Page MenuHomePhabricator
Create Task
Maniphest T196537

Cloud VPS: X11 forwarding request failed on channel 0
Open, LowPublic
Actions

Description

When trying to ssh -X to a Cloud CPS box, I get (with -v) X11 forwarding request failed on channel 0 and forwarding is not set up. The usual workarounds (installing xauth, adding X11Forwarding yes / X11UseLocalhost no to sshd_config) do not seem to work.

Event Timeline

Tgr created this task.Jun 6 2018, 11:10 AM
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptJun 6 2018, 11:10 AM
Tgr added a comment.Jun 6 2018, 12:58 PM

Workaround: https://wikitech.wikimedia.org/wiki/Help:MediaWiki-Vagrant_in_Cloud_VPS#SSH_to_the_Vagrant_box

Andrew subscribed.Jun 8 2018, 2:02 PM

Can you tell me more about that -X? X11 isn't present on any of our servers by default, I don't think I've ever heard of anyone using it on a VPS before.

Tgr added a comment.Jun 10 2018, 1:45 PM

It creates a tunnel inside the SSH connection through which applications running on the remote machine can connect to the X11 server of the local machine (so you can e.g. run selenium tests on the remote and see the browser window as if the browser were running locally).

In this instance, I was just trying to forward the connection from the labs-vagrant box inside that cloud host (so ssh -X into the cloud box and then run vagrant ssh -- -X) but X11 forwarding is broken somehow. Connecting to the vagrant box directly works.

Krenair subscribed.Jun 10 2018, 4:30 PM

Um is X11 forwarding something that's secure enough to be run between labs and our own machines?

Krenair added a subscriber: MoritzMuehlenhoff.Jun 10 2018, 4:30 PM
Tgr added a comment.Jun 10 2018, 7:21 PM

AIUI an attacker could snoop on your window contents, maybe even your keystrokes while the connection is open, but that's the worst that could happen.

Krenair added a comment.EditedJun 10 2018, 10:02 PM

Of any window you have or just the ones opened through X forwarding?

Tgr added a comment.Jun 10 2018, 11:40 PM

Hm. In non-trusted mode only the ones that are forwarded from that host, but apparently Debian uses trusted mode by default...not sure what exactly that means. All keyboard events at the very least, probably screenshots too.

Apparently firejail includes an X11 sandbox which is another way to prevent access to local windows.

Vvjjkkii renamed this task from Cloud VPS: X11 forwarding request failed on channel 0 to yjbaaaaaaa.Jul 1 2018, 1:05 AM
Vvjjkkii triaged this task as High priority.
Vvjjkkii added projects: CheckUser, Connected-Open-Heritage-Batch-uploads (RAÄ-KMB_1_2017-02), Tamil-Sites, Gamepress, Hashtags, Jade, KartoEditor, Language-2018-Apr-June, New-Editor-Experiences, Mail, TCB-Team (now WMDE-TechWish).
Vvjjkkii updated the task description. (Show Details)
Vvjjkkii removed a subscriber: Aklapper.
CommunityTechBot renamed this task from yjbaaaaaaa to Cloud VPS: X11 forwarding request failed on channel 0.Jul 2 2018, 3:16 PM
CommunityTechBot raised the priority of this task from High to Needs Triage.
CommunityTechBot updated the task description. (Show Details)
CommunityTechBot removed projects: TCB-Team (now WMDE-TechWish), Mail, New-Editor-Experiences, Language-2018-Apr-June, KartoEditor, Jade, Hashtags, Gamepress, Tamil-Sites, Connected-Open-Heritage-Batch-uploads (RAÄ-KMB_1_2017-02), CheckUser.
CommunityTechBot added a subscriber: Aklapper.
GTirloni added a project: cloud-services-team (Kanban).Mar 24 2019, 10:12 AM
Bstorm triaged this task as Low priority.Feb 11 2020, 5:15 PM
fnegri edited projects, added cloud-services-team; removed cloud-services-team (Kanban).Jan 18 2023, 7:37 PM
fnegri moved this task from Kanban to Inbox on the cloud-services-team board.
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL · Credits