DISPLAY not set inside jails after update to 10.3-PRERELEASE FreeBSD 10.3-PRERELEASE #4 r297043

Marius Strobl marius at freebsd.org
Sun Mar 20 03:21:23 UTC 2016


On Sun, Mar 20, 2016 at 07:47:58AM +0800, Erich Dollansky wrote:
> Hi,
> 
> On Sat, 19 Mar 2016 08:23:09 -0600
> Ian Lepore <ian at freebsd.org> wrote:
> 
> > On Sat, 2016-03-19 at 13:48 +0800, Erich Dollansky wrote:
> > > 
> > > nothing else was changed on the machine except the update. I could use
> > > 
> > > ssh 192.168.12.12
> > > 
> > > to connect to a jail running under that IP address before the update
> > > without problems.
> > > 
> > > It works now only with
> > > 
> > > ssh -Y 192.168.12.12
> > > 
> > > The /etc/ssh/ssh_config file says:
> > > 
> > > Host *
> > > ForwardX11 yes
> > > 
> > > So, it should allow connecting to all machines providing ssh and
> > > forwarding X11.
> > > 
> > > What did I miss?
> > 
> > If -Y works, the ssh config file option that corresponds to that is
> > ForwardX11Trusted.  ForwardX11 corresponds to -X.  (Not sure what
> > changed, just throwing out the one little crumb of info I've got.)
> > 
> I got this as an off-list reply:
> 
> Could this be related to FreeBSD-SA-16:14.openssh?

Not FreeBSD-SA-16:14.openssh and CVE-2016-3115 respectively, but
most likely the changes for CVE-2016-1908 which came in as part
of the upgrade to OpenSSH 7.2p2, i.e. (among others):
https://anongit.mindrot.org/openssh.git/commit/?id=ed4ce82dbfa8a3a3c8ea6fa0db113c71e234416c
The xorg-server port is built with the X11 SECURITY extension
disabled. I can only suspect that the intent is to use a nested
X server such as Xephyr for securely running applications instead.
Actually, I'm surprised that such a fallback to trusted forwarding
existed. I believe it wasn't present back when ForwardX11Trusted
was introduced, essentially already causing the trouble you're now
hitting.

Marius
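
An added diagnostic sketch, not part of the original thread: it classifies which kind of X11 forwarding the client will attempt from `ssh -G` output and whether the local X server offers the SECURITY extension that untrusted (`-X`) forwarding needs. The function name `diagnose_x11`, its verdict words and both sample inputs are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the thread. diagnose_x11 and its verdict words are
# hypothetical names chosen for this sketch.

# Constructed sample: relevant lines of `ssh -G 192.168.12.12` with the
# thread's "Host * / ForwardX11 yes" config (ForwardX11Trusted left at no).
SAMPLE_CFG='hostname 192.168.12.12
forwardx11 yes
forwardx11trusted no'

# Constructed sample: xdpyinfo extension list from an X server built without
# the SECURITY extension.
SAMPLE_XINFO='number of extensions:    3
    BIG-REQUESTS
    GLX
    XTEST'

# diagnose_x11 SSH_G_OUTPUT XDPYINFO_OUTPUT
# Prints: forwarding-off | trusted | untrusted | untrusted-unavailable
diagnose_x11() {
    fwd=$(printf '%s\n' "$1" | awk '$1 == "forwardx11" { print $2 }')
    trusted=$(printf '%s\n' "$1" | awk '$1 == "forwardx11trusted" { print $2 }')
    if [ "$fwd" != "yes" ]; then
        echo "forwarding-off"
    elif [ "$trusted" = "yes" ]; then
        # Same as -Y: no restricted cookie is needed.
        echo "trusted"
    elif printf '%s\n' "$2" | awk '$1 == "SECURITY" { f = 1 } END { exit !f }'; then
        # Same as -X: ssh can ask the X server for an untrusted cookie.
        echo "untrusted"
    else
        # -X without SECURITY and without a fallback to trusted forwarding:
        # forwarding is not set up, so DISPLAY stays unset on the remote side.
        echo "untrusted-unavailable"
    fi
}

# Live use: sh script.sh HOST (needs an ssh that supports -G, and xdpyinfo).
if [ $# -gt 0 ]; then
    diagnose_x11 "$(ssh -G "$1")" "$(xdpyinfo 2>/dev/null)"
fi
```

A verdict of `untrusted-unavailable` matches the situation in this thread; limiting `ForwardX11Trusted yes` to the specific `Host` entries that need it keeps trusted forwarding from applying to every destination.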
