Trusted vs untrusted ssh/X connections
Larry Hall (Cygwin)
reply-to-list-only-lh@cygwin.com
Sun Jun 22 01:43:00 GMT 2014
On 06/20/2014 02:37 PM, Andrew DeFaria wrote:
> On 6/19/2014 7:37 PM, Larry Hall (Cygwin) wrote:
>> On 06/19/2014 04:25 PM, Andrew DeFaria wrote:
>>> This is something that's been bothering me for a long time and I thought I
>>> might look into it a little deeper. I'm not sure if I should post this here
>>> because it involves Cygwin/X but it also involves OpenSSH.
>>
>> Actually, this is probably off-topic since I don't see anything Cygwin-
>> specific about setting up ssh/X connections.
>
> But I get the "untrusted X11 forwarding" error only when I ssh from Cygwin
> -> Linux using -X.
OK, I see your point on this one. But I thought that was covered in this
FAQ:
<http://x.cygwin.com/docs/faq/cygwin-x-faq.html#q-trusted-untrusted-x11-forwarding>
My understanding is that the Cygwin X server would need to be built
with the SECURITY extension but that it is not and, for reasons discussed
in the referenced email (which you also pointed to), would not be. If you
want to re-open this discussion, I suggest you create a new thread on the
Cygwin X list and refer back to this one (for background and continuity).
I'm not sure that there has been any big change in this area in the last 6
years but there's certainly nothing wrong with asking. :-)
>>
>>> When I ssh into a Linux machine using ForwardX11 I get those familiar
>>> messages:
>>>
>>> Warning: untrusted X11 forwarding setup failed: xauth key data not
>>> generated
>>>
>>> and according to
>>> https://cygwin.com/ml/cygwin-xfree/2008-11/msg00154.html:
>>> The warning can be silenced by using ssh -Y, since that
>>> is what ssh -X is doing now anyway.
>>>
>>> However, I find -Y to be 20 times slower to log in than -X:
>>
>> This is probably a configuration issue since when I ssh into my Linux
>> system, login time is roughly equivalent.
>
> Any ideas of what configuration file I should be looking at and what that
> configuration option would be?
I'm not sure. It might be as simple as the permissions problem on
.Xauthority slowing you down. Alternatively, you might try running
both clients with debugging and/or under strace to see if it helps
you narrow down where the time is going in the "-Y" case.
>>> Adefaria-lt:time ssh cm-job-ldev01 echo 'hi'
>>> Warning: untrusted X11 forwarding setup failed: xauth key data not
>>> generated
>>> Warning: No xauth data; using fake authentication data for X11
>>> forwarding.
>>> /usr/bin/xauth: error in locking authority file
>>> /home/adefaria/.Xauthority
>>> hi
>>>
>>> real 0m2.387s
>>> user 0m0.075s
>>> sys 0m0.446s
>>> Adefaria-lt:time ssh -Y cm-job-ldev01 echo 'hi'
>>> Warning: No xauth data; using fake authentication data for X11
>>> forwarding.
>>> hi
>>> /usr/bin/xauth: error in locking authority file
>>> /home/adefaria/.Xauthority
>>>
>>> real 0m22.476s
>>> user 0m0.091s
>>> sys 0m0.477s
>>> Adefaria-lt:
>>>
>>> Bonus points if you can help me get rid of the other errors!
>>
>> I believe the error regarding the .Xauthority file has something to do with
>> the permissions on the file. As for the warning, I believe you want to
>> unset DISPLAY on your PC, set X11Forwarding to "yes" on your Linux machine
>> in your sshd_config file, and X11Forward to "yes" in your ssh_config file
>> (for instance) on your PC. At least, that's what I gathered from searching
>> around on the net for the information. :-)
>
> My experience with this is that if DISPLAY is not set and you ssh -X (or -Y)
> then on the other side DISPLAY is not set:
>
> Adefaria-lt:echo $DISPLAY
> :0
> Adefaria-lt:ssh cm-job-ldev01 'echo $DISPLAY'
> Warning: untrusted X11 forwarding setup failed: xauth key data not generated
> Warning: No xauth data; using fake authentication data for X11 forwarding.
> /usr/bin/xauth: error in locking authority file /home/adefaria/.Xauthority
> localhost:11.0
> Adefaria-lt:unset DISPLAY
> Adefaria-lt:ssh cm-job-ldev01 'echo $DISPLAY'
>
> Adefaria-lt:
That's not what the man page says and doesn't match my experience either.
Check out 'man ssh' and search for the section on "X11 FORWARDING". It
has a section on what's supposed to happen and what needs to be set on the
client side to make this happen. That handles the client-side
requirements. Then there's the "X11Forwarding" on the server side that
needs to be set too, like I mentioned above. If this is how you're running
things but still having troubles, I would recommend contacting the OpenSSH
folks. They may have specific ideas about what else could cause the
behavior you see despite the recommended settings.
--
Larry
_____________________________________________________________________
A: Yes.
> Q: Are you sure?
>> A: Because it reverses the logical flow of conversation.
>>> Q: Why is top posting annoying in email?
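
A diagnostic sketch for the two problems discussed in this message, added here as an example and not part of the original thread or of OpenSSH: it classifies the forwarding mode the ssh client will request and checks whether xauth can lock the authority file. It assumes an OpenSSH client new enough to support `ssh -G` (6.8 or later); the function names and the sample input are constructed for illustration.

```shell
#!/bin/sh
# Added example: diagnose the X11 forwarding mode and .Xauthority locking.

# x11_mode: read "key value" lines as printed by `ssh -G <host>` on stdin and
# print the X11 forwarding mode the client will request:
#   none      - ForwardX11 is off
#   untrusted - ForwardX11 only (ssh -X); needs the X server's SECURITY extension
#   trusted   - ForwardX11 plus ForwardX11Trusted (ssh -Y)
x11_mode() {
    awk '
        tolower($1) == "forwardx11"        { fwd = tolower($2) }
        tolower($1) == "forwardx11trusted" { trusted = tolower($2) }
        END {
            if (fwd != "yes")          print "none"
            else if (trusted == "yes") print "trusted"
            else                       print "untrusted"
        }'
}

# xauth_lock_check FILE: xauth locks FILE by creating FILE-c and FILE-l next
# to it, so the directory must be writable and no earlier lock may be left.
# Prints each problem found; returns 0 when locking should succeed.
xauth_lock_check() {
    file=$1
    dir=$(dirname "$file")
    rc=0
    if [ ! -d "$dir" ] || [ ! -w "$dir" ]; then
        echo "directory not writable: $dir"; rc=1
    fi
    if [ -e "$file" ] && { [ ! -r "$file" ] || [ ! -w "$file" ]; }; then
        echo "authority file not readable and writable: $file"; rc=1
    fi
    for lock in "$file-c" "$file-l"; do
        if [ -e "$lock" ]; then
            echo "lock file present: $lock"; rc=1
        fi
    done
    return "$rc"
}

# Constructed sample of `ssh -G` output for a client configured like `ssh -X`.
sample='forwardx11 yes
forwardx11trusted no
forwardx11timeout 1200'
printf '%s\n' "$sample" | x11_mode    # untrusted

# Real use: ssh -G cm-job-ldev01 | x11_mode   (on the client)
#           xauth_lock_check "$HOME/.Xauthority"   (on the Linux host)
xauth_lock_check "${XAUTHORITY:-$HOME/.Xauthority}" || true
```

A lock file reported here is only stale if no other xauth process is running at that moment.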