Date: Wed, 05 Apr 2017 11:18:26 -0400
From: Ernie Luzar <luzar722@gmail.com>
To: byrnejb@harte-lyne.ca
Cc: freebsd-questions@freebsd.org
Subject: Re: X11 and ezjails
Message-ID: <58E50AC2.7010909@gmail.com>
In-Reply-To: <af012e38f42d0eac2190c87c0a523276.squirrel@webmail.harte-lyne.ca>
References: <7f49f81e25d0eb05aad1af66df49c525.squirrel@webmail.harte-lyne.ca> <20170331204517.f30e0f3b.freebsd@edvax.de> <af012e38f42d0eac2190c87c0a523276.squirrel@webmail.harte-lyne.ca>

James B. Byrne via freebsd-questions wrote:
> On Fri, March 31, 2017 14:45, Polytropon wrote:
>> On Fri, 31 Mar 2017 13:39:29 -0400, James B. Byrne via
>> freebsd-questions wrote:
>>> I would like to run gvim in an X11 window over ssh to a jailed
>>> instance created with ezjail. I have set sshd_config in the jail to
>>> allow X11Forwarding and I am connecting with 'ssh -Y
>>> jail.domain.tld'
>>>
>>> However, when I log into the jail and run gvim then I see this:
>>>
>>> # gvim
>>> X11 connection rejected because of wrong authentication.
>>> E233: cannot open display
>>> Press ENTER or type command to continue
>>>
>>> E852: The child process failed to start the GUI
>>> X11 connection rejected because of wrong authentication.
>>>
>>>
>>> I have run into this before and have attempted to apply all of the
>>> previous remedies but nothing seems to work. Is there anything
>>> about jails themselves that would prevent X11 forwarding?
>> Just a very stupid question: You _did_ set $DISPLAY as needed?
>> See "man ssh", section X11 FORWARDING.
>>
>>
>
> echo $DISPLAY
> localhost:10.0
>
> I have this in the local host's ssh_config:
>
> Host *
> GSSAPIAuthentication yes
> # If this option is set to yes then remote X11 clients will
> # have full access to the original X11 display. As virtually
> # no X11 client supports the untrusted mode correctly we set
> # this to yes.
> ForwardX11Trusted yes
> ForwardAgent yes
> # Send locale-related environment variables
> SendEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE
> SendEnv LC_MONETARY LC_MESSAGES
> SendEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT
> SendEnv LC_IDENTIFICATION LC_ALL LANGUAGE
> SendEnv XMODIFIERS
> Protocol 2
>
> I have this in the remote host jail /etc/ssh/sshd_config:
>
> GatewayPorts no
> AllowTcpForwarding yes
> KeepAlive yes
> IgnoreRhosts yes
> Banner /etc/ssh/ssh_pre_logon.txt
> IgnoreUserKnownHosts no
> PrintMotd yes
> StrictModes yes
> PubkeyAuthentication yes
> RSAAuthentication no
> PermitRootLogin without-password
> PermitEmptyPasswords no
> X11Forwarding yes
> X11DisplayOffset 10
> X11UseLocalhost yes
>
>
> I connect using this:
>
> ssh 192.168.209.33 -t -X 'bash || sh'
>
> When I attempt to run gvim over a session created with the above ssh
> command then I get this
>
> gvim
> X11 connection rejected because of wrong authentication.
> E233: cannot open display
> Press ENTER or type command to continue
>
> E852: The child process failed to start the GUIX11 connection rejected
> because of wrong authentication.
>
> I only encounter this on jailed instances on the remote host. On the
> remote host itself gvim works over ssh connections without difficulty.
>
> I regret the delay in returning to this issue but other matters proved
> more pressing in the meantime.
>
> Any ideas respecting resolving this are most welcome.
>
>

This is the problem
E233: cannot open display

gvim will not work if run in a jail. gvim uses x11 and x11 needs kernel
access to talk to the x11 display. Jails are designed on purpose to deny
kernel access to secure the host system from attack. This is why you can
never get a desktop to run in a jail. The other authentication error
messages are bogus and can be ignored as misleading. This is also why
gvim works when run on the host system.

The bottom line here is that what you're trying to run in a jail will
NEVER work.

Ezjail has no bearing on this problem, it's a design feature of jail(8).

Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?58E50AC2.7010909>