Re: upgrade to bookworm broke ssh x11 forwarding

[Jeffrey Walton <noloader@gmail.com>]

On Thu, Nov 9, 2023 at 6:16 PM <fxkl47BF@protonmail.com> wrote:
>
> On Thu, 9 Nov 2023, Jeffrey Walton wrote:
>
> > On Thu, Nov 9, 2023 at 11:43 AM Greg Wooledge <greg@wooledge.org> wrote:
> >>
> >> On Thu, Nov 09, 2023 at 03:01:29PM +0000, fxkl47BF@protonmail.com wrote:
> >>> i upgraded from bullseye to bookworm with no problems
> >>> when i try ssh with -X/-Y to the bookworm machine x11 forwarding fails
> >>>
> >>> debug1: Requesting X11 forwarding with authentication spoofing.
> >>> debug1: Sending environment.
> >>> debug1: Sending env LANG = en_US.UTF-8
> >>> debug1: Sending env LC_ALL = en_US.UTF-8
> >>> X11 forwarding request failed on channel 0
> >>>
> >>> the .Xauthority file is not updated
> >>> is there new security or configuration
> >>
> >> On the server, run:
> >>
> >>     grep X11 /etc/ssh/sshd_config
> >>
> >> That should tell you whether X11Forwarding and its related options have
> >> been disabled.
> >
> > Probably need a 'grep -IR' since overrides can be provided in sshd_config.d/ :
> >
> >   $ sudo ls /etc/ssh/sshd_config.d/
> >   10-pubkey_auth.conf  20-no_root_login.conf
> >
> > And:
> >
> >    $ sudo cat /etc/ssh/sshd_config.d/10-pubkey_auth.conf
> >    PasswordAuthentication no
> >    ChallengeResponseAuthentication no
> >    KerberosAuthentication no
> >    KerberosOrLocalPasswd no
> >    GSSAPIAuthentication no
> >    UsePAM no
> >    PubkeyAuthentication yes
>
> my /etc/ssh/sshd_config.d/ is empty

/etc/ssh/sshd_config.d/ is where you are supposed to make changes.
Otherwise, new config files get written during upgrades, and overwrite
the old settings. Changes in sshd_config.d always survive, and always
take precedence over the distro's settings.

Jeff