This is the mail archive of the
cygwin
mailing list for the Cygwin project.
Re: X11Forward and xauth problems
- From: Andrew DeFaria <Andrew at DeFaria dot com>
- To: cygwin at cygwin dot com
- Date: Wed, 25 Mar 2015 10:40:00 -0700
- Subject: Re: X11Forward and xauth problems
- Authentication-results: sourceware.org; auth=none
- References: <mepu7q$9dr$1 at ger dot gmane dot org> <55108046 dot 1070206 at dronecode dot org dot uk> <meq0g3$hob$1 at ger dot gmane dot org> <55115B29 dot 8000904 at dronecode dot org dot uk>
On 3/24/2015 5:40 AM, Jon TURNEY wrote:
Firstly, if you don't want these warnings, use ssh -Y.
(By using ssh -X, you are asking for something which the X server can't
give you, hence the warnings. See
http://x.cygwin.com/docs/faq/cygwin-x-faq.html#q-trusted-untrusted-x11-forwarding
for more details)
Yeah but -Y gives me the same thing:
This is similar, but it is not the same.
What I mean by the same thing is that it also fails in the same manner:
Adefaria-lt:ssh -Y cm-app-ldev01
Warning: No xauth data; using fake authentication data for X11 forwarding.
/usr/bin/xauth: unable to link authority file
/home/adefaria/.Xauthority, use /home/adefaria/.Xauthority-n
Cm-app-ldev01:xclock
X11 connection rejected because of wrong authentication.
Error: Can't open display: localhost:11.0
Cm-app-ldev01:
Prediction: This problem probably will end up having something to do
with the permissions and file system that ~/.Xauthority resides on,
which is, I believe, a NetApp. This file system is the file system for
the Linux Home directories (Windows "home" directories are somewhere
else). In an attempt to have a transparently workable environment I set
my Cygwin home directory to access the same directory my Linux servers
use for the home directory - this NetApp. If you need more information
about that then let me know and perhaps tell me how I can get that.
OK, here's an odd sequence that seems to point to the "unable to link
authority file" problem. Adefaria-lt is my Windows 7 laptop -
Cm-app-ldev01 is a Cent OS 6.5
Adefaria-lt:echo $DISPLAY
:0
Adefaria-lt:ssh -X cm-app-ldev01
Warning: No xauth data; using fake authentication data for X11 forwarding.
/usr/bin/xauth: unable to link authority file
/home/adefaria/.Xauthority, use /home/adefaria/.Xauthority-n
Cm-app-ldev01:echo $DISPLAY
localhost:10.0
Cm-app-ldev01:xclock
X11 connection rejected because of wrong authentication.
Error: Can't open display: localhost:10.0
Cm-app-ldev01:rm .Xauthority*
Cm-app-ldev01:exit
logout
Connection to cm-app-ldev01 closed.
Adefaria-lt:ssh -X cm-app-ldev01
Warning: No xauth data; using fake authentication data for X11 forwarding.
/usr/bin/xauth: creating new authority file /home/adefaria/.Xauthority
Cm-app-ldev01:echo $DISPLAY
localhost:10.0
Cm-app-ldev01:xclock
Warning: Missing charsets in String to FontSet conversion
Cm-app-ldev01:exit
logout
Connection to cm-app-ldev01 closed.
Adefaria-lt:ls -l .Xauthority*
-rw------- 1 adefaria Domain Users 74 Mar 25 10:19 .Xauthority
Adefaria-lt:ssh -X cm-app-ldev01
Warning: No xauth data; using fake authentication data for X11 forwarding.
/usr/bin/xauth: unable to link authority file
/home/adefaria/.Xauthority, use /home/adefaria/.Xauthority-n
Cm-app-ldev01:echo $DISPLAY
localhost:10.0
Cm-app-ldev01:xclock
X11 connection rejected because of wrong authentication.
Error: Can't open display: localhost:10.0
Cm-app-ldev01:
As you can see with my current ~/.Xauthority file things don't work. But
if I remove them, the ~/.Xauthority* files one is created at the next
login and everything works fine. Log out and back in however and it
breaks again.
Adefaria-lt:ssh -Y cm-app-ldev01
Warning: No xauth data; using fake authentication data for X11
forwarding.
