This is the mail archive of the cygwin mailing list for the Cygwin project.



Re: Trusted vs untrusted ssh/X connections


On 06/20/2014 02:37 PM, Andrew DeFaria wrote:
On 6/19/2014 7:37 PM, Larry Hall (Cygwin) wrote:
On 06/19/2014 04:25 PM, Andrew DeFaria wrote:
This is something that's been bothering me for a long time and I thought I
might look into it a little deeper. I'm not sure if I should post this here
because it involves Cygwin/X but it also involves OpenSSH.

Actually, this is probably off-topic since I don't see anything
Cygwin-specific about setting up ssh/X connections.

But I get the "untrusted X11 forwarding" error only when I ssh from Cygwin
-> Linux using -X.

OK, I see your point on this one.  But I thought that was covered in this
FAQ:

<http://x.cygwin.com/docs/faq/cygwin-x-faq.html#q-trusted-untrusted-x11-forwarding>

My understanding is that the Cygwin X server would need to be built
with the SECURITY extension but that it is not and, for reasons discussed
in the referenced email, (which you also pointed to) would not be.  If you
want to re-open this discussion, I suggest you create a new thread on the
Cygwin X list and refer back to this one (for background and continuity).
I'm not sure that there has been any big change in this area in the last 6
years but there's certainly nothing wrong with asking. :-)


When I ssh into a Linux machine using ForwardX11 I get those familiar
messages:

Warning: untrusted X11 forwarding setup failed: xauth key data not generated

and according to
https://cygwin.com/ml/cygwin-xfree/2008-11/msg00154.html:
The warning can be silenced by using ssh -Y, since that
is what ssh -X is doing now anyway.

However, I find -Y to be 20 times slower to log in than -X:

This is probably a configuration issue since when I ssh into my Linux system,
login time is roughly equivalent.

Any ideas of what configuration file I should be looking at and what that
configuration option would be?

I'm not sure.  It might be as simple as the permissions problem on
.Xauthority slowing you down.  Alternatively, you might try running
both clients with debugging and/or under strace to see if it helps
you narrow down where the time is going in the "-Y" case.

Adefaria-lt:time ssh cm-job-ldev01 echo 'hi'
Warning: untrusted X11 forwarding setup failed: xauth key data not generated
Warning: No xauth data; using fake authentication data for X11 forwarding.
/usr/bin/xauth:  error in locking authority file /home/adefaria/.Xauthority
hi

real    0m2.387s
user    0m0.075s
sys     0m0.446s
Adefaria-lt:time ssh -Y cm-job-ldev01 echo 'hi'
Warning: No xauth data; using fake authentication data for X11 forwarding.
hi
/usr/bin/xauth:  error in locking authority file /home/adefaria/.Xauthority

real    0m22.476s
user    0m0.091s
sys     0m0.477s
Adefaria-lt:

Bonus points if you can help me get rid of the other errors!

I believe the error regarding the .Xauthority file has something to do with
the permissions on the file.  As for the warning, I believe you want to
unset DISPLAY on your PC, set X11Forwarding to "yes" on your Linux machine
in your sshd_config file, and X11Forward to "yes" in your ssh_config file
(for instance) on your PC.  At least, that's what I gathered from searching
around on the net for the information. :-)

My experience with this is that if DISPLAY is not set and you ssh -X (or -Y)
then on the other side DISPLAY is not set:

Adefaria-lt:echo $DISPLAY
:0
Adefaria-lt:ssh cm-job-ldev01 'echo $DISPLAY'
Warning: untrusted X11 forwarding setup failed: xauth key data not generated
Warning: No xauth data; using fake authentication data for X11 forwarding.
/usr/bin/xauth:  error in locking authority file /home/adefaria/.Xauthority
localhost:11.0
Adefaria-lt:unset DISPLAY
Adefaria-lt:ssh cm-job-ldev01 'echo $DISPLAY'

Adefaria-lt:

That's not what the man page says and doesn't match my experience either.
Check out 'man ssh' and search for the section on "X11 FORWARDING".  It
has a section on what's supposed to happen and what needs to be set on the
client side to make this happen.  That handles the client-side
requirements.  Then there's the "X11Forwarding" on the server side that
needs to be set too, like I mentioned above.  If this is how you're running
things but still having troubles, I would recommend contacting the OpenSSH
folks.  They may have specific ideas about what else could cause the
behavior you see despite the recommended settings.

--
Larry

_____________________________________________________________________

A: Yes.
> Q: Are you sure?
>> A: Because it reverses the logical flow of conversation.
>>> Q: Why is top posting annoying in email?
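
The checks discussed in this message, as an added example that is not part of the original e-mail: it classifies the client's effective X11 forwarding mode from `ssh -G <host>` output (a reasonably recent OpenSSH client is assumed) and inspects the authority file that xauth complained about. The function names, finding labels and sample lines are constructed, and treating leftover `-c`/`-l` lock files as a cause of the locking error is an assumption about this setup.

```shell
#!/bin/sh
# Added example: not from the thread. Typical use on the client:
#   ssh -G cm-job-ldev01 | x11_mode
# and on the remote host:
#   xauth_findings "$HOME/.Xauthority"

# Reads `ssh -G` style "key value" lines on stdin.
# Prints off | untrusted | trusted (untrusted = -X semantics, trusted = -Y).
x11_mode() {
    awk '
        tolower($1) == "forwardx11"        { fwd = tolower($2) }
        tolower($1) == "forwardx11trusted" { trusted = tolower($2) }
        END {
            if (fwd != "yes")          print "off"
            else if (trusted == "yes") print "trusted"
            else                       print "untrusted"
        }'
}

# Prints one finding per line for an authority file; prints nothing if clean.
xauth_findings() {
    f=$1
    d=$(dirname "$f")
    # xauth creates its lock files in the same directory as the authority file.
    [ -w "$d" ] || echo "dir-not-writable"
    if [ -e "$f" ] && [ ! -w "$f" ]; then echo "file-not-writable"; fi
    # Assumption: leftover lock files (libXau uses <file>-c and <file>-l)
    # from an interrupted xauth run make later runs wait and then fail.
    for lock in "$f-c" "$f-l"; do
        [ -e "$lock" ] && echo "stale-lock:$(basename "$lock")"
    done
    return 0
}

# Constructed sample input, not captured from the machines in the thread.
SAMPLE_X='forwardx11 yes
forwardx11trusted no'
SAMPLE_Y='forwardx11 yes
forwardx11trusted yes'

demo() {
    printf '%s\n' "$SAMPLE_X" | x11_mode
    printf '%s\n' "$SAMPLE_Y" | x11_mode
}
demo
```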
