[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: forwarding X11 over ssh



On Tue, Feb 01, 2000 at 04:18:09PM -0500, Joseph A. Martin wrote:
> 	I maintain a Linux system at our office. Quite frequently I
> administer this system remotely via ssh. Today I wanted to try running
> an X app over the SSH link. I passed the '-X' option to ssh which the
> man page claims will forward X connections. However when I try to
> launch an X client from the remote system the client says that the
> "X11 connection rejected because of wrong authentication." As I
> understand it ssh is supposes to handle all of that for me. What do I
> need to change? How can I manually set up the correct authentication?

This is a bug in the openssh sshd. It assumes that a tcp socket will be
used by x apps attemting to talk to the ssh daemon (and to X, since the
mechanism is identical). However, if the DISPLAY variable refers to
something the system knows is the local machine (e.g. 127.0.0.1,
0.0.0.0) the X apps use a unix domain socket instead.

ssh-nonfree correctly sets up the authorization for both tcp and unix
domain sockets; openssh only sets up tcp. Since there is no auth data
for the unix domain, it sends none and ssh refuses. A quick way to fix
it is like this:
  $ xauth list 
  foo.localdomain:10  MIT-MAGIC-COOKIE-1 XXXXXXXXXXXXXXXXXXXXXXXXXXX
  $ xauth add foo/unix:10 MIT-MAGIC-COOKIE-1 XXXXXXXXXXXXXXXXXXXXXXXXXXX

A more permanant fix is to patch sshd.c to do this automagically. Look
for a line doing a popen with XAUTH_PATH as the first arg. Just below
that (inside an if), you'll see a fprintf that sets the tcp socket
authorization. Add to that these lines: (you may omit the commments)

  /* Find the colon in "foo.domain:10", then do an add with '/unix'
   * inserted just before the colon to allow X over unix domain sockets
   * to work. man 3 fprintf if you don't understand the format string:
   * in particular read the section titled "The precision"
   */
  char *colon=strchr(display, ':');
  if(colon!=NULL) fprintf(f, "add %.*s/unix%s %s %s\n", colon-display,
                                   display, colon, auth_proto, auth_data);


-- 
  finger for GPG public key.
  8 Jan 2000 - Old email addresses removed from key, new added

Attachment: pgpAhnHkGatvI.pgp
Description: PGP signature


Reply to: