ssh -X (xauth) and the missing SECURITY extension

Galen Sampson galen.sampson at gmail.com
Tue May 4 19:32:49 UTC 2010


All,

I have been trying to use "ssh -X" to enable remote applications to
use my local X server.  This never works.  I would use "ssh -Y" (or
set the ForwardX11Trusted option to "yes") but the ssh man page
related to -Y kinda scares me away.

A "ssh -X -vvv" shows this xauth command being run:
/usr/local/bin/xauth -f /tmp/ssh-tmlUOx2553/xauthfile generate :0.0 MIT-MAGIC-COOKIE-1 untrusted timeout 1200

ssh shows this:
Warning: untrusted X11 forwarding setup failed: xauth key data not generated
Warning: No xauth data; using fake authentication data for X11 forwarding.

Graphical applications fail to start on the remote system due to this.

When xauth is run by hand, the following is displayed:
/usr/local/bin/xauth -f /tmp/xauthtest generate :0.0 MIT-MAGIC-COOKIE-1 untrusted timeout 1200
/usr/bin/xauth: (argv):1:  couldn't query Security extension on display ":0.0"

Steps to Reproduce:
1. ssh -X <machine>
2. xterm

Actual Results:
The graphical app (xterm in this case) fails to start.

Expected Results:
The app should be run and displayed on the local machine.

I have noticed that in xorg-server-1.7.5,1 the X security extension is
disabled.  If I use the patch below, xauth generate (and hence ssh -X)
works as expected.

[504] testbsd:xorg-server$  /usr/local/bin/xauth -f /tmp/xauthtest generate :0.0 MIT-MAGIC-COOKIE-1 untrusted timeout 1200
/usr/local/bin/xauth:  creating new authority file /tmp/xauthtest

<-----snip-------
--- Makefile.orig	2010-05-04 11:55:41.000000000 -0700
+++ Makefile	2010-05-03 23:10:00.000000000 -0700
@@ -38,7 +38,7 @@
 USE_PERL5_BUILD=yes
 CONFIGURE_ARGS=	--disable-dmx --disable-xvfb --disable-xnest \
 		--localstatedir=/var --without-dtrace --disable-xephyr \
-		--enable-record=yes
+		--enable-record=yes --enable-xcsecurity

 MAN1=		Xorg.1 \
 		Xserver.1 \
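Review bot: On the changed CONFIGURE_ARGS line, --enable-xcsecurity is switched on unconditionally and nothing in the Makefile records why the extension was off before or why it is needed now. I would add a short comment next to the flag saying that "xauth generate ... untrusted" (and therefore ssh -X) depends on the SECURITY extension, or put the flag behind a port option so the previous behaviour stays selectable until the reason it was disabled is known.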
<-----snip-------

Maybe there is a good reason that the SECURITY extension is disabled.
I just wanted to post this here and hopefully find a way to explain
the solution to a larger community.

For what it's worth, I notice that many Linux distros with very new
Xorg servers still seem to have the SECURITY extension enabled.

Regards,
Galen
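
The following check is an added example, not part of the original post: it tests whether an X server lists the SECURITY extension that "xauth generate ... untrusted" needs, and classifies the two ssh warnings quoted above. The function names and the xdpyinfo samples are constructed for illustration; the ssh warning text is copied from the post.

```shell
#!/bin/sh
# Returns 0 if the xdpyinfo output on stdin lists the SECURITY extension.
has_security_ext() {
    awk '
        /^number of extensions:/   { in_ext = 1; next }
        in_ext && /^[^ ]/          { in_ext = 0 }  # unindented line ends the list
        in_ext && $1 == "SECURITY" { found = 1 }
        END { exit !found }
    '
}

# Classifies ssh client stderr (on stdin) by the warnings quoted in the post.
x11_forward_status() {
    awk '
        /untrusted X11 forwarding setup failed/             { failed = 1 }
        /using fake authentication data for X11 forwarding/ { fake = 1 }
        END {
            if (failed && fake) print "untrusted-cookie-not-generated"
            else if (fake)      print "no-xauth-data"
            else                print "no-warning"
        }
    '
}

# Constructed sample: trimmed xdpyinfo output, server built without SECURITY.
SAMPLE_NO_SEC='name of display:    :0.0
number of extensions:    3
    BIG-REQUESTS
    RECORD
    XC-MISC
default screen number:    0'

# Constructed sample: the same server with SECURITY compiled in.
SAMPLE_SEC='name of display:    :0.0
number of extensions:    4
    BIG-REQUESTS
    RECORD
    SECURITY
    XC-MISC
default screen number:    0'

# ssh warnings as quoted in the post.
SAMPLE_SSH='Warning: untrusted X11 forwarding setup failed: xauth key data not generated
Warning: No xauth data; using fake authentication data for X11 forwarding.'

# Live check, only when a display and xdpyinfo are available.
if [ -n "${DISPLAY:-}" ] && command -v xdpyinfo >/dev/null 2>&1; then
    if xdpyinfo | has_security_ext; then
        echo "SECURITY extension present on $DISPLAY"
    else
        echo "SECURITY extension missing on $DISPLAY: ssh -X cannot get an untrusted cookie"
    fi
fi
```

Run it on the machine that owns the X display (the ssh client side), since that is where ssh invokes xauth.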

