Hi,

ludo@gnu.org (Ludovic Courtès) writes:

> Hi!
>
> Danny Milosavljevic skribis:
>
>> But
>>
>> $ ssh -Y -o XAuthLocation=$(which xauth) daya20
>>
>> works without the patch.
>>
>> And
>>
>> $ ssh -Y daya20
>>
>> works with the patch.
>
> I pushed the patch as commit 683a4a34cd4a565cbdb0b46a326e30795657814c.
> This increases the closure size of OpenSSH from 89 to 118 MiB (+33%),
> but I think it’s a useful addition.
>
>> But
>>
>> $ ssh -X daya20
>>
>> never works, with or without the patch. Huh.
>
> I’ve straced “ssh -X”, and it shows that xauth fails like this:
>
> 4742 write(2, "/gnu/store/86f0c3h99sl9z4x4w30hfy33i7nv2ik9-xauth-1.0.9/bin/xauth: (argv):1: ", 78) = 78
> 4742 write(2, "couldn't query Security extension on display \":0.0\"\n", 52) = 52
> 4742 unlink("/tmp/ssh-FDByknME3mmd/xauthfile-c") = 0
> 4742 unlink("/tmp/ssh-FDByknME3mmd/xauthfile-l") = 0
> 4742 umask(022) = 077
> 4742 exit_group(1) = ?
>
> This is because the SECURITY extension is disabled in our xorg-server
> package. We could configure it with --enable-xcsecurity, but upstream
> disables it by default and it seems to be deprecated:
>
> https://www.x.org/wiki/Development/Documentation/Security/
>
> Thoughts?

It seems to me that while imperfect, these security measures provide
additional security in the X11 forwarding context. Also, they are enabled
in Debian [0] and Fedora [1] and many other places, so it seems reasonable
to do so too.

I've added the flag in commit 87b4c66b72 on core-updates-frozen.

Closing!

Maxim

[0] https://salsa.debian.org/xorg-team/xserver/xorg-server/-/blob/debian-unstable/debian/rules.flags#L64
[1] https://src.fedoraproject.org/rpms/xorg-x11-server/blob/rawhide/f/xorg-x11-server.spec#_350
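As an added illustration, not code from this thread or from the Guix commit it references, here is how the flag Ludovic mentions can be enabled in a package variant: `ssh -X` (untrusted forwarding) asks xauth for an untrusted cookie, which needs the server-side SECURITY extension, while `ssh -Y` (trusted forwarding) does not. It assumes the `xorg-server` variable from `(gnu packages xorg)`, the `substitute-keyword-arguments` macro from `(guix utils)`, and that the base package passes its configure flags as a quoted S-expression rather than a G-expression.

```scheme
;; Added example (assumed module layout); not the commit referenced above.
;; Builds a variant of xorg-server with the X Security extension compiled
;; in, so "xauth generate ... untrusted" (what "ssh -X" runs) succeeds.
(use-modules (guix packages)
             (guix utils)
             (gnu packages xorg))

(define-public xorg-server-xcsecurity
  (package
    (inherit xorg-server)
    (name "xorg-server-xcsecurity")
    (arguments
     ;; Keep every argument of the base package and only extend the
     ;; configure flags; FLAGS is the base package's quoted flag list
     ;; expression (assumption stated in the lead-in), so we prepend to it.
     (substitute-keyword-arguments (package-arguments xorg-server)
       ((#:configure-flags flags ''())
        `(cons "--enable-xcsecurity" ,flags))))))

;; Return the module's package so "guix build -f this-file.scm" builds it.
xorg-server-xcsecurity
```

After installing this variant as the running X server, the strace line `couldn't query Security extension on display ":0.0"` should no longer appear for `ssh -X`, and `xdpyinfo` should list SECURITY among the extensions.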