Thursday, August 14, 2014

GCE Debian 7, X11 Forwarding over SSH problem: solved

This is my first time using Google Compute Engine.

My plan was this: run Debian on GCE and forward every graphical user interface to my Microsoft Windows desktop. Of course, on Debian (Linux), the X Window System (X11) over SSH is the most secure and mature method to me.

Then it became an 18-day struggle for me, because it did not work at all!

Today, I finally installed the same Debian 7 operating system inside a virtual machine using VMware Player. Of course, with a default installation, X11 forwarding over SSH works perfectly inside this virtual machine. Then I could start comparing the working Debian with my GCE instance. Now I have found where the problem was.



I first spotted a message like this one on GCE:
sshd[2050]: error: Failed to allocate internet-domain X11 display socket.
Then I spotted that IPv6 was already enabled on GCE Debian 7, but none of the interfaces were configured with IPv6 addresses. I think that was why the SSH daemon could not bind and listen on X11 TCP port 6000 on the loopback interface.

I did not find any good way to configure IPv6 addresses on the interfaces. I also tested that changing "/etc/hosts" did not solve this problem.

After some trial and error, I now know the minimum fix to this problem was:

[Conclusion of the Fix]

Add this line to your GCE Debian 7's "/etc/ssh/sshd_config":
X11UseLocalhost no
And then reboot your GCE instance. Done.

[My Working Environment]

Screen capture on Cygwin/X site.

I used Cygwin/X on my Windows 7 side. I used the "ssh -Y" command to request X11 forwarding. I also found that, to avoid wasting time doing "export DISPLAY", the easiest way is to just open the SSH session inside my Cygwin/X xterm.

For terminal software, PuTTY with Cygwin/X is not working for me at all. I do not know the cause yet. I used the terminal software of Cygwin itself.

In addition, the default GCE Debian 7 image does not contain any X11 software. I did the following steps to build the working environment:
sudo apt-get update
sudo apt-get install xauth
sudo apt-get install xterm
The "xauth" package is required for X11 forwarding over SSH to work. The "xterm" package is just how I tested whether X11 was working or not.

[Note about Security]

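This adds one possible security hole: with "X11UseLocalhost no", sshd binds the X11 forwarding listener to the wildcard address instead of the loopback address, so it will accept incoming X11 connections from any host that can reach the port. It is safe from the Internet on GCE because you would have to add additional firewall rules to permit incoming TCP 6000.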

I have not tested whether other GCE customers could ever come in from inside, though.
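
One way to see what the setting exposes on the instance, as an added example that is not part of the original post: the function below reads "ss -tln" output and prints X11 forwarding listeners bound to anything other than loopback. The function name, the 6000-6063 port range and the sample lines are assumptions made for this example.

```shell
#!/bin/sh
# Added example: flag sshd X11-forwarding listeners reachable from other hosts.
# X11 display N listens on TCP 6000+N; sshd allocates N starting at
# X11DisplayOffset (default 10). The 6000-6063 default range is an assumption;
# override it with X11_PORT_MIN / X11_PORT_MAX.

# Reads `ss -tln` output on stdin; prints each non-loopback listener in range.
x11_exposed_listeners() {
    awk -v lo="${X11_PORT_MIN:-6000}" -v hi="${X11_PORT_MAX:-6063}" '
        $1 == "LISTEN" {
            # Local address is field 4; the port follows the last colon.
            n = split($4, parts, ":")
            port = parts[n] + 0
            addr = substr($4, 1, length($4) - length(parts[n]) - 1)
            # Newer ss prints IPv6 as [addr]:port, older ss as addr:port.
            sub(/^\[/, "", addr); sub(/\]$/, "", addr)
            if (port < lo || port > hi) next
            if (addr ~ /^127\./ || addr == "::1") next   # loopback only
            print $4
        }'
}

# Constructed sample (not captured from a real host): display 10 is bound to
# loopback, displays 11 and 12 are bound to the wildcard address.
SAMPLE_SS='State  Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0 128 *:22 *:*
LISTEN 0 128 127.0.0.1:6010 *:*
LISTEN 0 128 ::1:6010 :::*
LISTEN 0 128 *:6011 *:*
LISTEN 0 128 :::6011 :::*
LISTEN 0 128 [::]:6012 [::]:*'

printf '%s\n' "$SAMPLE_SS" | x11_exposed_listeners

# On a live host, with an "ssh -Y" session open:
#   ss -tln | x11_exposed_listeners
```

Any line it prints is a port that the GCE firewall rules, not sshd, are keeping unreachable from other hosts.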

---

Happy using GCE!
