This is the mail archive of the cygwin mailing list for the Cygwin project.



Re: X11Forward and xauth problems


On 3/26/2015 12:12 PM, Jon TURNEY wrote:
On 25/03/2015 17:40, Andrew DeFaria wrote:
Prediction: This problem probably will end up having something to do
with the permissions and file system that ~/.Xauthority resides on,
which is, I believe, a NetApp. This file system is the file system for
the Linux Home directories (Windows "home" directories are somewhere
else). In an attempt to have a transparently workable environment I set
my Cygwin home directory to access the same directory my Linux servers
use for the home directory - this NetApp. If you need more information
about that then let me know and perhaps tell me how I can get that.

This seems very plausible.

If I am understanding you correctly, ~/.Xauthority is the same file on
the NetApp at both ends.  I think perhaps that is somehow the cause of
the problem.

Yes.


The sequence of actions is something like:

- startx(|win) generates a random cookie and stores it in
~/.serverauth.<pid> and uses that file as the server -auth option
- it also uses 'xauth add' to put that cookie into ~/.Xauthority for the
display (e.g. :0)

I'm not using startx - I just do C:\Cygwin\bin\XWin.exe -multiwindow -listen tcp

Note I don't see a ~/.serverauth. Maybe this file is created just for this purpose and quickly removed?

- ssh reads that cookie out of ~/.Xauthority using 'xauth list' and
sends it to the far end
- sshd tries to store that cookie using xauth for the proxy display (e.g.
:10)

Reading the source of xauth [1], it does try to lock the ~/.Xauthority
file for up to 20 seconds before giving up, which perhaps corresponds to
the delay you see?

Sounds plausible. Is that configurable?

However, the "unable to link authority file .Xauthority, use
.Xauthority-n" message indicates that the working file .Xauthority-n
cannot be renamed as .Xauthority (xauth tries both to hard-link it as
.Xauthority, and to rename it).

After I ssh -X to this system I do see ~/.Xauthority and ~/.Xauthority-n. They are the same size but differ binarily. I can do mv ~/.Xauthority-n ~/.Xauthority without issue. Why can't sshd do that?

Once I rename the file X clients work! From that machine...

So I thought this might be a crude workaround and put this in my .bashrc:

# Hack to fix ~/.Xauthority
if [ -f "$HOME/.Xauthority-n" ]; then
  mv "$HOME/.Xauthority-n" "$HOME/.Xauthority"
  echo "Fixed ~/.Xauthority"
fi

and then thought, "What happens when I ssh into yet another Linux machine that shares this home directory" and when I tried to ssh -X to another machine I got (with a little instrumentation):

Adefaria-lt:id
uid=20393(adefaria) gid=10513(Domain Users) groups=10513(Domain Users),0(root),545(Users)
Adefaria-lt:ssh -X cm-app-lprod01
Warning: untrusted X11 forwarding setup failed: xauth key data not generated
Warning: No xauth data; using fake authentication data for X11 forwarding.
/usr/bin/xauth: unable to link authority file /home/adefaria/.Xauthority, use /home/adefaria/.Xauthority-n
Attempting mv /home/adefaria/.Xauthority-n /home/adefaria/.Xauthority
mv: cannot move `/home/adefaria/.Xauthority-n' to `/home/adefaria/.Xauthority': Permission denied
adefaria
uid=80176(adefaria) gid=701(Domain Users) groups=701(Domain Users),10013(CMAdmins),10014(CMMachines-admin.sec) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
-rw-------. 1 adefaria Domain Users 223 Mar 26 13:25 /home/adefaria/.Xauthority
-rw-------. 1 adefaria Domain Users 223 Mar 26 13:46 /home/adefaria/.Xauthority-n
Cm-app-lprod01:mv .Xauthority-n .Xauthority
Cm-app-lprod01:

So the plot thickens... Why was mv denied permission when I can easily do it once I get a prompt?

Could it be because on Cygwin my uid is 20393 and on Linux it's 80176 (and probably equivalenced by some mapping in the NetApp of 20393 <-> 80176)?

Of course, sshd doesn't understand its helpful advice to use a
different filename, so things don't work out so well. :)

Given that it works the first time, when there is no existing
~/.Xauthority, perhaps the NetApp doesn't permit this file to be renamed
over an existing file, for some reason?

But I did rename it once I got a prompt without a problem.

You can tell startx to use a different file by using the XAUTHORITY env
var, so setting that to something like ~/.Xauthority-$HOSTNAME might be
a workaround. (Some googling on 'Xauthority hostname nfs' might be
informative)

Again, I don't use startx, I simply run XWin directly. In fact the startx command is not found! Setting XAUTHORITY didn't do anything different.

Or editing startx and changing enable_xauth to 0 might also be a
workaround.

Since I don't even have startx, this is not really an option.

I need to read that googling on 'Xauthority hostname nfs'...vi

Any idea why setting ForwardX11 yes and ForwardX11Trusted don't seem to work? I thought it was that setting ForwardX11 yes is equivalent to specifying -X and setting ForwardX11Trusted yes is equivalent to specifying -Y but they are not behaving that way!

Adefaria-lt:echo "ForwardX11 yes" > ~/.ssh/config
Adefaria-lt:ssh cm-db-ldev01 "echo DISPLAY = \'\$DISPLAY\'"
Warning: untrusted X11 forwarding setup failed: xauth key data not generated
Warning: No xauth data; using fake authentication data for X11 forwarding.
X11 forwarding request failed on channel 0
DISPLAY = ''
Adefaria-lt:echo "ForwardX11Trusted yes" > ~/.ssh/config
Adefaria-lt:ssh cm-db-ldev01 "echo DISPLAY = \'\$DISPLAY\'"
DISPLAY = ''
Adefaria-lt:

Also why does this work:

Adefaria-lt:ssh -X cm-app-ldev01 "echo DISPLAY = \'\$DISPLAY\'"
Warning: untrusted X11 forwarding setup failed: xauth key data not generated
Warning: No xauth data; using fake authentication data for X11 forwarding.
DISPLAY = 'localhost:11.0'
Adefaria-lt:

But this fails:

Adefaria-lt:ssh -X cm-db-ldev01 "echo DISPLAY = \'\$DISPLAY\'"
Warning: untrusted X11 forwarding setup failed: xauth key data not generated
Warning: No xauth data; using fake authentication data for X11 forwarding.
X11 forwarding request failed on channel 0
DISPLAY = ''
Adefaria-lt:


I find all of this behavior erratic and unreliable.
--
Andrew DeFaria
http://defaria.com


--
Problem reports:       http://cygwin.com/problems.html
FAQ:                   http://cygwin.com/faq/
Documentation:         http://cygwin.com/docs.html
Unsubscribe info:      http://cygwin.com/ml/#unsubscribe-simple
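
The thread leaves open which file operation the shared NetApp home refuses when xauth updates ~/.Xauthority. As an added diagnostic (not part of the original message and not xauth code), the script below replays the lock, hard-link and rename steps discussed above on scratch files, so it can be run once from Cygwin and once from a Linux login and the results compared. The function names and the `.xauth-probe.<pid>` scratch name are hypothetical, and modelling the lock as an exclusive create plus a hard link, and unlinking the old file before linking, are assumptions about xauth's internals that the thread does not spell out.

```sh
#!/bin/sh
# Added diagnostic; scratch names are constructed, the real ~/.Xauthority is never touched.

# try LABEL CMD...: run CMD, print ok/FAIL, remember any failure in $rc.
try() {
    label=$1; shift
    if "$@" 2>/dev/null; then
        echo "ok    $label"
    else
        echo "FAIL  $label"; rc=1
    fi
}

# excl_create FILE: create FILE only if it does not exist yet (lock-style create).
excl_create() { ( set -C; : > "$1" ); }

# write_file FILE TEXT: write TEXT to FILE with owner-only permissions.
write_file() { ( umask 077; printf '%s\n' "$2" > "$1" ); }

# probe_xauth_fs [DIR]: on scratch files in DIR, replay the steps an authority
# file update needs: lock, write FILE-n, then hard-link or rename it into place.
# Returns 0 only when every step worked.
probe_xauth_fs() {
    dir=${1:-$HOME}
    f="$dir/.xauth-probe.$$"
    rc=0
    echo "probing $dir as uid $(id -u) on $(uname -n)"
    try "exclusive create of lock file"       excl_create "$f-c"
    try "hard link lock file"                 ln "$f-c" "$f-l"
    try "write existing authority file"       write_file "$f" old
    try "write working file (-n)"             write_file "$f-n" new
    try "unlink existing authority file"      rm "$f"
    try "hard link working file into place"   ln "$f-n" "$f"
    try "remove working file"                 rm "$f-n"
    try "write second working file"           write_file "$f-n" newer
    try "rename over existing authority file" mv -f "$f-n" "$f"
    rm -f "$f" "$f-n" "$f-c" "$f-l"
    return "$rc"
}

# When a directory is given on the command line, probe it (e.g. the shared home).
if [ "$#" -gt 0 ]; then probe_xauth_fs "$1"; fi
```

A step that reports FAIL on one side only points at the uid mapping or export options for that client rather than at xauth or sshd.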

