openssh: ssh client: xauth path is invalid - "/usr/X11R6/bin/xauth"

  • Done
Details
3 participants
  • Danny Milosavljevic
  • Ludovic Courtès
  • Maxim Cournoyer
Owner
unassigned
Submitted by
Danny Milosavljevic
Severity
normal
Danny Milosavljevic wrote on 19 Apr 2016 22:39
(address . bug-guix@gnu.org)
20160419223929.54f33b36@scratchpost.org
$ ssh -X daya20
Warning: untrusted X11 forwarding setup failed: xauth key data not generated

Because:

$ strings $(which ssh) |grep /xauth
/usr/X11R6/bin/xauth
%s/xauthfile

However,

$ which xauth
/home/dannym/.guix-profile/bin/xauth

Adding the following and rebuilding doesn't help either (for some reason):
diff --git a/gnu/packages/ssh.scm b/gnu/packages/ssh.scm
index b8f107b..d85124b 100644
--- a/gnu/packages/ssh.scm
+++ b/gnu/packages/ssh.scm
@@ -35,6 +35,7 @@
#:autoload (gnu packages boost) (boost)
#:use-module (gnu packages base)
#:use-module (gnu packages tls)
+ #:use-module (gnu packages xorg)
#:use-module (gnu packages)
#:use-module (guix packages)
#:use-module (guix download)
@@ -131,7 +132,8 @@ a server that supports the SSH-2 protocol.")
(build-system gnu-build-system)
(inputs `(("groff" ,groff)
("openssl" ,openssl)
- ("zlib" ,zlib)))
+ ("zlib" ,zlib)
+ ("xauth" ,xauth)))
(arguments
`(#:test-target "tests"
#:phases
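Review bot: adding `("xauth" ,xauth)` to `inputs` only changes the embedded path if OpenSSH's configure script finds the `xauth` binary on the build-time PATH; if it does not, the built `ssh` silently keeps the hardcoded `/usr/X11R6/bin/xauth` default seen in the `strings` output above. Passing the path explicitly, e.g. `#:configure-flags (list (string-append "--with-xauth=" (assoc-ref %build-inputs "xauth") "/bin/xauth"))` under `arguments`, makes the result deterministic, and re-running `strings $(which ssh) | grep /xauth` after the rebuild confirms which path was actually embedded.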

But
$ ssh -o XAuthLocation=$(which xauth) daya20
works.
Danny Milosavljevic wrote on 28 Apr 2016 07:30
(address . 23317@debbugs.gnu.org)
20160428073041.36eb3e93@scratchpost.org
But

$ ssh -Y -o XAuthLocation=$(which xauth) daya20

works without the patch.

And

$ ssh -Y daya20

works with the patch.

But

$ ssh -X daya20

never works, with or without the patch. Huh.
Ludovic Courtès wrote on 1 Aug 2016 11:51
(name . Danny Milosavljevic)(address . dannym@scratchpost.org)(address . 23317@debbugs.gnu.org)
87eg68u8ai.fsf@gnu.org
Hi!

Danny Milosavljevic <dannym@scratchpost.org> skribis:

> But
>
> $ ssh -Y -o XAuthLocation=$(which xauth) daya20
>
> works without the patch.
>
> And
>
> $ ssh -Y daya20
>
> works with the patch.

I pushed the patch as commit 683a4a34cd4a565cbdb0b46a326e30795657814c.
This increases the closure size of OpenSSH from 89 to 118 MiB (+33%),
but I think it’s a useful addition.

> But
>
> $ ssh -X daya20
>
> never works, with or without the patch. Huh.

I’ve straced “ssh -X”, and it shows that xauth fails like this:

4742 write(2, "/gnu/store/86f0c3h99sl9z4x4w30hfy33i7nv2ik9-xauth-1.0.9/bin/xauth: (argv):1: ", 78) = 78
4742 write(2, "couldn't query Security extension on display \":0.0\"\n", 52) = 52
4742 unlink("/tmp/ssh-FDByknME3mmd/xauthfile-c") = 0
4742 unlink("/tmp/ssh-FDByknME3mmd/xauthfile-l") = 0
4742 umask(022) = 077
4742 exit_group(1) = ?

This is because the SECURITY extension is disabled in our xorg-server
package. We could configure it with --enable-xcsecurity, but upstream
disables it by default and it seems to be deprecated:

https://www.x.org/wiki/Development/Documentation/Security/

Thoughts?

Ludo’.
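As an added example (not code from this bug report, from OpenSSH or from Guix), the following POSIX shell script turns the two diagnoses made in this thread into repeatable checks: it extracts the XAuthLocation compiled into an ssh binary the way `strings $(which ssh) | grep /xauth` did in the first message, reports whether that path actually exists, and maps the xauth error captured by strace in the message above to its cause. The function names, the constructed sample "binary" and the `/nonexistent-x11r6` path are this example's own; it assumes `tr`, `grep -a`, `mktemp` and `command -v` are available.

```shell
#!/bin/sh
# Added diagnostic for the two failure modes discussed in this bug:
#  1. ssh(1) was built with a default XAuthLocation that does not exist on
#     this system (the "/usr/X11R6/bin/xauth" seen in `strings $(which ssh)`).
#  2. xauth itself fails because the X server has no SECURITY extension
#     ("couldn't query Security extension"); this only bites untrusted
#     forwarding (ssh -X), since trusted forwarding (ssh -Y) skips that step.
# Function names and sample data are this example's own, not OpenSSH's or Guix's.

# Print the xauth path compiled into an ssh binary, or nothing if none is found.
embedded_xauth_path() {
    # NUL-separated strings -> one per line (what strings(1) effectively does);
    # the trailing "/xauth$" anchor skips the unrelated "%s/xauthfile" template.
    tr '\0' '\n' < "$1" | grep -a -o '/[^[:space:]]*/xauth$' | head -n 1
}

# Classify the embedded path: "ok" (exists, executable), "missing", or "none".
xauth_status() {
    embedded=$(embedded_xauth_path "$1")
    if [ -z "$embedded" ]; then
        echo none
    elif [ -x "$embedded" ]; then
        echo ok
    else
        echo missing
    fi
}

# Map an xauth/ssh error line to a cause; the strings are the ones seen above.
classify_xauth_error() {
    case "$1" in
        *"couldn't query Security extension"*)
            # ssh -X has xauth generate an *untrusted* cookie, which needs the
            # X SECURITY extension (xorg-server built with --enable-xcsecurity).
            # Falling back to -Y gives the remote side full access to the local
            # display, i.e. it trades away the isolation -X was meant to give.
            echo security-extension-disabled ;;
        *"xauth key data not generated"*)
            # xauth could not be run or failed: check xauth_status first.
            echo xauth-failed ;;
        *)
            echo unknown ;;
    esac
}

# Human-readable report for one ssh binary.
diagnose_ssh_binary() {
    bin="$1"
    status=$(xauth_status "$bin")
    echo "$bin: embedded XAuthLocation='$(embedded_xauth_path "$bin")' ($status)"
    case "$status" in
        missing)
            onpath=$(command -v xauth 2>/dev/null || true)
            echo "  X11 forwarding will fail with 'xauth key data not generated'"
            if [ -n "$onpath" ]; then
                echo "  workaround: ssh -o XAuthLocation=$onpath HOST"
            fi
            echo "  fix: rebuild ssh with xauth available (or --with-xauth=PATH)" ;;
        none)
            echo "  no xauth path found; is this really an ssh binary?" ;;
    esac
}

# Demo on a constructed stand-in for a mis-built ssh binary (not a real ssh).
sample=$(mktemp)
printf 'OpenSSH\0/usr/X11R6/bin/xauth\0%%s/xauthfile\0' > "$sample"
diagnose_ssh_binary "$sample"
rm -f "$sample"
classify_xauth_error "xauth: (argv):1: couldn't query Security extension on display \":0.0\""
```

Run `diagnose_ssh_binary "$(command -v ssh)"` against a real client to see which path it will execute before any `-X` or `-Y` session is attempted; a "missing" result is exactly the situation the first message describes, and `classify_xauth_error` applied to the client's stderr separates that case from the server-side SECURITY extension problem.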
Maxim Cournoyer wrote on 20 Nov 2021 03:05
(name . Ludovic Courtès)(address . ludo@gnu.org)
87y25jeg4y.fsf@gmail.com
Hi,

ludo@gnu.org (Ludovic Courtès) writes:

> Hi!
>
> Danny Milosavljevic <dannym@scratchpost.org> skribis:
>
>> But
>>
>> $ ssh -Y -o XAuthLocation=$(which xauth) daya20
>>
>> works without the patch.
>>
>> And
>>
>> $ ssh -Y daya20
>>
>> works with the patch.
>
> I pushed the patch as commit 683a4a34cd4a565cbdb0b46a326e30795657814c.
> This increases the closure size of OpenSSH from 89 to 118 MiB (+33%),
> but I think it’s a useful addition.
>
>> But
>>
>> $ ssh -X daya20
>>
>> never works, with or without the patch. Huh.
>
> I’ve straced “ssh -X”, and it shows that xauth fails like this:
>
> 4742 write(2, "/gnu/store/86f0c3h99sl9z4x4w30hfy33i7nv2ik9-xauth-1.0.9/bin/xauth: (argv):1: ", 78) = 78
> 4742 write(2, "couldn't query Security extension on display \":0.0\"\n", 52) = 52
> 4742 unlink("/tmp/ssh-FDByknME3mmd/xauthfile-c") = 0
> 4742 unlink("/tmp/ssh-FDByknME3mmd/xauthfile-l") = 0
> 4742 umask(022) = 077
> 4742 exit_group(1) = ?
>
> This is because the SECURITY extension are disabled in our xorg-server
> package. We could configure it with --enable-xcsecurity, but upstream
> disables it by default and it seems to be deprecated:
>
> https://www.x.org/wiki/Development/Documentation/Security/
>
> Thoughts?

It seems to me that, while imperfect, these security measures provide
additional security in an X11 forwarding context. Also, they are enabled
in Debian [0] and Fedora [1] and many other places, so it seems
reasonable to do so too.

I've added the flag in commit 87b4c66b72 on core-updates-frozen.

Closing!

Maxim

Closed