OpenSSH V8.9-1I01 and X11 Port Forwarding Feature on x86-64 V9.2-2UP2 + DWMOTIF V1.8


Post by m_detommaso » Thu Aug 22, 2024 11:24 am


OpenSSH V8.9-1I01 introduced support for X11 Port Forwarding on the server side (X11 Port Forwarding via OpenSSH enables users to connect to an SSH server on the VSI OpenVMS host and run X11 client programs, which will appear on their local display).

In the past few days I have been unsuccessfully testing this new feature using VMS x86-64 V9.2-2UPD2 + DWMOTIF V1.8 + OpenSSH V8.9-1I01 + SSL3 V3.0-14 + MobaXterm Professional Edition v24.0 build 52.04.

Even though the openssh seems to be configured correctly and decw$xauth adds the security records correctly, I always get the same error when I try to run any graphical application:

Xlib: connection to "_WSAx:" refused by server
Xlib: MoTTY X11 proxy: No authorisation provided
%DECW-E-CANT_OPEN_DISPL, Can't open display



system_dirac_opa0 >product show product vms/full
------------------------------------ ----------- --------- ------------------------------------ ------------------------------------
PRODUCT                              KIT TYPE    STATE     MAINTENANCE                          REFERENCED BY
------------------------------------ ----------- --------- ------------------------------------ ------------------------------------
VSI X86VMS VMS V9.2-2                Oper System Installed VSI X86VMS VMS922X_PCSI V1.0         VSI X86VMS DWMOTIF V1.8
                                                           VSI X86VMS VMS922X_UPDATE V2.0       VSI X86VMS KERBEROS V3.3-2A
                                                           VSI X86VMS VMS922X_UPDATE V1.0       VSI X86VMS OPENVMS V9.2-2
                                                                                                VSI X86VMS TCPIP V6.0-25
------------------------------------ ----------- --------- ------------------------------------ ------------------------------------
1 item found

VMSINSTAL history file DISK$DIRAC_X86SYS:[VMS$COMMON.][SYSUPD]VMSINSTAL.HISTORY;1 contains additional information


system_dirac_opa0 >product sho product *
------------------------------------ ----------- ---------
PRODUCT                              KIT TYPE    STATE
------------------------------------ ----------- ---------
VSI X86VMS DECNET_PHASE_IV V9.2-2    Full LP     Installed
VSI X86VMS DWMOTIF V1.8              Full LP     Installed
VSI X86VMS DWMOTIF_SUPPORT V9.2-2    Full LP     Installed
VSI X86VMS KERBEROS V3.3-2A          Full LP     Installed
VSI X86VMS OPENSSH V8.9-1I01         Full LP     Installed
VSI X86VMS OPENVMS V9.2-2            Platform    Installed
VSI X86VMS SSL111 V1.1-1W            Full LP     Installed
VSI X86VMS SSL3 V3.0-14              Full LP     Installed
VSI X86VMS SSL31 V3.1-4              Full LP     Installed
VSI X86VMS T4 V4.4-E                 Full LP     Installed
VSI X86VMS TCPIP V6.0-25             Full LP     Installed
VSI X86VMS VMS V9.2-2                Oper System Installed
VSI X86VMS VMSI18N V9.2              Full LP     Installed
------------------------------------ ----------- ---------

system_dirac_opa0 >product sho his *ssh*/since
------------------------------------ ----------- ----------- --- -----------
PRODUCT                              KIT TYPE    OPERATION   VAL DATE
------------------------------------ ----------- ----------- --- -----------
VSI X86VMS OPENSSH V8.9-1I01         Full LP     Install     Val 19-AUG-2024
VSI X86VMS OPENSSH V8.9-1H           Full LP     Remove       -  19-AUG-2024
------------------------------------ ----------- ----------- --- -----------
2 items found



system_dirac_opa0 >sshver

Information on DIRAC for OpenVMS images installed on this system:

 Name                                      Version       Build      Link date
----------------------------------------- ------------- ---------- -------------
 SSH$SCP.EXE                               V8.9-1I04     00000000   12-AUG-2024
 SSH$SFTP.EXE                              V8.9-1I04     00000000   12-AUG-2024
 SSH$SSH-ADD.EXE                           V8.9-1I04     00000000   12-AUG-2024
 SSH$SSH-AGENT.EXE                         V8.9-1I04     00000000   12-AUG-2024
 SSH$SSH-KEYGEN.EXE                        V8.9-1I04     00000000   12-AUG-2024
 SSH$SSH-KEYSCAN.EXE                       V8.9-1I04     00000000   12-AUG-2024
 SSH$SSH.EXE                               V8.9-1I04     00000000   12-AUG-2024
 SSH$SFTP-SERVER.EXE                       V8.9-1I04     00000000   12-AUG-2024
 SSH$SSH-KEYSIGN.EXE                       V8.9-1I04     00000000   12-AUG-2024
 SSH$SSH-PKCS11-HELPER.EXE                 V8.9-1I04     00000000   12-AUG-2024
 SSH$SSH-SK-HELPER.EXE                     V8.9-1I04     00000000   12-AUG-2024
 SSH$SSHD.EXE                              V8.9-1I04     00000000   12-AUG-2024


system_dirac_opa0 >type ssh$root:[etc]sshd_config.
...
#---
X11Forwarding yes
X11DisplayOffset 10
X11UseLocalhost no
#---

system_dirac >sho disp

    Device:    WSA1:  [user]
    Node:      dirac.digital.com
    Transport: TCPIP
    Server:    10
    Screen:    0

system_dirac_opa0 >mc decw$xauth list
dirac.digital.com:10  MIT-MAGIC-COOKIE-1  f074476f32c1fd7ad44a5ded9560f93f
dirac.digital.com:11  MIT-MAGIC-COOKIE-1  c6f4b69bff6c0fbb1bc37e40756ccac9


system_dirac_opa0 >search dirac_hpe-cnd1483thp_00000444.log "xauth" /windows=(2,5)
debug1: channel 1: new [X11 inet listener]
debug3: vms_change_process_owner: Switching owner to user system
debug1: Running xauth  "-q" add dirac.digital.com:10 MIT-MAGIC-COOKIE-1 f074476f32c1fd7ad44a5ded9560f93f
debug3: vms_change_process_owner: Restoring owner of user
debug3: send packet: type 99
debug3: receive packet: type 98
debug1: server_input_channel_req: channel 0 request pty-req reply 1
debug1: session_by_channel: session 0 channel 0
...
ssh_x11forwarding_issues_922.PNG



However, using the same openssh configuration settings with the VMS field test release E9.2-3 + DWMOTIF V1.8-1 (and obviously OpenSSH V8.9-1I01 + SSL3 V3.0-14 + MobaXterm Professional Edition v24.0 build 52.04), the X11 ssh Port Forwarding functionality works perfectly and without errors.


system_ft923> product show product vms/full
------------------------------------ ----------- --------- ------------------------------------ ------------------------------------
PRODUCT                              KIT TYPE    STATE     MAINTENANCE                          REFERENCED BY
------------------------------------ ----------- --------- ------------------------------------ ------------------------------------
VSI X86VMS VMS E9.2-3                Oper System Installed                                      VSI X86VMS DWMOTIF V1.8-1
                                                                                                VSI X86VMS KERBEROS V3.3-3
                                                                                                VSI X86VMS OPENVMS E9.2-3
                                                                                                VSI X86VMS TCPIP V6.0-25
------------------------------------ ----------- --------- ------------------------------------ ------------------------------------
1 item found


system_ft923> product sho product *
------------------------------------ ----------- ---------
PRODUCT                              KIT TYPE    STATE
------------------------------------ ----------- ---------
VMSPORTS X86VMS PERL534 T5.34-0      Full LP     Installed
VSI X86VMS AVAIL_MAN_BASE E9.2-3     Full LP     Installed
VSI X86VMS DECNET_PHASE_IV E9.2-3    Full LP     Installed
VSI X86VMS DWMOTIF V1.8-1            Full LP     Installed
VSI X86VMS DWMOTIF_SUPPORT E9.2-3    Full LP     Installed
VSI X86VMS KERBEROS V3.3-3           Full LP     Installed
VSI X86VMS OPENSSH V8.9-1I01         Full LP     Installed
VSI X86VMS OPENVMS E9.2-3            Platform    Installed
VSI X86VMS SSL111 V1.1-1W            Full LP     Installed
VSI X86VMS SSL3 V3.0-14              Full LP     Installed
VSI X86VMS TCPIP V6.0-25             Full LP     Installed
VSI X86VMS VMS E9.2-3                Oper System Installed
------------------------------------ ----------- ---------



system_ft923> product sho hist *ssl*/sin
------------------------------------ ----------- ----------- --- -----------
PRODUCT                              KIT TYPE    OPERATION   VAL DATE
------------------------------------ ----------- ----------- --- -----------
VSI X86VMS SSL3 V3.0-14              Full LP     Install     Val 21-AUG-2024
VSI X86VMS SSL3 V3.0-13              Full LP     Remove       -  21-AUG-2024
------------------------------------ ----------- ----------- --- -----------
2 items found



system_ft923> sshver

Information on FT923 for OpenVMS images installed on this system:

 Name                                      Version       Build      Link date
----------------------------------------- ------------- ---------- -------------
 SSH$SCP.EXE                               V8.9-1I04     00000000   12-AUG-2024
 SSH$SFTP.EXE                              V8.9-1I04     00000000   12-AUG-2024
 SSH$SSH-ADD.EXE                           V8.9-1I04     00000000   12-AUG-2024
 SSH$SSH-AGENT.EXE                         V8.9-1I04     00000000   12-AUG-2024
 SSH$SSH-KEYGEN.EXE                        V8.9-1I04     00000000   12-AUG-2024
 SSH$SSH-KEYSCAN.EXE                       V8.9-1I04     00000000   12-AUG-2024
 SSH$SSH.EXE                               V8.9-1I04     00000000   12-AUG-2024
 SSH$SFTP-SERVER.EXE                       V8.9-1I04     00000000   12-AUG-2024
 SSH$SSH-KEYSIGN.EXE                       V8.9-1I04     00000000   12-AUG-2024
 SSH$SSH-PKCS11-HELPER.EXE                 V8.9-1I04     00000000   12-AUG-2024
 SSH$SSH-SK-HELPER.EXE                     V8.9-1I04     00000000   12-AUG-2024
 SSH$SSHD.EXE                              V8.9-1I04     00000000   12-AUG-2024


system_ft923> type ssh$root:[etc]sshd_config.

...
#---
X11Forwarding yes
X11DisplayOffset 10
X11UseLocalhost no
#---
...

system_ft923> mc decw$xauth list
ft923.digital.com:10  MIT-MAGIC-COOKIE-1  1c599c71bc1641f642da4dd01a5d85a9
ft923.digital.com:11  MIT-MAGIC-COOKIE-1  4799e01248ef5a8d1f911854185630af



system_ft923> search ft923_192_168_1_3_00000430.log "xauth" /windows=(2,5)
debug1: channel 1: new [X11 inet listener]
debug3: vms_change_process_owner: Switching owner to user system
debug1: Running xauth  "-q" add ft923.digital.com:10 MIT-MAGIC-COOKIE-1 1c599c71bc1641f642da4dd01a5d85a9
debug3: vms_change_process_owner: Restoring owner of user
debug3: send packet: type 99
debug3: receive packet: type 98
debug1: server_input_channel_req: channel 0 request pty-req reply 1
debug1: session_by_channel: session 0 channel 0
...
ssh_x11forwarding_issues_923.PNG

Considering that the OpenSSH 8.9-1I01 release notes state that X11 Port Forwarding Feature is fully supported starting with VMS x86-64 V9.2-1 and later along with VSI SSL3 V3.0-13 and later and DWMotif V1.8, I am starting to suspect that I am missing some undocumented setting in the V9.2-2 environment or that X11 ssh Port Forwarding effectively requires Motif 1.8-1 and/or some libraries present only in E9.2-3.


Any suggestions will be greatly appreciated,
/Maurizio
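The cross-check the post above performs by eye (the display the session uses, the xauth record stored for it, and the cookie sshd logged), written as an added example that is not part of the original post. The host name and cookie values are constructed, and the three parsers assume the output layouts shown in the post.

```python
import re

# Constructed sample inputs shaped like the three outputs in the post;
# the host name and cookie values are made up.
SSHD_LOG = '''debug1: channel 1: new [X11 inet listener]
debug1: Running xauth  "-q" add vmshost.example.com:10 MIT-MAGIC-COOKIE-1 00112233445566778899aabbccddeeff
'''
XAUTH_LIST = '''vmshost.example.com:10  MIT-MAGIC-COOKIE-1  00112233445566778899aabbccddeeff
vmshost.example.com:11  MIT-MAGIC-COOKIE-1  ffeeddccbbaa99887766554433221100
'''
SHOW_DISPLAY = '''    Device:    WSA1:  [user]
    Node:      vmshost.example.com
    Transport: TCPIP
    Server:    10
'''

XAUTH_ADD = re.compile(r'Running xauth\s+.*?\badd\s+(\S+):(\d+)\s+(\S+)\s+([0-9a-fA-F]+)')

def cookie_from_sshd_log(text):
    """(host, display, protocol, cookie) of the last 'xauth add' sshd ran, or None."""
    hits = XAUTH_ADD.findall(text)
    if not hits:
        return None
    host, disp, proto, cookie = hits[-1]
    return host.lower(), int(disp), proto, cookie.lower()

def parse_xauth_list(text):
    """Map (host, display) -> (protocol, cookie) from 'xauth list' style output."""
    entries = {}
    for m in re.finditer(r'^(\S+):(\d+)[ \t]+(\S+)[ \t]+([0-9a-fA-F]+)[ \t]*$', text, re.M):
        entries[(m[1].lower(), int(m[2]))] = (m[3], m[4].lower())
    return entries

def parse_show_display(text):
    """(node, transport, server) from SHOW DISPLAY style output."""
    f = dict(re.findall(r'^[ \t]*(\w+):[ \t]+(\S+)', text, re.M))
    server = f.get('Server', '')
    return f.get('Node', '').lower(), f.get('Transport', ''), int(server) if server.isdigit() else None

def check(sshd_log, xauth_list, show_display):
    """Return a list of inconsistencies between the three views (empty = consistent)."""
    logged = cookie_from_sshd_log(sshd_log)
    if logged is None:
        return ['sshd log shows no xauth add, so no forwarded display was set up']
    host, disp, proto, cookie = logged
    node, transport, server = parse_show_display(show_display)
    problems = []
    if (node, server) != (host, disp):
        problems.append(f'session display {node}:{server} != forwarded {host}:{disp}')
    if transport.upper() != 'TCPIP':
        problems.append(f'transport is {transport or "unset"}, expected TCPIP')
    stored = parse_xauth_list(xauth_list).get((node, server))
    if stored is None:
        problems.append(f'no xauth record for {node}:{server}')
    elif stored != (proto, cookie):
        problems.append(f'xauth record for {node}:{server} is not the cookie sshd issued')
    return problems
```

An empty result means the server-side records agree with each other, which is the state the post describes while the client-side proxy still rejects the connection.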



Post by gcalliet » Mon Sep 23, 2024 6:36 am

Hello,

I tested with OpenVMS 9.2-3. (And all recent packages ssh, dwmotif).
The display is not even created. (With 9.2-2 I have seen a display, and got the authorization problem).

In the ssh log I see the message:
vms_update_sysuaf_valid_access: vms_add_login_msg failed with status 0

Any suggestion?


Post by m_detommaso » Mon Sep 23, 2024 8:55 am

Please post the contents of the ssh configuration file "ssh$root:[etc]sshd_config." and the output of the following command:

$ product sho product *

Which product are you using as Xserver?

/Maurizio



Post by gcalliet » Mon Sep 23, 2024 9:50 am

Hello,

I use Xming on Windows, or Xorg on Ubuntu. The two work fine using ssh X11 tunneling.

When I tried the last version of openssh with x11 forwarding, I had the problem you have documented. But I could see that a display was automatically created on VMS when I used x11 forwarding.

After I read your post, I installed VMS 9.2-3. And I see that the display is not created.
In the ssh log I see:
"vms_update_sysuaf_valid_access: vms_add_login_msg failed with status 0"
This was not in the log when the display could be created.



$ type ssh$root:[etc]sshd_config.
# $OpenBSD: sshd_config,v 1.104 2021/07/02 05:11:21 dtucker Exp $

# This is the sshd server system-wide configuration file. See
# sshd_config(5) for more information.

# This sshd was compiled with PATH=/usr/bin:/bin:/usr/sbin:/sbin

# The strategy used for options in the default sshd_config shipped with
# OpenSSH is to specify options with their default value where
# possible, but leave them commented. Uncommented options override the
# default value.

Port 22
#AddressFamily any
#ListenAddress 0.0.0.0
#ListenAddress ::

HostKey /ssh$root/etc/ssh_host_rsa_key
HostKey /ssh$root/etc/ssh_host_ecdsa_key
HostKey /ssh$root/etc/ssh_host_ed25519_key

# Ciphers and keying
#Ciphers none
#MACs none

#RekeyLimit default none
KexAlgorithms +diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
HostKeyAlgorithms +ssh-rsa,ssh-dss
PubkeyAcceptedAlgorithms +ssh-rsa,ssh-dss

# Logging
#SyslogFacility AUTH
#LogLevel INFO

# Authentication:

#LoginGraceTime 2m
#PermitRootLogin prohibit-password
#StrictModes yes
#MaxAuthTries 6
MaxSessions 10000

#PubkeyAuthentication yes

# The default is to check both ssh/authorized_keys and ssh/authorized_keys2
# but this is overridden so installations will only check ssh/authorized_keys
AuthorizedKeysFile ssh/authorized_keys

#AuthorizedPrincipalsFile none

#AuthorizedKeysCommand none
#AuthorizedKeysCommandUser ssh$sshd

# For this to work you will also need host keys in /ssh$root/etc/ssh_known_hosts
#HostbasedAuthentication no
# Change to yes if you don't trust /sys$login/ssh/known_hosts for
# HostbasedAuthentication
#IgnoreUserKnownHosts no
# Don't read the user's /sys$login/.rhosts and /sys$login/.shosts files
#IgnoreRhosts yes

# To disable tunneled clear text passwords, change to no here!
#PasswordAuthentication yes
#PermitEmptyPasswords no

# Change to no to disable s/key passwords
#KbdInteractiveAuthentication yes

# Kerberos options
#KerberosAuthentication no
#KerberosOrLocalPasswd yes
#KerberosTicketCleanup yes
#KerberosGetAFSToken no

# GSSAPI options
#GSSAPIAuthentication no
#GSSAPICleanupCredentials yes

# Set this to 'yes' to enable PAM authentication, account processing,
# and session processing. If this is enabled, PAM authentication will
# be allowed through the KbdInteractiveAuthentication and
# PasswordAuthentication. Depending on your PAM configuration,
# PAM authentication via KbdInteractiveAuthentication may bypass
# the setting of "PermitRootLogin without-password".
# If you just want the PAM account and session checks to run without
# PAM authentication, then enable this but set PasswordAuthentication
# and KbdInteractiveAuthentication to 'no'.
#UsePAM no

#AllowAgentForwarding yes
AllowTcpForwarding yes
#GatewayPorts no
X11Forwarding yes
X11DisplayOffset 10
X11UseLocalhost yes
#PermitTTY yes
#PrintMotd yes
#PrintLastLog yes
#TCPKeepAlive yes
#PermitUserEnvironment no
#Compression delayed
#ClientAliveInterval 0
#ClientAliveCountMax 3
#UseDNS no
#PidFile /var/run/sshd.pid
#MaxStartups 10:30:100
#PermitTunnel no
#ChrootDirectory none
#VersionAddendum none

# no default banner path
#Banner none

# override default of no subsystems
Subsystem sftp ssh$sftp-server

# Example of overriding settings on a per-user basis
#Match User anoncvs
# X11Forwarding no
# AllowTcpForwarding no
# PermitTTY no
# ForceCommand cvs server

#AllowUsers none
#DenyUsers none
#AllowGroups none
#DenyGroups none

# OpenVMS auditing and access control
#VmsIntrusionAuthentications publickey,password,hostbased
#VmsIntrusionIdentMethods publickey,password,hostbased
#VmsIntrusionIdentSsh publickey,password,hostbased
#VmsLogFailAuthentications publickey,password,hostbased
#VmsAccountingAuthentications publickey,password,hostbased
#VmsIntrusionAddServerAddress no

#VmsUserLoginLimit -1
#VmsNumberOfPasswordVerificationPrompts 3
#VmsAllowLoginWithExpiredPw yes
#VmsPrintSysAnnounce yes
#VmsPrintSysWelcome yes

#VmsDisallowSftpServer no
#VmsSftpDenyUsers none
#VmsSftpDenyGroups none



$ product sho product *
------------------------------------ ----------- ---------
PRODUCT                              KIT TYPE    STATE
------------------------------------ ----------- ---------
VMSPORTS X86VMS PERL534 T5.34-0      Full LP     Installed
VSI X86VMS AVAIL_MAN_BASE E9.2-3     Full LP     Installed
VSI X86VMS C V7.5-9                  Full LP     Installed
VSI X86VMS CMS V4.8-9                Full LP     Installed
VSI X86VMS CXX A10.1-2_240613        Full LP     Installed
VSI X86VMS DECNET_PLUS V9.2-G        Full LP     Installed
VSI X86VMS DECSET V13.0-1            Platform    Installed
VSI X86VMS DTM V4.5-6                Full LP     Installed
VSI X86VMS DWMOTIF V1.8-1            Full LP     Installed
VSI X86VMS DWMOTIF_SUPPORT E9.2-3    Full LP     Installed
VSI X86VMS ENVMGR V1.9-5             Full LP     Installed
VSI X86VMS KERBEROS V3.3-3           Full LP     Installed
VSI X86VMS MMS V4.0-4                Full LP     Installed
VSI X86VMS OPENJDK80 V8.0-372C       Full LP     Installed
VSI X86VMS OPENSSH V8.9-1H01         Full LP     Installed
VSI X86VMS OPENVMS E9.2-3            Platform    Installed
VSI X86VMS SSL111 V1.1-1W            Full LP     Installed
VSI X86VMS SSL3 V3.0-13              Full LP     Installed
VSI X86VMS TCPIP V6.0-25             Full LP     Installed
VSI X86VMS VMS E9.2-3                Oper System Installed
VSI X86VMS VMSI18N V9.2              Full LP     Installed
------------------------------------ ----------- ---------
21 items found

Added in 1 hour 17 minutes 19 seconds:
My opinion is that something goes wrong accessing sysuaf. And it goes wrong from the sshd.
I found part of the message is the sshd image.

What is missing: source of openssh VMS implementation differences to understand where it goes wrong.
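The thread toggles `X11UseLocalhost` between `yes` and `no`; the following added example (not from the thread or from VSI) works out what the global section of an sshd_config means for the forwarded X11 listener. It assumes the VSI port follows upstream sshd_config(5) semantics (first value wins, `Match` starts a conditional block); the config excerpt is constructed.

```python
import re

# Constructed sshd_config excerpt using the X11 keywords from the thread;
# the duplicate X11UseLocalhost line shows which value takes effect.
SAMPLE = '''\
#AllowAgentForwarding yes
AllowTcpForwarding yes
x11forwarding yes
X11DisplayOffset 10
X11UseLocalhost no
X11UseLocalhost yes
Match User anoncvs
    X11Forwarding no
'''

# Upstream OpenSSH defaults, per sshd_config(5), for the keywords examined.
DEFAULTS = {'x11forwarding': 'no', 'x11displayoffset': '10', 'x11uselocalhost': 'yes'}

def effective_global(text):
    """Global-section values: keywords are case-insensitive, the first
    occurrence wins, and everything from the first Match line on is conditional."""
    cfg = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith('#'):
            continue
        parts = re.split(r'[ \t=]+', line, maxsplit=1)
        key = parts[0].lower()
        if key == 'match':
            break
        if len(parts) == 2:
            cfg.setdefault(key, parts[1].strip())
    return {k: cfg.get(k, v) for k, v in DEFAULTS.items()}

def x11_exposure(text):
    """Describe where sshd will listen for forwarded X11 connections."""
    cfg = effective_global(text)
    if cfg['x11forwarding'].lower() != 'yes':
        return {'enabled': False}
    offset = int(cfg['x11displayoffset'])
    wildcard = cfg['x11uselocalhost'].lower() == 'no'
    return {
        'enabled': True,
        'first_display': offset,          # DISPLAY numbers start here
        'first_tcp_port': 6000 + offset,  # X11 over TCP uses 6000 + display
        'bind': 'wildcard' if wildcard else 'loopback',
        # On a wildcard bind, hosts that can route to the port can connect,
        # so the MIT-MAGIC-COOKIE-1 value is the access control on the listener.
        'reachable_from_network': wildcard,
    }
```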


Post by m_detommaso » Mon Sep 23, 2024 11:28 am


Try setting:

X11UseLocalhost no

/Maurizio

Post by gcalliet » Mon Sep 23, 2024 11:51 am

X11UseLocalhost no
same problem.

However, thanks.

I tried the new openvms version on another computer. Perhaps I could try an upgrade on the first computer, which created the (not usable) display. I prefer to understand what goes wrong.
