openssh: ssh client: xauth path is invalid - "/usr/X11R6/bin/xauth"

Done

Details

3 participants

Danny Milosavljevic
Ludovic Courtès
Maxim Cournoyer

Owner: unassigned

Submitted by: Danny Milosavljevic

Severity: normal

Danny Milosavljevic wrote on 19 Apr 2016 22:39

Recipients:(address . bug-guix@gnu.org)

Message-ID:20160419223929.54f33b36@scratchpost.org

$ ssh -X daya20

Warning: untrusted X11 forwarding setup failed: xauth key data not generated

Because:

$ strings $(which ssh) |grep /xauth

/usr/X11R6/bin/xauth

%s/xauthfile

However,

$ which xauth

/home/dannym/.guix-profile/bin/xauth

Adding the following and rebuilding doesn't help either (for some reason):

Toggle diff (26 lines)diff --git a/gnu/packages/ssh.scm b/gnu/packages/ssh.scm
index b8f107b..d85124b 100644
--- a/gnu/packages/ssh.scm
+++ b/gnu/packages/ssh.scm
@@ -35,6 +35,7 @@
   #:autoload   (gnu packages boost) (boost)
   #:use-module (gnu packages base)
   #:use-module (gnu packages tls)
+  #:use-module (gnu packages xorg)
   #:use-module (gnu packages)
   #:use-module (guix packages)
   #:use-module (guix download)
@@ -131,7 +132,8 @@ a server that supports the SSH-2 protocol.")
    (build-system gnu-build-system)
    (inputs `(("groff" ,groff)
              ("openssl" ,openssl)
-             ("zlib" ,zlib)))
+             ("zlib" ,zlib)
+             ("xauth" ,xauth)))
    (arguments
     `(#:test-target "tests"
       #:phases

But
  $ ssh -o XAuthLocation=$(which xauth) daya20
works.

Danny Milosavljevic wrote on 28 Apr 2016 07:30

Recipients:(address . 23317@debbugs.gnu.org)

Message-ID:20160428073041.36eb3e93@scratchpost.org

But

$ ssh -Y -o XAuthLocation=$(which xauth) daya20

works without the patch.

And

$ ssh -Y daya20

works with the patch.

But

$ ssh -X daya20

never works, with or without the patch. Huh.

Ludovic Courtès wrote on 1 Aug 2016 11:51

Recipients:(name . Danny Milosavljevic)(address . dannym@scratchpost.org)(address . 23317@debbugs.gnu.org)

Message-ID:87eg68u8ai.fsf@gnu.org

Hi!

Danny Milosavljevic <dannym@scratchpost.org> skribis:

Toggle quote (12 lines)> But
>
>   $ ssh -Y -o XAuthLocation=$(which xauth) daya20
>
> works without the patch.
>
> And
>
>   $ ssh -Y daya20
>
> works with the patch.

I pushed the patch as commit 683a4a34cd4a565cbdb0b46a326e30795657814c.

This increases the closure size of OpenSSH from 89 to 118�MiB (+33%),

but I think it’s a useful addition.

Toggle quote (6 lines)

> But

> $ ssh -X daya20

> never works, with or without the patch. Huh.

I’ve straced “ssh -X”, and it shows that xauth fails like this:

Toggle snippet (8 lines)

4742 write(2, "/gnu/store/86f0c3h99sl9z4x4w30hfy33i7nv2ik9-xauth-1.0.9/bin/xauth: (argv):1: ", 78) = 78

4742 write(2, "couldn't query Security extension on display \":0.0\"\n", 52) = 52

4742 unlink("/tmp/ssh-FDByknME3mmd/xauthfile-c") = 0

4742 unlink("/tmp/ssh-FDByknME3mmd/xauthfile-l") = 0

4742 umask(022) = 077

4742 exit_group(1) = ?

This is because the SECURITY extension are disabled in our xorg-server

package. We could configure it with --enable-xcsecurity, but upstream

disables it by default and it seems to be deprecated:

https://www.x.org/wiki/Development/Documentation/Security/

Thoughts?

Ludo’.

Maxim Cournoyer wrote on 20 Nov 2021 03:05

Recipients:(name . Ludovic Courtès)(address . ludo@gnu.org)

Message-ID:87y25jeg4y.fsf@gmail.com

Hi,

ludo@gnu.org (Ludovic Courtès) writes:

Toggle quote (43 lines)> Hi!
>
> Danny Milosavljevic <dannym@scratchpost.org> skribis:
>
>> But
>>
>>   $ ssh -Y -o XAuthLocation=$(which xauth) daya20
>>
>> works without the patch.
>>
>> And
>>
>>   $ ssh -Y daya20
>>
>> works with the patch.
>
> I pushed the patch as commit 683a4a34cd4a565cbdb0b46a326e30795657814c.
> This increases the closure size of OpenSSH from 89 to 118�MiB (+33%),
> but I think it’s a useful addition.
>
>> But
>>
>>   $ ssh -X daya20
>>
>> never works, with or without the patch. Huh.
>
> I’ve straced “ssh -X”, and it shows that xauth fails like this:
>
> 4742  write(2, "/gnu/store/86f0c3h99sl9z4x4w30hfy33i7nv2ik9-xauth-1.0.9/bin/xauth: (argv):1:  ", 78) = 78
> 4742  write(2, "couldn't query Security extension on display \":0.0\"\n", 52) = 52
> 4742  unlink("/tmp/ssh-FDByknME3mmd/xauthfile-c") = 0
> 4742  unlink("/tmp/ssh-FDByknME3mmd/xauthfile-l") = 0
> 4742  umask(022)                        = 077
> 4742  exit_group(1)                     = ?
>
> This is because the SECURITY extension are disabled in our xorg-server
> package.  We could configure it with --enable-xcsecurity, but upstream
> disables it by default and it seems to be deprecated:
>
>   https://www.x.org/wiki/Development/Documentation/Security/
>
> Thoughts?

It seems to me that while imperfect, these security measures provide

additional security in X11 forwarding context. Also, they are enabled

in Debian [0] and Fedora [1] and many other places, so it seems

reasonable to do so too.

I've added the flag in commit 87b4c66b72 on core-updates-frozen.

Closing!

Maxim

[0] https://salsa.debian.org/xorg-team/xserver/xorg-server/-/blob/debian-unstable/debian/rules.flags#L64

[1] https://src.fedoraproject.org/rpms/xorg-x11-server/blob/rawhide/f/xorg-x11-server.spec#_350

Closed

Your comment

This issue is archived.

To comment on this conversation send an email to 23317@debbugs.gnu.org

To respond to this issue using the mumi CLI, first switch to it

mumi current 23317

Then, you may apply the latest patchset in this issue (with sign off)

mumi am -- -s

Or, compose a reply to this issue

mumi compose

Or, send patches to this issue

mumi send-email *.patch

is:open	open issues
is:done	closed issues
submitter:<who>	search issue submitter
author:<who>	search by message author
date:yesterday..now	search by issue date
mdate:3m..2d	search by message date