From: Andrew DeFaria
To: cygwin AT cygwin DOT com
Subject: Re: X11Forward and xauth problems
Date: Thu, 26 Mar 2015 15:06:42 -0700

On 3/26/2015 12:12 PM, Jon TURNEY wrote:
> On 25/03/2015 17:40, Andrew DeFaria wrote:
>> Prediction: This problem probably will end up having something to do
>> with the permissions and file system that ~/.Xauthority resides on,
>> which is, I believe, a NetApp. This file system is the file system for
>> the Linux Home directories (Windows "home" directories are somewhere
>> else). In an attempt to have a transparently workable environment I set
>> my Cygwin home directory to access the same directory my Linux servers
>> use for the home directory - this NetApp. If you need more information
>> about that then let me know and perhaps tell me how I can get that.
>
> This seems very plausible.
>
> If I am understanding you correctly, ~/.Xauthority is the same file on
> the NetApp at both ends. I think perhaps that is somehow the cause of
> the problem.

Yes.

> The sequence of actions is something like:
>
> - startx(|win) generates a random cookie and stores it in
> ~/.serverauth. and uses that file as the server -auth option
> - it also uses 'xauth add' to put that cookie into ~/.Xauthority for the
> display (e.g. :0)

I'm not using startx - I just do C:\Cygwin\bin\XWin.exe -multiwindow -listen tcp

Note I don't see a ~/.serverauth. Maybe this file is created just for this purpose and quickly removed?

> - ssh reads that cookie out of ~/.Xauthority using 'xauth list' and
> sends it to the far end
> - sshd tries to store that cookie using xauth for the proxy display (e.g
> :10)
>
> Reading the source of xauth [1], it does try to lock the ~/.Xauthority
> file for up to 20 seconds before giving up, which perhaps corresponds to
> the delay you see?

Sounds plausible. Is that configurable?

> However, the "unable to link authority file .Xauthority, use
> .Xauthority-n" message indicates that the working file .Xauthority-n
> cannot be renamed as .Xauthority (xauth tries both to hard-link it as
> .Xauthority, and to rename it)

After I ssh -X to this system I do see ~/.Xauthority and ~/.Xauthority-n. They are the same size but differ binarily. I can do mv ~/.Xauthority-n ~/.Xauthority without issue. Why can't sshd do that? Once I rename the file X clients work! From that machine... So I thought this might be a crude workaround and put this in my .bashrc:

# Hack to fix ~/.Xauthority
if [ -f "$HOME/.Xauthority-n" ]; then
  mv "$HOME/.Xauthority-n" "$HOME/.Xauthority"
  echo "Fixed ~/.Xauthority"
fi

and then thought, "What happens when I ssh into yet another Linux machine that shares this home directory" and when I tried to ssh -X to another machine I got (with a little instrumentation):

Adefaria-lt:id
uid=20393(adefaria) gid=10513(Domain Users) groups=10513(Domain Users),0(root),545(Users)
Adefaria-lt:ssh -X cm-app-lprod01
Warning: untrusted X11 forwarding setup failed: xauth key data not generated
Warning: No xauth data; using fake authentication data for X11 forwarding.
/usr/bin/xauth: unable to link authority file /home/adefaria/.Xauthority, use /home/adefaria/.Xauthority-n
Attempting mv /home/adefaria/.Xauthority-n /home/adefaria/.Xauthority
mv: cannot move `/home/adefaria/.Xauthority-n' to `/home/adefaria/.Xauthority': Permission denied
adefaria
uid=80176(adefaria) gid=701(Domain Users) groups=701(Domain Users),10013(CMAdmins),10014(CMMachines-admin.sec) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
-rw-------. 1 adefaria Domain Users 223 Mar 26 13:25 /home/adefaria/.Xauthority
-rw-------. 1 adefaria Domain Users 223 Mar 26 13:46 /home/adefaria/.Xauthority-n
Cm-app-lprod01:mv .Xauthority-n .Xauthority
Cm-app-lprod01:

So the plot thickens... Why was mv denied permission when I can easily do it once I get a prompt?
Could it be because on Cygwin my uid is 20393 and on Linux it's 80176 (and probably equivalenced by some mapping in the NetApp of 20393 <-> 80176)?

> Of course, sshd doesn't understand its helpful advice to use a
> different filename, so things don't work out so well. :)
>
> Given that it works the first time, when there is no existing
> ~/.Xauthority, perhaps the NetApp doesn't permit this file to be renamed
> over an existing file, for some reason?

But I did rename it once I got a prompt without a problem.

> You can tell startx to use a different file by using the XAUTHORITY env
> var, so setting that to something like ~/.Xauthority-$HOSTNAME might be
> a workaround. (Some googling on 'Xauthority hostname nfs' might be
> informative)

Again, I don't use startx, I simply run Xwin directly. In fact the startx command is not found! Setting XAUTHORITY didn't do anything different.

> Or editing startx and changing enable_xauth to 0 might also be a
> workaround.

Since I don't even have startx, this is not really an option. I need to read that googling on 'Xauthority hostname nfs'...vi

Any idea why setting ForwardX11 yes and ForwardX11Trusted don't seem to work? I thought it was that setting ForwardX11 yes is equivalent to specifying -X and setting ForwardX11Trusted yes is equivalent to specifying -Y but they are not behaving that way!

Adefaria-lt:echo "ForwardX11 yes" > ~/.ssh/config
Adefaria-lt:ssh cm-db-ldev01 "echo DISPLAY = \'\$DISPLAY\'"
Warning: untrusted X11 forwarding setup failed: xauth key data not generated
Warning: No xauth data; using fake authentication data for X11 forwarding.
X11 forwarding request failed on channel 0
DISPLAY = ''
Adefaria-lt:echo "ForwardX11Trusted yes" > ~/.ssh/config
Adefaria-lt:ssh cm-db-ldev01 "echo DISPLAY = \'\$DISPLAY\'"
DISPLAY = ''
Adefaria-lt:

Also why does this work:

Adefaria-lt:ssh -X cm-app-ldev01 "echo DISPLAY = \'\$DISPLAY\'"
Warning: untrusted X11 forwarding setup failed: xauth key data not generated
Warning: No xauth data; using fake authentication data for X11 forwarding.
DISPLAY = 'localhost:11.0'
Adefaria-lt:

But this fails:

Adefaria-lt:ssh -X cm-db-ldev01 "echo DISPLAY = \'\$DISPLAY\'"
Warning: untrusted X11 forwarding setup failed: xauth key data not generated
Warning: No xauth data; using fake authentication data for X11 forwarding.
X11 forwarding request failed on channel 0
DISPLAY = ''
Adefaria-lt:

I find all of this behavior erratic and unreliable.
-- 
Andrew DeFaria
http://defaria.com
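
The thread says xauth tries both to hard-link the working file into place and to rename it; the sketch below tries those two operations by hand in a given directory so the result can be compared between the hosts that share the home directory. It is an added example, not part of the original message or of xauth; the function name probe_authdir and the probe file names are hypothetical.

```shell
# Added diagnostic, not from the thread; all names here are illustrative.
# Usage: probe_authdir "$HOME"
#
# probe_authdir DIR
#   Inside DIR, create a stand-in for .Xauthority and for its "-n"
#   working copy, then try to put the working copy in place by
#   (1) hard link and (2) rename over the existing file.
#   Prints "link=<ok|fail> rename=<ok|fail>".
#   Returns 0 if both worked, 1 if either failed, 2 if DIR is not writable.
probe_authdir() {
    dir=${1:-$HOME}
    old="$dir/.xauth-probe.$$"      # stands in for .Xauthority
    new="$old-n"                    # stands in for .Xauthority-n
    link=fail
    rename=fail

    # Authority files are mode 0600, so create the probes the same way.
    ( umask 077 && echo old > "$old" && echo new > "$new" ) 2>/dev/null || {
        rm -f "$old" "$new" 2>/dev/null
        echo "cannot create probe files in $dir" >&2
        return 2
    }

    # (1) Hard link. ln refuses to replace an existing name, so the
    #     target is removed first.
    rm -f "$old" 2>/dev/null
    ln "$new" "$old" 2>/dev/null && link=ok

    # (2) Rename over an existing, different file and check the content
    #     really changed.
    rm -f "$old" 2>/dev/null
    echo old > "$old" 2>/dev/null
    mv -f "$new" "$old" 2>/dev/null &&
        [ "$(cat "$old" 2>/dev/null)" = new ] && rename=ok

    rm -f "$old" "$new" 2>/dev/null
    echo "link=$link rename=$rename"
    [ "$link" = ok ] && [ "$rename" = ok ]
}
```

Running it once from the Cygwin side and once from each Linux host shows whether the failure depends on which client touches the share.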