/usr/bin/xauth: unable to link authority file
/home/adefaria/.Xauthority, use /home/adefaria/.Xauthority-n
Cm-app-ldev01:
I think this last message here is unusual, and is coming from xauth
running on the remote server. Can you you give a few more details on
what OS that is running?
Cent OS 6.5
If you connect using ssh -vv -Y, you should be able to see the xauth
commands that sshd is running, and if those, or some other step in the
connection, is the cause of the delay.
Adefaria-lt:ssh -vv -Y cm-app-ldev01
OpenSSH_6.8p1, OpenSSL 1.0.2a 19 Mar 2015
debug1: Reading configuration data /etc/ssh_config
debug1: /etc/ssh_config line 51: Applying options for *
debug2: ssh_connect: needpriv 0
debug1: Connecting to cm-app-ldev01 [10.252.8.152] port 22.
debug1: Connection established.
debug1: key_load_public: No such file or directory
debug1: identity file /home/adefaria/.ssh/id_rsa type -1
debug1: key_load_public: No such file or directory
debug1: identity file /home/adefaria/.ssh/id_rsa-cert type -1
debug1: identity file /home/adefaria/.ssh/id_dsa type 2
debug1: key_load_public: No such file or directory
debug1: identity file /home/adefaria/.ssh/id_dsa-cert type -1
debug1: key_load_public: No such file or directory
debug1: identity file /home/adefaria/.ssh/id_ecdsa type -1
debug1: key_load_public: No such file or directory
debug1: identity file /home/adefaria/.ssh/id_ecdsa-cert type -1
debug1: key_load_public: No such file or directory
debug1: identity file /home/adefaria/.ssh/id_ed25519 type -1
debug1: key_load_public: No such file or directory
debug1: identity file /home/adefaria/.ssh/id_ed25519-cert type -1
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_6.8
debug1: Remote protocol version 2.0, remote software version OpenSSH_5.3
debug1: match: OpenSSH_5.3 pat OpenSSH_5* compat 0x0c000000
debug2: fd 3 setting O_NONBLOCK
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug2: kex_parse_kexinit:
curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha1,diffie-hellman-group-exchange-sha1,diffie-hellman-group1-sha1
debug2: kex_parse_kexinit:
ssh-rsa-cert-v01@openssh.com,ssh-rsa-cert-v00@openssh.com,ssh-rsa,ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp521-cert-v01@openssh.com,ssh-ed25519-cert-v01@openssh.com,ssh-dss-cert-v01@openssh.com,ssh-dss-cert-v00@openssh.com,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,ssh-ed25519,ssh-dss
debug2: kex_parse_kexinit:
aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com,chacha20-poly1305@openssh.com,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-cbc@lysator.liu.se
debug2: kex_parse_kexinit:
aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com,chacha20-poly1305@openssh.com,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-cbc@lysator.liu.se
debug2: kex_parse_kexinit:
umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1,hmac-md5-etm@openssh.com,hmac-ripemd160-etm@openssh.com,hmac-sha1-96-etm@openssh.com,hmac-md5-96-etm@openssh.com,hmac-md5,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit:
umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1,hmac-md5-etm@openssh.com,hmac-ripemd160-etm@openssh.com,hmac-sha1-96-etm@openssh.com,hmac-md5-96-etm@openssh.com,hmac-md5,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: none,zlib@openssh.com,zlib
debug2: kex_parse_kexinit: none,zlib@openssh.com,zlib
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit: first_kex_follows 0
debug2: kex_parse_kexinit: reserved 0
debug2: kex_parse_kexinit:
diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
debug2: kex_parse_kexinit: ssh-rsa,ssh-dss
debug2: kex_parse_kexinit:
aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-cbc@lysator.liu.se
debug2: kex_parse_kexinit:
aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-cbc@lysator.liu.se
debug2: kex_parse_kexinit:
hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit:
hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: none,zlib@openssh.com
debug2: kex_parse_kexinit: none,zlib@openssh.com
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit: first_kex_follows 0
debug2: kex_parse_kexinit: reserved 0
debug1: kex: server->client aes128-ctr umac-64@openssh.com none
debug1: kex: client->server aes128-ctr umac-64@openssh.com none
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1024<3072<8192) sent
debug1: got SSH2_MSG_KEX_DH_GEX_GROUP
debug2: bits set: 1544/3072
debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
debug1: got SSH2_MSG_KEX_DH_GEX_REPLY
debug1: Server host key: ssh-rsa
SHA256:FM8zkVJ3lA+qEuWC0l+NV1szCmrG+f5czMTo2s6JZZ8
debug1: Host 'cm-app-ldev01' is known and matches the RSA host key.
