From: Kevin Oberman
Date: Thu, 10 May 2018 23:26:59 -0700
Subject: Re: ssh -X remote does not work due to problem with xauth
To: Jan Beich
Cc: Niclas Zeising, "freebsd-x11@freebsd.org"

On Thu, May 10, 2018 at 10:35 PM, Jan Beich wrote:

> Niclas Zeising writes:
>
> > On 05/10/18 21:47, Christoph Moench-Tegeder wrote:
> >
> >> ## Christoph Moench-Tegeder (cmt@burggraben.net):
> >>
> >>> I haven't yet checked what causes these differing defaults.
> >>
> >> Well, now that I thought about it: most Linux distributions build their
> >> X server with "--enable-xcsecurity" in the configure flags. FreeBSD
> >> does not set that flag, as far as I can see. Next question: why?
> >>
> >
> > Hi!
> > It could be because of backwards compatibility, or, because at least I
> > wasn't really aware of that flag. Is it for xserver or some other
> > package?
> >
> See https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=221984
>

I'm a bit confused. I always have found that the simple solution to this
was the '-Y' option as described in the man page for ssh.

     -X      Enables X11 forwarding.  This can also be specified on a
             per-host basis in a configuration file.

             X11 forwarding should be enabled with caution.  Users with
             the ability to bypass file permissions on the remote host
             (for the user's X authorization database) can access the
             local X11 display through the forwarded connection.  An
             attacker may then be able to perform activities such as
             keystroke monitoring.

             For this reason, X11 forwarding is subjected to X11 SECURITY
             extension restrictions by default.  Please refer to the ssh
             -Y option and the ForwardX11Trusted directive in
             ssh_config(5) for more information.

IIRC, FreeBSD (and OpenBSD) chose to require -Y to emphasize the risks
involved. I'm guessing that des@ was responsible on the FreeBSD side.
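
The -X/-Y distinction from the quoted man page, as an added example that is not part of the original message or of any project's code: it classifies how forwarding will behave from `ssh -G <host>` output and `xdpyinfo` output captured on the SSH client. The function names, the host name and the sample outputs are constructed for illustration; it relies on `xauth generate ... untrusted` needing the SECURITY extension on the local X server.

```shell
# Added example: diagnose X11 forwarding from output captured on the SSH client.
# Real use: diagnose "$(ssh -G somehost)" "$(xdpyinfo)"

# Succeeds if xdpyinfo output on stdin lists the SECURITY extension.
has_security_ext() {
    grep -Eq '^[[:space:]]+SECURITY[[:space:]]*$'
}

# Reads "ssh -G <host>" output on stdin; prints off, untrusted or trusted.
x11_mode() {
    awk '$1 == "forwardx11"        { fwd = $2 }
         $1 == "forwardx11trusted" { trusted = $2 }
         END {
             if (fwd != "yes")          print "off"
             else if (trusted == "yes") print "trusted"
             else                       print "untrusted"
         }'
}

# $1 = ssh -G output, $2 = xdpyinfo output; prints a one-line diagnosis.
diagnose() {
    mode=$(printf '%s\n' "$1" | x11_mode)
    if printf '%s\n' "$2" | has_security_ext; then sec=yes; else sec=no; fi
    case "$mode:$sec" in
        off:*)         echo "off: no X11 forwarding" ;;
        trusted:*)     echo "trusted: -Y semantics, no SECURITY extension controls" ;;
        untrusted:yes) echo "untrusted: -X semantics, SECURITY restrictions apply" ;;
        untrusted:no)  echo "broken: -X needs an untrusted xauth cookie, X server lacks SECURITY" ;;
    esac
}

# Constructed sample inputs (abridged shapes of the real command output).
SSH_G_UNTRUSTED='hostname remote.example
forwardx11 yes
forwardx11trusted no'
SSH_G_TRUSTED='hostname remote.example
forwardx11 yes
forwardx11trusted yes'
XDPY_WITH='number of extensions:    3
    BIG-REQUESTS
    SECURITY
    XFIXES'
XDPY_WITHOUT='number of extensions:    2
    BIG-REQUESTS
    XFIXES'
diagnose "$SSH_G_UNTRUSTED" "$XDPY_WITHOUT"
diagnose "$SSH_G_UNTRUSTED" "$XDPY_WITH"
diagnose "$SSH_G_TRUSTED" "$XDPY_WITHOUT"
```

A "trusted" result for a host that was never meant to have full access to the local display is the case worth reviewing in `ssh_config`.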