Date: Sun, 20 Mar 2016 04:20:35 +0100
From: Marius Strobl <marius@freebsd.org>
To: Erich Dollansky <erichsfreebsdlist@alogt.com>
Cc: Ian Lepore <ian@freebsd.org>, freebsd-stable@freebsd.org
Subject: Re: DISPLAY not set inside jails after update to 10.3-PRERELEASE FreeBSD 10.3-PRERELEASE #4 r297043
Message-ID: <20160320032035.GA60753@alchemy.franken.de>
In-Reply-To: <20160320074758.42991a98@X220.alogt.com>
References: <20160319134806.6e53295a@X220.alogt.com> <1458397389.68920.65.camel@freebsd.org> <20160320074758.42991a98@X220.alogt.com>

On Sun, Mar 20, 2016 at 07:47:58AM +0800, Erich Dollansky wrote:
> Hi,
>
> On Sat, 19 Mar 2016 08:23:09 -0600
> Ian Lepore <ian@freebsd.org> wrote:
>
> > On Sat, 2016-03-19 at 13:48 +0800, Erich Dollansky wrote:
> > >
> > > nothing else was changed on the machine except the update. I could
> > > use
> > >
> > > ssh 192.168.12.12
> > >
> > > to connect to a jail running under that IP address before the update
> > > without problems.
> > >
> > > It works now only with
> > >
> > > ssh -Y 192.168.12.12
> > >
> > > The /etc/ssh/ssh_config file says:
> > >
> > > Host *
> > > ForwardX11 yes
> > >
> > > So, it should allow to connect to all machines providing ssh and
> > > forward X11.
> > >
> > > What did I miss?
> >
> > If -Y works, the ssh config file option that corresponds to that is
> > ForwardX11Trusted. ForwardX11 corresponds to -X. (Not sure what
> > changed, just throwing out the one little crumb of info I've got.)
> >
> I got this as an off-list reply:
>
> Could this be related to FreeBSD-SA-16:14.openssh?

Not FreeBSD-SA-16:14.openssh and CVE-2016-3115 respectively, but most
likely the changes for CVE-2016-1908 which came in as part of the
upgrade to OpenSSH 7.2p2, i.e. (among others):
https://anongit.mindrot.org/openssh.git/commit/?id=ed4ce82dbfa8a3a3c8ea6fa0db113c71e234416c

The xorg-server port is built with the X11 SECURITY extension disabled.
I just can suspect that the intent is to use a nested X server such as
Xephyr for securely running applications instead.

Actually, I'm surprised that such a fallback to trusted forwarding
existed. I believe it wasn't present back when ForwardX11Trusted was
introduced, essentially already causing the trouble you're now hitting.

Marius
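
The behaviour discussed in this thread, as an added example that is not part of the original mail or of OpenSSH: a small model of how the client's effective ForwardX11 / ForwardX11Trusted settings and the X server's SECURITY extension decide whether DISPLAY ends up set. The function names, the `fallback_removed` switch and the second configuration are assumptions made for illustration; the parser handles Host blocks only.

```python
import fnmatch

# ssh_config from the mail, plus a constructed variant that sets the option -Y maps to.
MAIL_CONFIG = "Host *\n    ForwardX11 yes\n"
CONSTRUCTED_CONFIG = "Host 192.168.12.*\n    ForwardX11Trusted yes\n" + MAIL_CONFIG

def host_matches(patterns, host):
    """ssh_config Host matching: a matching negated pattern vetoes the block."""
    if any(fnmatch.fnmatchcase(host, p[1:]) for p in patterns if p.startswith("!")):
        return False
    return any(fnmatch.fnmatchcase(host, p) for p in patterns if not p.startswith("!"))

def effective_x11(config_text, host):
    """Return (ForwardX11, ForwardX11Trusted) for host; first value obtained wins.
    Simplification: Host blocks only, no Match or Include."""
    seen, applies = {}, True  # options before the first Host line apply to all hosts
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.replace("=", " ", 1).split()
        key, args = parts[0].lower(), parts[1:]
        if key == "host":
            applies = host_matches(args, host)
        elif applies and args and key in ("forwardx11", "forwardx11trusted"):
            seen.setdefault(key, args[0].lower() == "yes")
    # Upstream OpenSSH defaults for both options are "no".
    return seen.get("forwardx11", False), seen.get("forwardx11trusted", False)

def x11_outcome(forward, trusted, xserver_has_security, fallback_removed=True):
    """Model of the client's choice. fallback_removed=True is the behaviour after
    the commit linked in the mail; False is the earlier fallback to trusted."""
    if not forward:
        return "none"
    if trusted:
        return "trusted"
    if xserver_has_security:
        return "untrusted"
    return "none" if fallback_removed else "trusted"

def explain(config_text, host, xserver_has_security):
    """Forwarding mode for host under the post-commit behaviour."""
    forward, trusted = effective_x11(config_text, host)
    return x11_outcome(forward, trusted, xserver_has_security)
```

With the configuration from the mail and an X server lacking the SECURITY extension, `explain` returns "none", which corresponds to DISPLAY not being set in the remote session.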