ssh: why doesn't my disabled X11 forwarding for a specific host work?

I use an alias for ssh

alias ssh
alias ssh='ssh -t -K -Y'

I want to use ssh X11 forwarding except for one host, so I did this:

vim .ssh/config

host myhost
   port 22
   ForwardX11 no
   HostkeyAlgorithms +ssh-rsa
   PubkeyAcceptedAlgorithms +ssh-rsa

but..

ssh myhost 
sh: xauth: command not found
[email protected]$ 

It seems my option is ignored. Why?

I also tried

   ForwardX11 no
   ForwardX11trusted no

but no success.

A workaround can be this...

\ssh myhost

so -t -K -Y is ignored, but I prefer a cleaner solution.

I forgot: the remote server uses Dropbear.

Reading this page, I see it is possible to disable X11 for a specific key on the server:

vim .ssh/authorized_keys

no-X11-forwarding ssh-rsa......

but in this case it also refuses the \ssh command!

ssh myhost
X11 forwarding request failed on channel 0
Connection to myhost closed by remote host.
Connection to myhost closed.

\ssh myhost 
Connection to myhost closed by remote host.
Connection to myhost closed.

Using this line on the server works, but not for pubkey; it requires the password:

no-agent -forwarding, no-port-forwarding, no-x11-forwarding ssh-rsa....

Answers 1

  • Preliminary note

    You tagged but I doubt your SSH client is from Dropbear (i.e. I doubt your ssh is in fact dbclient; I guess dbclient does not even support all the options you used). Therefore this answer investigates the behavior of SSH client from OpenSSH.

    (Personally I expect any client to copy the behavior of OpenSSH in aspects that matter to the question. The point is OpenSSH is the de-facto standard for SSH implementations.)


    Analysis

    From man 5 ssh_config:

    ssh(1) obtains configuration data from the following sources in the following order:

    1. command-line options
    2. user's configuration file (~/.ssh/config)
    3. system-wide configuration file (/etc/ssh/ssh_config)

    For each parameter, the first obtained value will be used. […]

    By using the alias, you're using ssh -Y. The command-line option makes ssh ignore ForwardX11 no in your config file. If you want an option from the config file to work, you mustn't use any opposing command-line option. Command-line options matter first and this is it.


    Solution

    You wrote:

    I want to use ssh forwarding X11 except for one host

    Instead of in the alias, implement this in your config file:

    host myhost
       ForwardX11 no
    
    host *
       ForwardX11 yes
       ForwardX11Trusted yes
    

    Note the manual states:

    Since the first obtained value for each parameter is used, more host-specific declarations should be given near the beginning of the file, and general defaults at the end.

    This means host myhost shall be before host *, exactly like in the example above, not the other way around.
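The precedence rule quoted in the answer can be checked with a small model. The following is an added example, not part of the original answer and not OpenSSH code: a simplified resolver (hypothetical names `effective_options` and `host_matches`, constructed sample configs) that applies command-line flags first and then reads the config file top to bottom, keeping the first value obtained for each option.

```python
import fnmatch

# Constructed sample configs: the answer's ordering, and the reversed ordering.
SPECIFIC_FIRST = """\
host myhost
   ForwardX11 no

host *
   ForwardX11 yes
   ForwardX11Trusted yes
"""
WILDCARD_FIRST = """\
host *
   ForwardX11 yes
   ForwardX11Trusted yes

host myhost
   ForwardX11 no
"""

# X11-related ssh flags and the options they set; other flags are ignored here.
FLAG_OPTIONS = {
    "-x": {"forwardx11": "no"},
    "-X": {"forwardx11": "yes"},
    "-Y": {"forwardx11": "yes", "forwardx11trusted": "yes"},
}

def host_matches(host, patterns):
    """True if a plain pattern matches and no '!pattern' matches (simplified)."""
    if any(fnmatch.fnmatchcase(host, p[1:]) for p in patterns if p.startswith("!")):
        return False
    return any(fnmatch.fnmatchcase(host, p) for p in patterns if not p.startswith("!"))

def effective_options(host, config_text, flags=()):
    """Resolve options: command-line flags first, then the file top to bottom."""
    result = {}
    for flag in flags:                        # 1. command-line options
        result.update(FLAG_OPTIONS.get(flag, {}))
    active = True                             # lines before any Host apply to all hosts
    for raw in config_text.splitlines():      # 2. user's configuration file
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        keyword = parts[0].lower()            # keywords are case-insensitive
        value = parts[1].strip() if len(parts) > 1 else ""
        if keyword == "host":
            active = host_matches(host, value.split())
        elif active:
            result.setdefault(keyword, value)  # first obtained value wins
    return result
```

With the alias flags (`-t -K -Y`) passed in, `forwardx11` resolves to `yes` for `myhost` whichever file is used. On a real OpenSSH client, `ssh -G myhost` prints the effective configuration for comparison.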

