Message-id: <53A634B0.4040002@cygwin.com>
Date: Sat, 21 Jun 2014 21:43:12 -0400
From: "Larry Hall (Cygwin)"
Reply-to: cygwin AT cygwin DOT com
To: cygwin AT cygwin DOT com
Subject: Re: Trusted vs untrusted ssh/X connections
References: <53A39E75 DOT 5030305 AT cygwin DOT com>

On 06/20/2014 02:37 PM, Andrew DeFaria
wrote:
> On 6/19/2014 7:37 PM, Larry Hall (Cygwin) wrote:
>> On 06/19/2014 04:25 PM, Andrew DeFaria wrote:
>>> This is something that's been bothering me for a long time and I thought I
>>> might look into it a little deeper. I'm not sure if I should post this here
>>> because it involves Cygwin/X but it also involves OpenSSH.
>>
>> Actually, this is probably off-topic since I don't see anything
>> Cygwin-specific about setting up ssh/X connections.
>
> But I get the "untrusted X11 forwarding" error only when I ssh from Cygwin
> -> Linux using -X.

OK, I see your point on this one. But I thought that was covered in this FAQ:

My understanding is that the Cygwin X server would need to be built with the
SECURITY extension but that it is not and, for reasons discussed in the
referenced email (which you also pointed to), would not be. If you want to
re-open this discussion, I suggest you create a new thread on the Cygwin X
list and refer back to this one (for background and continuity). I'm not
sure that there has been any big change in this area in the last 6 years but
there's certainly nothing wrong with asking. :-)

>>
>>> When I ssh into a Linux machine using ForwardX11 I get those familiar
>>> messages:
>>>
>>> Warning: untrusted X11 forwarding setup failed: xauth key data not generated
>>>
>>> and according to
>>> https://cygwin.com/ml/cygwin-xfree/2008-11/msg00154.html:
>>> The warning can be silenced by using ssh -Y, since that
>>> is what ssh -X is doing now anyway.
>>>
>>> However, I find -Y to be 20 times slower to log in than -X:
>>
>> This is probably a configuration issue since when I ssh into my Linux
>> system, login time is roughly equivalent.
>
> Any ideas of what configuration file I should be looking and what that
> configuration option that would be?

I'm not sure. It might be as simple as the permissions problem on
.Xauthority slowing you down.
Alternatively, you might try running both clients with debugging and/or
under strace to see if it helps you narrow down where the time is going in
the "-Y" case.

>>> Adefaria-lt:time ssh cm-job-ldev01 echo 'hi'
>>> Warning: untrusted X11 forwarding setup failed: xauth key data not generated
>>> Warning: No xauth data; using fake authentication data for X11 forwarding.
>>> /usr/bin/xauth: error in locking authority file /home/adefaria/.Xauthority
>>> hi
>>>
>>> real 0m2.387s
>>> user 0m0.075s
>>> sys 0m0.446s
>>> Adefaria-lt:time ssh -Y cm-job-ldev01 echo 'hi'
>>> Warning: No xauth data; using fake authentication data for X11 forwarding.
>>> hi
>>> /usr/bin/xauth: error in locking authority file /home/adefaria/.Xauthority
>>>
>>> real 0m22.476s
>>> user 0m0.091s
>>> sys 0m0.477s
>>> Adefaria-lt:
>>>
>>> Bonus points if you can help me get rid of the other errors!
>>
>> I believe the error regarding the .Xauthority file has something to do with
>> the permissions on the file. As for the warning, I believe you want to
>> unset DISPLAY on your PC, set X11Forwarding to "yes" on your Linux machine
>> in your sshd_config file, and X11Forward to "yes" in your ssh_config file
>> (for instance) on your PC. At least, that's what I gathered from searching
>> around on the net for the information. :-)
>
> My experience with this is that if DISPLAY is not set and you ssh -X (or -Y)
> then on the other side DISPLAY is not set:
>
> Adefaria-lt:echo $DISPLAY
> :0
> Adefaria-lt:ssh cm-job-ldev01 'echo $DISPLAY'
> Warning: untrusted X11 forwarding setup failed: xauth key data not generated
> Warning: No xauth data; using fake authentication data for X11 forwarding.
> /usr/bin/xauth: error in locking authority file /home/adefaria/.Xauthority
> localhost:11.0
> Adefaria-lt:unset DISPLAY
> Adefaria-lt:ssh cm-job-ldev01 'echo $DISPLAY'
>
> Adefaria-lt:

That's not what the man page says and doesn't match my experience either.
Check out 'man ssh' and search for the section on "X11 FORWARDING". It has
a section on what's supposed to happen and what needs to be set on the
client side to make this happen. That handles the client-side requirements.
Then there's the "X11Forwarding" on the server side that needs to be set
too, like I mentioned above. If this is how you're running things but still
having troubles, I would recommend contacting the OpenSSH folks. They may
have specific ideas about what else could cause the behavior you see despite
the recommended settings.

--
Larry

_____________________________________________________________________

A: Yes.
> Q: Are you sure?
>> A: Because it reverses the logical flow of conversation.
>>> Q: Why is top posting annoying in email?
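
Added example, not part of the original message or of OpenSSH: a small POSIX shell check for the two things the thread keeps returning to, namely which forwarding mode the client will actually use and whether the authority file named in the xauth error can be locked and is private. The function names `x11_mode` and `xauth_file_check` are hypothetical; the first assumes an OpenSSH client that supports `ssh -G`, and the sample input at the bottom is constructed.

```shell
#!/bin/sh
# Added example; function names are hypothetical, sample input is constructed.

# Classify the forwarding mode from `ssh -G <host>` output on stdin
# (lowercase "key value" lines). Prints: off, untrusted or trusted.
x11_mode() {
    awk '
        $1 == "forwardx11"        { fwd = $2 }
        $1 == "forwardx11trusted" { trusted = $2 }
        END {
            if (fwd != "yes")          print "off"
            else if (trusted == "yes") print "trusted"
            else                       print "untrusted"
        }'
}

# Check the authority file xauth failed to lock. $1 = path to .Xauthority.
# Prints one finding per line, or "ok" when nothing is found.
xauth_file_check() {
    f=$1; bad=0
    dir=$(dirname -- "$f")
    # xauth creates its lock files next to the authority file.
    [ -w "$dir" ] || { echo "dir-not-writable"; bad=1; }
    if [ -e "$f" ]; then
        [ -w "$f" ] || { echo "file-not-writable"; bad=1; }
        # The file holds X cookies; group/other read access exposes them.
        if [ -n "$(find "$f" \( -perm -040 -o -perm -004 \))" ]; then
            echo "readable-by-others"; bad=1
        fi
    fi
    # <file>-c and <file>-l exist only while xauth holds the lock;
    # leftovers make later lock attempts fail.
    for lock in "$f-c" "$f-l"; do
        if [ -e "$lock" ]; then echo "lock-present:$lock"; bad=1; fi
    done
    [ "$bad" -eq 1 ] || echo "ok"
}

# Constructed sample of what `ssh -G -Y cm-job-ldev01` would report:
printf 'forwardx11 yes\nforwardx11trusted yes\n' | x11_mode
# Real use: ssh -G -X cm-job-ldev01 | x11_mode
xauth_file_check "${XAUTHORITY:-$HOME/.Xauthority}"
```

Run `xauth_file_check` on both ends: on the PC for the local cookie and on the Linux machine for /home/adefaria/.Xauthority, the file named in the error.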