Status of Bugzilla #1153

Darren Tucker dtucker at zip.com.au
Wed Feb 22 07:22:15 EST 2006


Simon Vallet wrote:
> OK -- we have globally the following setup here : an external ssh
> gateway performing X11 forwarding to the internal network -- as this
> machine is multihomed, a call to gethostname() returns (correctly IMO)
> the short name of the gateway, which is the value used to set DISPLAY
> and to add xauth credentials. 
> 
> When called, xauth (correctly) qualifies the host name to the one which
> resolves to the externally reachable interface of the gateway. DISPLAY,
> however, is still unqualified.
> 
> Once on the gateway, if an external user wants to get an X11 client
> running on an internal machine in an automated way (i.e. without
> connecting to the target machine and manually setting DISPLAY), it will
> use the value of DISPLAY set by OpenSSH, which uses the unqualified
> hostname. When qualifying this hostname, X11 will use the default
> domain, which is the one from the internal network.
> 
> And this is where the problem appears : as xauth credentials
> are set using the FQDN of the external interface of the gateway, any
> internal X11 client will be denied access to the forwarded X11 server.

This seems to be an argument for mimicking what xauth does.

Your patch doesn't do that, though.  It does something different that 
happens to have the same result in your environment.  As others have 
pointed out, that may not be true in other environments.

An alternative would be to retrieve $DISPLAY from xauth after setting 
the cookie, i.e.:

xauth> add foo:12 MIT-MAGIC-COOKIE-1 edc426897f65ac50b9ed7f9789b26063
xauth> list foo:12
foo.example.com:12 MIT-MAGIC-COOKIE-1 edc426897f65ac50b9ed7f9789b26063
xauth>

then have sshd set $DISPLAY to foo.example.com:12 returned by "xauth 
list".  This would remove the need to second-guess what xauth is going 
to do.  (It would also make sshd a bit more sensitive to the output 
format of xauth, though.)

I don't know how this would work with the HACMP situation that Frank 
described.  (We used OpenSSH with X11 on HACMP clusters at a previous 
employer and had no problems, but I can't remember what the name 
resolution setup was.)

-- 
Darren Tucker (dtucker at zip.com.au)
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4  37C9 C982 80C7 8FF4 FA69
     Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.
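The approach sketched above (add the cookie, then read the display name back from "xauth list" rather than guessing how the hostname will be qualified) as an added worked example. This is illustrative code written for this page, not OpenSSH's or xauth's own; the "xauth list" output it parses is constructed, and the helper names (parse_xauth_list, display_from_xauth, choose_display) are hypothetical. It also addresses the caveat in the post: the parser only accepts lines of the expected shape, matches on the cookie value so a stale entry for the same display number is never picked up, and falls back to the plain hostname-based DISPLAY when xauth's output cannot be understood.

```python
"""Derive DISPLAY from `xauth list` output instead of second-guessing xauth.

Added example, not OpenSSH code.  Flow it models:

    xauth add foo:12 MIT-MAGIC-COOKIE-1 <cookie>
    xauth list foo:12      -> "foo.example.com:12 MIT-MAGIC-COOKIE-1 <cookie>"

The display string printed by `xauth list` is the name xauth stored, so
setting DISPLAY to it keeps DISPLAY and the xauth entry in agreement.
"""
import hmac
import re
from dataclasses import dataclass
from typing import List, Optional

# One `xauth list` line: <display> <protocol> <hex cookie>
_ENTRY_RE = re.compile(r"^(?P<display>\S+)\s+(?P<proto>\S+)\s+(?P<cookie>[0-9a-fA-F]+)$")
# <display> is host:number[.screen]; host may be "name", "name/unix" or an address
_DISPLAY_RE = re.compile(r"^(?P<host>[^\s:]+):(?P<num>\d+)(?:\.(?P<screen>\d+))?$")


@dataclass(frozen=True)
class XauthEntry:
    display: str   # exactly as printed by xauth, e.g. "foo.example.com:12"
    host: str
    number: int
    proto: str
    cookie: str    # lower-case hex


def parse_xauth_list(output: str) -> List[XauthEntry]:
    """Parse `xauth list` output; lines that do not match the expected shape are skipped."""
    entries = []
    for raw in output.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = _ENTRY_RE.match(line)
        if m is None:
            continue  # unexpected format: ignore rather than mis-parse
        d = _DISPLAY_RE.match(m.group("display"))
        if d is None:
            continue
        entries.append(XauthEntry(m.group("display"), d.group("host"),
                                  int(d.group("num")), m.group("proto"),
                                  m.group("cookie").lower()))
    return entries


def display_from_xauth(output: str, number: int, proto: str, cookie: str) -> Optional[str]:
    """Return the display string xauth stored for the cookie just added, or None.

    Matching on the cookie value, not only the display number, means a stale
    entry left behind by an earlier session on the same display is never chosen.
    """
    wanted = cookie.lower()
    for e in parse_xauth_list(output):
        if e.number == number and e.proto == proto and hmac.compare_digest(e.cookie, wanted):
            return e.display
    return None


def choose_display(output: str, number: int, proto: str, cookie: str, fallback_host: str) -> str:
    """Prefer xauth's qualified name; fall back to the hostname-based value if it is unusable."""
    found = display_from_xauth(output, number, proto, cookie)
    return found if found is not None else f"{fallback_host}:{number}"


# Constructed sample of `xauth list` output: an unrelated display, a stale entry for :12
# with an old cookie, the freshly added entry, a malformed line, and a local-socket entry.
SAMPLE_XAUTH_LIST = """\
foo.example.com:11  MIT-MAGIC-COOKIE-1  0123456789abcdef0123456789abcdef
foo.example.com:12  MIT-MAGIC-COOKIE-1  deadbeefdeadbeefdeadbeefdeadbeef
foo.example.com:12  MIT-MAGIC-COOKIE-1  edc426897f65ac50b9ed7f9789b26063
garbage line that xauth should never print
foo/unix:12  MIT-MAGIC-COOKIE-1  edc426897f65ac50b9ed7f9789b26063
"""

if __name__ == "__main__":
    cookie = "edc426897f65ac50b9ed7f9789b26063"
    print("DISPLAY =", choose_display(SAMPLE_XAUTH_LIST, 12, "MIT-MAGIC-COOKIE-1", cookie, "foo"))
```

In a real sshd-side helper the output string would come from running the xauth binary with the display that was just added; the parsing and matching stay the same. Because the fallback path is taken whenever the output does not match the expected shape, a change in xauth's print format degrades to today's behaviour instead of producing a wrong DISPLAY.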