openssh X11Forwarding problem solution

Klaus Knopper knopper at linuxtag.de
Wed Mar 29 06:58:03 EST 2000


Hi!

Several people noticed problems with openssh Version 1.2.2 through 1.2.3
related to X11 forwarding under Linux. For example:

Magnus Holmberg <pucko at lysator.liu.se> wrote:
> I have just installed openssh-1.2.2p1-1
> on two of my machines and I have one problem.
>
> I have 
> X11Forwarding yes
> in my /etc/ssh/sshd_config
>
> but when I try to ssh to that machine I get this when I try to start rxvt:
>
> [pucko at b202 pucko]$ rxvt
> X11 connection rejected because of wrong authentication.
>
> X connection to b202.ryd.student.liu.se:11.0 broken (explicit kill or
> server shutdown).   [pucko at b202 pucko]$
>
> The strange thing is that it works if I do the same thing as root.
>
> What can be wrong?
>
> /M

I believe the source of the problem is the automatic setup of the
XAUTHORITY environment variable in different distributions
(Mandrake, RedHat, others...) during login. openssh seems to create
its own Xauthority cookie file in /tmp rather than create an entry
in the user's $HOME/.Xauthority (why?). After successful ssh login,
XAUTHORITY points to /tmp/ssh-randomstring/cookies, but the
shell's profiles (/etc/profile.d/xhost.* in Mandrake 7.0) reset
this variable to its default location $HOME/.Xauthority (except
for root, this is why it works in the above context). So, the
valid X11-cookie cannot be found by X11-applications because
XAUTHORITY points to the wrong file.

Two possible workarounds:

a) Developers: How about using $HOME/.Xauthority as default cookie file
instead of /tmp/ssh-something, at least as a configurable option?

b) Sysadmins: Disable the (re-)setting of XAUTHORITY in the shell profiles,
or add [ -z "$XAUTHORITY" ] as condition.

Replies, comments or questions to knopper at linuxtag.de, please, since I'm
not on the openssh-unix-dev mailing list.

Sincerely

	-Klaus Knopper  mailto:knopper at linuxtag.de
	                http://www.linuxtag.de/
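
Workaround b) above as a shell fragment, next to the unconditional reset the post describes. This is an added example, not part of the original message and not any distribution's actual profile script; the function names and the /tmp/ssh-EXAMPLE/cookies path are constructed placeholders.

```sh
#!/bin/sh
# Added illustration; all names and the sample cookie path are constructed.

# Behaviour described in the post: the login profile resets XAUTHORITY
# unconditionally, discarding the value sshd exported for the session.
profile_unguarded() {
    XAUTHORITY="$HOME/.Xauthority"
    export XAUTHORITY
}

# Workaround b): only fall back to the default when nothing has set it yet.
profile_guarded() {
    if [ -z "$XAUTHORITY" ]; then
        XAUTHORITY="$HOME/.Xauthority"
        export XAUTHORITY
    fi
}

# Run a profile fragment in a subshell with a chosen starting XAUTHORITY
# (empty string means "unset") and print the value X11 clients would see.
xauthority_after() {
    fragment=$1
    initial=$2
    (
        if [ -n "$initial" ]; then
            XAUTHORITY=$initial
            export XAUTHORITY
        else
            unset XAUTHORITY
        fi
        "$fragment"
        printf '%s\n' "$XAUTHORITY"
    )
}

# Report whether a fragment keeps an sshd-provided cookie path intact.
check_fragment() {
    ssh_cookie=/tmp/ssh-EXAMPLE/cookies   # constructed placeholder path
    if [ "$(xauthority_after "$1" "$ssh_cookie")" = "$ssh_cookie" ]; then
        echo preserved
    else
        echo clobbered
    fi
}

echo "unguarded profile: $(check_fragment profile_unguarded)"
echo "guarded profile:   $(check_fragment profile_guarded)"
```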