debug1: Found key in /home/adefaria/.ssh/known_hosts:41
debug2: bits set: 1540/3072
debug2: set_newkeys: mode 1
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug2: set_newkeys: mode 0
debug1: SSH2_MSG_NEWKEYS received
debug1: Roaming not allowed by server
debug1: SSH2_MSG_SERVICE_REQUEST sent
debug2: service_accept: ssh-userauth
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug2: key: /home/adefaria/.ssh/id_rsa (0x0),
debug2: key: /home/adefaria/.ssh/id_dsa (0x60005f0f0),
debug2: key: /home/adefaria/.ssh/id_ecdsa (0x0),
debug2: key: /home/adefaria/.ssh/id_ed25519 (0x0),
debug1: Authentications that can continue:
publickey,gssapi-keyex,gssapi-with-mic,password
debug1: Next authentication method: publickey
debug1: Trying private key: /home/adefaria/.ssh/id_rsa
debug1: Offering DSA public key: /home/adefaria/.ssh/id_dsa
debug2: we sent a publickey packet, wait for reply
debug1: Server accepts key: pkalg ssh-dss blen 435
debug2: input_userauth_pk_ok: fp
SHA256:ZijSNCmYg0tL2z4LIcRGLDS+AF3Ms+8Md93qGF5zHtc
debug1: Authentication succeeded (publickey).
Authenticated to cm-app-ldev01 ([10.252.8.152]:22).
debug1: channel 0: new [client-session]
debug2: channel 0: send open
debug1: Requesting no-more-sessions@openssh.com
debug1: Entering interactive session.
debug2: callback start
debug2: x11_get_proto: /usr/bin/xauth list :0 2>/dev/null
Warning: No xauth data; using fake authentication data for X11 forwarding.
debug1: Requesting X11 forwarding with authentication spoofing.
debug2: channel 0: request x11-req confirm 1
debug2: fd 3 setting TCP_NODELAY
debug2: client_session2_setup: id 0
debug2: channel 0: request pty-req confirm 1
debug2: channel 0: request shell confirm 1
debug2: callback done
debug2: channel 0: open confirm rwindow 0 rmax 32768
debug2: channel_input_status_confirm: type 99 id 0
debug2: X11 forwarding request accepted on channel 0
debug2: channel_input_status_confirm: type 99 id 0
debug2: PTY allocation request accepted on channel 0
debug2: channel 0: rcvd adjust 2097152
debug2: channel_input_status_confirm: type 99 id 0
debug2: shell request accepted on channel 0
/usr/bin/xauth: unable to link authority file
/home/adefaria/.Xauthority, use /home/adefaria/.Xauthority-n
Cm-app-ldev01:
You might also try running those xauth commands in the terminal to
investigate further.
Cm-app-ldev01:xauth list :0
Cm-app-ldev01:echo $?
0
Adefaria-lt:xhost +
access control disabled, clients can connect from any host
Adefaria-lt:ssh cm-app-ldev01
Cm-app-ldev01:export DISPLAY=adefaria-lt:0
Cm-app-ldev01:xclock
Error: Can't open display: adefaria-lt:0
Cm-app-ldev01:
If you want this to work, you will now (since X server 1.17) need to
start the server with the option '-listen tcp'.
Restarted Xwin with -multimonitor and -listen tcp. Now I get:
Sorry for any ambiguity, but you have misunderstood what I wrote.
If you want explicitly setting DISPLAY and allowing access using xhost
to work, you must start the server with the option '-listen tcp'.
Sorry I misunderstood. This works for me and is a work around. But I
wish I could get that xauth thing working correctly.
--
Andrew DeFaria
http://defaria.com
--
Problem reports: http://cygwin.com/problems.html
FAQ: http://cygwin.com/faq/
Documentation: http://cygwin.com/docs.html
Unsubscribe info: http://cygwin.com/ml/#unsubscribe-simple