gnuclient X11 & openssh

Jan Vroonhof vroonhof at math.ethz.ch
Mon Nov 29 05:16:29 EST 1999


The following message is a courtesy copy of an article
that has been posted to comp.emacs.xemacs as well.


[This message has been CC'ed to the OpenSSH list in a plea to at least
 consider supporting more advanced usages of Xauth]

Chris Green <sprout at dok.org> writes:

> It's not configurable behavior. It always generates a new random file
> in /tmp.

Then they should probably change that so that the user can specify a
file to use. I need several programs to
cooperate so I need a fairly central repository of cookies. It doesn't
help if everybody starts using their own files for that.

> possible cookies, or some unnamed solution.  If gnuclient passes the
> credentials back to XEmacs via a unix socket everything is happy.  My
> solution doesn't work if gnuclient is being launched and expecting to
> connect to XEmacs over an unencrypted tcp socket between machines.

The problem is that gnuclient possibly uses tcp sockets to connect to
the local machine too. Figuring out reliably whether an address is local
is something I would rather not get into.

> > Does openssh at the very least copy the other cookies from the old
> > authority file, so that gnuclient's own auth cookie will be found?
> 
> I'm not sure I follow here.  The other DISPLAY's Xauth stuff is in its
> own independent file and I don't believe there is any way for openssh to
> find out what the user's main XAUTHORITY is.  They've designed openssh
> to be used in conjunction with local displays that also keep local
> cookies.  I think the gnuclient / XEmacs communication is the only way
> one display can find out about the other.

The problem here is that gnuclient itself also uses Xauth cookies to
authenticate remote links. (It works by looking up the cookie for
server-address:99). Consider the following scenario (which I use all
the time)

Open ssh tunnel from machine H to a machine A on the other network.
Use gnuclient on A to tell an XEmacs running on B to connect to the
  A:10 fake display.

For that, gnuclient first needs the B:99 cookie to connect to gnuserver;
however, it cannot find it because the cookie is actually in
~/.Xauthority. It is no use trying to pass the A:10 cookie in the
gnuserv session when you cannot connect to gnuserv in the first place.


Jan
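
The lookup failure described in the message above, as an added example (not part of the original message, and not gnuclient or OpenSSH code): it parses the standard Xauthority record layout and shows that a B:99 lookup fails against the per-session file alone but succeeds once ~/.Xauthority is also searched. The host names A and B stored as FamilyLocal entries, both cookie values, and the simplified matching rule are assumptions made for the illustration.

```python
import struct

FAMILY_LOCAL, FAMILY_WILD = 256, 0xFFFF  # values from X11's Xauth.h
FIELDS = ("address", "number", "name", "data")

def pack_entry(family, address, number, name, data):
    """One record: big-endian uint16 family, then four length-prefixed fields."""
    out = struct.pack(">H", family)
    for field in (address, number, name, data):
        out += struct.pack(">H", len(field)) + field
    return out

def parse_authority(blob):
    """Parse the raw bytes of an authority file into a list of dicts."""
    entries, pos = [], 0
    while pos < len(blob):
        try:
            (family,) = struct.unpack_from(">H", blob, pos)
            pos += 2
            entry = {"family": family}
            for key in FIELDS:
                (size,) = struct.unpack_from(">H", blob, pos)
                pos += 2
                if pos + size > len(blob):
                    raise ValueError("truncated authority record")
                entry[key] = blob[pos:pos + size]
                pos += size
        except struct.error:
            raise ValueError("truncated authority record") from None
        entries.append(entry)
    return entries

def lookup(files, address, number, family=FAMILY_LOCAL):
    """Return (label, entry) from the first file holding a cookie for
    address:number, or None. Matching is simplified to family, address, number."""
    for label, blob in files:
        for e in parse_authority(blob):
            same_host = e["family"] == FAMILY_WILD or (
                e["family"] == family and e["address"] == address)
            if same_host and e["number"] == number:
                return label, e
    return None

# Constructed sample data: host names A and B and both cookie values are made up.
SSH_TMP = pack_entry(FAMILY_LOCAL, b"A", b"10", b"MIT-MAGIC-COOKIE-1", bytes(range(16)))
HOME = pack_entry(FAMILY_LOCAL, b"B", b"99", b"MIT-MAGIC-COOKIE-1", bytes(range(16, 32)))

if __name__ == "__main__":
    print(lookup([("ssh temp file", SSH_TMP)], b"B", b"99"))  # only the session file
    print(lookup([("ssh temp file", SSH_TMP), ("~/.Xauthority", HOME)], b"B", b"99")[0])
```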





More information about the openssh-unix-dev mailing list