne.ca
CC: freebsd-questions@freebsd.org
Subject: Re: X11 and ezjails
Message-ID: <58E50AC2.7010909@gmail.com>

James B. Byrne via freebsd-questions wrote:
> On Fri, March 31, 2017 14:45, Polytropon wrote:
>> On Fri, 31 Mar 2017 13:39:29 -0400, James B. Byrne via
>> freebsd-questions wrote:
>>> I would like to run gvim in an X11 window over ssh to a jailed
>>> instance created with ezjail. I have set sshd_config in the jail to
>>> allow X11Forwarding and I am connecting with 'ssh -Y
>>> jail.domain.tld'
>>>
>>> However, when I log into the jail and run gvim then I see this:
>>>
>>> # gvim
>>> X11 connection rejected because of wrong authentication.
>>> E233: cannot open display
>>> Press ENTER or type command to continue
>>>
>>> E852: The child process failed to start the GUI
>>> X11 connection rejected because of wrong authentication.
>>>
>>>
>>> I have run into this before and have attempted to apply all of the
>>> previous remedies but nothing seems to work. Is there anything
>>> about jails themselves that would prevent X11 forwarding?
>> Just a very stupid question: You _did_ set $DISPLAY as needed?
>> See "man ssh", section X11 FORWARDING.
>>
>>
>
> echo $DISPLAY
> localhost:10.0
>
> I have this in the local host's ssh_config:
>
> Host *
>   GSSAPIAuthentication yes
>   # If this option is set to yes then remote X11 clients will
>   # have full access to the original X11 display. As virtually
>   # no X11 client supports the untrusted mode correctly we set
>   # this to yes.
>   ForwardX11Trusted yes
>   ForwardAgent yes
>   # Send locale-related environment variables
>   SendEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE
>   SendEnv LC_MONETARY LC_MESSAGES
>   SendEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT
>   SendEnv LC_IDENTIFICATION LC_ALL LANGUAGE
>   SendEnv XMODIFIERS
>   Protocol 2
>
> I have this in the remote host jail /etc/ssh/sshd_config:
>
> GatewayPorts no
> AllowTcpForwarding yes
> KeepAlive yes
> IgnoreRhosts yes
> Banner /etc/ssh/ssh_pre_logon.txt
> IgnoreUserKnownHosts no
> PrintMotd yes
> StrictModes yes
> PubkeyAuthentication yes
> RSAAuthentication no
> PermitRootLogin without-password
> PermitEmptyPasswords no
> X11Forwarding yes
> X11DisplayOffset 10
> X11UseLocalhost yes
>
>
> I connect using this:
>
> ssh 192.168.209.33 -t -X 'bash || sh'
>
> When I attempt to run gvim over a session created with the above ssh
> command then I get this
>
> gvim
> X11 connection rejected because of wrong authentication.
> E233: cannot open display
> Press ENTER or type command to continue
>
> E852: The child process failed to start the GUIX11 connection rejected
> because of wrong authentication.
>
> I only encounter this on jailed instances on the remote host. On the
> remote host itself gvim works over ssh connections without difficulty.
>
> I regret the delay in returning to this issue but other matters proved
> more pressing in the meantime.
>
> Any ideas respecting resolving this are most welcome.
>
>

This is the problem
E233: cannot open display

gvim will not work if run in a jail. gvim uses X11 and X11 needs kernel
access to talk to the X11 display. Jails are designed on purpose to deny
kernel access to secure the host system from attack. This is why you can
never get a desktop to run in a jail. The other authentication error
messages are bogus and can be ignored as misleading. This is also why
gvim works when run on the host system.

The bottom line here is that what you're trying to run in a jail will
NEVER work. Ezjail has no bearing on this problem, it's a design feature
of jail(8).
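
Added example, not part of the thread and not code from any of the posters: the client ssh_config quoted above sets ForwardX11Trusted and ForwardAgent under `Host *`, so both apply to every destination the client connects to. The script below lists the forwarding options an ssh_config enables per Host pattern and compares the quoted settings with a constructed config that scopes X11 forwarding to the jail host; the function names, the temporary file names and the scoped config are assumptions.

```shell
#!/bin/sh
# Added example: list the forwarding options an ssh_config enables, per Host pattern.

audit_ssh_forwarding() {    # $1 = ssh_config path; prints "<pattern> <option>"
    awk '
        BEGIN { host = "*" }                 # options before any Host line are global
        /^[ \t]*#/ || /^[ \t]*$/ { next }    # skip comments and blank lines
        {
            sub(/^[ \t]+/, ""); sub(/[ \t]*=[ \t]*/, " ")   # accept "Key=value" too
            key = tolower($1); val = tolower($2)
            if (key == "host") { $1 = ""; sub(/^ /, ""); host = $0; next }
            if (val == "yes" && key ~ /^(forwardx11|forwardx11trusted|forwardagent)$/)
                print host, key
        }' "$1"
}

global_findings() {         # count findings whose pattern is exactly "*"
    audit_ssh_forwarding "$1" | awk '$1 == "*" { n++ } END { print n + 0 }'
}

tmp=$(mktemp -d); trap 'rm -rf "$tmp"' EXIT

# Forwarding-related lines of the client config quoted in the thread.
cat > "$tmp/thread_ssh_config" <<'EOF'
Host *
  GSSAPIAuthentication yes
  ForwardX11Trusted yes
  ForwardAgent yes
  Protocol 2
EOF

# Constructed alternative: ssh uses the first value it finds for each option,
# so the block for the one host that needs X11 goes before the Host * defaults.
cat > "$tmp/scoped_ssh_config" <<'EOF'
Host jail.domain.tld
  ForwardX11 yes
  ForwardX11Trusted yes
Host *
  ForwardX11 no
  ForwardX11Trusted no
  ForwardAgent no
EOF

for f in thread_ssh_config scoped_ssh_config; do
    echo "$f: $(global_findings "$tmp/$f") forwarding option(s) enabled for every host"
    audit_ssh_forwarding "$tmp/$f" | sed 's/^/  /'
done
```

With ForwardX11Trusted set to yes, a session started with `-X` (as in the thread) is forwarded in trusted mode, which is why the scope of that setting matters.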