This is the mail archive of the cygwin mailing list for the Cygwin project.



Re: Trusted vs untrusted ssh/X connections


On 6/19/2014 7:37 PM, Larry Hall (Cygwin) wrote:
> On 06/19/2014 04:25 PM, Andrew DeFaria wrote:
>> This is something that's been bothering me for a long time and I thought I
>> might look into it a little deeper. I'm not sure if I should post this here
>> because it involves Cygwin/X but it also involves OpenSSH.
>
> Actually, this is probably off-topic since I don't see anything
> Cygwin-specific about setting up ssh/X connections.

But I get the "untrusted X11 forwarding" error only when I ssh from Cygwin -> Linux using -X.

>> When I ssh into a Linux machine using ForwardX11 I get those familiar
>> messages:
>>
>> Warning: untrusted X11 forwarding setup failed: xauth key data not generated
>>
>> and according to
>> https://cygwin.com/ml/cygwin-xfree/2008-11/msg00154.html:
>> The warning can be silenced by using ssh -Y, since that
>> is what ssh -X is doing now anyway.
>>
>> However, I find -Y to be 20 times slower to log in than -X:
>
> This is probably a configuration issue since when I ssh into my Linux system,
> login time is roughly equivalent.

Any ideas of what configuration file I should be looking at and what that configuration option would be?

>> Adefaria-lt:time ssh cm-job-ldev01 echo 'hi'
>> Warning: untrusted X11 forwarding setup failed: xauth key data not generated
>> Warning: No xauth data; using fake authentication data for X11 forwarding.
>> /usr/bin/xauth:  error in locking authority file /home/adefaria/.Xauthority
>> hi
>>
>> real    0m2.387s
>> user    0m0.075s
>> sys     0m0.446s
>> Adefaria-lt:time ssh -Y cm-job-ldev01 echo 'hi'
>> Warning: No xauth data; using fake authentication data for X11 forwarding.
>> hi
>> /usr/bin/xauth:  error in locking authority file /home/adefaria/.Xauthority
>>
>> real    0m22.476s
>> user    0m0.091s
>> sys     0m0.477s
>> Adefaria-lt:
>>
>> Bonus points if you can help me get rid of the other errors!
>
> I believe the error regarding the .Xauthority file has something to do with
> the permissions on the file.  As for the warning, I believe you want to
> unset DISPLAY on your PC, set X11Forwarding to "yes" on your Linux machine
> in your sshd_config file, and X11Forward to "yes" in your ssh_config file
> (for instance) on your PC.  At least, that's what I gathered from searching
> around on the net for the information. :-)

My experience with this is that if DISPLAY is not set and you ssh -X (or -Y) then on the other side DISPLAY is not set:

Adefaria-lt:echo $DISPLAY
:0
Adefaria-lt:ssh cm-job-ldev01 'echo $DISPLAY'
Warning: untrusted X11 forwarding setup failed: xauth key data not generated
Warning: No xauth data; using fake authentication data for X11 forwarding.
/usr/bin/xauth:  error in locking authority file /home/adefaria/.Xauthority
localhost:11.0
Adefaria-lt:unset DISPLAY
Adefaria-lt:ssh cm-job-ldev01 'echo $DISPLAY'

Adefaria-lt:

> I think it goes without saying that enabling X11Forwarding opens up
> some security holes in X.  Oops, looks like I said it anyway. ;-)

Inside the intranet, this is not a concern for me.
--
Andrew DeFaria
http://defaria.com
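
A check for the conditions that typically sit behind the `error in locking authority file` message seen in the sessions above, as an added example that is not part of the original thread. The function name and finding labels are made up for illustration, and it assumes xauth's lock files are named `.Xauthority-c` and `.Xauthority-l`.

```shell
#!/usr/bin/env bash
# Added example (not from the thread): inspect an authority file for the
# conditions that make xauth fail with "error in locking authority file".
# Assumption: xauth locks FILE by creating FILE-c and FILE-l beside it.

# check_xauthority [DIR]  -- DIR defaults to $HOME.
# Prints one finding per line; exit status 0 = clean, 1 = findings.
# The body is a subshell so its variables do not leak into the caller.
check_xauthority() (
    dir=${1:-$HOME}
    file="$dir/.Xauthority"
    rc=0

    # xauth has to create its lock files in the same directory.
    if [ ! -w "$dir" ]; then
        echo "DIR_NOT_WRITABLE $dir"; rc=1
    fi

    # Locks left behind by an interrupted xauth block every later run.
    for lock in "$file-c" "$file-l"; do
        if [ -e "$lock" ]; then
            echo "STALE_LOCK $lock"; rc=1
        fi
    done

    if [ -e "$file" ]; then
        # The file must belong to, and be writable by, the login user.
        if [ ! -O "$file" ] || [ ! -w "$file" ]; then
            echo "NOT_OWNED_OR_READONLY $file"; rc=1
        fi
        # It stores the X cookie, so group/other need no access at all.
        perms=$(ls -ld "$file" | cut -c5-10)
        if [ "$perms" != "------" ]; then
            echo "GROUP_OTHER_ACCESS $file"; rc=1
        fi
    fi
    exit "$rc"
)
```

Source the file and call `check_xauthority` as the affected user on the host where xauth printed the error; a `STALE_LOCK` finding is only safe to clear when no xauth process is running.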

