This is the mail archive of the cygwin-xfree mailing list for the Cygwin XFree86 project.


Index Nav: [Date Index] [Subject Index] [Author Index] [Thread Index]
Message Nav: [Date Prev] [Date Next] [Thread Prev] [Thread Next]

FAQ: X11 forwarding


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

For all those having issues with untrusted X11 forwarding (IOW ssh -X):

1) First, please (re-)read this:

http://x.cygwin.com/docs/faq/cygwin-x-faq.html#remote

2) I can confirm that ssh is hardcoded to look for xauth in
/usr/X11R6/bin.  The 5.1p1-9 release should fix that; in the meantime,
you can add the following line to either ~/.ssh/config or /etc/ssh_config:

XAuthLocation /usr/bin/xauth

3) Even if you do that, you will still get a warning:

> Warning: untrusted X11 forwarding setup failed: xauth key data not generated

Which means that ssh is going to use *trusted* X11 forwarding anyway,
because *untrusted* X11 forwarding depends on the Security (aka
XC-Security) extension, which has been disabled by default upstream.

Here's why:

Trusted X11 forwarding means that you trust that the server you wish to
ssh into is not using any keyloggers, screenshot utilities, packet
sniffers, or anything else to hijack your connection; in that case X11
will allow it to do whatever a local client would be able to do.

Untrusted X11 forwarding was meant to be a way to allow logins to
unknown or insecure systems.  It generates a cookie with xauth and uses
the Security extension to limit what the remote client is allowed to do.
But this is widely considered to be not useful, because the Security
extension uses an arbitrary and limited access control policy, which
results in a lot of applications not working correctly and what is
really a false sense of security.  This is true even today; I rebuilt
XWin with Security enabled and 'ssh -X' into my Linux VM, and got
BadAccess errors from *any* GTK2 program.  More on this subject:

http://www.openssh.com/faq.html#3.13
http://www.nsa.gov/selinuX/papers/x11/x93.html

Given the limited usefulness of untrusted X11 forwarding, *upstream* has
disabled it by default in favour of other security models, but it has
not yet been removed.  So there are two options:

A) Leave things as they are now, with that warning advising people that
untrusted X11 forwarding is not available and that trusted mode is being
used instead.  The warning can be silenced by using ssh -Y, since that
is what ssh -X is doing now anyway.

B) Re-enable the Security extension together with the openssh update,
and be swamped by questions that programs aren't running under ssh -X,
and have to tell everyone that ssh -X is generally broken anyway and
they should be using ssh -Y instead.

If someone can show me a case where something works correctly under
option (B) but not under (A), I may reconsider; otherwise, everyone now
understands that the Security extension is not really useful, is not to
be relied upon, and is therefore not available.


Yaakov
Cygwin/X
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (Cygwin)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iEYEAREIAAYFAkkgxwEACgkQpiWmPGlmQSOrMgCg58/L1MgjOUfzfyQn8CeApyCO
jS0AoO6dCFxA16eeKkjdJiCrXk3wBetj
=w+Nv
-----END PGP SIGNATURE-----

--
Unsubscribe info:      http://cygwin.com/ml/#unsubscribe-simple
Problem reports:       http://cygwin.com/problems.html
Documentation:         http://x.cygwin.com/docs/
FAQ:                   http://x.cygwin.com/docs/faq/
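Added example, not part of Yaakov's message or of the Cygwin/X project: a constructed ~/.ssh/config that applies the XAuthLocation workaround from point (2) and makes the trusted/untrusted decision explicit per host, plus a small POSIX sh resolver that applies OpenSSH's rule that the first value obtained for an option wins, so you can check which mode a given host will actually get before typing ssh -X. The last function exercises the one step that separates the two modes, the untrusted cookie request, and reports when the X server cannot honour it. The host names (untrusted-lab, devbox, other.example.org), the config layout and the helper names are assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not code from the original post or from Cygwin/X. Writes a
# constructed ~/.ssh/config that applies the XAuthLocation workaround and sets
# the trusted/untrusted choice per host, then resolves options the way ssh
# does ("first obtained value wins") so the ordering of Host blocks can be
# checked. Host names and the layout are assumptions made for illustration.
set -euf   # -f: keep "Host *" from glob-expanding when lines are word-split

write_example_config() {
    cat > "$1" <<'EOF'
# Per-host blocks must come BEFORE "Host *": ssh keeps the first value it sees.

# A lab box we do not trust: no X11 forwarding at all.
Host untrusted-lab
    ForwardX11 no

# A trusted dev box: trusted forwarding, so "ssh -X" behaves like "ssh -Y"
# and the "untrusted X11 forwarding setup failed" warning does not appear.
Host devbox
    ForwardX11 yes
    ForwardX11Trusted yes

# Defaults for everything else. Cygwin's xauth is /usr/bin/xauth.
Host *
    XAuthLocation /usr/bin/xauth
    ForwardX11 no
    ForwardX11Trusted no
EOF
}

# host_matches HOST PATTERN: succeed if the ssh_config glob matches HOST.
host_matches() {
    case "$1" in
        $2) return 0 ;;
    esac
    return 1
}

# effective_option FILE HOST KEY: print the value ssh would use for KEY when
# connecting to HOST. Keywords are case-insensitive; the first match wins.
# Returns 1 when the option is not set anywhere for that host.
effective_option() {
    file=$1; host=$2; want=$(printf '%s' "$3" | tr 'A-Z' 'a-z')
    active=0   # 0 (true): options before any Host line apply to every host
    while IFS= read -r line || [ -n "$line" ]; do
        line=${line%%#*}          # drop comments
        set -- $line              # word-split; this also drops indentation
        [ $# -ge 2 ] || continue
        key=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
        shift
        if [ "$key" = host ]; then
            active=1              # a Host line may list several patterns
            for pat in "$@"; do
                host_matches "$host" "$pat" && active=0
            done
            continue
        fi
        [ "$active" -eq 0 ] || continue
        if [ "$key" = "$want" ]; then
            printf '%s\n' "$*"
            return 0
        fi
    done < "$file"
    return 1
}

# The step that separates the two modes. Trusted forwarding copies your
# existing cookie; untrusted forwarding asks xauth for a restricted,
# time-limited cookie, which the X server can only issue with the SECURITY
# extension. Only attempted when xauth and a DISPLAY are available.
try_untrusted_cookie() {
    authfile=$1
    if ! command -v xauth >/dev/null 2>&1 || [ -z "${DISPLAY:-}" ]; then
        echo "xauth or DISPLAY not available; skipping untrusted cookie test"
        return 0
    fi
    if xauth -f "$authfile" generate "$DISPLAY" MIT-MAGIC-COOKIE-1 untrusted timeout 600; then
        xauth -f "$authfile" list
    else
        echo "untrusted cookie generation failed (no SECURITY extension on this server?)"
    fi
}

main() {
    cfg=$(mktemp)
    write_example_config "$cfg"
    for h in untrusted-lab devbox other.example.org; do
        printf '%-18s XAuthLocation=%s ForwardX11=%s ForwardX11Trusted=%s\n' "$h" \
            "$(effective_option "$cfg" "$h" XAuthLocation)" \
            "$(effective_option "$cfg" "$h" ForwardX11)" \
            "$(effective_option "$cfg" "$h" ForwardX11Trusted)"
    done
    try_untrusted_cookie "$cfg.xauth"
    rm -f "$cfg" "$cfg.xauth"
}
main "$@"
```

The resolver only reproduces the first-match rule for plain Host blocks; it ignores Match and Include. On OpenSSH 6.8 or later, ssh -G hostname prints the effective configuration and is the authoritative check. The cookie function shows why the message's warning appears: when the server has no Security extension the untrusted generate call fails, and the quoted "xauth key data not generated" warning is ssh reporting exactly that failure.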

