Mail Archives: cygwin/2015/03/26/18:07:56

X-Recipient: archive-cygwin AT delorie DOT com
Mailing-List: contact cygwin-help AT cygwin DOT com; run by ezmlm
List-Id: <cygwin.cygwin.com>
List-Subscribe: <mailto:cygwin-subscribe AT cygwin DOT com>
List-Archive: <http://sourceware.org/ml/cygwin/>
List-Post: <mailto:cygwin AT cygwin DOT com>
List-Help: <mailto:cygwin-help AT cygwin DOT com>, <http://sourceware.org/ml/#faqs>
Sender: cygwin-owner AT cygwin DOT com
Mail-Followup-To: cygwin AT cygwin DOT com
Delivered-To: mailing list cygwin AT cygwin DOT com
To: cygwin AT cygwin DOT com
From: Andrew DeFaria <Andrew AT DeFaria DOT com>
Subject: Re: X11Forward and xauth problems
Date: Thu, 26 Mar 2015 15:06:42 -0700
Lines: 157
Message-ID: <mf1vti$utq$1@ger.gmane.org>
References: <mepu7q$9dr$1 AT ger DOT gmane DOT org> <55108046 DOT 1070206 AT dronecode DOT org DOT uk> <meq0g3$hob$1 AT ger DOT gmane DOT org> <55115B29 DOT 8000904 AT dronecode DOT org DOT uk> <meurth$g26$1 AT ger DOT gmane DOT org> <55145A0D DOT 4010406 AT dronecode DOT org DOT uk>
Mime-Version: 1.0
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:31.0) Gecko/20100101 Thunderbird/31.5.0
In-Reply-To: <55145A0D.4010406@dronecode.org.uk>
X-IsSubscribed: yes

On 3/26/2015 12:12 PM, Jon TURNEY wrote:
> On 25/03/2015 17:40, Andrew DeFaria wrote:
>> Prediction: This problem probably will end up having something to do
>> with the permissions and file system that ~/.Xauthority resides on,
>> which is, I believe, a NetApp. This file system is the file system for
>> the Linux Home directories (Windows "home" directories are somewhere
>> else). In an attempt to have a transparently workable environment I set
>> my Cygwin home directory to access the same directory my Linux servers
>> use for the home directory - this NetApp. If you need more information
>> about that then let me know and perhaps tell me how I can get that.
>
> This seems very plausible.
>
> If I am understanding you correctly, ~/.Xauthority is the same file on
> the NetApp at both ends.  I think perhaps that is somehow the cause of
> the problem.

Yes.

>
> The sequence of actions is something like:
>
> - startx(|win) generates a random cookie and stores it in
> ~/.serverauth.<pid> and uses that file as the server -auth option
> - it also uses 'xauth add' to put that cookie into ~/.Xauthority for the
> display (e.g. :0)

I'm not using startx - I just do C:\Cygwin\bin\XWin.exe -multiwindow 
-listen tcp

Note I don't see a ~/.serverauth. Maybe this file is created just for 
this purpose and quickly removed?

> - ssh reads that cookie out of ~/.Xauthority using 'xauth list' and
> sends it to the far end
> - sshd tries to store that cookie using xauth for the proxy display
> (e.g. :10)
>
> Reading the source of xauth [1], it does try to lock the ~/.Xauthority
> file for up to 20 seconds before giving up, which perhaps corresponds to
> the delay you see?

Sounds plausible. Is that configurable?

> However, the "unable to link authority file .Xauthority, use
> .Xauthority-n" message indicates that the working file .Xauthority-n
> cannot be renamed as .Xauthority (xauth tries both to hard-link it as
> .Xauthority, and to rename it)

After I ssh -X to this system I do see ~/.Xauthority and 
~/.Xauthority-n. They are the same size but differ binarily. I can do mv 
~/.Xauthority-n ~/.Xauthority without issue. Why can't sshd do that?

Once I rename the file X clients work! From that machine...

So I thought this might be a crude workaround and put this in my .bashrc:

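# Hack to fix ~/.Xauthority: if xauth left its working copy behind,
# move it into place (paths quoted so a $HOME with spaces still works)
if [ -f "$HOME/.Xauthority-n" ]; then
   mv "$HOME/.Xauthority-n" "$HOME/.Xauthority"
   echo "Fixed ~/.Xauthority"
fi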

and then thought, "What happens when I ssh into yet another Linux 
machine that shares this home directory" and when I tried to ssh -X to 
another machine I got (with a little instrumentation):

Adefaria-lt:id
uid=20393(adefaria) gid=10513(Domain Users) groups=10513(Domain Users),0(root),545(Users)
Adefaria-lt:ssh -X cm-app-lprod01
Warning: untrusted X11 forwarding setup failed: xauth key data not generated
Warning: No xauth data; using fake authentication data for X11 forwarding.
/usr/bin/xauth:  unable to link authority file /home/adefaria/.Xauthority, use /home/adefaria/.Xauthority-n
Attempting mv /home/adefaria/.Xauthority-n /home/adefaria/.Xauthority
mv: cannot move `/home/adefaria/.Xauthority-n' to `/home/adefaria/.Xauthority': Permission denied
adefaria
uid=80176(adefaria) gid=701(Domain Users) groups=701(Domain Users),10013(CMAdmins),10014(CMMachines-admin.sec) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
-rw-------. 1 adefaria Domain Users 223 Mar 26 13:25 /home/adefaria/.Xauthority
-rw-------. 1 adefaria Domain Users 223 Mar 26 13:46 /home/adefaria/.Xauthority-n
Cm-app-lprod01:mv .Xauthority-n .Xauthority
Cm-app-lprod01:

So the plot thickens... Why was mv denied permission when I can easily 
do it once I get a prompt?

Could it be because on Cygwin my uid is 20393 and on Linux it's 80176 
(and probably equivalenced by some mapping in the NetApp of 20393 <-> 80176)?

> Of course, sshd doesn't understand its helpful advice to use a
> different filename, so things don't work out so well. :)
>
> Given that it works the first time, when there is no existing
> ~/.Xauthority, perhaps the NetApp doesn't permit this file to be renamed
> over an existing file, for some reason?

But I did rename it once I got a prompt without a problem.

> You can tell startx to use a different file by using the XAUTHORITY env
> var, so setting that to something like ~/.Xauthority-$HOSTNAME might be
> a workaround. (Some googling on 'Xauthority hostname nfs' might be
> informative)

Again, I don't use startx, I simply run XWin directly. In fact the 
startx command is not found! Setting XAUTHORITY didn't do anything different.

> Or editing startx and changing enable_xauth to 0 might also be a
> workaround.

Since I don't even have startx, this is not really an option.

I need to read that googling on 'Xauthority hostname nfs'...

Any idea why setting ForwardX11 yes and ForwardX11Trusted don't seem to 
work? I thought it was that setting ForwardX11 yes is equivalent to 
specifying -X and setting ForwardX11Trusted yes is equivalent to 
specifying -Y but they are not behaving that way!

Adefaria-lt:echo "ForwardX11 yes" > ~/.ssh/config
Adefaria-lt:ssh cm-db-ldev01 "echo DISPLAY = \'\$DISPLAY\'"
Warning: untrusted X11 forwarding setup failed: xauth key data not generated
Warning: No xauth data; using fake authentication data for X11 forwarding.
X11 forwarding request failed on channel 0
DISPLAY = ''
Adefaria-lt:echo "ForwardX11Trusted yes" > ~/.ssh/config
Adefaria-lt:ssh cm-db-ldev01 "echo DISPLAY = \'\$DISPLAY\'"
DISPLAY = ''
Adefaria-lt:

Also why does this work:

Adefaria-lt:ssh -X cm-app-ldev01 "echo DISPLAY = \'\$DISPLAY\'"
Warning: untrusted X11 forwarding setup failed: xauth key data not generated
Warning: No xauth data; using fake authentication data for X11 forwarding.
DISPLAY = 'localhost:11.0'
Adefaria-lt:

But this fails:

Adefaria-lt:ssh -X cm-db-ldev01 "echo DISPLAY = \'\$DISPLAY\'"
Warning: untrusted X11 forwarding setup failed: xauth key data not generated
Warning: No xauth data; using fake authentication data for X11 forwarding.
X11 forwarding request failed on channel 0
DISPLAY = ''
Adefaria-lt:


I find all of this behavior erratic and unreliable.
-- 
Andrew DeFaria
http://defaria.com
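
Added example (not part of this message, and not xauth's or sshd's own code): a small probe for the two operations the thread says xauth attempts when it replaces ~/.Xauthority, a hard link of the working file and a rename over an existing file. The function name probe_xauth_dir and the scratch file names are hypothetical; the probe never touches the real ~/.Xauthority.

```shell
# Added diagnostic, not from the thread. probe_xauth_dir and the scratch
# file names are hypothetical; the real ~/.Xauthority is never touched.
probe_xauth_dir() {
    dir=${1:-$HOME}
    [ -d "$dir" ] && [ -w "$dir" ] || { echo "dir=unwritable"; return 2; }
    (
        umask 077                      # same 0600 mode as a real cookie file
        new="$dir/.xauth-probe.$$-n"   # stands in for .Xauthority-n
        cur="$dir/.xauth-probe.$$"     # stands in for .Xauthority
        link=fail
        rename=fail

        # Step 1: hard-link the working file to the final name.
        echo probe > "$new" || exit 2
        if ln "$new" "$cur" 2>/dev/null; then link=ok; fi
        rm -f "$cur"

        # Step 2: rename the working file over an existing final file,
        # then confirm the final name really holds the new content.
        echo old > "$cur" || exit 2
        if mv -f "$new" "$cur" 2>/dev/null && [ "$(cat "$cur")" = probe ]; then
            rename=ok
        fi

        rm -f "$new" "$cur"
        echo "link=$link rename=$rename"
        [ "$link" = ok ] && [ "$rename" = ok ]
    )
}
```

Running it against the shared home directory from the Cygwin side, from the Linux login scripts, and again from the interactive prompt shows whether the failure follows the filesystem, the uid in use, or the point in the session at which the operation is attempted.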

