Jason Lassaline
2000-Dec-22 18:32 UTC
XAUTHORITY=/tmp/ssh-*/cookies makes forwarding through firewall difficult...
Hi. I see this XAUTHORITY=/tmp/ssh-*/cookies issue has been discussed repeatedly, but I haven't seen a solution to the following problem.

Remote user logs into firewall. On firewall, DISPLAY var set to secure channel, XAUTHORITY set to /tmp/ssh-*/cookies. X11 forwarding from firewall works fine. User logs into machine behind firewall, and sets DISPLAY var to firewall:X11DisplayOffset.0. Xauth fails because neither XAUTHORITY nor ~/.Xauthority are correct. /tmp on firewall is not visible to machines behind firewall. Problem is independent of broken login scripts that bash XAUTHORITY.

A workaround I've found that works:
Remote user logs into firewall. On firewall: 'cat $XAUTHORITY >> ~/.Xauthority'. Log into machine behind firewall, & set DISPLAY to firewall:X11DisplayOffset.0.

Now I understand that setting XAUTHORITY to something local other than $HOME makes it easier to control XAUTHORITY bashing and cleanup upon exit. However, as you see by the above, there is no way (that I can find) of getting OpenSSH to put the cookie elsewhere than /tmp/ssh-*/cookies.

Why not set the cookie to /tmp/ssh-*/cookies & append a copy to ~/.Xauthority? Makes the clean up on exit issue more difficult, but still possible.

Pls cc: me on replies; I'm not subscribed to this list.

Thanx.
Jason.
Richard E. Silverman
2000-Dec-24 03:24 UTC
XAUTHORITY=/tmp/ssh-*/cookies makes forwarding through firewall difficult...
On Fri, 22 Dec 2000, Jason Lassaline wrote:

> A workaround I've found that works:
> Remote user logs into firewall. On firewall: 'cat $XAUTHORITY >>
> ~/.Xauthority'. Log into machine behind firewall, & set DISPLAY to
> firewall:X11DisplayOffset.0.

This appears to imply that your accounts on the firewall box and on the "machine behind firewall" are sharing a home directory via NFS. It strikes me as a rather odd arrangement. In any event, if that's so, then you are sending your proxy display key in the clear over your private network when you do this copy.

> Why not set the cookie to /tmp/ssh-*/cookies & append a copy to
> ~/.Xauthority? Makes the clean up on exit issue more difficult, but
> still possible.

Because the point of putting it under /tmp is to avoid the problem I just mentioned. Just copy your proxy display key over the secure connection. You can do this via cut-and-paste with "xauth add", or like this as a separate command:

    firewall% xauth extract - $DISPLAY | ssh other-box xauth merge -

--
Richard Silverman
slade at shore.net
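As an added example that is not from either poster, the following Python script (standard library only) reads and writes the on-disk X authority format that xauth and libXau use, renders entries the way `xauth list` prints them, and contrasts the raw append from the first message (`cat $XAUTHORITY >> ~/.Xauthority`) with the replace-by-key behaviour of `xauth merge`. The host name, display number and cookie values are constructed. The point it makes concrete is the one in the reply: the MIT-MAGIC-COOKIE-1 data sits in the file as plain bytes, so whoever can read the file, or the NFS traffic carrying it into a shared home directory, holds the key to the proxy display; moving the entry over the ssh channel keeps it off the wire.

```python
import struct
from dataclasses import dataclass

# Address families used in X authority files (values from libXau's Xauth.h).
FAMILY_INTERNET = 0
FAMILY_LOCAL = 256
FAMILY_WILD = 65535


@dataclass(frozen=True)
class XauthEntry:
    family: int
    address: bytes  # hostname for FamilyLocal, 4-byte IPv4 for FamilyInternet
    number: bytes   # display number as ASCII digits, e.g. b"10"
    name: bytes     # authorization protocol, e.g. b"MIT-MAGIC-COOKIE-1"
    data: bytes     # the raw cookie; the file offers it no protection at all

    def key(self):
        # xauth merge/add treat entries with the same family, address,
        # display number and protocol as one entry and replace the old one
        return (self.family, self.address, self.number, self.name)


def _pack_field(b):
    return struct.pack(">H", len(b)) + b


def _unpack_field(buf, off):
    (n,) = struct.unpack_from(">H", buf, off)
    off += 2
    if off + n > len(buf):
        raise ValueError("truncated X authority field")
    return buf[off:off + n], off + n


def serialize(entries):
    """On-disk format: 2-byte big-endian family, then four fields
    (address, number, name, data), each prefixed by a 2-byte length."""
    out = bytearray()
    for e in entries:
        out += struct.pack(">H", e.family)
        for field in (e.address, e.number, e.name, e.data):
            out += _pack_field(field)
    return bytes(out)


def parse(buf):
    entries, off = [], 0
    while off < len(buf):
        if off + 2 > len(buf):
            raise ValueError("truncated X authority family")
        (family,) = struct.unpack_from(">H", buf, off)
        address, off = _unpack_field(buf, off + 2)
        number, off = _unpack_field(buf, off)
        name, off = _unpack_field(buf, off)
        data, off = _unpack_field(buf, off)
        entries.append(XauthEntry(family, address, number, name, data))
    return entries


def list_line(e):
    """Render an entry in the style of `xauth list` (FamilyInternet is
    shown as a dotted quad here; real xauth prints a hostname when it can)."""
    if e.family == FAMILY_LOCAL:
        disp = "%s/unix:%s" % (e.address.decode(), e.number.decode())
    elif e.family == FAMILY_INTERNET and len(e.address) == 4:
        disp = "%s:%s" % (".".join(str(b) for b in e.address), e.number.decode())
    else:
        disp = "%s:%s" % (e.address.hex(), e.number.decode())
    return "%s  %s  %s" % (disp, e.name.decode(), e.data.hex())


def append_like_cat(existing, extra):
    """What `cat $XAUTHORITY >> ~/.Xauthority` does: a raw byte append.
    Stale entries for the same display are never retired."""
    return existing + extra


def merge_like_xauth(existing, extra):
    """What `xauth merge` does: an incoming entry replaces the existing
    entry with the same key, so only the current cookie survives."""
    merged = {}
    for e in parse(existing) + parse(extra):
        merged[e.key()] = e
    return serialize(list(merged.values()))


def cleartext_cookies(buf):
    """Every cookie available to anyone who can read these bytes."""
    return [e.data.hex() for e in parse(buf)]


# Constructed sample data (not real cookies): the entry sshd creates for the
# proxy display unix:10 on a host named "firewall", old session and new one.
COOKIE_OLD = bytes.fromhex("00112233445566778899aabbccddeeff")
COOKIE_NEW = bytes.fromhex("ffeeddccbbaa99887766554433221100")
PROXY_OLD = XauthEntry(FAMILY_LOCAL, b"firewall", b"10", b"MIT-MAGIC-COOKIE-1", COOKIE_OLD)
PROXY_NEW = XauthEntry(FAMILY_LOCAL, b"firewall", b"10", b"MIT-MAGIC-COOKIE-1", COOKIE_NEW)


def demo():
    home = serialize([PROXY_OLD])   # stale entry already in ~/.Xauthority
    tmp = serialize([PROXY_NEW])    # fresh entry in /tmp/ssh-*/cookies
    appended = append_like_cat(home, tmp)
    merged = merge_like_xauth(home, tmp)
    return {
        "appended_entries": len(parse(appended)),
        "merged_entries": len(parse(merged)),
        "cookie_readable": COOKIE_NEW.hex() in cleartext_cookies(appended),
    }


if __name__ == "__main__":
    for e in parse(append_like_cat(serialize([PROXY_OLD]), serialize([PROXY_NEW]))):
        print(list_line(e))
    print(demo())
```

Running it prints both the stale and the fresh `firewall/unix:10` lines after the cat-style append, a single line after the merge, and `cookie_readable: True` either way: the file format never hides the cookie, so what matters is whether the file, or a copy of it, travels over a channel others can read.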