openssh: ssh client: xauth path is invalid - "/usr/X11R6/bin/xauth"

  • Done
Details
3 participants
  • Danny Milosavljevic
  • Ludovic Courtès
  • Maxim Cournoyer
Owner
unassigned
Submitted by
Danny Milosavljevic
Severity
normal
Danny Milosavljevic wrote on 19 Apr 2016 22:39
(address . bug-guix@gnu.org)
20160419223929.54f33b36@scratchpost.org
$ ssh -X daya20
Warning: untrusted X11 forwarding setup failed: xauth key data not generated

Because:

$ strings $(which ssh) |grep /xauth
/usr/X11R6/bin/xauth
%s/xauthfile

However,

$ which xauth
/home/dannym/.guix-profile/bin/xauth

Adding the following and rebuilding doesn't help either (for some reason):
diff --git a/gnu/packages/ssh.scm b/gnu/packages/ssh.scm
index b8f107b..d85124b 100644
--- a/gnu/packages/ssh.scm
+++ b/gnu/packages/ssh.scm
@@ -35,6 +35,7 @@
#:autoload (gnu packages boost) (boost)
#:use-module (gnu packages base)
#:use-module (gnu packages tls)
+ #:use-module (gnu packages xorg)
#:use-module (gnu packages)
#:use-module (guix packages)
#:use-module (guix download)
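Review bot: the added "#:use-module (gnu packages xorg)" line loads the whole xorg package module, while the only binding this patch takes from it is xauth. The boost import at the top of this hunk already uses the autoload form, "#:autoload (gnu packages boost) (boost)"; writing this one as "#:autoload (gnu packages xorg) (xauth)" would defer loading the module until xauth is first referenced and would document which binding is needed.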
@@ -131,7 +132,8 @@ a server that supports the SSH-2 protocol.")
(build-system gnu-build-system)
(inputs `(("groff" ,groff)
("openssl" ,openssl)
- ("zlib" ,zlib)))
+ ("zlib" ,zlib)
+ ("xauth" ,xauth)))
(arguments
`(#:test-target "tests"
#:phases
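Review bot: xauth is added to inputs, but none of the lines shown under arguments tell the build where xauth lives, so the path compiled into ssh depends on OpenSSH's configure script happening to find xauth on its search path at build time. Passing it explicitly with OpenSSH's --with-xauth=PATH configure option, pointing at bin/xauth of this input, would pin the path and make the purpose of the new input visible. A short comment next to ("xauth" ,xauth) saying that it only provides the default XAuthLocation would also help, since the input becomes a run-time reference of the package.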

But
$ ssh -o XAuthLocation=$(which xauth) daya20
works.
Danny Milosavljevic wrote on 28 Apr 2016 07:30
(address . 23317@debbugs.gnu.org)
20160428073041.36eb3e93@scratchpost.org
But

$ ssh -Y -o XAuthLocation=$(which xauth) daya20

works without the patch.

And

$ ssh -Y daya20

works with the patch.

But

$ ssh -X daya20

never works, with or without the patch. Huh.
Ludovic Courtès wrote on 1 Aug 2016 11:51
(name . Danny Milosavljevic)(address . dannym@scratchpost.org)(address . 23317@debbugs.gnu.org)
87eg68u8ai.fsf@gnu.org
Hi!

Danny Milosavljevic <dannym@scratchpost.org> skribis:

> But
>
> $ ssh -Y -o XAuthLocation=$(which xauth) daya20
>
> works without the patch.
>
> And
>
> $ ssh -Y daya20
>
> works with the patch.

I pushed the patch as commit 683a4a34cd4a565cbdb0b46a326e30795657814c.
This increases the closure size of OpenSSH from 89 to 118 MiB (+33%),
but I think it’s a useful addition.

> But
>
> $ ssh -X daya20
>
> never works, with or without the patch. Huh.

I’ve straced “ssh -X”, and it shows that xauth fails like this:

4742 write(2, "/gnu/store/86f0c3h99sl9z4x4w30hfy33i7nv2ik9-xauth-1.0.9/bin/xauth: (argv):1: ", 78) = 78
4742 write(2, "couldn't query Security extension on display \":0.0\"\n", 52) = 52
4742 unlink("/tmp/ssh-FDByknME3mmd/xauthfile-c") = 0
4742 unlink("/tmp/ssh-FDByknME3mmd/xauthfile-l") = 0
4742 umask(022) = 077
4742 exit_group(1) = ?

This is because the SECURITY extension is disabled in our xorg-server
package. We could configure it with --enable-xcsecurity, but upstream
disables it by default and it seems to be deprecated:

https://www.x.org/wiki/Development/Documentation/Security/

Thoughts?

Ludo’.
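
Added example, not part of the thread and not Guix or OpenSSH code: a shell check that separates the three outcomes reported above (unusable xauth path, -Y working, -X failing without the SECURITY extension). It assumes saved output of "ssh -G HOST" and "xdpyinfo" as input; the function name, verdict strings and sample captures are constructed for illustration.

```shell
#!/bin/sh
# Inputs are text captures, so the check runs on saved output as well as live:
#   $1: output of `ssh -G HOST` (add -X or -Y to see their effect)
#   $2: output of `xdpyinfo` for the local display
diagnose_x11_forwarding() {
    cfg=$1; exts=$2
    xauth=$(awk '$1 == "xauthlocation" { print $2 }' "$cfg")
    trusted=$(awk '$1 == "forwardx11trusted" { print $2 }' "$cfg")
    # Case 1 (first message): the effective xauth path is not executable.
    if [ -z "$xauth" ] || [ ! -x "$xauth" ]; then
        echo "xauth-missing:$xauth"; return 0
    fi
    # Case 2: trusted forwarding (-Y) reuses the existing cookie and does
    # not ask the X server to generate an untrusted one.
    if [ "$trusted" = "yes" ]; then
        echo "ok-trusted"; return 0
    fi
    # Case 3: untrusted forwarding (-X) runs "xauth generate ... untrusted",
    # which needs the SECURITY extension on the local X server.
    if grep -qw SECURITY "$exts"; then
        echo "ok-untrusted"
    else
        echo "security-extension-missing"
    fi
}

# Constructed sample captures (not real output from the reporter's host).
demo_dir=$(mktemp -d)
printf '#!/bin/sh\n' > "$demo_dir/xauth"; chmod +x "$demo_dir/xauth"
# Stand-in for a compiled-in default that does not exist on the system.
printf 'forwardx11 yes\nforwardx11trusted no\nxauthlocation %s\n' \
    "$demo_dir/X11R6/bin/xauth" > "$demo_dir/cfg-badpath"
printf 'forwardx11 yes\nforwardx11trusted no\nxauthlocation %s\n' \
    "$demo_dir/xauth" > "$demo_dir/cfg-x"
printf 'forwardx11 yes\nforwardx11trusted yes\nxauthlocation %s\n' \
    "$demo_dir/xauth" > "$demo_dir/cfg-y"
printf 'number of extensions:    3\n    RANDR\n    RENDER\n    XFIXES\n' \
    > "$demo_dir/exts-nosec"
printf 'number of extensions:    2\n    RENDER\n    SECURITY\n' \
    > "$demo_dir/exts-sec"

for c in cfg-badpath cfg-x cfg-y; do
    echo "$c: $(diagnose_x11_forwarding "$demo_dir/$c" "$demo_dir/exts-nosec")"
done
```

On a live system the two inputs would come from "ssh -G -X HOST > cfg" and "xdpyinfo > exts" run on the client side.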
Maxim Cournoyer wrote on 20 Nov 2021 03:05
(name . Ludovic Courtès)(address . ludo@gnu.org)
87y25jeg4y.fsf@gmail.com
Hi,

ludo@gnu.org (Ludovic Courtès) writes:

> Hi!
>
> Danny Milosavljevic <dannym@scratchpost.org> skribis:
>
>> But
>>
>> $ ssh -Y -o XAuthLocation=$(which xauth) daya20
>>
>> works without the patch.
>>
>> And
>>
>> $ ssh -Y daya20
>>
>> works with the patch.
>
> I pushed the patch as commit 683a4a34cd4a565cbdb0b46a326e30795657814c.
> This increases the closure size of OpenSSH from 89 to 118 MiB (+33%),
> but I think it’s a useful addition.
>
>> But
>>
>> $ ssh -X daya20
>>
>> never works, with or without the patch. Huh.
>
> I’ve straced “ssh -X”, and it shows that xauth fails like this:
>
> 4742 write(2, "/gnu/store/86f0c3h99sl9z4x4w30hfy33i7nv2ik9-xauth-1.0.9/bin/xauth: (argv):1: ", 78) = 78
> 4742 write(2, "couldn't query Security extension on display \":0.0\"\n", 52) = 52
> 4742 unlink("/tmp/ssh-FDByknME3mmd/xauthfile-c") = 0
> 4742 unlink("/tmp/ssh-FDByknME3mmd/xauthfile-l") = 0
> 4742 umask(022) = 077
> 4742 exit_group(1) = ?
>
> This is because the SECURITY extension is disabled in our xorg-server
> package. We could configure it with --enable-xcsecurity, but upstream
> disables it by default and it seems to be deprecated:
>
> https://www.x.org/wiki/Development/Documentation/Security/
>
> Thoughts?

It seems to me that while imperfect, these security measures provide
additional security in X11 forwarding context. Also, they are enabled
in Debian [0] and Fedora [1] and many other places, so it seems
reasonable to do so too.

I've added the flag in commit 87b4c66b72 on core-updates-frozen.

Closing!

Maxim

Closed

This issue is archived.

To comment on this conversation send an email to 23317@debbugs.gnu.org
