Tag forwarded X11 connection as remote

Michal Srb msrb at suse.com
Wed Oct 4 18:45:29 AEDT 2017

On Wednesday, 4 October 2017 5:53:15 CEST Damien Miller wrote:
> On Mon, 2 Oct 2017, Michal Srb wrote:
> > SSH only needs to change the first byte sent from X client to server
> > to mark it as remote. SSH already modifies the whole first message
> > (replaces authorization data), so changing the first byte is an easy
> > addition.
> > 
> > I have attached a patch that implements it. Please check it and consider
> > adding it or something similar to openssh.
> Thanks - is this flag fully backwards-compatible? Is there a chance it
> could cause problems on older X11 implementations? IMO most of the people
> using X11 forwarding are likely using it to/from older systems.

It is not fully backward compatible. An older X server that does not understand 
the 'R'/'r' flag will reject the client. The commit that added support for the 
flag is from 2011. It seems that the first time it appeared in a release was in 
version 1.14.0, which was in March 2013.

In addition, the potential incompatibility is only between the SSH client and 
the X server. They are normally both running on the same machine. So in a normal 
scenario an issue would only happen if you installed a pre-1.14.0 X 
server and the newest SSH client *on the same machine*. The remote side where the SSH 
server and X applications run can have any versions; it does not affect them.

I can imagine a situation where SSH-ing to an old machine and from there to a 
new machine could cause an issue. Not sure how important/supported such a 
scenario is.

The situation could possibly be improved by:
* Adding a parameter that disables setting the remote flag.
* Automatically reconnecting without the flag if the X server rejected the connection 
with it.

Michal Srb
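
The tagging and the two mitigations discussed in this message, modelled as an added C example (not code from the attached patch, OpenSSH or the X server). It assumes the standard X11 byte-order bytes 'B' and 'l' become 'R' and 'r'; all function names are hypothetical and the server check is a simplified model.

```c
#include <stddef.h>

#define X11_SETUP_FIXED_LEN 12  /* fixed part of the X11 connection setup request */

/* Tag the byte-order byte as remote: 'B' -> 'R', 'l' -> 'r'.
 * Returns 1 if changed, 0 if left alone, -1 if this is not a setup request. */
int x11_tag_remote(unsigned char *buf, size_t len, int enable)
{
    if (buf == NULL || len < X11_SETUP_FIXED_LEN)
        return -1;
    if (buf[0] == 'R' || buf[0] == 'r')
        return 0;                       /* already tagged */
    if (buf[0] != 'B' && buf[0] != 'l')
        return -1;                      /* not a valid byte-order byte */
    if (!enable)
        return 0;                       /* the "disable" parameter from the mail */
    buf[0] = (buf[0] == 'B') ? 'R' : 'r';
    return 1;
}

/* Restore the plain byte-order byte so the setup can be retried untagged. */
void x11_untag_remote(unsigned char *buf)
{
    if (buf[0] == 'R') buf[0] = 'B';
    else if (buf[0] == 'r') buf[0] = 'l';
}

/* Model of the X server's check: every server accepts 'B'/'l'; only one that
 * knows the flag (1.14.0 and later, per the mail) accepts 'R'/'r'. */
int x_server_accepts(const unsigned char *buf, int knows_remote_flag)
{
    if (buf[0] == 'B' || buf[0] == 'l')
        return 1;
    return knows_remote_flag && (buf[0] == 'R' || buf[0] == 'r');
}

/* Try tagged first, fall back to untagged on rejection.
 * Returns 2 = accepted as remote, 1 = accepted untagged, 0 = rejected. */
int x11_setup_with_fallback(unsigned char *buf, size_t len, int enable, int knows_remote_flag)
{
    if (x11_tag_remote(buf, len, enable) < 0)
        return 0;
    if (x_server_accepts(buf, knows_remote_flag))
        return (buf[0] == 'R' || buf[0] == 'r') ? 2 : 1;
    x11_untag_remote(buf);              /* a real client needs a fresh connection here */
    return x_server_accepts(buf, knows_remote_flag) ? 1 : 0;
}
```

A return value of 1 from `x11_setup_with_fallback` means the X server treats the forwarded client as it does today, without the remote tag.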
