X-Recipient: archive-cygwin AT delorie DOT com
DomainKey-Signature: a=rsa-sha1; c=nofws; d=sourceware.org; h=list-id
	:list-unsubscribe:list-subscribe:list-archive:list-post
	:list-help:sender:to:from:subject:date:message-id:references
	:mime-version:content-type:content-transfer-encoding
	:in-reply-to; q=dns; s=default; b=fYwupg1SxqU1VWnHsBGm0Lmzi3Kfpx
	PcONaa6ibNYqWhGKW9lHk2JHPvmq2UxshHNJIxVZZLE7jGb6OD7vteEH6Ub4A5Nn
	Si3hwRCyxjSSPU4ETimIzy8gM/hck1Dbc93GaOITiTfw2/XObQLXie1V/+M2VAEv
	dFBAZK55A9pH0=
DKIM-Signature: v=1; a=rsa-sha1; c=relaxed; d=sourceware.org; h=list-id
	:list-unsubscribe:list-subscribe:list-archive:list-post
	:list-help:sender:to:from:subject:date:message-id:references
	:mime-version:content-type:content-transfer-encoding
	:in-reply-to; s=default; bh=fWv3DTPoHYryzXvH96div9BjhAA=; b=ngb7
	liivfct7tR4ESQKNd0S/YTU61FipTVwBedcWLVxejmHU5YQXOwr1nR1BORVaW/TK
	qTEvdaZH5DVAWsj6qmsaaTykl1ZPxZCXWXGhwf1dZSKVEPny58pik0B8dI7edmrk
	QeVP7y1Uoagj5CMFqXO/SWszdsn1AvKYNpwu0/k=
Mailing-List: contact cygwin-help AT cygwin DOT com; run by ezmlm
List-Id: <cygwin.cygwin.com>
List-Subscribe: <mailto:cygwin-subscribe AT cygwin DOT com>
List-Archive: <http://sourceware.org/ml/cygwin/>
List-Post: <mailto:cygwin AT cygwin DOT com>
List-Help: <mailto:cygwin-help AT cygwin DOT com>, <http://sourceware.org/ml/#faqs>
Sender: cygwin-owner AT cygwin DOT com
Mail-Followup-To: cygwin AT cygwin DOT com
Delivered-To: mailing list cygwin AT cygwin DOT com
Authentication-Results: sourceware.org; auth=none
X-Virus-Found: No
X-Spam-SWARE-Status: No, score=-0.2 required=5.0 tests=AWL,BAYES_00,RCVD_IN_DNSWL_NONE,RCVD_NUMERIC_HELO,SPF_HELO_PASS,SPF_PASS,T_FSL_HELO_BARE_IP_2,T_RP_MATCHES_RCVD autolearn=no version=3.3.2
X-HELO: plane.gmane.org
To: cygwin AT cygwin DOT com
From: Andrew DeFaria <Andrew AT DeFaria DOT com>
Subject: Re: Trusted vs untrusted ssh/X connections
Date: Fri, 20 Jun 2014 11:37:23 -0700
Lines: 91
Message-ID: <lo1v13$8kt$1@ger.gmane.org>
References: <lnvgv8$j3e$1 AT ger DOT gmane DOT org> <53A39E75 DOT 5030305 AT cygwin DOT com>
Mime-Version: 1.0
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:24.0) Gecko/20100101 Thunderbird/24.6.0
In-Reply-To: <53A39E75.5030305@cygwin.com>
X-IsSubscribed: yes

On 6/19/2014 7:37 PM, Larry Hall (Cygwin) wrote:
> On 06/19/2014 04:25 PM, Andrew DeFaria wrote:
>> This is something that's been bothering me for a long time and I
>> thought I
>> might look into it a little deeper. I'm not sure if I should post this
>> here
>> because it involves Cygwin/X but it also involves OpenSSh.
>
> Actually, this is probably off-topic since I don't see anything Cygwin-
> specific about setting up ssh/X connections.

But I get the "untrusted X11 forwarding" error only when I ssh from 
Cygwin -> Linux using -X.

>
>> When I ssh into a Linux machine using ForwardX11 I get those familiar
>> messages:
>>
>> Warning: untrusted X11 forwarding setup failed: xauth key data not
>> generated
>>
>> and according to
>> https://cygwin.com/ml/cygwin-xfree/2008-11/msg00154.html:
>> The warning can be silenced by using ssh -Y, since that
>> is what ssh -X is doing now anyway.
>>
>> However, I find -Y to be 20 times slower to log in than -X:
>
> This is probably a configuraton issue since when I ssh into my Linux
> system,
> login time is roughly equivalent.

Any ideas of what configuration file I should be looking and what that 
configuration option that would be?

>
>> Adefaria-lt:time ssh cm-job-ldev01 echo 'hi'
>> Warning: untrusted X11 forwarding setup failed: xauth key data not
>> generated
>> Warning: No xauth data; using fake authentication data for X11
>> forwarding.
>> /usr/bin/xauth:  error in locking authority file
>> /home/adefaria/.Xauthority
>> hi
>>
>> real    0m2.387s
>> user    0m0.075s
>> sys     0m0.446s
>> Adefaria-lt:time ssh -Y cm-job-ldev01 echo 'hi'
>> Warning: No xauth data; using fake authentication data for X11
>> forwarding.
>> hi
>> /usr/bin/xauth:  error in locking authority file
>> /home/adefaria/.Xauthority
>>
>> real    0m22.476s
>> user    0m0.091s
>> sys     0m0.477s
>> Adefaria-lt:
>>
>> Bonus points if you can help me get right of the other errors!
>
> I believe the error regarding the .Xauthority file has something to do with
> the permissions on the file.  As for the warning, I believe you want to
> unset DISPLAY on your PC, set X11Forwarding to "yes" on your Linux machine
> in your sshd_config file, and X11Forward to "yes" in you ssh_config file
> (for instance) on your PC.  At least, that's what I gathered from searching
> around on the net for the information. :-)

My experience with this is that if DISPLAY is not set and you ssh -X (or 
-Y) then on the other side DISPLAY is not set:

Adefaria-lt:echo $DISPLAY
:0
Adefaria-lt:ssh cm-job-ldev01 'echo $DISPLAY'
Warning: untrusted X11 forwarding setup failed: xauth key data not generated
Warning: No xauth data; using fake authentication data for X11 forwarding.
/usr/bin/xauth:  error in locking authority file /home/adefaria/.Xauthority
localhost:11.0
Adefaria-lt:unset DISPLAY
Adefaria-lt:ssh cm-job-ldev01 'echo $DISPLAY'

Adefaria-lt:

> I think it goes without saying that enabling X11Forwarding opens up
> some security holes in X.  Oops, looks like I said it anyway. ;-)

Inside the intranet, this is not a concern for me.
-- 
Andrew DeFaria
http://defaria.com


--
Problem reports:       http://cygwin.com/problems.html
FAQ:                   http://cygwin.com/faq/
Documentation:         http://cygwin.com/docs.html
Unsubscribe info:      http://cygwin.com/ml/#unsubscribe-simple