GNU bug report logs - #23317
openssh: ssh client: xauth path is invalid - "/usr/X11R6/bin/xauth"


Package: guix;

Reported by: Danny Milosavljevic <dannym <at> scratchpost.org>

Date: Tue, 19 Apr 2016 20:40:01 UTC

Severity: normal

Done: Maxim Cournoyer <maxim.cournoyer <at> gmail.com>

Bug is archived. No further changes may be made.



Report forwarded to bug-guix <at> gnu.org:
bug#23317; Package guix. (Tue, 19 Apr 2016 20:40:01 GMT)

Acknowledgement sent to Danny Milosavljevic <dannym <at> scratchpost.org>:
New bug report received and forwarded. Copy sent to bug-guix <at> gnu.org. (Tue, 19 Apr 2016 20:40:01 GMT)

Message #5 received at submit <at> debbugs.gnu.org:

From: Danny Milosavljevic <dannym <at> scratchpost.org>
To: <bug-guix <at> gnu.org>
Subject: openssh: ssh client: xauth path is invalid - "/usr/X11R6/bin/xauth"
Date: Tue, 19 Apr 2016 22:39:29 +0200

$ ssh -X daya20
Warning: untrusted X11 forwarding setup failed: xauth key data not generated

Because:

$ strings $(which ssh) |grep  /xauth
/usr/X11R6/bin/xauth
%s/xauthfile

However,

$ which xauth
/home/dannym/.guix-profile/bin/xauth

Adding the following and rebuilding doesn't help either (for some reason):
diff --git a/gnu/packages/ssh.scm b/gnu/packages/ssh.scm
index b8f107b..d85124b 100644
--- a/gnu/packages/ssh.scm
+++ b/gnu/packages/ssh.scm
@@ -35,6 +35,7 @@
   #:autoload   (gnu packages boost) (boost)
   #:use-module (gnu packages base)
   #:use-module (gnu packages tls)
+  #:use-module (gnu packages xorg)
   #:use-module (gnu packages)
   #:use-module (guix packages)
   #:use-module (guix download)
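Review bot: the added `#:use-module (gnu packages xorg)` line brings a whole package module into ssh.scm for a single variable, `xauth`. Before merging, confirm that (gnu packages xorg) does not, directly or through its own imports, use (gnu packages ssh) at module top level, and name the new import in the commit log entry for gnu/packages/ssh.scm.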
@@ -131,7 +132,8 @@ a server that supports the SSH-2 protocol.")
    (build-system gnu-build-system)
    (inputs `(("groff" ,groff)
              ("openssl" ,openssl)
-             ("zlib" ,zlib)))
+             ("zlib" ,zlib)
+             ("xauth" ,xauth)))
    (arguments
     `(#:test-target "tests"
       #:phases
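Review bot: in the `inputs` list, adding `("xauth" ,xauth)` makes xauth available at build time, but nothing in the visible lines tells OpenSSH's configure which path to record as the default XAuthLocation, so the result depends on configure's own search; no `#:configure-flags` entry is visible in the `arguments` lines of this hunk. Consider passing the path explicitly with `--with-xauth=` pointing at the xauth input's bin/xauth, and add a comment beside the input saying it is kept as a run-time reference for X11 forwarding, not only as a build tool.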

But
  $ ssh -o XAuthLocation=$(which xauth) daya20
works.




Information forwarded to bug-guix <at> gnu.org:
bug#23317; Package guix. (Thu, 28 Apr 2016 05:31:02 GMT)

Message #8 received at 23317 <at> debbugs.gnu.org:

From: Danny Milosavljevic <dannym <at> scratchpost.org>
To: 23317 <at> debbugs.gnu.org
Subject: Re: bug#23317: openssh: ssh client: xauth path is invalid -
 "/usr/X11R6/bin/xauth"
Date: Thu, 28 Apr 2016 07:30:41 +0200

But

  $ ssh -Y -o XAuthLocation=$(which xauth) daya20

works without the patch.

And

  $ ssh -Y daya20

works with the patch.

But

  $ ssh -X daya20

never works, with or without the patch. Huh.




Information forwarded to bug-guix <at> gnu.org:
bug#23317; Package guix. (Mon, 01 Aug 2016 09:52:01 GMT)

Message #11 received at 23317 <at> debbugs.gnu.org:

From: ludo <at> gnu.org (Ludovic Courtès)
To: Danny Milosavljevic <dannym <at> scratchpost.org>
Cc: 23317 <at> debbugs.gnu.org
Subject: Re: bug#23317: openssh: ssh client: xauth path is invalid -
 "/usr/X11R6/bin/xauth"
Date: Mon, 01 Aug 2016 11:51:01 +0200

Hi!

Danny Milosavljevic <dannym <at> scratchpost.org> writes:

> But
>
>   $ ssh -Y -o XAuthLocation=$(which xauth) daya20
>
> works without the patch.
>
> And
>
>   $ ssh -Y daya20
>
> works with the patch.

I pushed the patch as commit 683a4a34cd4a565cbdb0b46a326e30795657814c.
This increases the closure size of OpenSSH from 89 to 118 MiB (+33%),
but I think it’s a useful addition.

> But
>
>   $ ssh -X daya20
>
> never works, with or without the patch. Huh.

I’ve straced “ssh -X”, and it shows that xauth fails like this:

--8<---------------cut here---------------start------------->8---
4742  write(2, "/gnu/store/86f0c3h99sl9z4x4w30hfy33i7nv2ik9-xauth-1.0.9/bin/xauth: (argv):1:  ", 78) = 78
4742  write(2, "couldn't query Security extension on display \":0.0\"\n", 52) = 52
4742  unlink("/tmp/ssh-FDByknME3mmd/xauthfile-c") = 0
4742  unlink("/tmp/ssh-FDByknME3mmd/xauthfile-l") = 0
4742  umask(022)                        = 077
4742  exit_group(1)                     = ?
--8<---------------cut here---------------end--------------->8---

This is because the SECURITY extension is disabled in our xorg-server
package.  We could configure it with --enable-xcsecurity, but upstream
disables it by default and it seems to be deprecated:

  https://www.x.org/wiki/Development/Documentation/Security/

Thoughts?

Ludo’.




Reply sent to Maxim Cournoyer <maxim.cournoyer <at> gmail.com>:
You have taken responsibility. (Sat, 20 Nov 2021 02:06:01 GMT)

Notification sent to Danny Milosavljevic <dannym <at> scratchpost.org>:
bug acknowledged by developer. (Sat, 20 Nov 2021 02:06:02 GMT)

Message #16 received at 23317-done <at> debbugs.gnu.org:

From: Maxim Cournoyer <maxim.cournoyer <at> gmail.com>
To: ludo <at> gnu.org (Ludovic Courtès)
Cc: Danny Milosavljevic <dannym <at> scratchpost.org>, 23317-done <at> debbugs.gnu.org
Subject: Re: bug#23317: openssh: ssh client: xauth path is invalid -
 "/usr/X11R6/bin/xauth"
Date: Fri, 19 Nov 2021 21:05:01 -0500

Hi,

ludo <at> gnu.org (Ludovic Courtès) writes:

> Hi!
>
> Danny Milosavljevic <dannym <at> scratchpost.org> writes:
>
>> But
>>
>>   $ ssh -Y -o XAuthLocation=$(which xauth) daya20
>>
>> works without the patch.
>>
>> And
>>
>>   $ ssh -Y daya20
>>
>> works with the patch.
>
> I pushed the patch as commit 683a4a34cd4a565cbdb0b46a326e30795657814c.
> This increases the closure size of OpenSSH from 89 to 118 MiB (+33%),
> but I think it’s a useful addition.
>
>> But
>>
>>   $ ssh -X daya20
>>
>> never works, with or without the patch. Huh.
>
> I’ve straced “ssh -X”, and it shows that xauth fails like this:
>
> 4742  write(2, "/gnu/store/86f0c3h99sl9z4x4w30hfy33i7nv2ik9-xauth-1.0.9/bin/xauth: (argv):1:  ", 78) = 78
> 4742  write(2, "couldn't query Security extension on display \":0.0\"\n", 52) = 52
> 4742  unlink("/tmp/ssh-FDByknME3mmd/xauthfile-c") = 0
> 4742  unlink("/tmp/ssh-FDByknME3mmd/xauthfile-l") = 0
> 4742  umask(022)                        = 077
> 4742  exit_group(1)                     = ?
>
> This is because the SECURITY extension is disabled in our xorg-server
> package.  We could configure it with --enable-xcsecurity, but upstream
> disables it by default and it seems to be deprecated:
>
>   https://www.x.org/wiki/Development/Documentation/Security/
>
> Thoughts?

It seems to me that while imperfect, these security measures provide
additional security in X11 forwarding context.  Also, they are enabled
in Debian [0] and Fedora [1] and many other places, so it seems
reasonable to do so too.

I've added the flag in commit 87b4c66b72 on core-updates-frozen.

Closing!

Maxim

[0]  https://salsa.debian.org/xorg-team/xserver/xorg-server/-/blob/debian-unstable/debian/rules.flags#L64
[1]  https://src.fedoraproject.org/rpms/xorg-x11-server/blob/rawhide/f/xorg-x11-server.spec#_350
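The two causes diagnosed in this thread (an xauth path that does not exist, and an X server without the SECURITY extension) can be told apart with a small check. This is an added example, not part of the original messages or of Guix; the function names are hypothetical, the sample inputs are constructed, and it assumes the inputs are saved output of `ssh -G <host>` and `xdpyinfo`.

```shell
#!/bin/sh
# Added example: classify an X11-forwarding setup failure by the two causes
# found in this thread. Function names are hypothetical; samples are constructed.

# Print the XAuthLocation that ssh will use, from `ssh -G <host>` output on stdin.
xauth_location() {
    awk 'tolower($1) == "xauthlocation" { print $2; exit }'
}

# Succeed if an `xdpyinfo` extension listing on stdin includes SECURITY.
has_security_ext() {
    grep -Eq '^[[:space:]]*SECURITY([[:space:]]|$)'
}

# diagnose <file with `ssh -G host` output> <file with `xdpyinfo` output>
diagnose() {
    loc=$(xauth_location < "$1")
    if [ -z "$loc" ] || [ ! -x "$loc" ]; then
        # Cause 1: the client's xauth path does not point at an executable.
        echo "xauth-missing"
    elif ! has_security_ext < "$2"; then
        # Cause 2: xauth runs but cannot query the SECURITY extension,
        # which is where `ssh -X` (untrusted forwarding) failed in the thread.
        echo "no-security-extension"
    else
        echo "ok"
    fi
}

# Constructed sample inputs; /bin/sh stands in for an xauth that exists.
demo() {
    d=$(mktemp -d)
    printf 'hostname daya20\nxauthlocation %s\n' "$d/no-such/xauth" > "$d/bad.cfg"
    printf 'hostname daya20\nxauthlocation /bin/sh\n' > "$d/good.cfg"
    printf 'number of extensions:    2\n    RANDR\n    XFIXES\n' > "$d/nosec.x"
    printf 'number of extensions:    2\n    RANDR\n    SECURITY\n' > "$d/sec.x"
    diagnose "$d/bad.cfg" "$d/sec.x"
    diagnose "$d/good.cfg" "$d/nosec.x"
    diagnose "$d/good.cfg" "$d/sec.x"
    rm -rf "$d"
}
demo
```

A "no-security-extension" result means the client side is fine and the remaining fix is on the X server build, which is the change that closed this bug.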





bug archived. Request was from Debbugs Internal Request <help-debbugs <at> gnu.org> to internal_control <at> debbugs.gnu.org. (Sat, 18 Dec 2021 12:24:04 GMT)

This bug report was last modified 2 years and 101 days ago.
