ssh -X remote does not work due to problem with xauth

Fri May 11 06:27:02 UTC 2018

On Thu, May 10, 2018 at 10:35 PM, Jan Beich <jbeich at freebsd.org> wrote:

> Niclas Zeising <zeising+freebsd at daemonic.se> writes:
>
> > On 05/10/18 21:47, Christoph Moench-Tegeder wrote:
> >
> >> ## Christoph Moench-Tegeder (cmt at burggraben.net):
> >>
> >>> I haven't yet checked what causes these differing defaults.
> >>
> >> Well, now that I thought about it: most Linux distributions build their
> >> X server with "--enable-xcsecurity" in the configure flags. FreeBSD
> >> does not set that flag, as far as I can see. Next question: why?
> >>
> >
> > Hi!
> > It could be because of backwards compatibility, or, because at least I
> > wasn't really aware of that flag.  Is it for xserver or some other
> > package?
>
> See https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=221984
>

I'm a bit confused. I always have found that the simple solution to this
was the '-Y' option as described in the man page for ssh.

   -X      Enables X11 forwarding.  This can also be specified on a per-host
             basis in a configuration file.

             X11 forwarding should be enabled with caution.  Users with the
             ability to bypass file permissions on the remote host (for the
             user's X authorization database) can access the local X11
display
             through the forwarded connection.  An attacker may then be able
             to perform activities such as keystroke monitoring.

             For this reason, X11 forwarding is subjected to X11 SECURITY
             extension restrictions by default.  Please refer to the ssh -Y
             option and the ForwardX11Trusted directive in ssh_config(5) for
             more information.

IIRC, FreeBSD (and OpenBSD) chose to require -Y to emphasize the risks
involved. I'm guessing that des@ was responsible on the FreeBSD side.