Problem forwarding using 'ssh -X root@localhost' on FC3

Mike A. Harris mharris at mharris.ca
Fri Dec 2 23:18:28 PST 2005


Michael L. Wright wrote:
> Hi,
> 
> I recently migrated from a desktop to a Compaq Presario 3000/R3306US laptop 
> with nvidia video and upgraded from:
> RH 7.2
> XFree86-4.1.0-15
> openssh-3.1p1-14
> 
> to:
> Fedora Core 3
> xorg-x11-6.8.2-1.FC3.1
> openssh-3.9p1-8.0.3.
> 
> Previously I was able to run apps as root by opening a console window, 
> entering the command 'ssh -X root@localhost', then typing 'konsole &' (yes, 
> KDE) to obtain a root console session without problems.
> 
> Now I get multiple error messages when I launch the root konsole window, 
> though it does work.  Other applications such as glade throw additional 
> errors and won't run.  Is this familiar to anyone? Does it sound like a 
> problem with X or with ssh?
> 
> Launching the root konsole window:
[SNIP]
> [root@Michael ~]# glade
> Gdk-ERROR **: BadWindow (invalid Window parameter)
>   serial 3864 error_code 3 request_code 38 minor_code 0
> Gdk-ERROR **: BadAccess (attempt to access private resource denied)
>   serial 3865 error_code 10 request_code 102 minor_code 0
> 
> and glade dies.
> 
> Any help will be very much appreciated, since I can't fully move to the laptop 
> until this problem is solved.

Actually, this is a "feature" of openssh.  The openssh developers
decided that X11 forwarding was an inherently insecure thing by
default, and so they changed newer versions of openssh to no longer
do full X11 forwarding by default.

The "ssh -X" option no longer works as it did in the past.  If you try
to use it, you will end up with X11 forwarding that seems to "pretend"
to work, but which causes almost all X applications to fail, because
it uses the XSECURITY extension by default, and 99.9% of all
applications are written without any clue about XSECURITY, and so they
will completely break with errors like the above.  The usual sign of
this is a bunch of "BadAtom" errors or other unexpected errors.

If you want to get the X11 forwarding you are used to getting by
default from older releases of openssh, you now must use the "-Y"
option instead of -X.  If you previously had ssh configured by
default to automatically use -X, then you need to now reconfigure
it to use what is now the equivalent of "-Y".

All operating systems which use newer versions of openssh are
affected by this *cough* feature *cough*.  IMHO, it was a very
horrible solution to the security problem.  There were really
3 choices for a default the openssh project had to choose from:

1) "by default everything works like you expect it to" X11
    forwarding which is insecure, and what was widespread existing
    practice previously

2) "by default, X11 forwarding is totally disabled" where you
    know right away that it is not enabled, and that you have to
    enable it if you want to use it.

3) "by default, we'll make it look like X11 forwarding is configured
     and is supposed to work, but we'll make it 'secure' and break
     99% of all applications which each fail with obscure error
     messages which make users think X is broken or something else
     is very strangely screwed up"

Guess which of the 3 options the openssh project went with.  ;O)

Yes, they went with option #3, which just irritates everyone and
does not work with almost any software out there.  The best solution
would have been to give users both security *and* consistency,
without pretending to work, by choosing #2.  Then users can decide
to use #1 or #3 themselves.

For Fedora, we decided to change the upstream default from #3 to
#2, to provide consistency and have a secure default, letting
users decide themselves manually if they want to override this,
and whether they want to use the insecure "working" X11 forwarding,
or the secure "nonworking" X11 forwarding.

If you've upgraded your system properly though, you would not
be seeing any errors though as it was fixed about 8-12 months
ago.  ;o)

Hopefully this lengthy explanation will get archived on mail
archives around the world now and people will find the answer
when they do their google homework. ;o)

Hope this helps..

take care,
TTYL
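
Added example (not part of the original message, and not code from OpenSSH or Fedora): a shell helper that maps a client's effective settings onto the three defaults listed in the message, by reading the `forwardx11` and `forwardx11trusted` lines that `ssh -G <host>` prints on OpenSSH 6.8 or later. The function names are hypothetical and the sample inputs are constructed.

```shell
#!/bin/sh
# Classify the effective X11 forwarding mode of an OpenSSH client config.
# Input format: "key value" lines, as printed by `ssh -G <host>`.

classify_x11_mode() {
    # Reads config lines on stdin; if a key repeats, the last value is used.
    awk '
        { key = tolower($1) }
        key == "forwardx11"        { fwd = tolower($2) }
        key == "forwardx11trusted" { trusted = tolower($2) }
        END {
            if (fwd != "yes")          print "disabled"   # choice 2 in the message
            else if (trusted == "yes") print "trusted"    # choice 1, what -Y requests
            else                       print "untrusted"  # choice 3, XSECURITY-restricted
        }'
}

# Constructed sample inputs, one per mode (not captured from a real host).
sample_disabled()  { printf 'hostname localhost\nforwardx11 no\nforwardx11trusted no\n'; }
sample_untrusted() { printf 'hostname localhost\nforwardx11 yes\nforwardx11trusted no\n'; }
sample_trusted()   { printf 'hostname localhost\nForwardX11 yes\nForwardX11Trusted yes\n'; }
# ForwardX11Trusted alone does not enable forwarding.
sample_trusted_only() { printf 'forwardx11 no\nforwardx11trusted yes\n'; }

audit_host() {
    # Live check: resolve the real client config for host $1 and classify it.
    ssh -G "$1" | classify_x11_mode
}

# When run with host names as arguments, report the mode for each one.
if [ "$#" -gt 0 ]; then
    for h in "$@"; do
        printf '%s: %s\n' "$h" "$(audit_host "$h")"
    done
fi
```

A result of `untrusted` is the mode in which applications fail with the errors quoted in the message; `trusted` is the mode the message describes as insecure but working.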


