Bug#764608: patch for X11 forwarding when pam_namespace.so is used on SSH client

To: submit@bugs.debian.org
Subject: Bug#764608: patch for X11 forwarding when pam_namespace.so is used on SSH client
From: Mike Gabriel <mike.gabriel@das-netzwerkteam.de>
Date: Thu, 09 Oct 2014 16:56:48 +0200
Message-id: <[🔎] 1412866608.1722.11.camel@Nokia-N900>
Reply-to: Mike Gabriel <mike.gabriel@das-netzwerkteam.de>, 764608@bugs.debian.org

Package: openssh-client
Severity: normal
Version: 6.7
Tags: patch

I just checked debian/changelog and the 6.7 release announcement. The following issue hasn't been addressed yet in Debian, nor by upstream.

If on the SSH client side a session is running with pam_namespace.so in use, it is impossible to do X11 port forwarding. The ssh client tries to connect to /tmp/.X11-unix/X<displayport> which is out of reach with pam_namespace sessions.

Instead, ssh client should connect the X11 forwarding end point to the X11 socket in kernel namespace (@/tmp/.X11-unix/X<displayport>).

A patch is available in the Fedora OpenSSH package [1].

Greets,
Mike

[1] http://pkgs.fedoraproject.org/cgit/openssh.git/tree/openssh-5.5p1-x11.patch
-- 

DAS-NETZWERKTEAM
mike gabriel, herweg 7, 24357 fleckeby
fon: +49 (1520) 1976148

GnuPG Key ID 0x25771B13
mail: mike.gabriel@das-netzwerkteam.de, http://das-netzwerkteam.de

Reply to:

Follow-Ups:
- Bug#764608: patch for X11 forwarding when pam_namespace.so is used on SSH client
  - From: Colin Watson <cjwatson@debian.org>
- Processed: Re: Bug#764608: patch for X11 forwarding when pam_namespace.so is used on SSH client
  - From: owner@bugs.debian.org (Debian Bug Tracking System)

Prev by Date: Processing of openssh_6.7p1-1_i386.changes
Next by Date: Accepted openssh 1:6.7p1-1 (source i386 all) into unstable
Previous by thread: Processing of openssh_6.7p1-1_i386.changes
Next by thread: Bug#764608: patch for X11 forwarding when pam_namespace.so is used on SSH client
Index(es):
- Date
- Thread