I guess I wasn't following the whole cookies discussion completely (putting cookies in /tmp to avoid putting them on NFS, etc.), but I noticed today that with 2.9.9p2, if I use "ssh -X" to start a shell on the server, in that shell XAUTHORITY is set to /tmp/ssh-XXXXXXXX/cookies and there are cookies placed there. These are the "fake" cookies for the "server:10.X" display. When an X11 client opens a connection using the "fake" display socket, and ssh receives the authentication packet, ssh rewrites the "fake" cookie in the packet with the "real" cookie (which might actually be another "fake" cookie if you are chaining your ssh invocations?).

So what's the real issue here... having ssh create a "fake" cookie and that gets copied to the server side... in the user's home directory?

Ed

Ed Phillips <ed at udel.edu> University of Delaware (302) 831-6082
Systems Programmer III, Network and Systems Services
finger -l ed at polycut.nss.udel.edu for PGP public key

On Thu, Nov 15, 2001 at 03:46:22PM -0500, Ed Phillips wrote:
> but I
> noticed today that with 2.9.9p2, if I use "ssh -X" to start a shell on the
> server, in that shell XAUTHORITY is set to /tmp/ssh-XXXXXXXX/cookies and
> there are cookies placed there.

wrong. 2.9.9 and later use $HOME, not /tmp

but what is your question?

fake cookies are generated in order to restrict
the access to the real x11 server to the duration
of the ssh session and not to the duration of the
x11 session.

-m

On Thu, 15 Nov 2001, Markus Friedl wrote:

> Date: Thu, 15 Nov 2001 21:54:11 +0100
> From: Markus Friedl <markus at openbsd.org>
> To: Ed Phillips <ed at UDel.Edu>
> Cc: OpenSSH Development <openssh-unix-dev at mindrot.org>
> Subject: Re: X11 cookies and forwarding
>
> On Thu, Nov 15, 2001 at 03:46:22PM -0500, Ed Phillips wrote:
> > but I
> > noticed today that with 2.9.9p2, if I use "ssh -X" to start a shell on the
> > server, in that shell XAUTHORITY is set to /tmp/ssh-XXXXXXXX/cookies and
> > there are cookies placed there.
>
> wrong. 2.9.9 and later use $HOME, not /tmp

Okay... I figured that much out. I was connecting ssh 2.9.9p2 to sshd 2.9p1. Sorry...

> but what is your question?

Is the issue with cookies (that has been recently discussed - cookies on NFS and such) a direct result of this change in 2.9.9p2?

> fake cookies are generated in order to restrict
> the access to the real x11 server to the duration
> of the ssh session and not to the duration of the
> x11 session.

Got it.

Ed

Ed Phillips <ed at udel.edu> University of Delaware (302) 831-6082
Systems Programmer III, Network and Systems Services
finger -l ed at polycut.nss.udel.edu for PGP public key
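
The cookie substitution discussed in this thread, as an added example (not part of the original messages and not OpenSSH's code): a forwarder parses the X11 connection-setup packet, checks that it carries the per-session fake cookie, and swaps in the real one, rejecting anything else. It assumes MIT-MAGIC-COOKIE-1 authentication; the function names are hypothetical and the cookie values are constructed.

```python
import hmac
import struct

PROTO = b"MIT-MAGIC-COOKIE-1"

def pad4(n):
    # X11 pads variable-length fields to a multiple of 4 bytes
    return (n + 3) & ~3

def build_setup(cookie, order=b"l"):
    """Constructed X11 connection-setup request carrying `cookie`."""
    fmt = "<" if order == b"l" else ">"
    # byte order, pad, major=11, minor=0, name length, data length, pad
    head = order + b"\0" + struct.pack(fmt + "4H", 11, 0, len(PROTO), len(cookie)) + b"\0\0"
    return head + PROTO.ljust(pad4(len(PROTO)), b"\0") + cookie.ljust(pad4(len(cookie)), b"\0")

def rewrite_cookie(packet, fake, real):
    """Swap the session's fake cookie for the real one, or raise ValueError."""
    if len(packet) < 12 or packet[:1] not in (b"l", b"B"):
        raise ValueError("not an X11 setup packet")
    fmt = "<" if packet[:1] == b"l" else ">"
    name_len, data_len = struct.unpack_from(fmt + "2H", packet, 6)
    data_off = 12 + pad4(name_len)
    if len(packet) < data_off + pad4(data_len):
        raise ValueError("truncated setup packet")
    name = packet[12:12 + name_len]
    data = packet[data_off:data_off + data_len]
    if name != PROTO or data_len != len(fake) or len(real) != len(fake):
        raise ValueError("unexpected authentication protocol or length")
    # constant-time comparison so the check does not leak cookie bytes
    if not hmac.compare_digest(data, fake):
        raise ValueError("wrong cookie")
    return packet[:data_off] + real + packet[data_off + data_len:]

# Constructed sample values (not real cookies)
FAKE = bytes(range(16))
REAL = bytes(range(16, 32))

def demo():
    # A client holding the fake cookie is rewritten to the real one;
    # a packet carrying any other cookie value is refused.
    ok = rewrite_cookie(build_setup(FAKE), FAKE, REAL) == build_setup(REAL)
    try:
        rewrite_cookie(build_setup(REAL), FAKE, REAL)
        rejected = False
    except ValueError:
        rejected = True
    return ok, rejected

if __name__ == "__main__":
    print(demo())
```

Because only the fake cookie is written to the server-side Xauthority file, whatever can read that file is useful only while the ssh session that knows the mapping is alive.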