public inbox for cygwin@cygwin.com
* Trusted vs untrusted ssh/X connections
@ 2014-06-19 20:25 Andrew DeFaria
  2014-06-20  2:37 ` Larry Hall (Cygwin)
From: Andrew DeFaria @ 2014-06-19 20:25 UTC (permalink / raw)
  To: cygwin

This is something that's been bothering me for a long time and I thought 
I might look into it a little deeper. I'm not sure if I should post this 
here because it involves Cygwin/X but it also involves OpenSSH.

When I ssh into a Linux machine using ForwardX11 I get those familiar 
messages:

Warning: untrusted X11 forwarding setup failed: xauth key data not generated

and according to 
https://cygwin.com/ml/cygwin-xfree/2008-11/msg00154.html: The warning 
can be silenced by using ssh -Y, since that
is what ssh -X is doing now anyway.

However, I find -Y to be 20 times slower to log in than -X:

Adefaria-lt:time ssh cm-job-ldev01 echo 'hi'
Warning: untrusted X11 forwarding setup failed: xauth key data not generated
Warning: No xauth data; using fake authentication data for X11 forwarding.
/usr/bin/xauth:  error in locking authority file /home/adefaria/.Xauthority
hi

real    0m2.387s
user    0m0.075s
sys     0m0.446s
Adefaria-lt:time ssh -Y cm-job-ldev01 echo 'hi'
Warning: No xauth data; using fake authentication data for X11 forwarding.
hi
/usr/bin/xauth:  error in locking authority file /home/adefaria/.Xauthority

real    0m22.476s
user    0m0.091s
sys     0m0.477s
Adefaria-lt:

Bonus points if you can help me get rid of the other errors!
-- 
Andrew DeFaria
http://defaria.com


--
Problem reports:       http://cygwin.com/problems.html
FAQ:                   http://cygwin.com/faq/
Documentation:         http://cygwin.com/docs.html
Unsubscribe info:      http://cygwin.com/ml/#unsubscribe-simple


* Re: Trusted vs untrusted ssh/X connections
  2014-06-19 20:25 Trusted vs untrusted ssh/X connections Andrew DeFaria
@ 2014-06-20  2:37 ` Larry Hall (Cygwin)
  2014-06-20 18:37   ` Andrew DeFaria
From: Larry Hall (Cygwin) @ 2014-06-20  2:37 UTC (permalink / raw)
  To: cygwin

On 06/19/2014 04:25 PM, Andrew DeFaria wrote:
> This is something that's been bothering me for a long time and I thought I
> might look into it a little deeper. I'm not sure if I should post this here
> because it involves Cygwin/X but it also involves OpenSSH.

Actually, this is probably off-topic since I don't see anything Cygwin-
specific about setting up ssh/X connections.

> When I ssh into a Linux machine using ForwardX11 I get those familiar messages:
>
> Warning: untrusted X11 forwarding setup failed: xauth key data not generated
>
> and according to https://cygwin.com/ml/cygwin-xfree/2008-11/msg00154.html:
> The warning can be silenced by using ssh -Y, since that
> is what ssh -X is doing now anyway.
>
> However, I find -Y to be 20 times slower to log in than -X:

This is probably a configuration issue since when I ssh into my Linux system,
login time is roughly equivalent.

> Adefaria-lt:time ssh cm-job-ldev01 echo 'hi'
> Warning: untrusted X11 forwarding setup failed: xauth key data not generated
> Warning: No xauth data; using fake authentication data for X11 forwarding.
> /usr/bin/xauth:  error in locking authority file /home/adefaria/.Xauthority
> hi
>
> real    0m2.387s
> user    0m0.075s
> sys     0m0.446s
> Adefaria-lt:time ssh -Y cm-job-ldev01 echo 'hi'
> Warning: No xauth data; using fake authentication data for X11 forwarding.
> hi
> /usr/bin/xauth:  error in locking authority file /home/adefaria/.Xauthority
>
> real    0m22.476s
> user    0m0.091s
> sys     0m0.477s
> Adefaria-lt:
>
> Bonus points if you can help me get rid of the other errors!

I believe the error regarding the .Xauthority file has something to do with
the permissions on the file.  As for the warning, I believe you want to
unset DISPLAY on your PC, set X11Forwarding to "yes" on your Linux machine
in your sshd_config file, and X11Forward to "yes" in your ssh_config file
(for instance) on your PC.  At least, that's what I gathered from searching
around on the net for the information. :-)

I think it goes without saying that enabling X11Forwarding opens up
some security holes in X.  Oops, looks like I said it anyway. ;-)


-- 
Larry

_____________________________________________________________________

A: Yes.
 > Q: Are you sure?
 >> A: Because it reverses the logical flow of conversation.
 >>> Q: Why is top posting annoying in email?



* Re: Trusted vs untrusted ssh/X connections
  2014-06-20  2:37 ` Larry Hall (Cygwin)
@ 2014-06-20 18:37   ` Andrew DeFaria
  2014-06-22  1:43     ` Larry Hall (Cygwin)
From: Andrew DeFaria @ 2014-06-20 18:37 UTC (permalink / raw)
  To: cygwin

On 6/19/2014 7:37 PM, Larry Hall (Cygwin) wrote:
> On 06/19/2014 04:25 PM, Andrew DeFaria wrote:
>> This is something that's been bothering me for a long time and I
>> thought I
>> might look into it a little deeper. I'm not sure if I should post this
>> here
>> because it involves Cygwin/X but it also involves OpenSSH.
>
> Actually, this is probably off-topic since I don't see anything Cygwin-
> specific about setting up ssh/X connections.

But I get the "untrusted X11 forwarding" error only when I ssh from 
Cygwin -> Linux using -X.

>
>> When I ssh into a Linux machine using ForwardX11 I get those familiar
>> messages:
>>
>> Warning: untrusted X11 forwarding setup failed: xauth key data not
>> generated
>>
>> and according to
>> https://cygwin.com/ml/cygwin-xfree/2008-11/msg00154.html:
>> The warning can be silenced by using ssh -Y, since that
>> is what ssh -X is doing now anyway.
>>
>> However, I find -Y to be 20 times slower to log in than -X:
>
> This is probably a configuration issue since when I ssh into my Linux
> system,
> login time is roughly equivalent.

Any ideas of what configuration file I should be looking at and what that 
configuration option would be?

>
>> Adefaria-lt:time ssh cm-job-ldev01 echo 'hi'
>> Warning: untrusted X11 forwarding setup failed: xauth key data not
>> generated
>> Warning: No xauth data; using fake authentication data for X11
>> forwarding.
>> /usr/bin/xauth:  error in locking authority file
>> /home/adefaria/.Xauthority
>> hi
>>
>> real    0m2.387s
>> user    0m0.075s
>> sys     0m0.446s
>> Adefaria-lt:time ssh -Y cm-job-ldev01 echo 'hi'
>> Warning: No xauth data; using fake authentication data for X11
>> forwarding.
>> hi
>> /usr/bin/xauth:  error in locking authority file
>> /home/adefaria/.Xauthority
>>
>> real    0m22.476s
>> user    0m0.091s
>> sys     0m0.477s
>> Adefaria-lt:
>>
>> Bonus points if you can help me get rid of the other errors!
>
> I believe the error regarding the .Xauthority file has something to do with
> the permissions on the file.  As for the warning, I believe you want to
> unset DISPLAY on your PC, set X11Forwarding to "yes" on your Linux machine
> in your sshd_config file, and X11Forward to "yes" in your ssh_config file
> (for instance) on your PC.  At least, that's what I gathered from searching
> around on the net for the information. :-)

My experience with this is that if DISPLAY is not set and you ssh -X (or 
-Y) then on the other side DISPLAY is not set:

Adefaria-lt:echo $DISPLAY
:0
Adefaria-lt:ssh cm-job-ldev01 'echo $DISPLAY'
Warning: untrusted X11 forwarding setup failed: xauth key data not generated
Warning: No xauth data; using fake authentication data for X11 forwarding.
/usr/bin/xauth:  error in locking authority file /home/adefaria/.Xauthority
localhost:11.0
Adefaria-lt:unset DISPLAY
Adefaria-lt:ssh cm-job-ldev01 'echo $DISPLAY'

Adefaria-lt:

> I think it goes without saying that enabling X11Forwarding opens up
> some security holes in X.  Oops, looks like I said it anyway. ;-)

Inside the intranet, this is not a concern for me.
-- 
Andrew DeFaria
http://defaria.com




* Re: Trusted vs untrusted ssh/X connections
  2014-06-20 18:37   ` Andrew DeFaria
@ 2014-06-22  1:43     ` Larry Hall (Cygwin)
From: Larry Hall (Cygwin) @ 2014-06-22  1:43 UTC (permalink / raw)
  To: cygwin

On 06/20/2014 02:37 PM, Andrew DeFaria wrote:
> On 6/19/2014 7:37 PM, Larry Hall (Cygwin) wrote:
>> On 06/19/2014 04:25 PM, Andrew DeFaria wrote:
>>> This is something that's been bothering me for a long time and I
>>> thought I
>>> might look into it a little deeper. I'm not sure if I should post this
>>> here
>>> because it involves Cygwin/X but it also involves OpenSSH.
>>
>> Actually, this is probably off-topic since I don't see anything Cygwin-
>> specific about setting up ssh/X connections.
>
> But I get the "untrusted X11 forwarding" error only when I ssh from Cygwin
> -> Linux using -X.

OK, I see your point on this one.  But I thought that was covered in this
FAQ:

<http://x.cygwin.com/docs/faq/cygwin-x-faq.html#q-trusted-untrusted-x11-forwarding>

My understanding is that the Cygwin X server would need to be built
with the SECURITY extension but that it is not and, for reasons discussed
in the referenced email, (which you also pointed to) would not be.  If you
want to re-open this discussion, I suggest you create a new thread on the
Cygwin X list and refer back to this one (for background and continuity).
I'm not sure that there has been any big change in this area in the last 6
years but there's certainly nothing wrong with asking. :-)

>>
>>> When I ssh into a Linux machine using ForwardX11 I get those familiar
>>> messages:
>>>
>>> Warning: untrusted X11 forwarding setup failed: xauth key data not
>>> generated
>>>
>>> and according to
>>> https://cygwin.com/ml/cygwin-xfree/2008-11/msg00154.html:
>>> The warning can be silenced by using ssh -Y, since that
>>> is what ssh -X is doing now anyway.
>>>
>>> However, I find -Y to be 20 times slower to log in than -X:
>>
>> This is probably a configuration issue since when I ssh into my Linux
>> system,
>> login time is roughly equivalent.
>
> Any ideas of what configuration file I should be looking at and what that
> configuration option would be?

I'm not sure.  It might be as simple as the permissions problem on
.Xauthority slowing you down.  Alternatively, you might try running
both clients with debugging and/or under strace to see if it helps
you narrow down where the time is going in the "-Y" case.

>>> Adefaria-lt:time ssh cm-job-ldev01 echo 'hi'
>>> Warning: untrusted X11 forwarding setup failed: xauth key data not
>>> generated
>>> Warning: No xauth data; using fake authentication data for X11
>>> forwarding.
>>> /usr/bin/xauth:  error in locking authority file
>>> /home/adefaria/.Xauthority
>>> hi
>>>
>>> real    0m2.387s
>>> user    0m0.075s
>>> sys     0m0.446s
>>> Adefaria-lt:time ssh -Y cm-job-ldev01 echo 'hi'
>>> Warning: No xauth data; using fake authentication data for X11
>>> forwarding.
>>> hi
>>> /usr/bin/xauth:  error in locking authority file
>>> /home/adefaria/.Xauthority
>>>
>>> real    0m22.476s
>>> user    0m0.091s
>>> sys     0m0.477s
>>> Adefaria-lt:
>>>
>>> Bonus points if you can help me get rid of the other errors!
>>
>> I believe the error regarding the .Xauthority file has something to do with
>> the permissions on the file.  As for the warning, I believe you want to
>> unset DISPLAY on your PC, set X11Forwarding to "yes" on your Linux machine
>> in your sshd_config file, and X11Forward to "yes" in your ssh_config file
>> (for instance) on your PC.  At least, that's what I gathered from searching
>> around on the net for the information. :-)
>
> My experience with this is that if DISPLAY is not set and you ssh -X (or -Y)
> then on the other side DISPLAY is not set:
>
> Adefaria-lt:echo $DISPLAY
> :0
> Adefaria-lt:ssh cm-job-ldev01 'echo $DISPLAY'
> Warning: untrusted X11 forwarding setup failed: xauth key data not generated
> Warning: No xauth data; using fake authentication data for X11 forwarding.
> /usr/bin/xauth:  error in locking authority file /home/adefaria/.Xauthority
> localhost:11.0
> Adefaria-lt:unset DISPLAY
> Adefaria-lt:ssh cm-job-ldev01 'echo $DISPLAY'
>
> Adefaria-lt:

That's not what the man page says and doesn't match my experience either.
Check out 'man ssh' and search for the section on "X11 FORWARDING".  It
has a section on what's supposed to happen and what needs to be set on the
client side to make this happen.  That handles the client-side
requirements.  Then there's the "X11Forwarding" on the server side that
needs to be set too, like I mentioned above.  If this is how you're running
things but still having troubles, I would recommend contacting the OpenSSH
folks.  They may have specific ideas about what else could cause the
behavior you see despite the recommended settings.

-- 
Larry

_____________________________________________________________________

A: Yes.
 > Q: Are you sure?
 >> A: Because it reverses the logical flow of conversation.
 >>> Q: Why is top posting annoying in email?
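An added example, not code from the thread or from OpenSSH or Cygwin: a POSIX shell audit of the settings referred to in this reply and in the earlier one (ForwardX11 and ForwardX11Trusted in the client's ssh_config, X11Forwarding in the server's sshd_config) together with checks on the ~/.Xauthority file that xauth reported it could not lock. The file paths, the config lines it is run against and the `--run` flag are assumptions; the Host/Match handling of real ssh_config is deliberately not modelled.

```shell
#!/bin/sh
# Added example (not from the thread): audit X11-forwarding settings on the
# client and server side, and check the authority file xauth needs to lock.

# Return the first value of an OpenSSH keyword in a config file, or a default.
# OpenSSH uses the first matching keyword it finds, so we do the same.
# Simplification (assumption): Host/Match blocks are not honoured.
ssh_config_value() {
    # $1 = config file, $2 = keyword, $3 = default when the keyword is absent
    val=$(awk -v key="$2" '
        $1 ~ /^#/ { next }
        tolower($1) == tolower(key) { print $2; exit }' "$1" 2>/dev/null)
    if [ -n "$val" ]; then printf '%s\n' "$val"; else printf '%s\n' "$3"; fi
}

# Classify the client side: "off", "untrusted" (what ssh -X requests) or
# "trusted" (what ssh -Y requests). Upstream OpenSSH defaults are
# ForwardX11 no and ForwardX11Trusted no; some distributions ship "yes".
x11_client_mode() {
    fwd=$(ssh_config_value "$1" ForwardX11 no | tr 'A-Z' 'a-z')
    trusted=$(ssh_config_value "$1" ForwardX11Trusted no | tr 'A-Z' 'a-z')
    if [ "$fwd" != yes ]; then
        echo off
    elif [ "$trusted" = yes ]; then
        echo trusted
    else
        echo untrusted
    fi
}

# Server side: X11Forwarding defaults to "no" in sshd_config.
x11_server_enabled() {
    v=$(ssh_config_value "$1" X11Forwarding no | tr 'A-Z' 'a-z')
    if [ "$v" = yes ]; then echo yes; else echo no; fi
}

# Check the authority file. Prints one problem per line and returns 1, or
# prints "ok" and returns 0. libXau locks the file by creating <file>-c and
# <file>-l beside it; leftovers from an interrupted xauth run are the common
# cause of "error in locking authority file", bad ownership/mode the other.
xauth_file_check() {
    f="$1"
    problems=0
    if [ ! -e "$f" ]; then
        echo "missing: $f"
        return 1
    fi
    for lock in "$f-c" "$f-l"; do
        if [ -e "$lock" ]; then
            echo "stale lock file: $lock"
            problems=$((problems + 1))
        fi
    done
    if [ ! -r "$f" ] || [ ! -w "$f" ]; then
        echo "not readable/writable by current user: $f"
        problems=$((problems + 1))
    fi
    # The file holds the MIT-MAGIC-COOKIE-1 secret: group/other bits must be clear.
    mode=$(ls -l "$f" | cut -c5-10)
    if [ "$mode" != "------" ]; then
        echo "group/other access on $f (mode bits: $mode)"
        problems=$((problems + 1))
    fi
    if [ "$problems" -eq 0 ]; then echo ok; fi
    [ "$problems" -eq 0 ]
}

# Stand-alone run against the real files (paths are assumptions; adjust).
if [ "${1:-}" = "--run" ]; then
    echo "user ssh_config:    $(x11_client_mode "$HOME/.ssh/config")"
    echo "system ssh_config:  $(x11_client_mode /etc/ssh/ssh_config)"
    echo "sshd_config:        $(x11_server_enabled /etc/ssh/sshd_config)"
    xauth_file_check "$HOME/.Xauthority"
fi
```

Run it with `sh audit-x11.sh --run` on the client (and point the last two calls at the server's files when run there). The distinction it reports matters for the warning in this thread: "trusted" forwarding (-Y) hands the remote client unrestricted access to the local X server, while "untrusted" (-X) depends on the X SECURITY extension that, per the FAQ linked above, the Cygwin X server is not built with, which is why the untrusted setup fails and ssh falls back to fake authentication data.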
