On 05.08.2015 03:30 PM, Will Smith wrote:
Dear All,
I'm having a strange problem when attempting to connect to my CentOS server using x2goclients (Ubuntu & mac, 4.0.5.0). I'm running firewalld, but port 22 is unblocked and I am able to ssh into the machine and forward X traffic. When accessing from both a mac and an ubuntu client the session appears to start, but then immediately disconnects. The client logs say:

Info: Proxy running in client mode with pid '12054'.
Session: Starting session at 'Wed Aug 5 12:38:47 2015'.
Info: Using abstract X11 socket in kernel namespace for accessing DISPLAY=:0.
Info: Connecting to remote host 'localhost:31003'.
Info: Connection to remote proxy 'localhost:31003' established.
Error: The remote NX proxy closed the connection.
Error: Failure negotiating the session in stage '7'.
Error: Wrong version or invalid session authentication cookie.
Session: Terminating session at 'Wed Aug 5 12:38:53 2015'.
Session: Session terminated at 'Wed Aug 5 12:38:53 2015'.

If I attempt to reconnect, I can see the session, but am unable to resume it. The strange thing is that if I stop firewalld, I'm able to access the server from both clients with no issues, which implies it's a firewall issue, but as I say port 22 is unblocked and I can forward X traffic. Is there some other obvious firewall setting I've failed to do? Any assistance in fixing or diagnosing this issue would be highly appreciated.
X2Go makes extensive use of SSH tunnels. I suspect your firewall is too strict and denies access from localhost to localhost. Please make sure that locally, all connections are allowed.
Mihai
On 05.08.2015 06:37 PM, Will Smith wrote:
Dear Mihai,
Many thanks for your response. I can ssh localhost from the server no problems.
I wasn't talking just about connecting to localhost:22, but connections to localhost with random ports.
Indeed, all services on localhost are trusted. Having investigated further, I can see that it uses the public IP address when attempting to bind to localhost rather than 127.0.0.1 when firewalld is running. Cf. with firewalld running, the logs contain

Info: Agent running with pid '204654'.
Session: Starting session at 'Wed Aug 5 14:57:49 2015'.
Info: Proxy running in server mode with pid '204654'.
Info: Waiting for connection from 'localhost' on port '30011'.
Warning: Refusing connection from '131.***.***.100'. 100' on port '30011',

Urgh, yeah. It checks whether the connection comes from 127.0.0.1. If your "localhost" entry does not map to that, connections WILL fail.
and I'm unable to connect, but after stopping the firewalld service, and reconnecting, they contain

Info: Agent running with pid '214487'.
Session: Starting session at 'Wed Aug 5 15:19:53 2015'.
Info: Proxy running in server mode with pid '214487'.
Info: Waiting for connection from 'localhost' on port '30011'.
Info: Accepted connection from '127.0.0.1'.
Info: Connection with remote proxy completed.

and I can connect no problem. The routing table is the same in both cases. My /etc/hosts file contains the localhost line first and the public hostname/IP address line second. Perhaps this is more of a firewalld question, but any further light which can be shed on the issue would be most useful.
Maybe your resolver does weird things with firewalld running? In any case, whether firewalld is running or not, localhost should (not just for X2Go, but in general) not resolve to a public IP address. Sadly I have no idea what could be misbehaving, other than the resolver. The hosts file should be prioritized in /etc/nsswitch.conf, but there are probably ways to screw that up.
Mihai
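
Added example, not part of the thread and not X2Go code: a shell check for the two things the last reply points at, namely that "localhost" maps only to a loopback address in the hosts file and that the hosts file is consulted first in nsswitch.conf. The function names and the sample files (documentation-range addresses) are assumptions made for this illustration.

```shell
#!/bin/sh
# Added example: verify that "localhost" can only resolve to a loopback address.

# Print every address a hosts-format file maps to the name "localhost".
localhost_addrs() {
    awk '{ sub(/#.*/, "") }
         { for (i = 2; i <= NF; i++) if ($i == "localhost") print $1 }' "$1"
}

# Print the first lookup source on the "hosts:" line of an nsswitch.conf file.
first_hosts_source() {
    awk '{ sub(/#.*/, "") }
         $1 == "hosts:" { print $2; exit }' "$1"
}

# Usage: check_localhost HOSTS_FILE NSSWITCH_FILE
# Returns 0 when both files are sane, 1 otherwise; findings go to stdout.
check_localhost() {
    hosts_file=$1 nsswitch_file=$2 rc=0
    addrs=$(localhost_addrs "$hosts_file")
    [ -n "$addrs" ] || { echo "FAIL: no localhost entry in $hosts_file"; rc=1; }
    for a in $addrs; do
        case $a in
            127.*|::1) echo "ok:   localhost -> $a" ;;
            *) echo "FAIL: localhost -> $a is not a loopback address"; rc=1 ;;
        esac
    done
    src=$(first_hosts_source "$nsswitch_file")
    if [ "$src" = files ]; then
        echo "ok:   hosts lookups consult files first"
    else
        echo "FAIL: hosts lookups start with '${src:-nothing}', not files"; rc=1
    fi
    return "$rc"
}

# Demo on constructed sample files (addresses are documentation ranges).
demo() {
    d=$(mktemp -d)
    printf '203.0.113.10 server.example.org localhost\n' > "$d/hosts"
    printf 'hosts: dns files\n' > "$d/nsswitch.conf"
    check_localhost "$d/hosts" "$d/nsswitch.conf" || echo "=> misconfigured"
    rm -rf "$d"
}
demo
```

On the server, run `check_localhost /etc/hosts /etc/nsswitch.conf` and compare the result with `getent hosts localhost`, once with firewalld running and once with it stopped.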