In the past, as long as I had XQuartz installed: -
I was able to happily tunnel over X11 between macOS and Linux, using a command such as: -
ssh -X wasadmin@was9001
but, since the update to Sierra, I see this: -
ssh -X wasadmin@was9001
which returns: -
wasadmin@192.168.1.109's password:
Warning: untrusted X11 forwarding setup failed: xauth key data not generated
Last login: Thu Oct 27 13:47:24 2016 from 192.168.1.13
Warning: untrusted X11 forwarding setup failed: xauth key data not generated
Last login: Thu Oct 27 13:47:24 2016 from 192.168.1.13
and, from Linux: -
xterm
which returns this: -
xterm Xt error: Can't open display:
xterm: DISPLAY is not set
xterm: DISPLAY is not set
I did the needful and Google'd to find this: -
which said, in part: -
…
On MacOS Sierra, I use ssh -Y command , then x11 works, although got a Warning: No xauth data; using fake authentication data for X11 forwarding. client side no ~/.ssh/config file
…
so I tried this: -
ssh -Y wasadmin@was9001
which returns this: -
wasadmin@192.168.1.109's password:
Warning: No xauth data; using fake authentication data for X11 forwarding.
Last login: Thu Oct 27 14:16:13 2016 from 192.168.1.13
Warning: No xauth data; using fake authentication data for X11 forwarding.
Last login: Thu Oct 27 14:16:13 2016 from 192.168.1.13
and: -
xterm
which JUST WORKS :-)
For the record, I also don't have a config file in ~/.ssh either
ls -al ~/.ssh/
total 16
drwx------ 3 hayd staff 102 7 Nov 2014 .
drwxr-xr-x+ 42 hayd staff 1428 27 Oct 13:37 ..
-rw-r--r-- 1 hayd staff 7821 27 Oct 09:33 known_hosts
drwx------ 3 hayd staff 102 7 Nov 2014 .
drwxr-xr-x+ 42 hayd staff 1428 27 Oct 13:37 ..
-rw-r--r-- 1 hayd staff 7821 27 Oct 09:33 known_hosts
From the man page for ssh we have: -
…
-X Enables X11 forwarding. This can also be specified on a per-host basis in a configuration file.
X11 forwarding should be enabled with caution. Users with the ability to bypass file permissions on the remote host (for the user's X authorization database) can access the local X11 display through the forwarded connection. An
attacker may then be able to perform activities such as keystroke monitoring.
For this reason, X11 forwarding is subjected to X11 SECURITY extension restrictions by default. Please refer to the ssh -Y option and the ForwardX11Trusted directive in ssh_config(5) for more information.
-x Disables X11 forwarding.
-Y Enables trusted X11 forwarding. Trusted X11 forwardings are not subjected to the X11 SECURITY extension controls.
…
X11 forwarding should be enabled with caution. Users with the ability to bypass file permissions on the remote host (for the user's X authorization database) can access the local X11 display through the forwarded connection. An
attacker may then be able to perform activities such as keystroke monitoring.
For this reason, X11 forwarding is subjected to X11 SECURITY extension restrictions by default. Please refer to the ssh -Y option and the ForwardX11Trusted directive in ssh_config(5) for more information.
-x Disables X11 forwarding.
-Y Enables trusted X11 forwarding. Trusted X11 forwardings are not subjected to the X11 SECURITY extension controls.
…
so I guess that's the difference :-)
2 comments:
Love how this stuff comes back around again and again... :-)
In my comment on your blog 3.5 years ago, I was suggesting to use ssh -Y. But you know what? I can't remember why I picked -Y and not -X at the time! Glad it works though :-D
Thanks Stuart, good to hear from you, mate
As you say, it goes round and round and round :-)
Time to play some Dead or Alive :-)
Post a Comment