X forwarding does not seem to be working correctly when trying to establish a connection between two HP-UX (11.31) hosts
Notice the error message:
xauth key data not generated
X applications will not start because of missing authorizations:
The SSH versions on both hosts are identical:
With some extra debugging info enabled via the SSH daemon we can see:
Trying to invoke the xauth command manually gives:
There is, however, a workaround: use trusted X11 forwarding instead of:
But with trusted X11 forwarding every client is treated as trusted by default, which makes X11 forwarding even less secure. The ssh(1) man page is explicit about this:
$ man ssh
     -X      Enables X11 forwarding. This can also be specified on a per-host basis in a configuration file.
             X11 forwarding should be enabled with caution. Users with the ability to bypass file permissions on the remote host (for the user's X authorization database) can access the local X11 display through the forwarded connection. An attacker may then be able to perform activities such as keystroke monitoring.
             For this reason, X11 forwarding is subjected to X11 SECURITY extension restrictions by default. Please refer to the ssh -Y option and the ForwardX11Trusted directive in ssh_config(5) for more information.
     -Y      Enables trusted X11 forwarding. Trusted X11 forwardings are not subjected to the X11 SECURITY extension controls.
It looks very much like untrusted X11 forwarding in the OpenSSH version currently shipped with HP-UX is either broken or unsupported.
Out of curiosity I executed two SSH connections with system call tracing via truss, one with trusted X11 and one with untrusted X11.
Trusted X11 :
$ truss -f ssh -vvvv -Y serv1
Untrusted X11 :
$ truss -f ssh -vvvv -X serv1
In the connection with trusted X11 enabled we see that xauth is referring to
And this works fine of course.
However, during the untrusted connection xauth tries to create a temporary magic cookie in /tmp using a subcommand ("generate") that this xauth does not support:
10385: stat("/usr/bin/X11/xauth", 0x9fffffffffffdb00) = 0
debug2: x11_get_proto: /usr/bin/X11/xauth -f /tmp/ssh-WPMfSbLVs1pd/xauthfile generate 10.20.76.3:12.0 MIT-MAGIC-COOKIE-1 untrusted timeout 1200 2>/dev/null
10397: execve("/usr/bin/X11/xauth", 0x4003b180, 0x40053860) = 0 [32-bit]
10397: open("/usr/bin/X11/xauth", O_RDONLY, 0) = 3
10397: stat("/tmp/ssh-WPMfSbLVs1pd/xauthfile-c", 0x7fffea40) ERR#2 ENOENT
10397: creat("/tmp/ssh-WPMfSbLVs1pd/xauthfile-c", 438) = 3
10397: link("/tmp/ssh-WPMfSbLVs1pd/xauthfile-c", "/tmp/ssh-WPMfSbLVs1pd/xauthfile-l") = 0
10397: access("/tmp/ssh-WPMfSbLVs1pd/xauthfile", F_OK) ERR#2 ENOENT
10397: open("/tmp/ssh-WPMfSbLVs1pd/xauthfile", O_RDONLY, 0666) ERR#2 ENOENT
10397: access("/tmp/ssh-WPMfSbLVs1pd/xauthfile", F_OK) ERR#2 ENOENT
10397: unlink("/tmp/ssh-WPMfSbLVs1pd/xauthfile-c") = 0
10397: unlink("/tmp/ssh-WPMfSbLVs1pd/xauthfile-l") = 0
Warning: untrusted X11 forwarding setup failed: xauth key data not generated
10385: unlink("/tmp/ssh-WPMfSbLVs1pd/xauthfile") ERR#2 ENOENT
Warning: No xauth data; using fake authentication data for X11 forwarding.
This behaviour is confirmed by running the generate command from within
After consultation with HP support it appears that this behaviour has indeed been broken for many years:
QXCR1000761588 – HP-UX's xauth(1) does not have the "generate" option
Unfortunately, this enhancement request has never been implemented, so we still have to live with the current limitation.
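The following probe is an added example and not part of the original post. It reproduces the exact xauth invocation that ssh issued in the truss output above (the debug2: x11_get_proto line) against a throw-away authority file, so you can tell on any host whether the local xauth implements "generate" before blaming the SSH build. The xauth path and display name are parameters (defaults assumed: whatever xauth is on PATH, and $DISPLAY or :0); the exit codes 0/1/2 are this script's own convention.

```shell
#!/bin/sh
# Added example (not from the original post): probe whether a given xauth
# binary implements the "generate" subcommand that OpenSSH untrusted X11
# forwarding (ssh -X) depends on. Mirrors the command seen in the truss output.
#
# Usage: xauth_generate_probe [/path/to/xauth] [display]
# Exit status (this script's convention):
#   0  generate worked and wrote a cookie into the temporary authority file
#   1  xauth ran but produced no cookie (HP-UX behaviour: unknown subcommand;
#      a real xauth also fails here when no X server is reachable on $display)
#   2  no executable xauth found, or the temporary directory could not be made
xauth_generate_probe() {
    xauth_bin="${1:-$(command -v xauth 2>/dev/null)}"
    display="${2:-${DISPLAY:-:0}}"     # assumption: display name used only as the cookie key

    if [ -z "$xauth_bin" ] || [ ! -x "$xauth_bin" ]; then
        echo "probe: no executable xauth at '${xauth_bin:-<none>}'" >&2
        return 2
    fi

    # Private scratch directory; mkdir refuses to follow a pre-existing symlink,
    # and mode 700 keeps the generated cookie out of other users' reach.
    tmpdir="${TMPDIR:-/tmp}/xauthprobe.$$"
    mkdir -m 700 "$tmpdir" || return 2
    xauthfile="$tmpdir/xauthfile"

    # Exactly the invocation sshd/ssh uses for untrusted forwarding.
    if "$xauth_bin" -f "$xauthfile" generate "$display" MIT-MAGIC-COOKIE-1 \
            untrusted timeout 1200 >/dev/null 2>&1 \
       && [ -s "$xauthfile" ]; then
        rc=0
        echo "probe: $xauth_bin supports 'generate'; ssh -X can obtain an untrusted cookie"
    else
        rc=1
        echo "probe: $xauth_bin produced no cookie with 'generate'; ssh -X will fall back to fake auth data" >&2
    fi

    rm -rf "$tmpdir"
    return $rc
}
```

Run it on the HP-UX side as the user that will log in (for example `xauth_generate_probe /usr/bin/X11/xauth "$DISPLAY"`); an exit status of 1 while a working X server is reachable on that display is the signature of the missing subcommand described by HP support.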
As a workaround we can force trusted X11 forwarding for all connections by altering the default ssh_config client configuration file:
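As an added example (not the post's own configuration), the same ForwardX11Trusted directive from ssh_config(5) can be scoped to just the HP-UX hosts whose xauth lacks "generate", so that every other host keeps the SECURITY-extension restrictions of untrusted forwarding. serv1 is the host name used above; the hpux-* pattern is an assumed naming convention.

```sshconfig
# Added example, not the original post's file: narrow the trusted-forwarding
# workaround to the affected hosts instead of applying it to every connection.
# ssh_config takes the first value found for each option, so the specific
# Host blocks must come before the catch-all "Host *".

Host serv1 hpux-*
    ForwardX11 yes
    ForwardX11Trusted yes     # same effect as "ssh -Y": no X11 SECURITY extension controls

Host *
    ForwardX11 no             # opt in per host, or with -X/-Y on the command line
    ForwardX11Trusted no      # untrusted (SECURITY extension) forwarding stays the default
```

Even with the scope narrowed, the caveat from the man page still applies to the listed hosts: any user there who can read your X authorization database gets full access to your local display, so limit the pattern to machines you actually need X11 from.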