Mailing List Archive

X11 Forwarding and Red Hat
I'm having some difficulty with X forwarding through SSH between OpenSSH and
normal ssh. The problem system is running Red Hat 6.2, and I've seen
several references to Red Hat clobbering $XAUTHORITY. Unfortunately, I
can't find where this clobbering is done (someone mentioned on Mandrake 7
it's in /etc/profile.d/, but it isn't here).

It's causing minor problems here, where one development server that I'm in
charge of is using OpenSSH and others (that coworkers are in charge of) are
running regular ssh. Since we do GUI Java development, remote X display is
essential, and X forwarding makes it easier.

Matthew Weigel
Programmer/Sysadmin/Student
weigel+@pitt.edu
Re: X11 Forwarding and Red Hat
On Thu, May 18, 2000 at 11:35:48AM -0400, Matthew C. Weigel wrote:
> I'm having some difficulty with X forwarding through SSH between OpenSSH and
> normal ssh. The problem system is running Red Hat 6.2, and I've seen
> several references to Red Hat clobbering $XAUTHORITY. Unfortunately, I
> can't find where this clobbering is done (someone mentioned on Mandrake 7
> it's in /etc/profile.d/, but it isn't here).

> It's causing minor problems here, where one development server that I'm in
> charge of is using OpenSSH and others (that coworkers are in charge of) are
> running regular ssh. Since we do GUI Java development, remote X display is
> essential, and X forwarding makes it easier.

It might help [a lot] if you were more specific about what the
problems were that you were experiencing and not so much about what you
think is wrong. I'm also having problems with X11 forwarding in OpenSSH
2.1.0 (which I don't THINK occurred in 1.2.3) and it has nothing to
do with $XAUTHORITY. What are the errors that you are experiencing?

Oh... And, BTW, if you are loading OpenSSH 2.1.0, I noticed that
both of the new config files have X forwarding disabled. That was the
first thing I got burned on after upgrading my ssh*_config files.

> Matthew Weigel
> Programmer/Sysadmin/Student
> weigel+@pitt.edu

Mike
--
Michael H. Warfield | (770) 985-6132 | mhw@WittsEnd.com
(The Mad Wizard) | (770) 331-2437 | http://www.wittsend.com/mhw/
NIC whois: MHW9 | An optimist believes we live in the best of all
PGP Key: 0xDF1DD471 | possible worlds. A pessimist is sure of it!
Re: X11 Forwarding and Red Hat
On Thu, May 18, 2000 at 12:02:29PM -0400, Matthew C. Weigel wrote:
> On Thu, 18 May 2000, Michael H. Warfield wrote:

> > On Thu, May 18, 2000 at 11:35:48AM -0400, Matthew C. Weigel wrote:

> > It might help [a lot] if you were more specific about what the
> > problems were that you were experiencing and not so much about what you
> > think is wrong.

> Well, judging from the archives, this is exactly the problem. For your
> perusal:

Ok... Sounds like it, I just couldn't judge from your
earlier message.

> $ ssh -v
> SSH Version OpenSSH-1.2.3, protocol version 1.5.
> Compiled with SSL.

> When connected to the Red Hat 6.2 system (synapse) running OpenSSH from an
> O2 running regular ssh:

> $ xterm
> X11 connection rejected because of wrong authentication at Thu May 18
> 11:59:20 2000.
> a
> Rejected connection at Thu May 18 11:59:20 2000: X11 connection from synapse
> port 3439

> X connection to synapse:10.0 broken (explicit kill or server shutdown).

> > I'm also having problems with X11 forwarding in OpenSSH
> > 2.1.0 (which I don't THINK occurred in 1.2.3) and it has nothing to
> > do with $XAUTHORITY. What are the errors that you are experiencing?

> The error which, it is claimed in the archives, is directly attributable to
> Red Hat clobbering $XAUTHORITY: it is set automatically to
> /home/weigel/.Xauthority when I log in, but sshd sets it to
> /tmp/ssh-randomstring/cookies. I'm not familiar enough with ssh to know why this
> is a problem, but it is.
>
> > Oh... And, BTW, if you are loading OpenSSH 2.1.0, I noticed that
> > both of the new config files have X forwarding disabled. That was the
> > first thing I got burned on after upgrading my ssh*_config files.

> I checked my config files and I'm not running 2.1.0 yet.

Ok... That's what I needed to know!

I've got a pretty vanilla RedHat setup... Here is what I see between
my two systems (Alcove is RedHat 6.1 and Canyon is RedHat 6.2):

[mhw@alcove mhw]$ set | grep XAUTH
XAUTHORITY=/home/mhw/.Xauthority
You have new mail in /var/spool/mail/mhw
[mhw@alcove mhw]$ ssh canyon
Last login: Tue May 16 16:17:38 2000
[mhw@canyon mhw]$ set | grep XAUTH
XAUTHORITY=/tmp/ssh-zZvc2528/cookies
[mhw@canyon mhw]$

Ok... My RedHat 6.2 did NOT clobber my XAUTHORITY variable.
Have you checked your ".profile" and ".bashrc" files? You might also
check /etc/profile and /etc/bashrc files. I don't have anything in any
of those files, but something in there could commit that act of terrorism
on you.

Also, what shell are you using? I'm using sh (bash) and it could
be different if you are using tcsh or ksh (shouldn't be, but might be).
It could influence what startup files are involved.

Unfortunately, the error that I see is NOT the error that you see.
I get this with 2.1.0:

[mhw@canyon mhw]$ xterm
channel 0: istate 4 != open
channel 0: ostate 64 != open
X connection to canyon:10.0 broken (explicit kill or server shutdown).
[mhw@canyon mhw]$

You are right about XAUTHORITY. If that gets screwed (or the
.Xauthority is hosed) then you get the "wrong authentication" that you
see. That was the tidbit (the error message) that I needed to know.

> Matthew Weigel
> Programmer/Sysadmin/Student
> weigel+@pitt.edu

Mike
--
Michael H. Warfield | (770) 985-6132 | mhw@WittsEnd.com
(The Mad Wizard) | (770) 331-2437 | http://www.wittsend.com/mhw/
NIC whois: MHW9 | An optimist believes we live in the best of all
PGP Key: 0xDF1DD471 | possible worlds. A pessimist is sure of it!
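
Added example, not part of the original thread: the startup-file check suggested in the message above, written as a shell function that also covers csh/tcsh syntax and `unset`. The function name, variable name and pattern are assumptions made for illustration.

```sh
#!/bin/sh
# Added example (not from the thread): find startup-file lines that set or
# unset XAUTHORITY and would override the cookie path sshd exported.

# Matches sh/bash "XAUTHORITY=...", "export XAUTHORITY=...", csh/tcsh
# "setenv XAUTHORITY ...", and "unset"/"unsetenv XAUTHORITY".
XAUTH_PAT='(^|[;&|[:space:]])(XAUTHORITY=|(setenv|unset|unsetenv)[[:space:]]+XAUTHORITY([;[:space:]]|$))'

# find_xauthority_overrides FILE...
# Prints "file:line:text" for each non-comment match.
# Returns 0 if at least one override was found, 1 if none.
find_xauthority_overrides() {
    found=1
    for f in "$@"; do
        [ -r "$f" ] || continue   # not every system has every startup file
        # First grep numbers the candidate lines; second drops pure comments.
        hits=$(grep -nE "$XAUTH_PAT" "$f" |
               grep -vE '^[0-9]+:[[:space:]]*#') || continue
        printf '%s\n' "$hits" | while IFS= read -r line; do
            printf '%s:%s\n' "$f" "$line"
        done
        found=0
    done
    return "$found"
}

# Stand-alone use: pass the files to check, e.g.
#   sh check_xauth.sh ~/.profile ~/.bashrc /etc/profile /etc/bashrc /etc/profile.d/*
if [ "$#" -gt 0 ]; then
    find_xauthority_overrides "$@"
fi
```

Run it inside the forwarded session and compare any hit against the `XAUTHORITY` value that `set | grep XAUTH` reports there.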
Re: X11 Forwarding and Red Hat
On Thu, May 18, 2000 at 12:50:35PM -0400, Matthew C. Weigel wrote:

> So, have any idea how to fix it? Would upgrading to 2.1.0 fix it, or just
> give me your problem <g>?

Right at the moment, I've confirmed that the problem still exists
with 2.1.0p1 and, using a verbose mode connection, it seems to be something
weird in the authentication protocol... Here's what I get when I connect
with ssh -v and then run xterm:

] [mhw@canyon mhw]$ xterm
] debug: Received X11 open request.
] debug: fd 6 setting O_NONBLOCK
] debug: channel 0: new [X11 connection from canyon port 1055]
] debug: X11 connection uses different authentication protocol.
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
What the hell is this?
] debug: X11 rejected 0 i1/o16
] debug: channel 0: read failed
] debug: channel 0: input open -> drain
] debug: channel 0: close_read
] debug: channel 0: input: no drain shortcut
] debug: channel 0: ibuf empty
] debug: channel 0: input drain -> wait_oclose
] debug: channel 0: send ieof
] debug: channel 0: write failed
] debug: channel 0: output open -> wait_ieof
] debug: channel 0: send oclose
] debug: channel 0: close_write
] debug: X11 closed 0 i4/o64
] debug: channel 0: rcvd ieof
] debug: channel 0: non-open
] channel 0: istate 4 != open
] channel 0: ostate 64 != open
] debug: channel 0: rcvd oclose
] debug: channel 0: input wait_oclose -> closed
] X connection to canyon:10.0 broken (explicit kill or server shutdown).

So to answer your question? I don't know. I'm afraid that it
would just give you my problem (but it would confirm that it's not
a cockpit error on my part :-) ).

> Matthew Weigel
> Programmer/Sysadmin/Student
> weigel+@pitt.edu

Mike
--
Michael H. Warfield | (770) 985-6132 | mhw@WittsEnd.com
(The Mad Wizard) | (770) 331-2437 | http://www.wittsend.com/mhw/
NIC whois: MHW9 | An optimist believes we live in the best of all
PGP Key: 0xDF1DD471 | possible worlds. A pessimist is sure of it!
Re: X11 Forwarding and Red Hat
On Thu, 18 May 2000, Michael H. Warfield wrote:

> On Thu, May 18, 2000 at 11:35:48AM -0400, Matthew C. Weigel wrote:

> It might help [a lot] if you were more specific about what the
> problems were that you were experiencing and not so much about what you
> think is wrong.

Well, judging from the archives, this is exactly the problem. For your
perusal:

$ ssh -v
SSH Version OpenSSH-1.2.3, protocol version 1.5.
Compiled with SSL.

When connected to the Red Hat 6.2 system (synapse) running OpenSSH from an
O2 running regular ssh:

$ xterm
X11 connection rejected because of wrong authentication at Thu May 18
11:59:20 2000.
a
Rejected connection at Thu May 18 11:59:20 2000: X11 connection from synapse
port 3439

X connection to synapse:10.0 broken (explicit kill or server shutdown).

> I'm also having problems with X11 forwarding in OpenSSH
> 2.1.0 (which I don't THINK occurred in 1.2.3) and it has nothing to
> do with $XAUTHORITY. What are the errors that you are experiencing?

The error which, it is claimed in the archives, is directly attributable to
Red Hat clobbering $XAUTHORITY: it is set automatically to
/home/weigel/.Xauthority when I log in, but sshd sets it to
/tmp/ssh-randomstring/cookies. I'm not familiar enough with ssh to know why this
is a problem, but it is.

> Oh... And, BTW, if you are loading OpenSSH 2.1.0, I noticed that
> both of the new config files have X forwarding disabled. That was the
> first thing I got burned on after upgrading my ssh*_config files.

I checked my config files and I'm not running 2.1.0 yet.

Matthew Weigel
Programmer/Sysadmin/Student
weigel+@pitt.edu
Re: X11 Forwarding and Red Hat
On Thu, 18 May 2000, Michael H. Warfield wrote:

> I've got a pretty vanilla RedHat setup... Here is what I see between
> my two systems (Alcove is RedHat 6.1 and Canyon is RedHat 6.2):
>
> [mhw@alcove mhw]$ set | grep XAUTH
> XAUTHORITY=/home/mhw/.Xauthority
> You have new mail in /var/spool/mail/mhw
> [mhw@alcove mhw]$ ssh canyon
> Last login: Tue May 16 16:17:38 2000
> [mhw@canyon mhw]$ set | grep XAUTH
> XAUTHORITY=/tmp/ssh-zZvc2528/cookies
> [mhw@canyon mhw]$
>
> Ok... My RedHat 6.2 did NOT clobber my XAUTHORITY variable.
> Have you checked your ".profile" and ".bashrc" files? You might also
> check /etc/profile and /etc/bashrc files. I don't have anything in any
> of those files, but something in there could commit that act of terrorism
> on you.

No settings in my login scripts. Hmmm... Actually, it would appear mine
isn't being clobbered either... I could have sworn it was yesterday.

The problem is still there, but $XAUTHORITY seems correct when I ssh in.

> You are right about XAUTHORITY. If that gets screwed (or the
> .Xauthority is hosed) then you get the "wrong authentication" that you
> see. That was the tidbit (the error message) that I needed to know.

So, have any idea how to fix it? Would upgrading to 2.1.0 fix it, or just
give me your problem <g>?

Matthew Weigel
Programmer/Sysadmin/Student
weigel+@pitt.edu
Re: X11 Forwarding and Red Hat
On Thu, May 18, 2000 at 09:28:05PM +0200, Markus Friedl wrote:
> does this help?

Yes... That appears to fix my problem.

> Index: session.c
> ===================================================================
> RCS file: /home/markus/cvs/ssh/session.c,v
> retrieving revision 1.12
> diff -u -r1.12 session.c
> --- session.c 2000/05/03 18:03:07 1.12
> +++ session.c 2000/05/18 19:18:53
> @@ -949,13 +953,20 @@
> else {
> /* Add authority data to .Xauthority if appropriate. */
> if (auth_proto != NULL && auth_data != NULL) {
> - if (debug_flag)
> + char *screen = strchr(display, ':');
> + if (debug_flag) {
> fprintf(stderr, "Running %.100s add %.100s %.100s %.100s\n",
> - XAUTH_PATH, display, auth_proto, auth_data);
> -
> + XAUTH_PATH, display, auth_proto, auth_data);
> + if (screen != NULL)
> + fprintf(stderr, "Adding %.*s/unix%s %s %s\n",
> + screen-display, display, screen, auth_proto, auth_data);
> + }
> f = popen(XAUTH_PATH " -q -", "w");
> if (f) {
> fprintf(f, "add %s %s %s\n", display, auth_proto, auth_data);
> + if (screen != NULL)
> + fprintf(f, "add %.*s/unix%s %s %s\n",
> + screen-display, display, screen, auth_proto, auth_data);
> pclose(f);
> } else
> fprintf(stderr, "Could not run %s -q -\n", XAUTH_PATH);
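
Review bot: in both added fprintf calls that use %.*s, the precision argument screen-display is a pointer difference, but %.*s requires an int; where the two types differ in size the remaining arguments are read incorrectly. Cast it explicitly, e.g. (int)(screen - display), in the debug line and in the line written to xauth.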

--
Michael H. Warfield | (770) 985-6132 | mhw@WittsEnd.com
(The Mad Wizard) | (770) 331-2437 | http://www.wittsend.com/mhw/
NIC whois: MHW9 | An optimist believes we live in the best of all
PGP Key: 0xDF1DD471 | possible worlds. A pessimist is sure of it!
Re: X11 Forwarding and Red Hat
does this help?

Index: session.c
===================================================================
RCS file: /home/markus/cvs/ssh/session.c,v
retrieving revision 1.12
diff -u -r1.12 session.c
--- session.c 2000/05/03 18:03:07 1.12
+++ session.c 2000/05/18 19:18:53
@@ -949,13 +953,20 @@
else {
/* Add authority data to .Xauthority if appropriate. */
if (auth_proto != NULL && auth_data != NULL) {
- if (debug_flag)
+ char *screen = strchr(display, ':');
+ if (debug_flag) {
fprintf(stderr, "Running %.100s add %.100s %.100s %.100s\n",
- XAUTH_PATH, display, auth_proto, auth_data);
-
+ XAUTH_PATH, display, auth_proto, auth_data);
+ if (screen != NULL)
+ fprintf(stderr, "Adding %.*s/unix%s %s %s\n",
+ screen-display, display, screen, auth_proto, auth_data);
+ }
f = popen(XAUTH_PATH " -q -", "w");
if (f) {
fprintf(f, "add %s %s %s\n", display, auth_proto, auth_data);
+ if (screen != NULL)
+ fprintf(f, "add %.*s/unix%s %s %s\n",
+ screen-display, display, screen, auth_proto, auth_data);
pclose(f);
} else
fprintf(stderr, "Could not run %s -q -\n", XAUTH_PATH);
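
Review bot: the added fprintf(f, "add %.*s/unix%s %s %s\n", ...) feeds display, auth_proto and auth_data into xauth's command stream a second time with no check on their contents, so a space or newline in any of them changes how xauth parses the input. Validate the three strings against the characters expected before the popen(), and check the pclose() return value so that a failed add is reported instead of passing silently.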
Re: X11 Forwarding and Red Hat
I just got around to upgrading to 2.1.0p2-1, and X11 forwarding is working
great. Thanks all.

On Thu, 18 May 2000, Markus Friedl wrote:

> does this help?
>
> Index: session.c
> ===================================================================
> RCS file: /home/markus/cvs/ssh/session.c,v
> retrieving revision 1.12
> diff -u -r1.12 session.c
> --- session.c 2000/05/03 18:03:07 1.12
> +++ session.c 2000/05/18 19:18:53
> @@ -949,13 +953,20 @@
> else {
> /* Add authority data to .Xauthority if appropriate. */
> if (auth_proto != NULL && auth_data != NULL) {
> - if (debug_flag)
> + char *screen = strchr(display, ':');
> + if (debug_flag) {
> fprintf(stderr, "Running %.100s add %.100s %.100s %.100s\n",
> - XAUTH_PATH, display, auth_proto, auth_data);
> -
> + XAUTH_PATH, display, auth_proto, auth_data);
> + if (screen != NULL)
> + fprintf(stderr, "Adding %.*s/unix%s %s %s\n",
> + screen-display, display, screen, auth_proto, auth_data);
> + }
> f = popen(XAUTH_PATH " -q -", "w");
> if (f) {
> fprintf(f, "add %s %s %s\n", display, auth_proto, auth_data);
> + if (screen != NULL)
> + fprintf(f, "add %.*s/unix%s %s %s\n",
> + screen-display, display, screen, auth_proto, auth_data);
> pclose(f);
> } else
> fprintf(stderr, "Could not run %s -q -\n", XAUTH_PATH);
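
Review bot: the new debug fprintf(stderr, "Adding %.*s/unix%s %s %s\n", ...) prints auth_data in full, so the X authority data lands wherever stderr is captured, and unlike the existing "Running ..." message it has no %.100s bounds on its fields. Suggest leaving auth_data out of the debug message and bounding the remaining fields the same way as the line above it.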
>

Matthew Weigel
Programmer/Sysadmin/Student
weigel+@pitt.edu