xauth authentication not working

Bug #371181 reported by Paul Civati
This bug affects 2 people

Affects         Status  Importance  Assigned to  Milestone
tk8.5 (Ubuntu)  New     Low         Unassigned

Bug Description

Since upgrading to 9.04 I find that xauth for X11 capable SSH sessions does not work - nothing has changed on the server side.

This applies to two separate 9.04 client machines and this functionality worked when they were previously 8.04 and 8.10 systems.

You can see that X11 forwarding has been negotiated because the $DISPLAY has been set.

LOCAL:

paul@tuscan:~ % xauth list
tuscan/unix:0 MIT-MAGIC-COOKIE-1 07587ffe64e21a256756ae9959e8b1c5
localhost.localdomain/unix:0 MIT-MAGIC-COOKIE-1 07587ffe64e21a256756ae9959e8b1c5

REMOTE:

paul@vantage:~ % echo $DISPLAY
localhost:11.0
paul@vantage:~ % exmh &
[1] 38127
paul@vantage:~ % BgRegister X server insecure (must use xauth-style authorization); command ignored
BgRegister X server insecure (must use xauth-style authorization); command ignored
BgRegister X server insecure (must use xauth-style authorization); command ignored
BgRegister X server insecure (must use xauth-style authorization); command ignored
BgRegister X server insecure (must use xauth-style authorization); command ignored
exmh-bg cannot rendez-vous with UI - exiting.
  Usually this is because Tk send is not working.
  Check the notes under Frequently Asked Questions #4a and #4b.
  You can find this under the Help menu.

Chuck Short (zulcss) wrote :

Thank you for taking the time to report this bug and helping to make Ubuntu better. Please answer these questions:
1. Is this reproducible?
2. If so, what specific steps should we take to recreate this bug? Be as detailed as possible.
This will help us to find and resolve the problem.

Changed in openssh (Ubuntu):
importance: Undecided → Low
status: New → Incomplete
Chuck Short (zulcss) wrote :

We are closing this bug report because it lacks the information we need to investigate the problem, as described in the previous comments. Please reopen it if you can give us the missing information, and don't hesitate to submit bug reports in the future. To reopen the bug report you can click on the current status, under the Status column, and change the Status back to "New". Thanks again!

Changed in openssh (Ubuntu):
status: Incomplete → Invalid
Markus Kuhn (markus-kuhn) wrote :

The problem may be related to Ubuntu (experienced on 10.4) apparently executing the commands

xhost +si:localuser:`id -un`
xhost +si:localuser:root
xhost +si:localuser:gdm

or doing something equivalent when you log in. Just type "xhost" to see the list of non-xauth authorizations currently enabled for your X11 server. The first of the above lines is in

  /etc/X11/Xsession.d/60x11-common_localhost

The exmh background daemon considers the presence of any of these to be bad and therefore refuses to work. Executing the above three lines with + changed to - is a workaround, but ultimately exmh-bg (or a library it uses) probably needs patching to tolerate this practice.

See also "man xhost".

Markus Kuhn (markus-kuhn) wrote :

Really a Tk problem, nothing to do with openssh, therefore changing package and reopening.

affects: openssh (Ubuntu) → tk8.5 (Ubuntu)
Changed in tk8.5 (Ubuntu):
status: Invalid → New
Markus Kuhn (markus-kuhn) wrote :

Since Ubuntu uses several "xhost +..." lines in its default configuration, one could argue it should have compiled TCL/Tk with the TK_NO_SECURITY flag set, otherwise Tk's "send" IPC breaks, which is really what I suspect this bug report is all about.

Even better would be to patch in Tk the "xhost" security test to allow the three (apparently harmless and useful ones) xhost exceptions in the Ubuntu configuration to pass through without an alert.

Markus Kuhn (markus-kuhn) wrote :

These "xhost +si:localuser:..." settings have also caused problems to Tk users on RedHat/Fedora systems in the past:

  https://bugzilla.redhat.com/show_bug.cgi?id=349071
  https://partner-bugzilla.redhat.com/show_bug.cgi?id=216236

It all goes back to the Tk changes entry

  4/26/93 (new feature) Implemented security check for "send" as proposed
  by Bennett Todd: incoming sends are now rejected unless (a) xhost-style
  access control is enabled and (b) the list of authorized hosts is
  empty. In other words, you have to use xauth to use send. This feature
  can be disabled by setting the TK_NO_SECURITY flag at compile-time.

The Tk people claim to have fixed this in the tk8.5 branch:

  https://sourceforge.net/tracker/index.php?func=detail&aid=1909931&group_id=12997&atid=112997

So I wonder why Ubuntu 10.4 is still affected ...

To reproduce: start exmh and activate under "Preferences" in "Background Processing" the "Separate background process" option and one of the "Background processing" options (e.g., flist).
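
Added example, not part of the bug report or of Tk: a shell check that applies the rule quoted from the 4/26/93 changelog entry above to `xhost` output and lists the entries that make "send" fail. The function names and the sample `xhost` output are constructed for illustration; the check follows the changelog text, not the current Tk source.

```shell
#!/bin/sh
# Added example (not Tk code): applies the rule quoted from the 1993 changelog
# to `xhost` output: send is accepted only if access control is enabled AND
# the authorized-host list is empty.

# Reads `xhost` output on stdin; prints one line per reason the rule fails.
tk_send_blockers() {
    awk '
        NR == 1 {
            # The first line of xhost output states the access-control mode.
            if ($0 !~ /^access control enabled/) print "access-control-disabled"
            next
        }
        NF > 0 { print "entry " $1 }      # each further line is a list entry
        END { if (NR == 0) print "no-xhost-output" }  # e.g. display unreachable
    '
}

# Exit status 0 when the rule is satisfied, 1 otherwise.
tk_send_allowed() {
    [ -z "$(tk_send_blockers)" ]
}

# Prints the "+ changed to -" workaround from the report for each entry found.
workaround_commands() {
    tk_send_blockers | awk '$1 == "entry" {
        e = $2
        # xhost lists these entries as "SI:..."; the report writes "si:...".
        if (e ~ /^SI:/) e = "si:" substr(e, 4)
        print "xhost -" e
    }'
}

# Constructed samples: an Ubuntu-style session and an xauth-only session.
SAMPLE_UBUNTU='access control enabled, only authorized clients can connect
SI:localuser:paul
SI:localuser:root
SI:localuser:gdm'
SAMPLE_XAUTH_ONLY='access control enabled, only authorized clients can connect'

if [ "${1:-}" = "--live" ]; then
    xhost | tk_send_blockers          # inspect the real X server
else
    printf '%s\n' "$SAMPLE_UBUNTU" | tk_send_blockers
fi
```

Run with `--live` in the desktop session that owns the X server, since that is where the `xhost` list is kept.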
