Problem
X11 forwarding does not seem to work correctly when establishing an SSH connection between two HP-UX (11.31) hosts.
Notice the error message: xauth key data not generated
X applications will not start because the X authorization data is missing:
The SSH version on both hosts is identical:
Analysis
sshd debugging
With some extra debugging enabled in the SSH daemon we can see:
client1->serv1:
Trying to invoke the xauth command manually gives:
There is, however, a workaround: use trusted X11 forwarding. Instead of:
Do:
But trusted X11 forwarding (ssh -Y) exempts every forwarded X client from the X11 SECURITY extension restrictions, i.e. each remote client is treated as trusted by default, which makes X11 forwarding even less secure:
$ man ssh
-X Enables X11 forwarding. This can also be specified on a per-host
basis in a configuration file.
X11 forwarding should be enabled with caution. Users with the
ability to bypass file permissions on the remote host (for the
user's X authorization database) can access the local X11 display
through the forwarded connection. An attacker may then be able
to perform activities such as keystroke monitoring.
For this reason, X11 forwarding is subjected to X11 SECURITY
extension restrictions by default. Please refer to the ssh -Y
option and the ForwardX11Trusted directive in ssh_config(5) for
more information.
-Y Enables trusted X11 forwarding. Trusted X11 forwardings are not
subjected to the X11 SECURITY extension controls.
It looks very much as if untrusted X11 forwarding in the current OpenSSH version on HP-UX is either broken or unsupported.
Truss debugging
Out of curiosity I executed two SSH connections with system call tracing via truss, one with trusted X11 and one with untrusted X11.
- Trusted X11: $ truss -f ssh -vvvv -Y serv1
- Untrusted X11: $ truss -f ssh -vvvv -X serv1
In the connection with trusted X11 enabled we see that xauth refers to the existing /home/acme/.Xauthority:
And this works fine, of course.
However, during the untrusted connection xauth tries to create a temporary, time-limited MIT-MAGIC-COOKIE-1 in /tmp using a subcommand (generate) that this xauth does not implement. Note that ssh (PID 10385) runs xauth as a child (PID 10397), so the failure is on the client side, before anything is sent to serv1:
10385: stat("/usr/bin/X11/xauth", 0x9fffffffffffdb00) = 0
debug2: x11_get_proto: /usr/bin/X11/xauth -f /tmp/ssh-WPMfSbLVs1pd/xauthfile generate 10.20.76.3:12.0 MIT-MAGIC-COOKIE-1 untrusted timeout 1200 2>/dev/null
10397: execve("/usr/bin/X11/xauth", 0x4003b180, 0x40053860) = 0 [32-bit]
10397: open("/usr/bin/X11/xauth", O_RDONLY, 0) = 3
10397: stat("/tmp/ssh-WPMfSbLVs1pd/xauthfile-c", 0x7fffea40) ERR#2 ENOENT
10397: creat("/tmp/ssh-WPMfSbLVs1pd/xauthfile-c", 438) = 3
10397: link("/tmp/ssh-WPMfSbLVs1pd/xauthfile-c", "/tmp/ssh-WPMfSbLVs1pd/xauthfile-l") = 0
10397: access("/tmp/ssh-WPMfSbLVs1pd/xauthfile", F_OK) ERR#2 ENOENT
10397: open("/tmp/ssh-WPMfSbLVs1pd/xauthfile", O_RDONLY, 0666) ERR#2 ENOENT
10397: access("/tmp/ssh-WPMfSbLVs1pd/xauthfile", F_OK) ERR#2 ENOENT
10397: unlink("/tmp/ssh-WPMfSbLVs1pd/xauthfile-c") = 0
10397: unlink("/tmp/ssh-WPMfSbLVs1pd/xauthfile-l") = 0
Warning: untrusted X11 forwarding setup failed: xauth key data not generated
10385: unlink("/tmp/ssh-WPMfSbLVs1pd/xauthfile") ERR#2 ENOENT
Warning: No xauth data; using fake authentication data for X11 forwarding.
This behaviour is confirmed by running the generate command from within xauth:
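To turn that manual confirmation into a repeatable check, the script below is an added example and is not part of the original post. It runs the same xauth generate command line that ssh -X runs (the debug2: x11_get_proto line above) against a throw-away cookie file, reads the result back with xauth list the way ssh does, and reports whether a cookie came back. The display name :0, the XAUTH override variable and the exit codes are this script's own conventions; the 1200 second timeout and MIT-MAGIC-COOKIE-1 come from the debug output. Like ssh itself, it cannot distinguish "this xauth has no generate subcommand" from "generate ran but no X server answered on that display", so run it where the display is reachable.

```shell
#!/bin/sh
# Added example, not from the original post: reproduce the xauth call that
# OpenSSH makes for untrusted (-X) forwarding and report whether this xauth
# can produce a cookie that way.
#
# Exit codes (this script's own convention):
#   0  a cookie was generated: untrusted X11 forwarding (ssh -X) is usable
#   1  no cookie came back: ssh would print "xauth key data not generated"
#      and fall back to fake authentication data
#   2  the xauth binary was not found or is not executable
#
# Assumptions: the display defaults to :0 (illustrative), the 1200 s timeout
# is the value ssh uses, and XAUTH may override the binary path.

check_xauth_generate() {
    xauth_bin=$1
    display=${2:-${DISPLAY:-:0}}

    if [ ! -x "$xauth_bin" ]; then
        echo "xauth not found or not executable: $xauth_bin" >&2
        return 2
    fi

    # Private scratch directory, like ssh's /tmp/ssh-XXXX/xauthfile.
    tmpdir=$(mktemp -d 2>/dev/null) || { tmpdir=/tmp/xauthcheck.$$; mkdir -p "$tmpdir"; }
    chmod 700 "$tmpdir"
    xauthfile=$tmpdir/xauthfile

    # The command line seen in the debug2: x11_get_proto output:
    # "untrusted timeout 1200" asks the X server for a time-limited cookie
    # that is subject to the X11 SECURITY extension.
    "$xauth_bin" -f "$xauthfile" generate "$display" MIT-MAGIC-COOKIE-1 \
        untrusted timeout 1200 >/dev/null 2>&1

    # ssh then reads the cookie back with "xauth -f file list display";
    # a usable result is a non-empty file listing a MIT-MAGIC-COOKIE-1 entry.
    if [ -s "$xauthfile" ] &&
       "$xauth_bin" -f "$xauthfile" list "$display" 2>/dev/null | grep -q 'MIT-MAGIC-COOKIE-1'; then
        echo "untrusted X11 forwarding is usable: xauth generate produced a cookie"
        rc=0
    else
        echo "xauth key data not generated: this xauth cannot run 'generate'" \
             "(HP-UX xauth, or no X server reachable on $display)"
        rc=1
    fi

    rm -rf "$tmpdir"
    return $rc
}

# Stand-alone run: use $XAUTH if set, else whatever xauth is on the PATH.
check_xauth_generate "${XAUTH:-$(command -v xauth || echo /usr/bin/X11/xauth)}" || :
```

On the HP-UX client from this post, XAUTH=/usr/bin/X11/xauth gives exit code 1 and the "xauth key data not generated" line; on a host whose xauth implements generate and that can reach the display, it gives 0. Anything other than 0 is the case in which ssh -X silently continues with fake authentication data, so it is worth checking before relying on the untrusted mode as a security boundary.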
Conclusion
After consultation with HP support it appears that this behaviour has indeed been broken for many years:
QXCR1000761588 – HP-UX's xauth(1) does not have the "generate" option
Unfortunately, this enhancement request has never been implemented, so we still have to live with the current limitation.
As a workaround we can force trusted X11 forwarding for all connections by setting ForwardX11Trusted yes in the ssh_config client configuration file (the equivalent of ssh -Y). Bear in mind that this drops the X11 SECURITY extension restrictions for every forwarded X client; putting the directive in a Host block for the HP-UX servers that need it, rather than in the global section, limits the exposure to those hosts:
See also: https://support.hpe.com/hpsc/doc/public/display?docId=emr_na-c01544532