X11 forwarding request failed on channel 0 after 2.5.0

chudak

After upgrading to 2.50 I see this:

X11 forwarding request failed on channel 0
pfSense - Netgate Device ID: XYZ

Not that I care much about X11 forwarding, but just sharing here.
Anybody else has seen this and knows what's up ?

Never seen on 2.4.x releases.

Thx

johnpoz

Where are you seeing that, and what exactly are you trying to do. I have never had a need/want to forward via ssh.. Since I just vpn in if I want to do anything on my local network while remote..

chudak

@johnpoz

I see it after ssh'inf to the pfsense box

ssh admin@XYZ
Password for user@XYZ:
X11 forwarding request failed on channel 0
pf - Netgate Device ID: XXX

*** Welcome to pfSense 2.5.0-RELEASE (amd64) on pfsense ***

WAN (wan) -> igb0 -> v4/DHCP4: XYZ/20
LAN (lan) -> igb1 -> v4: 192.168.10.1/24
WIFI (opt1) -> igb2 -> v4: 192.168.20.1/24

0. Logout (SSH only) 9) pfTop
1. Assign Interfaces 10) Filter Logs
2. Set interface(s) IP address 11) Restart webConfigurator
3. Reset webConfigurator password 12) PHP shell + pfSense tools
4. Reset to factory defaults 13) Update from console
5. Reboot system 14) Disable Secure Shell (sshd)
6. Halt system 15) Restore recent configuration
7. Ping host 16) Restart PHP-FPM
8. Shell

johnpoz

What are you using to ssh (what is your client? putty, securecrt, ssh)

I don't see such an error - I ssh into pfsense pretty much every day..

I even enable x11 forwarding - and still don't see such an error

chudak

@johnpoz

I ssh from ubuntu with term or terminator and never saw it before 2.5.0

I don't use putty but tried it and don't see this error

bingo600

@chudak said in X11 forwarding request failed on channel 0 after 2.5.0:

X11 forwarding request failed on channel 0

Have a look here
https://www.linuxsecrets.com/1204-how-to-fix-x11-forwarding-request-failed-on-channel-0
https://stackoverflow.com/questions/38961495/x11-forwarding-request-failed-on-channel-0

According to the above it could be localhost or ipv6 related

chudak

@bingo600 thx !

The question is - why is it popping up after 2.5.0 and never before ?

johnpoz

While it might be popping up for you - its not popping up here.. I have been unable to even get it to pop up even using ssh with -X

do a ssh -x, do you still get it? What is your client settings specifically?

Do a verbose connection -v so you see some details..

For example I can see this when do -Xv

debug1: Remote: /root/.ssh/authorized_keys:1: key options: agent-forwarding port-forwarding pty user-rc x11-forwarding
debug1: Remote: /root/.ssh/authorized_keys:1: key options: agent-forwarding port-forwarding pty user-rc x11-forwarding
debug1: X11 forwarding requested but DISPLAY not set

chudak

@johnpoz

I don't see the error with ssh -x, nothing special about ssh client settings AFAIK

See verbose here https://pastebin.com/hTDiEfJz

johnpoz

Not seeing the rest of this - it stops where your having to auth with password. What is the rest after you auth.

chudak

@johnpoz

sorry missed that

debug1: Authentication succeeded (keyboard-interactive).
Authenticated to pfsense ([192.168.0.1]:22).
debug1: channel 0: new [client-session]
debug1: Requesting no-more-sessions@openssh.com
debug1: Entering interactive session.
debug1: pledge: exec
debug1: client_input_global_request: rtype hostkeys-00@openssh.com want_reply 0
debug1: Requesting X11 forwarding with authentication spoofing.
debug1: Sending environment.
debug1: Sending env LANG = en_US.UTF-8
X11 forwarding request failed on channel 0
pfSense - Netgate Device ID:xyz

johnpoz

What is your local clients that your sshing from config

Should be on your client in /etc/ssh/ssh_config

chudak

@johnpoz said in X11 forwarding request failed on channel 0 after 2.5.0:

/etc/ssh/ssh_conf

cat /etc/ssh/ssh_config

# This is the ssh client system-wide configuration file.  See
# ssh_config(5) for more information.  This file provides defaults for
# users, and the values can be changed in per-user configuration files
# or on the command line.

# Configuration data is parsed as follows:
#  1. command line options
#  2. user-specific file
#  3. system-wide file
# Any configuration value is only changed the first time it is set.
# Thus, host-specific definitions should be at the beginning of the
# configuration file, and defaults at the end.

# Site-wide defaults for some commonly used options.  For a comprehensive
# list of available options, their meanings and defaults, please see the
# ssh_config(5) man page.

Include /etc/ssh/ssh_config.d/*.conf

Host *
#   ForwardAgent no
   ForwardX11 yes
   ForwardX11Trusted yes
#   PasswordAuthentication yes
#   HostbasedAuthentication no
#   GSSAPIAuthentication no
#   GSSAPIDelegateCredentials no
#   GSSAPIKeyExchange no
#   GSSAPITrustDNS no
#   BatchMode no
#   CheckHostIP yes
#   AddressFamily any
#   ConnectTimeout 0
#   StrictHostKeyChecking ask
#   IdentityFile ~/.ssh/id_rsa
#   IdentityFile ~/.ssh/id_dsa
#   IdentityFile ~/.ssh/id_ecdsa
#   IdentityFile ~/.ssh/id_ed25519
#   Port 22
#   Ciphers aes128-ctr,aes192-ctr,aes256-ctr,aes128-cbc,3des-cbc
#   MACs hmac-md5,hmac-sha1,umac-64@openssh.com
#   EscapeChar ~
#   Tunnel no
#   TunnelDevice any:any
#   PermitLocalCommand no
#   VisualHostKey no
#   ProxyCommand ssh -q -W %h:%p gateway.example.com
#   RekeyLimit 1G 1h
    SendEnv LANG LC_*
    HashKnownHosts yes
    GSSAPIAuthentication yes

johnpoz

@chudak said in X11 forwarding request failed on channel 0 after 2.5.0:

ForwardX11 yes
ForwardX11Trusted yes

Comment those out, or set to no and your error will go away ;)

chudak

@johnpoz said in X11 forwarding request failed on channel 0 after 2.5.0:

@chudak said in X11 forwarding request failed on channel 0 after 2.5.0:

ForwardX11 yes
ForwardX11Trusted yes

Comment those out, or set to no and your error will go away ;)

My fault after all :( has nothing to do with 2.5.0 !

Thx @johnpoz
But it's good to be sure :)

johnpoz

Did you change something there between going to 2.5? I don't think that is default on ssh install to enable that..

But if your using some gui term or package in your OS, maybe it set that?

But you mentioned you don't use X11 forwarding, and not sure how you would do X11 to pfsense anyway ;) But yeah can understand why you would want the error not to be there ;)

chudak

@johnpoz said in X11 forwarding request failed on channel 0 after 2.5.0:

Did you change something there between going to 2.5? I don't think that is default on ssh install to enable that..

But if your using some gui term or package in your OS, maybe it set that?

But you mentioned you don't use X11 forwarding, and not sure how you would do X11 to pfsense anyway ;) But yeah can understand why you would want the error not to be there ;)

Hard to say if I did change anything, but as long as it's not 2.5.0 I am happy :)

jimp

I don't recall exactly when, I thought it was in 2.4.x, but we disabled X11 forwarding in the SSH daemon on the firewall for security reasons.

The error is harmless though, you can ignore it, or like you've done, disable it on the client side.