XAUTHORITY=/tmp/ssh-*/cookies makes forwarding through firewall difficult...
Jason Lassaline
jason at oddjob.utias.utoronto.ca
Sat Dec 23 05:32:06 EST 2000
Hi.

I see this XAUTHORITY=/tmp/ssh-*/cookies issue has been discussed
repeatedly, but I haven't seen a solution to the following problem.

Remote user logs into firewall. On firewall, DISPLAY var set to secure
channel, XAUTHORITY set to /tmp/ssh-*/cookies. X11 forwarding from
firewall works fine.

User logs into machine behind firewall, and sets DISPLAY var to
firewall:X11DisplayOffset.0. Xauth fails because neither XAUTHORITY nor
~/.Xauthority are correct. /tmp on firewall is not visible to machines
behind firewall. Problem is independent of broken login scripts that
bash XAUTHORITY.

A workaround I've found that works:

Remote user logs into firewall. On firewall: 'cat $XAUTHORITY >>
~/.Xauthority'. Log into machine behind firewall, & set DISPLAY to
firewall:X11DisplayOffset.0.

Now I understand that setting XAUTHORITY to something local other than
$HOME makes it easier to control XAUTHORITY bashing and cleanup upon
exit. However, as you see by the above there is no way (that I can
find) of getting OpenSSH to put the cookie elsewhere than
/tmp/ssh-*/cookies.

Why not set the cookie to /tmp/ssh-*/cookies & append a copy to
~/.Xauthority? Makes the clean up on exit issue more difficult, but
still possible.

Pls cc: me on replies, I'm not subscribed to this list.

Thanx.

Jason.
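
The workaround and the cleanup-on-exit concern from the message above, as an added example that is not part of the original post and is not OpenSSH code: it copies only the forwarded display's entry with xauth and removes exactly that entry at logout. The function names and the HOME_XAUTH variable are hypothetical, and it assumes ~/.Xauthority on the firewall is the file the inner hosts read.

```sh
#!/bin/sh
# Added example (not from the original post). Run on the firewall host,
# inside the SSH session whose X11 forwarding is to be shared.
# Assumption: $HOME_XAUTH is the file inner hosts read (e.g. a shared home).
HOME_XAUTH="${HOME_XAUTH:-${HOME:-.}/.Xauthority}"

# share_cookie (hypothetical name): copy only the entry for $DISPLAY from
# sshd's per-session cookie file into $HOME_XAUTH.
share_cookie() {
    [ -n "${DISPLAY:-}" ] || { echo "DISPLAY is not set" >&2; return 1; }
    [ -r "${XAUTHORITY:-}" ] || { echo "XAUTHORITY is not readable" >&2; return 1; }
    entry=$(xauth -f "$XAUTHORITY" nlist "$DISPLAY") || return 1
    [ -n "$entry" ] || { echo "no cookie for $DISPLAY" >&2; return 1; }
    # nmerge supersedes an existing entry for the same display instead of
    # appending a duplicate, which is what 'cat >>' would do.
    printf '%s\n' "$entry" | xauth -f "$HOME_XAUTH" nmerge - || return 1
    # Keep the shared cookie file private to its owner.
    chmod 600 "$HOME_XAUTH"
}

# unshare_cookie (hypothetical name): drop the entry again at logout so a
# stale cookie does not stay behind in $HOME_XAUTH.
unshare_cookie() {
    [ -n "${DISPLAY:-}" ] || { echo "DISPLAY is not set" >&2; return 1; }
    xauth -f "$HOME_XAUTH" remove "$DISPLAY"
}

# Stand-alone use: "script share" after login, "script unshare" before logout.
case "${1:-}" in
    share)   share_cookie ;;
    unshare) unshare_cookie ;;
esac
```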