This is the mail archive of the cygwin mailing list for the Cygwin project.
Re: X11Forward and xauth problems
- From: Andrew DeFaria <Andrew at DeFaria dot com>
- To: cygwin at cygwin dot com
- Date: Thu, 26 Mar 2015 15:06:42 -0700
- Subject: Re: X11Forward and xauth problems
- Authentication-results: sourceware.org; auth=none
- References: <mepu7q$9dr$1 at ger dot gmane dot org> <55108046 dot 1070206 at dronecode dot org dot uk> <meq0g3$hob$1 at ger dot gmane dot org> <55115B29 dot 8000904 at dronecode dot org dot uk> <meurth$g26$1 at ger dot gmane dot org> <55145A0D dot 4010406 at dronecode dot org dot uk>
On 3/26/2015 12:12 PM, Jon TURNEY wrote:
> On 25/03/2015 17:40, Andrew DeFaria wrote:
>> Prediction: This problem probably will end up having something to do
>> with the permissions and file system that ~/.Xauthority resides on,
>> which is, I believe, a NetApp. This file system is the file system for
>> the Linux Home directories (Windows "home" directories are somewhere
>> else). In an attempt to have a transparently workable environment I set
>> my Cygwin home directory to access the same directory my Linux servers
>> use for the home directory - this NetApp. If you need more information
>> about that then let me know and perhaps tell me how I can get that.
>
> This seems very plausible.
>
> If I am understanding you correctly, ~/.Xauthority is the same file on
> the NetApp at both ends. I think perhaps that is somehow the cause of
> the problem.

Yes.
> The sequence of actions is something like:
>
> - startx(|win) generates a random cookie and stores it in
> ~/.serverauth.<pid> and uses that file as the server -auth option
> - it also uses 'xauth add' to put that cookie into ~/.Xauthority for the
> display (e.g. :0)

I'm not using startx - I just do C:\Cygwin\bin\XWin.exe -multiwindow
-listen tcp
Note I don't see a ~/.serverauth. Maybe this file is created just for
this purpose and quickly removed?
> - ssh reads that cookie out of ~/.Xauthority using 'xauth list' and
> sends it to the far end
> - sshd tries to store that cookie using xauth for the proxy display (e.g.
> :10)
>
> Reading the source of xauth [1], it does try to lock the ~/.Xauthority
> file for up to 20 seconds before giving up, which perhaps corresponds to
> the delay you see?

Sounds plausible. Is that configurable?
> However, the "unable to link authority file .Xauthority, use
> .Xauthority-n" message indicates that the working file .Xauthority-n
> cannot be renamed as .Xauthority (xauth tries both to hard-link it as
> .Xauthority, and to rename it)

After I ssh -X to this system I do see ~/.Xauthority and
~/.Xauthority-n. They are the same size but differ binarily. I can do mv
~/.Xauthority-n ~/.Xauthority without issue. Why can't sshd do that?
Once I rename the file X clients work! From that machine...
So I thought this might be a crude workaround and put this in my .bashrc:
# Hack to fix ~/.Xauthority
if [ -f "$HOME/.Xauthority-n" ]; then
    mv "$HOME/.Xauthority-n" "$HOME/.Xauthority"
    echo "Fixed ~/.Xauthority"
fi
and then thought, "What happens when I ssh into yet another Linux
machine that shares this home directory" and when I tried to ssh -X to
another machine I got (with a little instrumentation):
Adefaria-lt:id
uid=20393(adefaria) gid=10513(Domain Users) groups=10513(Domain Users),0(root),545(Users)
Adefaria-lt:ssh -X cm-app-lprod01
Warning: untrusted X11 forwarding setup failed: xauth key data not generated
Warning: No xauth data; using fake authentication data for X11 forwarding.
/usr/bin/xauth: unable to link authority file /home/adefaria/.Xauthority, use /home/adefaria/.Xauthority-n
Attempting mv /home/adefaria/.Xauthority-n /home/adefaria/.Xauthority
mv: cannot move `/home/adefaria/.Xauthority-n' to `/home/adefaria/.Xauthority': Permission denied
adefaria
uid=80176(adefaria) gid=701(Domain Users) groups=701(Domain Users),10013(CMAdmins),10014(CMMachines-admin.sec) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
-rw-------. 1 adefaria Domain Users 223 Mar 26 13:25 /home/adefaria/.Xauthority
-rw-------. 1 adefaria Domain Users 223 Mar 26 13:46 /home/adefaria/.Xauthority-n
Cm-app-lprod01:mv .Xauthority-n .Xauthority
Cm-app-lprod01:
So the plot thickens... Why was mv denied permission when I can easily
do it once I get a prompt?
Could it be because on Cygwin my uid is 20393 and on Linux it's 80176
(and probably equivalenced by some mapping in the Netapp of 20393 <-> 80176)?

> Of course, sshd doesn't understand its helpful advice to use a
> different filename, so things don't work out so well. :)
>
> Given that it works the first time, when there is no existing
> ~/.Xauthority, perhaps the NetApp doesn't permit this file to be renamed
> over an existing file, for some reason?

But I did rename it once I got a prompt without a problem.

> You can tell startx to use a different file by using the XAUTHORITY env
> var, so setting that to something like ~/.Xauthority-$HOSTNAME might be
> a workaround. (Some googling on 'Xauthority hostname nfs' might be
> informative)

Again, I don't use startx, I simply run Xwin directly. In fact the
startx command is not found! Setting XAUTHORITY didn't do anything different.

> Or editing startx and changing enable_xauth to 0 might also be a
> workaround.

Since I don't even have startx, this is not really an option.
I need to read that googling on 'Xauthority hostname nfs'...
Any idea why setting ForwardX11 yes and ForwardX11Trusted don't seem to
work? I thought it was that setting ForwardX11 yes is equivalent to
specifying -X and setting ForwardX11Trusted yes is equivalent to
specifying -Y but they are not behaving that way!
Adefaria-lt:echo "ForwardX11 yes" > ~/.ssh/config
Adefaria-lt:ssh cm-db-ldev01 "echo DISPLAY = \'\$DISPLAY\'"
Warning: untrusted X11 forwarding setup failed: xauth key data not generated
Warning: No xauth data; using fake authentication data for X11 forwarding.
X11 forwarding request failed on channel 0
DISPLAY = ''
Adefaria-lt:echo "ForwardX11Trusted yes" > ~/.ssh/config
Adefaria-lt:ssh cm-db-ldev01 "echo DISPLAY = \'\$DISPLAY\'"
DISPLAY = ''
Adefaria-lt:
Also why does this work:
Adefaria-lt:ssh -X cm-app-ldev01 "echo DISPLAY = \'\$DISPLAY\'"
Warning: untrusted X11 forwarding setup failed: xauth key data not generated
Warning: No xauth data; using fake authentication data for X11 forwarding.
DISPLAY = 'localhost:11.0'
Adefaria-lt:
But this fails:
Adefaria-lt:ssh -X cm-db-ldev01 "echo DISPLAY = \'\$DISPLAY\'"
Warning: untrusted X11 forwarding setup failed: xauth key data not generated
Warning: No xauth data; using fake authentication data for X11 forwarding.
X11 forwarding request failed on channel 0
DISPLAY = ''
Adefaria-lt:
I find all of this behavior erratic and unreliable.
--
Andrew DeFaria
http://defaria.com
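
Added example (not part of the original message and not xauth's own code): a scratch-file probe for the question raised above, namely whether a hard link or a rename over an existing file succeeds in the directory holding ~/.Xauthority, and under which numeric uid. The function name probe_authdir and the .xauth-probe.* file names are hypothetical; the link-then-rename pair follows the description of xauth quoted in the thread.

```shell
#!/bin/sh
# Added diagnostic (not from the thread). Runs the two operations the thread
# says xauth uses to install its working file (hard link, then rename) on
# scratch files in DIR; a real .Xauthority is never touched.
# Usage: probe_authdir "$HOME"
probe_authdir() {
    dir=${1:-$HOME}
    target="$dir/.xauth-probe.$$"   # stands in for an existing .Xauthority
    work="$target-n"                # stands in for the .Xauthority-n working file
    link_res=fail
    rename_res=fail

    # Create both files mode 0600, like the listing in the thread.
    if ! ( umask 077; : > "$target" && : > "$work" ) 2>/dev/null; then
        rm -f "$target" "$work"
        echo "uid=$(id -u) create=fail"
        return 1
    fi

    # Numeric owner as this host sees it; on a shared NFS home it can differ
    # from the uid of the process attempting the rename.
    owner=$(ls -ldn "$dir" | awk '{print $3}')

    # 1. Hard-link the working file under a new name.
    if ln "$work" "$target.lnk" 2>/dev/null; then link_res=ok; fi
    # 2. Rename the working file over the already existing target.
    if mv -f "$work" "$target" 2>/dev/null; then rename_res=ok; fi

    rm -f "$target" "$work" "$target.lnk"
    echo "uid=$(id -u) dir_owner=$owner link=$link_res rename=$rename_res"
    # Succeed if at least one of the two install paths works.
    [ "$link_res" = ok ] || [ "$rename_res" = ok ]
}
```

Running it once from the Cygwin side and once from a Linux login shell on the same home directory gives two comparable lines, one per uid.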