Date: Sun, 20 Mar 2016 04:20:35 +0100
From: Marius Strobl
To: Erich Dollansky
Cc: Ian Lepore, freebsd-stable@freebsd.org
Subject: Re: DISPLAY not set inside jails after update to 10.3-PRERELEASE FreeBSD 10.3-PRERELEASE #4 r297043
Message-ID: <20160320032035.GA60753@alchemy.franken.de>
In-Reply-To: <20160320074758.42991a98@X220.alogt.com>

On Sun, Mar 20, 2016 at 07:47:58AM +0800, Erich Dollansky wrote:
> Hi,
>
> On Sat, 19 Mar 2016 08:23:09 -0600
> Ian Lepore wrote:
>
> > On Sat, 2016-03-19 at 13:48 +0800, Erich Dollansky wrote:
> > >
> > > nothing else was changed on the machine except the update. I could
> > > use
> > >
> > > ssh 192.168.12.12
> > >
> > > to connect to a jail running under that IP address before the update
> > > without problems.
> > >
> > > It works now only with
> > >
> > > ssh -Y 192.168.12.12
> > >
> > > The /etc/ssh/ssh_config file says:
> > >
> > > Host *
> > > ForwardX11 yes
> > >
> > > So, it should allow connecting to all machines providing ssh and
> > > forward X11.
> > >
> > > What did I miss?
> >
> > If -Y works, the ssh config file option that corresponds to that is
> > ForwardX11Trusted. ForwardX11 corresponds to -X. (Not sure what
> > changed, just throwing out the one little crumb of info I've got.)
> >
> I got this as an off-list reply:
>
> Could this be related to FreeBSD-SA-16:14.openssh?

Not FreeBSD-SA-16:14.openssh and CVE-2016-3115 respectively, but most
likely the changes for CVE-2016-1908 which came in as part of the upgrade
to OpenSSH 7.2p2, i.e. (among others):
https://anongit.mindrot.org/openssh.git/commit/?id=ed4ce82dbfa8a3a3c8ea6fa0db113c71e234416c

The xorg-server port is built with the X11 SECURITY extension disabled.
I can only suspect that the intent is to use a nested X server such as
Xephyr for securely running applications instead. Actually, I'm surprised
that such a fallback to trusted forwarding existed. I believe it wasn't
present back when ForwardX11Trusted was introduced, essentially already
causing the trouble you're now hitting.

Marius
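Added example, not part of the thread or of OpenSSH: a POSIX sh helper that models which X11 forwarding mode an OpenSSH 7.2p2+ client ends up with for a given host and ssh_config, following the ForwardX11 (-X) / ForwardX11Trusted (-Y) distinction and the removed fallback to trusted forwarding discussed above. The function name and the yes/no SECURITY argument are assumptions; it parses config text only and does not talk to a real X server.

```shell
#!/bin/sh
# x11_mode CONFIG HOST SECURITY: CONFIG is ssh_config text, HOST the name typed
# on the ssh command line, SECURITY yes/no for the local X server's SECURITY ext.
# Prints the X11 forwarding mode an OpenSSH 7.2p2+ client ends up with:
# "trusted", "untrusted" or "none" (no forwarding, so DISPLAY stays unset).
# Real ssh_config rules modelled here: keywords are case-insensitive, Host
# patterns use shell-style wildcards, and the FIRST value obtained for a
# keyword wins. Not modelled: Match/Include blocks and negated (!) patterns.
x11_mode() (
    cfg=$1 host=$2 security=$3
    fwd='' trusted='' active=1
    set -f                         # no pathname expansion on "Host *" tokens
    while IFS= read -r line; do
        line=${line%%#*}           # drop comments
        set -- $(printf '%s\n' "$line" | tr ',' ' ')
        [ $# -ge 2 ] || continue
        key=$(printf '%s\n' "$1" | tr 'A-Z' 'a-z')
        case $key in
            host)                  # block applies if any pattern matches HOST
                active=0; shift
                for pat in "$@"; do
                    case $host in $pat) active=1 ;; esac
                done ;;
            match) active=0 ;;     # not evaluated; treated as non-matching
            forwardx11)
                if [ $active -eq 1 ] && [ -z "$fwd" ]; then fwd=$2; fi ;;
            forwardx11trusted)
                if [ $active -eq 1 ] && [ -z "$trusted" ]; then trusted=$2; fi ;;
        esac
    done <<EOF
$cfg
EOF
    fwd=$(printf '%s\n' "${fwd:-no}" | tr 'A-Z' 'a-z')
    trusted=$(printf '%s\n' "${trusted:-no}" | tr 'A-Z' 'a-z')
    if [ "$fwd" != yes ]; then
        echo none                  # ForwardX11 off: no forwarding is requested
    elif [ "$trusted" = yes ]; then
        echo trusted               # -Y: client gets full access to the local X server
    elif [ "$security" = yes ]; then
        echo untrusted             # -X: xauth can generate a restricted cookie
    else
        echo none                  # -X without SECURITY: since the CVE-2016-1908 fix
    fi                             # there is no fallback to trusted, so no DISPLAY
)

# Constructed case matching the thread: the reporter's config against an
# xorg-server built without the SECURITY extension.
x11_mode 'Host *
    ForwardX11 yes' 192.168.12.12 no
```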