Re: ssh -Y and xauth
- Subject: Re: ssh -Y and xauth
- From: Rich Cook <email@hidden>
- Date: Thu, 16 Feb 2006 14:49:59 -0800
Hi, I'm resending this because it went over the size limit for the
list the first time.
My understanding is that the definition of "trusted" precisely is
configurable on a per-server basis. Very detailed descriptions can
be found here. The bottom line is this is part of the SECURITY
extension to X11:
<http://www.xfree86.org/current/Xserver.1.html> (search for "trusted")
<http://www.xfree86.org/current/security.pdf> (search for "trusted
client")
On Feb 12, 2006, at 1:12 PM, Alley Stoughton wrote:
Hi Rich,
I'm running Tiger. When I use ssh -Y, and then run X clients remotely,
things work fine, but I get a warning:
Warning: No xauth data; using fake authentication data for X11 forwarding.
I can see why ssh would issue it: indeed, there is no .Xauthority file
on my Mac. X11 on Tiger doesn't seem to use X authorization data for local
connections.
Does everyone get this warning message, or do I have ssh configured
incorrectly?
I quickly found this on google. Thanks for asking the question,
btw, it's been bothering me.
<http://mactip.blogspot.com/>
Bottom line:
xauth generate :0 .
fixes the problem. Maybe put it in your .xinitrc? I'm not sure
where this should go. For now, I'm putting it in my .xinitrc.
Yes, I'd seen this, but I'd previously had trouble with it. However
I've now tried
xauth generate :0 . trusted
(the default being untrusted), and this seems to work fine for me.
Another question is just what is "trusted X11 forwarding". The
ssh manual page doesn't say.
Due to security concerns (highlighted by a vulnerability in using SSH
with Trusted X11 Forwarding), OpenSSH (as of version 3.8) now
supports both untrusted (-X) and trusted (-Y) X11 Forwarding. The
difference is what level of permissions the client application has on
the X-server running on the client machine. Untrusted (-X) X11
Forwarding is more secure, but unfortunately most applications do not
support running with less privileges as of yet. So when attempting
to remotely access applications, using Trusted (-Y) X11 Forwarding
will have fewer application problems for the near future.
Yes, but can anyone point me to more information about what "privileges"
X clients are given under the two regimes.
The trusted argument to xauth (see above) makes the xauth entry allow
trusted access to the X server. So it makes sense that when using
ssh -Y one should use xauth with this option.
Out of curiosity, does anyone know why X11 on Mac OS X doesn't
automatically create the .Xauthority file?
Thanks for your help, Rich!
Alley
--
"There's no time to stop for gas, we're already late"-- Karin Donker
--
Rich "wealthychef" Cook
<http://www.pleasantonplayhouse.com/byebyebirdie/>
925-784-3077
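
Added example, not part of the original message: a small shell check that reports whether a host's effective ssh configuration gives untrusted (-X style) or trusted (-Y style) X11 forwarding, and whether an xauth entry exists for a display. The function names and the sample inputs are constructed for illustration; ForwardX11 and ForwardX11Trusted are the ssh_config options behind -X and -Y.

```shell
#!/bin/sh
# Added example (not from the thread). All sample inputs are constructed.

# Classify the X11 forwarding mode from `ssh -G <host>` output on stdin.
# Prints: off | untrusted (like -X) | trusted (like -Y).
x11_forwarding_mode() {
    awk '
        tolower($1) == "forwardx11"        { fwd = tolower($2) }
        tolower($1) == "forwardx11trusted" { trusted = tolower($2) }
        END {
            if (fwd != "yes")          print "off"
            else if (trusted == "yes") print "trusted"
            else                       print "untrusted"
        }'
}

# Succeed if `xauth list` output on stdin has a cookie for display number $1.
# No entry is the situation the thread associates with the
# "No xauth data" warning.
has_xauth_entry() {
    awk -v n="$1" '
        $1 ~ (":" n "$") && NF >= 3 { found = 1 }
        END { exit(found ? 0 : 1) }'
}

# Constructed sample of `ssh -G` output (hypothetical host and user).
SAMPLE_SSH_G='user alley
hostname build01.example.org
forwardx11 yes
forwardx11trusted yes'

# Constructed sample of `xauth list` output (placeholder cookie value).
SAMPLE_XAUTH_LIST='mymac.local/unix:0  MIT-MAGIC-COOKIE-1  00112233445566778899aabbccddeeff'

# Combine both checks into a one-line report for the samples above.
report() {
    mode=$(printf '%s\n' "$SAMPLE_SSH_G" | x11_forwarding_mode)
    if printf '%s\n' "$SAMPLE_XAUTH_LIST" | has_xauth_entry 0; then
        cookie=present
    else
        cookie=missing
    fi
    echo "mode=$mode cookie=$cookie"
}
report
```

On a real system, feed the functions live output instead of the samples: `ssh -G somehost | x11_forwarding_mode` (ssh -G needs OpenSSH 6.8 or later) and `xauth list | has_xauth_entry 0`.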