From: Galen Sampson
To: x11@FreeBSD.org
Date: Tue, 4 May 2010 12:04:56 -0700
Subject: ssh -X (xauth) and the missing SECURITY extension

All,

I have been trying to use "ssh -X" to enable remote applications to use my
local X server. This never works. I would use "ssh -Y" (or set the
ForwardX11Trusted option to "yes") but the ssh man page related to -Y kinda
scares me away.

An "ssh -X -vvv" shows this xauth command being run:

    /usr/local/bin/xauth -f /tmp/ssh-tmlUOx2553/xauthfile generate :0.0 MIT-MAGIC-COOKIE-1 untrusted timeout 1200

ssh shows this:

    Warning: untrusted X11 forwarding setup failed: xauth key data not generated
    Warning: No xauth data; using fake authentication data for X11 forwarding.

Graphical applications fail to start on the remote system due to this.

When xauth is run by hand, the following is displayed:

    /usr/local/bin/xauth -f /tmp/xauthtest generate :0.0 MIT-MAGIC-COOKIE-1 untrusted timeout 1200
    /usr/bin/xauth: (argv):1: couldn't query Security extension on display ":0.0"

Steps to Reproduce:
1. ssh -X
2. xterm

Actual Results:
The graphical app (xterm in this case) fails to start.

Expected Results:
The app should be run and displayed on the local machine.

I have noticed that in xorg-server-1.7.5,1 the X security extension is
disabled. If I use the patch below, xauth generate (and hence ssh -X) works
as expected.

    [504] testbsd:xorg-server$ /usr/local/bin/xauth -f /tmp/xauthtest generate :0.0 MIT-MAGIC-COOKIE-1 untrusted timeout 1200
    /usr/local/bin/xauth: creating new authority file /tmp/xauthtest

<-----snip-------
--- Makefile.orig 2010-05-04 11:55:41.000000000 -0700 +++ Makefile 2010-05-03 23:10:00.000000000 -0700
@@ -38,7 +38,7 @@ USE_PERL5_BUILD=3Dyes CONFIGURE_ARGS=3D --disable-dmx --disable-xvfb --disable-xnest \ --localstatedir=3D/var --without-dtrace --disable-xephyr \ - --enable-record=3Dyes + --enable-record=3Dyes --enable-xcsecurity MAN1=3D Xorg.1 \ Xserver.1 \
<-----snip-------

Maybe there is a good reason that the SECURITY extension is disabled. I just
wanted to post this here and hopefully find a way to explain the solution to
a larger community. For what it's worth, I notice that many Linux distros
with very new Xorg servers still seem to have the SECURITY extension enabled.

Regards,
Galen
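
Review bot: The "--enable-xcsecurity" added to the "--enable-record=yes" line of CONFIGURE_ARGS turns the SECURITY extension on unconditionally and with no comment, while the message itself says the reason it was disabled is not known. Before this goes in, find out why the extension was left out of this port, and record the reason for enabling it in a comment above CONFIGURE_ARGS, for example that "xauth generate ... untrusted" (the command ssh -X runs) cannot work without it. If the earlier reason still applies to some users, make the flag a build option rather than a fixed argument.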
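
A diagnostic for the failure reported above, as an added example that is not part of the original message: it checks xdpyinfo output for the SECURITY extension and classifies the two ssh warnings quoted in the report. The function names are hypothetical and the sample inputs are constructed.

```shell
#!/bin/sh
# Added example, not from the original message. Function names are
# hypothetical; the sample inputs at the bottom are constructed.

# Reads `xdpyinfo` output on stdin; succeeds only if the server's
# extension list contains SECURITY (needed by `xauth generate ... untrusted`).
has_security_ext() {
    awk '
        /^number of extensions:/    { in_list = 1; next }
        in_list && /^[^ ]/          { in_list = 0 }  # unindented line ends the list
        in_list && $1 == "SECURITY" { found = 1 }
        END { exit (found ? 0 : 1) }
    '
}

# Reads ssh client stderr on stdin and prints one verdict for the
# warnings quoted in the report.
classify_ssh_x11() {
    log=$(cat)
    case $log in
        *"untrusted X11 forwarding setup failed"*) echo untrusted-setup-failed ;;
        *"using fake authentication data"*)        echo fake-cookie-only ;;
        *)                                         echo no-x11-warning ;;
    esac
}

# Combines both checks: $1 = xdpyinfo output, $2 = ssh stderr (as strings).
diagnose() {
    ssh_state=$(printf '%s\n' "$2" | classify_ssh_x11)
    if printf '%s\n' "$1" | has_security_ext; then ext=present; else ext=missing; fi
    echo "security-ext=$ext ssh=$ssh_state"
}

# Constructed sample inputs (shape of real output, not captured from a host).
SAMPLE_XDPYINFO_NOSEC='name of display:    :0.0
number of extensions:    3
    BIG-REQUESTS
    RECORD
    XFIXES
default screen number:    0'
SAMPLE_XDPYINFO_SEC='number of extensions:    2
    RECORD
    SECURITY
default screen number:    0'
SAMPLE_SSH_LOG='Warning: untrusted X11 forwarding setup failed: xauth key data not generated
Warning: No xauth data; using fake authentication data for X11 forwarding.'

diagnose "$SAMPLE_XDPYINFO_NOSEC" "$SAMPLE_SSH_LOG"
```

On a live system, pass the real output of xdpyinfo (run against the local display) and the stderr of an "ssh -X -v" session as the two arguments to diagnose.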