--- Begin Message ---
Subject: |
openssh: ssh client: xauth path is invalid - "/usr/X11R6/bin/xauth" |
Date: |
Tue, 19 Apr 2016 22:39:29 +0200 |
$ ssh -X daya20
Warning: untrusted X11 forwarding setup failed: xauth key data not generated
Because:
$ strings $(which ssh) |grep /xauth
/usr/X11R6/bin/xauth
%s/xauthfile
However,
$ which xauth
/home/dannym/.guix-profile/bin/xauth
Adding the following and rebuilding doesn't help either (for some reason):
diff --git a/gnu/packages/ssh.scm b/gnu/packages/ssh.scm
index b8f107b..d85124b 100644
--- a/gnu/packages/ssh.scm
+++ b/gnu/packages/ssh.scm
@@ -35,6 +35,7 @@
#:autoload (gnu packages boost) (boost)
#:use-module (gnu packages base)
#:use-module (gnu packages tls)
+ #:use-module (gnu packages xorg)
#:use-module (gnu packages)
#:use-module (guix packages)
#:use-module (guix download)
@@ -131,7 +132,8 @@ a server that supports the SSH-2 protocol.")
(build-system gnu-build-system)
(inputs `(("groff" ,groff)
("openssl" ,openssl)
- ("zlib" ,zlib)))
+ ("zlib" ,zlib)
+ ("xauth" ,xauth)))
(arguments
`(#:test-target "tests"
#:phases
But
$ ssh -o XAuthLocation=$(which xauth) daya20
works.
--- End Message ---
--- Begin Message ---
Subject: |
Re: bug#23317: openssh: ssh client: xauth path is invalid - "/usr/X11R6/bin/xauth" |
Date: |
Fri, 19 Nov 2021 21:05:01 -0500 |
User-agent: |
Gnus/5.13 (Gnus v5.13) Emacs/27.2 (gnu/linux) |
Hi,
ludo@gnu.org (Ludovic Courtès) writes:
> Hi!
>
> Danny Milosavljevic <dannym@scratchpost.org> skribis:
>
>> But
>>
>> $ ssh -Y -o XAuthLocation=$(which xauth) daya20
>>
>> works without the patch.
>>
>> And
>>
>> $ ssh -Y daya20
>>
>> works with the patch.
>
> I pushed the patch as commit 683a4a34cd4a565cbdb0b46a326e30795657814c.
> This increases the closure size of OpenSSH from 89 to 118 MiB (+33%),
> but I think it’s a useful addition.
>
>> But
>>
>> $ ssh -X daya20
>>
>> never works, with or without the patch. Huh.
>
> I’ve straced “ssh -X”, and it shows that xauth fails like this:
>
> 4742 write(2,
> "/gnu/store/86f0c3h99sl9z4x4w30hfy33i7nv2ik9-xauth-1.0.9/bin/xauth: (argv):1:
> ", 78) = 78
> 4742 write(2, "couldn't query Security extension on display \":0.0\"\n", 52)
> = 52
> 4742 unlink("/tmp/ssh-FDByknME3mmd/xauthfile-c") = 0
> 4742 unlink("/tmp/ssh-FDByknME3mmd/xauthfile-l") = 0
> 4742 umask(022) = 077
> 4742 exit_group(1) = ?
>
> This is because the SECURITY extension are disabled in our xorg-server
> package. We could configure it with --enable-xcsecurity, but upstream
> disables it by default and it seems to be deprecated:
>
> https://www.x.org/wiki/Development/Documentation/Security/
>
> Thoughts?
It seems to me that while imperfect, these security measures provide
additional security in X11 forwarding context. Also, they are enabled
in Debian [0] and Fedora [1] and many other places, so it seems
reasonable to do so too.
I've added the flag in commit 87b4c66b72 on core-updates-frozen.
Closing!
Maxim
[0]
https://salsa.debian.org/xorg-team/xserver/xorg-server/-/blob/debian-unstable/debian/rules.flags#L64
[1]
https://src.fedoraproject.org/rpms/xorg-x11-server/blob/rawhide/f/xorg-x11-server.spec#_350
--- End Message ---