To: cygwin AT cygwin DOT com
From: Andrew DeFaria
Subject: Re: X11Forward and xauth problems
Date: Wed, 25 Mar 2015 10:40:00 -0700

On 3/24/2015 5:40 AM, Jon TURNEY wrote:
>>> Firstly, if you don't want these warnings, use ssh -Y.
>>>
>>> (By using ssh -X, you are asking for something which the X server can't
>>> give you, hence the warnings. See
>>> http://x.cygwin.com/docs/faq/cygwin-x-faq.html#q-trusted-untrusted-x11-forwarding
>>>
>>> for more details)
>>
>> Yeah but -Y gives me the same thing:
>
> This is similar, but it is not the same.

What I mean by the same thing is that it also fails in the same manner:

Adefaria-lt:ssh -Y cm-app-ldev01
Warning: No xauth data; using fake authentication data for X11 forwarding.
/usr/bin/xauth: unable to link authority file /home/adefaria/.Xauthority, use /home/adefaria/.Xauthority-n
Cm-app-ldev01:xclock
X11 connection rejected because of wrong authentication.
Error: Can't open display: localhost:11.0
Cm-app-ldev01:

Prediction: This problem probably will end up having something to do with the permissions and file system that ~/.Xauthority resides on, which is, I believe, a NetApp. This file system is the file system for the Linux Home directories (Windows "home" directories are somewhere else). In an attempt to have a transparently workable environment I set my Cygwin home directory to access the same directory my Linux servers use for the home directory - this NetApp. If you need more information about that then let me know and perhaps tell me how I can get that.

OK, here's an odd sequence that seems to point to the "unable to link authority file" problem. Adefaria-lt is my Windows 7 laptop - Cm-app-ldev01 is a CentOS 6.5

Adefaria-lt:echo $DISPLAY
:0
Adefaria-lt:ssh -X cm-app-ldev01
Warning: No xauth data; using fake authentication data for X11 forwarding.
/usr/bin/xauth: unable to link authority file /home/adefaria/.Xauthority, use /home/adefaria/.Xauthority-n
Cm-app-ldev01:echo $DISPLAY
localhost:10.0
Cm-app-ldev01:xclock
X11 connection rejected because of wrong authentication.
Error: Can't open display: localhost:10.0
Cm-app-ldev01:rm .Xauthority*
Cm-app-ldev01:exit
logout
Connection to cm-app-ldev01 closed.
Adefaria-lt:ssh -X cm-app-ldev01
Warning: No xauth data; using fake authentication data for X11 forwarding.
/usr/bin/xauth: creating new authority file /home/adefaria/.Xauthority
Cm-app-ldev01:echo $DISPLAY
localhost:10.0
Cm-app-ldev01:xclock
Warning: Missing charsets in String to FontSet conversion
Cm-app-ldev01:exit
logout
Connection to cm-app-ldev01 closed.
Adefaria-lt:ls -l .Xauthority*
-rw------- 1 adefaria Domain Users 74 Mar 25 10:19 .Xauthority
Adefaria-lt:ssh -X cm-app-ldev01
Warning: No xauth data; using fake authentication data for X11 forwarding.
/usr/bin/xauth: unable to link authority file /home/adefaria/.Xauthority, use /home/adefaria/.Xauthority-n
Cm-app-ldev01:echo $DISPLAY
localhost:10.0
Cm-app-ldev01:xclock
X11 connection rejected because of wrong authentication.
Error: Can't open display: localhost:10.0
Cm-app-ldev01:

As you can see, with my current ~/.Xauthority file things don't work. But if I remove the ~/.Xauthority* files, one is created at the next login and everything works fine. Log out and back in, however, and it breaks again.

>> Adefaria-lt:ssh -Y cm-app-ldev01
>> Warning: No xauth data; using fake authentication data for X11
>> forwarding.
>> /usr/bin/xauth: unable to link authority file
>> /home/adefaria/.Xauthority, use /home/adefaria/.Xauthority-n
>> Cm-app-ldev01:
>
> I think this last message here is unusual, and is coming from xauth
> running on the remote server. Can you give a few more details on
> what OS that is running?

CentOS 6.5

> If you connect using ssh -vv -Y, you should be able to see the xauth
> commands that sshd is running, and if those, or some other step in the
> connection, is the cause of the delay.

Adefaria-lt:ssh -vv -Y cm-app-ldev01
OpenSSH_6.8p1, OpenSSL 1.0.2a 19 Mar 2015
debug1: Reading configuration data /etc/ssh_config
debug1: /etc/ssh_config line 51: Applying options for *
debug2: ssh_connect: needpriv 0
debug1: Connecting to cm-app-ldev01 [10.252.8.152] port 22.
debug1: Connection established.
debug1: key_load_public: No such file or directory
debug1: identity file /home/adefaria/.ssh/id_rsa type -1
debug1: key_load_public: No such file or directory
debug1: identity file /home/adefaria/.ssh/id_rsa-cert type -1
debug1: identity file /home/adefaria/.ssh/id_dsa type 2
debug1: key_load_public: No such file or directory
debug1: identity file /home/adefaria/.ssh/id_dsa-cert type -1
debug1: key_load_public: No such file or directory
debug1: identity file /home/adefaria/.ssh/id_ecdsa type -1
debug1: key_load_public: No such file or directory
debug1: identity file /home/adefaria/.ssh/id_ecdsa-cert type -1
debug1: key_load_public: No such file or directory
debug1: identity file /home/adefaria/.ssh/id_ed25519 type -1
debug1: key_load_public: No such file or directory
debug1: identity file /home/adefaria/.ssh/id_ed25519-cert type -1
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_6.8
debug1: Remote protocol version 2.0, remote software version OpenSSH_5.3
debug1: match: OpenSSH_5.3 pat OpenSSH_5* compat 0x0c000000
debug2: fd 3 setting O_NONBLOCK
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug2: kex_parse_kexinit: curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha1,diffie-hellman-group-exchange-sha1,diffie-hellman-group1-sha1
debug2: kex_parse_kexinit: ssh-rsa-cert-v01@openssh.com,ssh-rsa-cert-v00@openssh.com,ssh-rsa,ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp521-cert-v01@openssh.com,ssh-ed25519-cert-v01@openssh.com,ssh-dss-cert-v01@openssh.com,ssh-dss-cert-v00@openssh.com,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,ssh-ed25519,ssh-dss
debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com,chacha20-poly1305@openssh.com,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-cbc@lysator.liu.se
debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com,chacha20-poly1305@openssh.com,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-cbc@lysator.liu.se
debug2: kex_parse_kexinit: umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1,hmac-md5-etm@openssh.com,hmac-ripemd160-etm@openssh.com,hmac-sha1-96-etm@openssh.com,hmac-md5-96-etm@openssh.com,hmac-md5,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1,hmac-md5-etm@openssh.com,hmac-ripemd160-etm@openssh.com,hmac-sha1-96-etm@openssh.com,hmac-md5-96-etm@openssh.com,hmac-md5,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: none,zlib@openssh.com,zlib
debug2: kex_parse_kexinit: none,zlib@openssh.com,zlib
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit: first_kex_follows 0
debug2: kex_parse_kexinit: reserved 0
debug2: kex_parse_kexinit: diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
debug2: kex_parse_kexinit: ssh-rsa,ssh-dss
debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-cbc@lysator.liu.se
debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-cbc@lysator.liu.se
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: none,zlib@openssh.com
debug2: kex_parse_kexinit: none,zlib@openssh.com
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit: first_kex_follows 0
debug2: kex_parse_kexinit: reserved 0
debug1: kex: server->client aes128-ctr umac-64@openssh.com none
debug1: kex: client->server aes128-ctr umac-64@openssh.com none
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1024<3072<8192) sent
debug1: got SSH2_MSG_KEX_DH_GEX_GROUP
debug2: bits set: 1544/3072
debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
debug1: got SSH2_MSG_KEX_DH_GEX_REPLY
debug1: Server host key: ssh-rsa SHA256:FM8zkVJ3lA+qEuWC0l+NV1szCmrG+f5czMTo2s6JZZ8
debug1: Host 'cm-app-ldev01' is known and matches the RSA host key.
debug1: Found key in /home/adefaria/.ssh/known_hosts:41
debug2: bits set: 1540/3072
debug2: set_newkeys: mode 1
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug2: set_newkeys: mode 0
debug1: SSH2_MSG_NEWKEYS received
debug1: Roaming not allowed by server
debug1: SSH2_MSG_SERVICE_REQUEST sent
debug2: service_accept: ssh-userauth
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug2: key: /home/adefaria/.ssh/id_rsa (0x0),
debug2: key: /home/adefaria/.ssh/id_dsa (0x60005f0f0),
debug2: key: /home/adefaria/.ssh/id_ecdsa (0x0),
debug2: key: /home/adefaria/.ssh/id_ed25519 (0x0),
debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic,password
debug1: Next authentication method: publickey
debug1: Trying private key: /home/adefaria/.ssh/id_rsa
debug1: Offering DSA public key: /home/adefaria/.ssh/id_dsa
debug2: we sent a publickey packet, wait for reply
debug1: Server accepts key: pkalg ssh-dss blen 435
debug2: input_userauth_pk_ok: fp SHA256:ZijSNCmYg0tL2z4LIcRGLDS+AF3Ms+8Md93qGF5zHtc
debug1: Authentication succeeded (publickey).
Authenticated to cm-app-ldev01 ([10.252.8.152]:22).
debug1: channel 0: new [client-session]
debug2: channel 0: send open
debug1: Requesting no-more-sessions@openssh.com
debug1: Entering interactive session.
debug2: callback start
debug2: x11_get_proto: /usr/bin/xauth list :0 2>/dev/null
Warning: No xauth data; using fake authentication data for X11 forwarding.
debug1: Requesting X11 forwarding with authentication spoofing.
debug2: channel 0: request x11-req confirm 1
debug2: fd 3 setting TCP_NODELAY
debug2: client_session2_setup: id 0
debug2: channel 0: request pty-req confirm 1
debug2: channel 0: request shell confirm 1
debug2: callback done
debug2: channel 0: open confirm rwindow 0 rmax 32768
debug2: channel_input_status_confirm: type 99 id 0
debug2: X11 forwarding request accepted on channel 0
debug2: channel_input_status_confirm: type 99 id 0
debug2: PTY allocation request accepted on channel 0
debug2: channel 0: rcvd adjust 2097152
debug2: channel_input_status_confirm: type 99 id 0
debug2: shell request accepted on channel 0
/usr/bin/xauth: unable to link authority file /home/adefaria/.Xauthority, use /home/adefaria/.Xauthority-n
Cm-app-ldev01:

> You might also try running those xauth commands in the terminal to
> investigate further.

Cm-app-ldev01:xauth list :0
Cm-app-ldev01:echo $?
0

>
>>>> Adefaria-lt:xhost +
>>>> access control disabled, clients can connect from any host
>>>> Adefaria-lt:ssh cm-app-ldev01
>>>> Cm-app-ldev01:export DISPLAY=adefaria-lt:0
>>>> Cm-app-ldev01:xclock
>>>> Error: Can't open display: adefaria-lt:0
>>>> Cm-app-ldev01:
>>>
>>> If you want this to work, you will now (since X server 1.17) need to
>>> start the server with the option '-listen tcp'.
>>
>> Restarted Xwin with -multimonitor and -listen tcp. Now I get:
>
> Sorry for any ambiguity, but you have misunderstood what I wrote.
>
> If you want explicitly setting DISPLAY and allowing access using xhost
> to work, you must start the server with the option '-listen tcp'.

Sorry I misunderstood. This works for me and is a workaround. But I wish I could get that xauth thing working correctly.

--
Andrew DeFaria
http://defaria.com
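
Added example, not part of the original message or of xauth itself: a shell check, to be run on the remote host, for the hypothesis in the message that the file system holding ~/.Xauthority is at fault. It assumes xauth saves the file by writing a `-n` temporary, unlinking the old file and hard-linking the temporary into place; `probe_xauth_dir` and the `.xauth-probe` scratch names are made up for this sketch.

```shell
#!/bin/sh
# Added diagnostic, not from the thread. It replays, on scratch names only,
# the save sequence xauth is assumed to use for an authority file:
#   1. write the new contents to FILE-n
#   2. unlink the old FILE
#   3. hard-link FILE-n to FILE   (the step reported as failing above)
# The real .Xauthority is never modified.

probe_xauth_dir() {
    dir=${1:-$HOME}
    base="$dir/.xauth-probe.$$"      # hypothetical scratch name
    result=ok

    [ -d "$dir" ] || { echo "no-such-dir"; return 1; }

    # xauth's lock files (-c and -l); leftovers are worth knowing about.
    for lock in "$dir/.Xauthority-c" "$dir/.Xauthority-l"; do
        if [ -e "$lock" ]; then echo "note: lock file present: $lock" >&2; fi
    done

    # Create an "old" file and the -n temporary, owner-only like xauth's.
    if ! ( umask 077; : > "$base" && : > "$base-n" ) 2>/dev/null; then
        result=create-failed
    # Step 2: the old name must really be gone after the unlink.
    elif ! rm -f "$base" 2>/dev/null || [ -e "$base" ]; then
        result=unlink-failed
    # Step 3: fails if the name still exists or hard links are refused.
    elif ! ln "$base-n" "$base" 2>/dev/null; then
        result=link-failed
    # The file system should report the result as owner-only (rw-------).
    elif [ "$(ls -ld "$base" | cut -c5-10)" != "------" ]; then
        result=mode-too-open
    fi

    rm -f "$base" "$base-n" 2>/dev/null
    echo "$result"
    [ "$result" = ok ]
}
```

Calling `probe_xauth_dir "$HOME"` once right after removing ~/.Xauthority* and again after the failing login shows whether the unlink or the link step is the one the file system refuses.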