GNU bug report logs - #23317
openssh: ssh client: xauth path is invalid - "/usr/X11R6/bin/xauth"
Report forwarded to bug-guix <at> gnu.org: bug#23317; Package guix. (Tue, 19 Apr 2016 20:40:01 GMT)
Acknowledgement sent to Danny Milosavljevic <dannym <at> scratchpost.org>: New bug report received and forwarded. Copy sent to bug-guix <at> gnu.org. (Tue, 19 Apr 2016 20:40:01 GMT)
Message #5 received at submit <at> debbugs.gnu.org (full text, mbox):
$ ssh -X daya20
Warning: untrusted X11 forwarding setup failed: xauth key data not generated
Because:
$ strings $(which ssh) |grep /xauth
/usr/X11R6/bin/xauth
%s/xauthfile
However,
$ which xauth
/home/dannym/.guix-profile/bin/xauth
Adding the following and rebuilding doesn't help either (for some reason):
diff --git a/gnu/packages/ssh.scm b/gnu/packages/ssh.scm
index b8f107b..d85124b 100644
--- a/gnu/packages/ssh.scm
+++ b/gnu/packages/ssh.scm
@@ -35,6 +35,7 @@
#:autoload (gnu packages boost) (boost)
#:use-module (gnu packages base)
#:use-module (gnu packages tls)
+ #:use-module (gnu packages xorg)
#:use-module (gnu packages)
#:use-module (guix packages)
#:use-module (guix download)
@@ -131,7 +132,8 @@ a server that supports the SSH-2 protocol.")
(build-system gnu-build-system)
(inputs `(("groff" ,groff)
("openssl" ,openssl)
- ("zlib" ,zlib)))
+ ("zlib" ,zlib)
+ ("xauth" ,xauth)))
(arguments
`(#:test-target "tests"
#:phases
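Review bot: the new ("xauth" ,xauth) entry in the inputs list only places xauth in the build environment; the arguments visible in this hunk show just #:test-target and #:phases, so the path compiled into ssh depends on configure locating xauth on its own. Consider pinning it explicitly, for example with OpenSSH's --with-xauth configure option pointing at bin/xauth of the xauth input, and mention in the commit message that xauth becomes part of the openssh closure.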
But
$ ssh -o XAuthLocation=$(which xauth) daya20
works.
Information forwarded to bug-guix <at> gnu.org: bug#23317; Package guix. (Thu, 28 Apr 2016 05:31:02 GMT)
Message #8 received at 23317 <at> debbugs.gnu.org (full text, mbox):
But
$ ssh -Y -o XAuthLocation=$(which xauth) daya20
works without the patch.
And
$ ssh -Y daya20
works with the patch.
But
$ ssh -X daya20
never works, with or without the patch. Huh.
Information forwarded to bug-guix <at> gnu.org: bug#23317; Package guix. (Mon, 01 Aug 2016 09:52:01 GMT)
Message #11 received at 23317 <at> debbugs.gnu.org (full text, mbox):
Hi!
Danny Milosavljevic <dannym <at> scratchpost.org> skribis:
> But
>
> $ ssh -Y -o XAuthLocation=$(which xauth) daya20
>
> works without the patch.
>
> And
>
> $ ssh -Y daya20
>
> works with the patch.
I pushed the patch as commit 683a4a34cd4a565cbdb0b46a326e30795657814c.
This increases the closure size of OpenSSH from 89 to 118 MiB (+33%),
but I think it’s a useful addition.
> But
>
> $ ssh -X daya20
>
> never works, with or without the patch. Huh.
I’ve straced “ssh -X”, and it shows that xauth fails like this:
--8<---------------cut here---------------start------------->8---
4742 write(2, "/gnu/store/86f0c3h99sl9z4x4w30hfy33i7nv2ik9-xauth-1.0.9/bin/xauth: (argv):1: ", 78) = 78
4742 write(2, "couldn't query Security extension on display \":0.0\"\n", 52) = 52
4742 unlink("/tmp/ssh-FDByknME3mmd/xauthfile-c") = 0
4742 unlink("/tmp/ssh-FDByknME3mmd/xauthfile-l") = 0
4742 umask(022) = 077
4742 exit_group(1) = ?
--8<---------------cut here---------------end--------------->8---
This is because the SECURITY extension is disabled in our xorg-server
package. We could configure it with --enable-xcsecurity, but upstream
disables it by default and it seems to be deprecated:
https://www.x.org/wiki/Development/Documentation/Security/
Thoughts?
Ludo’.
Reply sent to Maxim Cournoyer <maxim.cournoyer <at> gmail.com>: You have taken responsibility. (Sat, 20 Nov 2021 02:06:01 GMT)
Notification sent to Danny Milosavljevic <dannym <at> scratchpost.org>: bug acknowledged by developer. (Sat, 20 Nov 2021 02:06:02 GMT)
Message #16 received at 23317-done <at> debbugs.gnu.org (full text, mbox):
Hi,
ludo <at> gnu.org (Ludovic Courtès) writes:
> Hi!
>
> Danny Milosavljevic <dannym <at> scratchpost.org> skribis:
>
>> But
>>
>> $ ssh -Y -o XAuthLocation=$(which xauth) daya20
>>
>> works without the patch.
>>
>> And
>>
>> $ ssh -Y daya20
>>
>> works with the patch.
>
> I pushed the patch as commit 683a4a34cd4a565cbdb0b46a326e30795657814c.
> This increases the closure size of OpenSSH from 89 to 118 MiB (+33%),
> but I think it’s a useful addition.
>
>> But
>>
>> $ ssh -X daya20
>>
>> never works, with or without the patch. Huh.
>
> I’ve straced “ssh -X”, and it shows that xauth fails like this:
>
> 4742 write(2, "/gnu/store/86f0c3h99sl9z4x4w30hfy33i7nv2ik9-xauth-1.0.9/bin/xauth: (argv):1: ", 78) = 78
> 4742 write(2, "couldn't query Security extension on display \":0.0\"\n", 52) = 52
> 4742 unlink("/tmp/ssh-FDByknME3mmd/xauthfile-c") = 0
> 4742 unlink("/tmp/ssh-FDByknME3mmd/xauthfile-l") = 0
> 4742 umask(022) = 077
> 4742 exit_group(1) = ?
>
> This is because the SECURITY extension is disabled in our xorg-server
> package. We could configure it with --enable-xcsecurity, but upstream
> disables it by default and it seems to be deprecated:
>
> https://www.x.org/wiki/Development/Documentation/Security/
>
> Thoughts?
It seems to me that while imperfect, these security measures provide
additional security in X11 forwarding context. Also, they are enabled
in Debian [0] and Fedora [1] and many other places, so it seems
reasonable to do so too.
I've added the flag in commit 87b4c66b72 on core-updates-frozen.
Closing!
Maxim
[0] https://salsa.debian.org/xorg-team/xserver/xorg-server/-/blob/debian-unstable/debian/rules.flags#L64
[1] https://src.fedoraproject.org/rpms/xorg-x11-server/blob/rawhide/f/xorg-x11-server.spec#_350
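The two diagnoses made in this thread (a compiled-in xauth path that does not exist, and an X server without the SECURITY extension) can be scripted as below. This is an added example, not part of the original messages and not Guix or OpenSSH code; the function names are hypothetical.

```shell
#!/bin/sh
# Added example: triage for the two X11-forwarding failures in this report.
# Function names are hypothetical; nothing here is Guix or OpenSSH code.

# List absolute paths ending in /xauth embedded in a binary, like
# `strings $(which ssh) | grep /xauth` but without needing binutils.
embedded_xauth_paths() {
    LC_ALL=C tr -c '[:print:]' '\n' < "$1" | grep -E '^/.*/xauth$' | sort -u
}

# Report whether each compiled-in xauth path is executable on this system.
# Returns 0 only if at least one is; otherwise XAuthLocation must be set.
check_xauth() {
    found=1
    for p in $(embedded_xauth_paths "$1"); do
        if [ -x "$p" ]; then
            echo "ok $p"; found=0
        else
            echo "missing $p"
        fi
    done
    return "$found"
}

# Classify a failed `ssh -X` from its stderr or strace output on stdin.
# `ssh -X` asks xauth to generate an untrusted cookie, which needs the X
# server's SECURITY extension; `ssh -Y` skips that step.
classify_x11_failure() {
    log=$(cat)
    case $log in
        *"couldn't query Security extension"*) echo "no-security-extension" ;;
        *"xauth key data not generated"*)      echo "xauth-failed-or-missing" ;;
        *)                                     echo "unknown" ;;
    esac
}

# Direct use: sh xauth-triage.sh "$(command -v ssh)"
if [ "$#" -gt 0 ]; then
    check_xauth "$1" || echo "no usable compiled-in xauth; set XAuthLocation"
fi
```

To classify a failure, pipe the stderr of a failing `ssh -X` run, or its strace output, into `classify_x11_failure`.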
bug archived. Request was from Debbugs Internal Request <help-debbugs <at> gnu.org> to internal_control <at> debbugs.gnu.org. (Sat, 18 Dec 2021 12:24:04 GMT)