For all those having issues with untrusted X11 forwarding (IOW ssh -X):

1) First, please (re-)read this:

   http://x.cygwin.com/docs/faq/cygwin-x-faq.html#remote

2) I can confirm that ssh is hardcoded to look for xauth in /usr/X11R6/bin. The 5.1p1-9 release should fix that; in the meantime, you can add the following line to either ~/.ssh/config or /etc/ssh_config:

   XAuthLocation /usr/bin/xauth

3) Even if you do that, you will still get a warning:

> Warning: untrusted X11 forwarding setup failed: xauth key data not generated

Which means that ssh is going to use *trusted* X11 forwarding anyway, because *untrusted* X11 forwarding depends on the Security (aka XC-Security) extension, which has been disabled by default upstream. Here's why:

Trusted X11 forwarding means that you trust the server that you wish to ssh into is not using any keyloggers, screenshot utilities, packet sniffers, or anything else to hijack your connection, in which case X11 will allow it to do whatever a local client would be able to do.

Untrusted X11 forwarding was meant to be a way to allow logins to unknown or insecure systems. It generates a cookie with xauth and uses the Security extension to limit what the remote client is allowed to do. But this is widely considered to be not useful, because the Security extension uses an arbitrary and limited access control policy, which results in a lot of applications not working correctly and what is really a false sense of security. This is true even today; I rebuilt XWin with Security enabled and 'ssh -X' into my Linux VM, and got BadAccess errors from *any* GTK2 program.

More on this subject:

   http://www.openssh.com/faq.html#3.13
   http://www.nsa.gov/selinuX/papers/x11/x93.html

Given the limited usefulness of untrusted X11 forwarding, *upstream* has disabled it by default in favour of other security models, but it has not yet been removed.

So there are two options:

A) Leave things as they are now, with that warning advising people that untrusted X11 forwarding is not available and that trusted mode is being used instead. The warning can be silenced by using ssh -Y, since that is what ssh -X is doing now anyway.

B) Re-enable the Security extension together with the openssh update, and be swamped by questions that programs aren't running under ssh -X, and have to tell everyone that ssh -X is generally broken anyway and they should be using ssh -Y instead.

Unless someone can show me a case where something works correctly with option (B) where it doesn't in (A), then I may reconsider, but otherwise everyone now understands that the Security extension is not really useful, not to be relied upon, and therefore is not available.

Yaakov
Cygwin/X
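As an added illustration (not part of the post above), the following shell functions inspect an ssh client config file and report the XAuthLocation that will be used, whether that xauth binary actually exists, and whether "ssh -X" will end up trusted or untrusted given whether the X server has the Security extension. The parser is a deliberate simplification: it only reads global directives before the first Host/Match block, in "Keyword value" form, and the /usr/X11R6/bin/xauth default mirrors the hardcoded path described in the post.

```shell
#!/bin/sh
# Added example, not from the original post. Assumes an ssh_config file
# whose global section (before any Host/Match block) uses "Keyword value".

# Print the XAuthLocation from a config file, or the hardcoded default the
# post describes (/usr/X11R6/bin/xauth) when the directive is absent.
xauth_location() {
    conf="$1"
    loc=$(awk 'tolower($1)=="host"||tolower($1)=="match"{exit}
               tolower($1)=="xauthlocation"{print $2; exit}' "$conf")
    printf '%s\n' "${loc:-/usr/X11R6/bin/xauth}"
}

# Succeed only if the xauth binary ssh would run is actually executable;
# this is the condition that fails when ssh looks in /usr/X11R6/bin.
xauth_present() {
    [ -x "$(xauth_location "$1")" ]
}

# Print the mode "ssh -X" ends up in. $2 is "yes" when the X server has the
# Security extension. Without it the untrusted setup fails and ssh falls
# back to trusted forwarding (the warning the post quotes); with
# ForwardX11Trusted yes, -X is trusted regardless.
effective_x11_mode() {
    conf="$1"; security_ext="$2"
    trusted=$(awk 'tolower($1)=="host"||tolower($1)=="match"{exit}
                   tolower($1)=="forwardx11trusted"{print tolower($2); exit}' "$conf")
    if [ "$trusted" = "yes" ] || [ "$security_ext" != "yes" ]; then
        echo trusted
    else
        echo untrusted
    fi
}
```

Running `effective_x11_mode ~/.ssh/config no` on a Cygwin/X host without the Security extension therefore always prints "trusted", which is why the post recommends just using ssh -Y.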