DomainKey-Signature: a=rsa-sha1; c=nofws; d=sourceware.org; h=list-id
	:list-unsubscribe:list-subscribe:list-archive:list-post
	:list-help:sender:message-id:date:from:reply-to:mime-version:to
	:subject:references:in-reply-to:content-type
	:content-transfer-encoding; q=dns; s=default; b=TZkKmomFwy5PHa0q
	r6NK+FumVI1epM22iS9o8mGixzCKyRgZWnDFsA0A1aL7ZXpifiCpgs9Zq2IKw4zm
	/WYhKBvxuuO/C2CLj1V96I6y0MCoXVoAE/I6MKIRYxyHSBtGlr2TuIozC7XQRdl6
	zjoGb3N0k3Z3Mc2p8I4HAlnrRHA=
Mailing-List: contact cygwin-help AT cygwin DOT com; run by ezmlm
Sender: cygwin-owner AT cygwin DOT com
Mail-Followup-To: cygwin AT cygwin DOT com
Message-id: <53A39E75.5030305@cygwin.com>
Date: Thu, 19 Jun 2014 22:37:41 -0400
From: "Larry Hall (Cygwin)" <reply-to-list-only-lh AT cygwin DOT com>
Reply-to: cygwin AT cygwin DOT com
User-Agent: Mozilla/5.0 (X11; Linux i686; rv:24.0) Gecko/20100101 Thunderbird/24.5.0
MIME-version: 1.0
To: cygwin AT cygwin DOT com
Subject: Re: Trusted vs untrusted ssh/X connections
References: <lnvgv8$j3e$1 AT ger DOT gmane DOT org>
In-reply-to: <lnvgv8$j3e$1@ger.gmane.org>
Content-type: text/plain; charset=ISO-8859-1; format=flowed
Content-transfer-encoding: 7bit

On 06/19/2014 04:25 PM, Andrew DeFaria wrote:
> This is something that's been bothering me for a long time and I thought I
> might look into it a little deeper. I'm not sure if I should post this here
> because it involves Cygwin/X but it also involves OpenSSh.

Actually, this is probably off-topic since I don't see anything Cygwin-
specific about setting up ssh/X connections.

> When I ssh into a Linux machine using ForwardX11 I get those familiar messages:
>
> Warning: untrusted X11 forwarding setup failed: xauth key data not generated
>
> and according to https://cygwin.com/ml/cygwin-xfree/2008-11/msg00154.html:
> The warning can be silenced by using ssh -Y, since that
> is what ssh -X is doing now anyway.
>
> However, I find -Y to be 20 times slower to log in than -X:

This is probably a configuraton issue since when I ssh into my Linux system,
login time is roughly equivalent.

> Adefaria-lt:time ssh cm-job-ldev01 echo 'hi'
> Warning: untrusted X11 forwarding setup failed: xauth key data not generated
> Warning: No xauth data; using fake authentication data for X11 forwarding.
> /usr/bin/xauth:  error in locking authority file /home/adefaria/.Xauthority
> hi
>
> real    0m2.387s
> user    0m0.075s
> sys     0m0.446s
> Adefaria-lt:time ssh -Y cm-job-ldev01 echo 'hi'
> Warning: No xauth data; using fake authentication data for X11 forwarding.
> hi
> /usr/bin/xauth:  error in locking authority file /home/adefaria/.Xauthority
>
> real    0m22.476s
> user    0m0.091s
> sys     0m0.477s
> Adefaria-lt:
>
> Bonus points if you can help me get right of the other errors!

I believe the error regarding the .Xauthority file has something to do with
the permissions on the file.  As for the warning, I believe you want to
unset DISPLAY on your PC, set X11Forwarding to "yes" on your Linux machine
in your sshd_config file, and X11Forward to "yes" in you ssh_config file
(for instance) on your PC.  At least, that's what I gathered from searching
around on the net for the information. :-)

I think it goes without saying that enabling X11Forwarding opens up
some security holes in X.  Oops, looks like I said it anyway. ;-)


-- 
Larry

_____________________________________________________________________

A: Yes.
 > Q: Are you sure?
 >> A: Because it reverses the logical flow of conversation.
 >>> Q: Why is top posting annoying in email?

--
Problem reports:       http://cygwin.com/problems.html
FAQ:                   http://cygwin.com/faq/
Documentation:         http://cygwin.com/docs.html
Unsubscribe info:      http://cygwin.com/ml/#unsubscribe-simple