On Wed, Jun 26, 2002 at 03:11:20PM -0700, Christopher Mahmood wrote:
* Robert C. Paulsen Jr. (robert@paulsenonline.net) [020626 14:56]:
Using '-X'?
No, because it's enabled in the config file (as mentioned in the part you didn't quote above).
That doesn't mean that I didn't want to see you explicitly use it.
OK, I re-did the YOU update and used ssh -X. No change. But, I guess I did neglect to mention just what error message I get when starting an X application after using "sux -". Here is is (last two lines):
sux - Password: No matches found, authority file "/dev/fd/62" not written xauth: (argv):1: unable to read any entries from file "(stdin)" avalon:~ # xterm X11 connection rejected because of wrong authentication. X connection to localhost:10.0 broken (explicit kill or server shutdown).
That may be just a warning, but as I say in the part you didn't quote following the above, it *doesn't* work; I can't start X applications.
I tested it mixing different versions with 3.3 and it works fine, that's why I specified using '-X'. Please use '-v' as well.
Here is the output from "ssh -X -v". Note two lines i particular: debug1: X11 connection uses different authentication protocol. X11 connection rejected because of wrong authentication. These don't appear with the shipped version of ssh. It appears to be a problem on the server side since I can use the latest updates on the client side w/o problem. =====================[ debug output ]=================================== robert@avalon:~> ssh -X -v avalon OpenSSH_3.3, SSH protocols 1.5/2.0, OpenSSL 0x0090603f debug1: Reading configuration data /etc/ssh/ssh_config debug1: Applying options for * debug1: Rhosts Authentication disabled, originating port will not be trusted. debug1: ssh_connect: needpriv 0 debug1: Connecting to avalon [192.168.0.31] port 22. debug1: Connection established. debug1: identity file /home/robert/.ssh/identity type -1 debug1: identity file /home/robert/.ssh/id_rsa type -1 debug1: identity file /home/robert/.ssh/id_dsa type 2 debug1: Remote protocol version 1.99, remote software version OpenSSH_3.3 debug1: match: OpenSSH_3.3 pat OpenSSH* Enabling compatibility mode for protocol 2.0 debug1: Local version string SSH-2.0-OpenSSH_3.3 debug1: SSH2_MSG_KEXINIT sent debug1: SSH2_MSG_KEXINIT received debug1: kex: server->client aes128-cbc hmac-md5 none debug1: kex: client->server aes128-cbc hmac-md5 none debug1: SSH2_MSG_KEX_DH_GEX_REQUEST sent debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP debug1: dh_gen_key: priv key bits set: 130/256 debug1: bits set: 1599/3191 debug1: SSH2_MSG_KEX_DH_GEX_INIT sent debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY debug1: Host 'avalon' is known and matches the RSA host key. debug1: Found key in /home/robert/.ssh/known_hosts:10 debug1: bits set: 1577/3191 debug1: ssh_rsa_verify: signature correct debug1: kex_derive_keys debug1: newkeys: mode 1 debug1: SSH2_MSG_NEWKEYS sent debug1: waiting for SSH2_MSG_NEWKEYS debug1: newkeys: mode 0 debug1: SSH2_MSG_NEWKEYS received debug1: done: ssh_kex2. debug1: send SSH2_MSG_SERVICE_REQUEST debug1: service_accept: ssh-userauth debug1: got SSH2_MSG_SERVICE_ACCEPT debug1: authentications that can continue: publickey,password debug1: next auth method to try is publickey debug1: try privkey: /home/robert/.ssh/identity debug1: try privkey: /home/robert/.ssh/id_rsa debug1: try pubkey: /home/robert/.ssh/id_dsa debug1: input_userauth_pk_ok: pkalg ssh-dss blen 433 lastkey 0x8093c48 hint 2 debug1: PEM_read_PrivateKey failed debug1: read PEM private key done: type <unknown> Enter passphrase for key '/home/robert/.ssh/id_dsa': debug1: read PEM private key done: type DSA debug1: ssh-userauth2 successful: method publickey debug1: channel 0: new [client-session] debug1: send channel open 0 debug1: Entering interactive session. debug1: ssh_session2_setup: id 0 debug1: channel request 0: pty-req debug1: Requesting X11 forwarding with authentication spoofing. debug1: channel request 0: x11-req debug1: channel request 0: shell debug1: fd 3 setting TCP_NODELAY debug1: channel 0: open confirm rwindow 0 rmax 32768 Last login: Wed Jun 26 19:56:25 2002 from avalon.paulsen.org Have a lot of fun... robert@avalon:~> sux - Password: No matches found, authority file "/dev/fd/62" not written xauth: (argv):1: unable to read any entries from file "(stdin)" avalon:~ # xterm debug1: client_input_channel_open: ctype x11 rchan 3 win 65536 max 16384 debug1: client_request_x11: request from 127.0.0.1 39754 debug1: fd 7 setting TCP_NODELAY debug1: fd 7 setting O_NONBLOCK debug1: channel 1: new [x11] debug1: confirm x11 debug1: X11 connection uses different authentication protocol. X11 connection rejected because of wrong authentication. debug1: X11 rejected 1 i0/o0 debug1: channel 1: read failed debug1: channel 1: close_read debug1: channel 1: input open -> drain debug1: channel 1: ibuf empty debug1: channel 1: send eof debug1: channel 1: input drain -> closed debug1: channel 1: write failed debug1: channel 1: close_write debug1: channel 1: output open -> closed debug1: X11 closed 1 i3/o3 debug1: channel 1: send close debug1: channel 1: rcvd close debug1: channel 1: is dead debug1: channel 1: garbage collecting debug1: channel_free: channel 1: x11, nchannels 2 X connection to localhost:11.0 broken (explicit kill or server shutdown). =========================================================================
Again -- All this worked *before* updating to the new ssh. I just reinstalled ssh from the original CDs and all is back to normal. I will have to live with this exposure until ssh is fixed.
What exposure? Please read the security announcements before saying things like that; there's already too much confusion around this.
Well, there was a security notice recommending an update. If there is no exposure why update? -- Robert C. Paulsen, Jr. robert@paulsenonline.net