ssh -X (xauth) and the missing SECURITY extension
Galen Sampson
galen.sampson at gmail.com
Tue May 4 19:32:49 UTC 2010
All,
I have been trying to use "ssh -X" to enable remote applications to
use my local X server. This never works. I would use "ssh -Y" (or
set the ForwardX11Trusted options to "yes") but the ssh man page
related to -Y kinda scares me away.
A "ssh -X -vvv" shows this xauth command being run:
/usr/local/bin/xauth -f /tmp/ssh-tmlUOx2553/xauthfile generate :0.0 MIT-MAGIC-COOKIE-1 untrusted timeout 1200
ssh shows this:
Warning: untrusted X11 forwarding setup failed: xauth key data not generated
Warning: No xauth data; using fake authentication data for X11 forwarding.
Graphical applications fail to start on the remote system due to this.
When xauth is run by hand, the following is displayed:
/usr/local/bin/xauth -f /tmp/xauthtest generate :0.0 MIT-MAGIC-COOKIE-1 untrusted timeout 1200
/usr/bin/xauth: (argv):1: couldn't query Security extension on display ":0.0"
Steps to Reproduce:
1. ssh -X <machine>
2. xterm
Actual Results:
The graphical app (xterm in this case) fails to start.
Expected Results:
The app should be run and displayed on the local machine.
I have noticed that in xorg-server-1.7.5,1 the X security extension is
disabled. If I use the patch below xauth generate (and hence ssh -X)
work as expected.
[504] testbsd:xorg-server$ /usr/local/bin/xauth -f /tmp/xauthtest generate :0.0 MIT-MAGIC-COOKIE-1 untrusted timeout 1200
/usr/local/bin/xauth: creating new authority file /tmp/xauthtest
<-----snip-------
--- Makefile.orig 2010-05-04 11:55:41.000000000 -0700
+++ Makefile 2010-05-03 23:10:00.000000000 -0700
@@ -38,7 +38,7 @@
USE_PERL5_BUILD=yes
CONFIGURE_ARGS= --disable-dmx --disable-xvfb --disable-xnest \
--localstatedir=/var --without-dtrace --disable-xephyr \
- --enable-record=yes
+ --enable-record=yes --enable-xcsecurity
MAN1= Xorg.1 \
Xserver.1 \
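Review bot: The --enable-xcsecurity flag appended to the last CONFIGURE_ARGS line is unconditional and has no comment explaining why the extension was off before. Consider gating it behind a port option, or at least documenting it next to the flag, so that users who need "xauth generate ... untrusted" cookies for ssh -X can opt in without silently changing the default server build for everyone. No PORTREVISION change is visible in this patch either, which a change to the server's configure flags would normally carry.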
<-----snip-------
Maybe there is a good reason that the SECURITY extension is disabled.
I just wanted to post this here and hopefully find a way to explain
the solution to a larger community.
For what it's worth I notice that many Linux distros with very new
Xorg servers still seem to have the SECURITY extension enabled.
Regards,
Galen
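
The diagnosis in the message above can be confirmed before rebuilding the server. The following is an added example, not part of the original post: it checks xdpyinfo output for the SECURITY extension and classifies the two ssh warnings quoted in the post. The function names and the sample xdpyinfo text are constructed for illustration.

```shell
#!/bin/sh
# Added example: check for the SECURITY extension and classify ssh -X warnings.

# Exit 0 if xdpyinfo output on stdin lists SECURITY among its extensions.
# Only the indented block under "number of extensions:" is examined.
has_security_ext() {
    awk '
        /^number of extensions:/   { in_ext = 1; next }
        in_ext && /^[^ ]/          { in_ext = 0 }   # next unindented header ends the list
        in_ext && $1 == "SECURITY" { found = 1 }
        END { exit !found }
    '
}

# Classify ssh client stderr on stdin using the two warnings quoted in the post.
# Prints: untrusted-failed | fake-cookie | ok
classify_ssh_x11() {
    awk '
        /untrusted X11 forwarding setup failed/             { failed = 1 }
        /using fake authentication data for X11 forwarding/ { fake = 1 }
        END {
            if (failed)    print "untrusted-failed"
            else if (fake) print "fake-cookie"
            else           print "ok"
        }
    '
}

# Live check against a real display (assumes xdpyinfo is installed).
check_display() {
    xdpyinfo -display "${1:-$DISPLAY}" 2>/dev/null | has_security_ext
}

# Constructed xdpyinfo output for a server built without the extension.
SAMPLE_XDPYINFO='name of display:    :0.0
number of extensions:    3
    BIG-REQUESTS
    RECORD
    XTEST
default screen number:    0'
# The two warnings as quoted in the post.
SAMPLE_SSH_LOG='Warning: untrusted X11 forwarding setup failed: xauth key data not generated
Warning: No xauth data; using fake authentication data for X11 forwarding.'

if printf '%s\n' "$SAMPLE_XDPYINFO" | has_security_ext; then ext=present; else ext=missing; fi
echo "SECURITY extension: $ext"
echo "ssh -X result: $(printf '%s\n' "$SAMPLE_SSH_LOG" | classify_ssh_x11)"
```

On a live system, `check_display :0.0` returns success only when the local X server advertises the extension that untrusted cookie generation depends on.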