Problem forwarding using 'ssh -X root@localhost' on FC3

Michael L. Wright mlw-xorg at mrserver.net
Sat Dec 3 12:29:02 PST 2005


On Saturday 03 December 2005 02:18 am, Mike A. Harris wrote:
> Michael L. Wright wrote:
> > Hi,
> >
> > I recently migrated from a desktop to a Compaq Presario 3000/R3306US
> > laptop with nvidia video and upgraded from:
> > RH 7.2
> > XFree86-4.1.0-15
> > openssh-3.1p1-14
> >
> > to:
> > Fedora Core 3
> > xorg-x11-6.8.2-1.FC3.1
> > openssh-3.9p1-8.0.3.
> >
> > Previously I was able to run apps as root by opening a console window,
> > entering the command 'ssh -X root@localhost', then typing 'konsole &'
> > (yes, KDE) to obtain a root console session without problems.
> >
> > Now I get multiple error messages when I launch the root konsole window,
> > though it does work.  Other applications such as glade throw additional
> > errors and won't run.  Is this familiar to anyone? Does it sound like a
> > problem with X or with ssh?
> >
> > Launching the root konsole window:
>
> [SNIP]
>
> > [root@Michael ~]# glade
> > Gdk-ERROR **: BadWindow (invalid Window parameter)
> >   serial 3864 error_code 3 request_code 38 minor_code 0
> > Gdk-ERROR **: BadAccess (attempt to access private resource denied)
> >   serial 3865 error_code 10 request_code 102 minor_code 0
> >
> > and glade dies.
> >
> > Any help will be very much appreciated, since I can't fully move to the
> > laptop until this problem is solved.
>
> Actually, this is a "feature" of openssh.  The openssh developers
> decided that X11 forwarding was an inherently insecure thing by
> default, and so they changed newer versions of openssh to no longer
> do full X11 forwarding by default.
>
> The "ssh -X" option no longer works as it did in the past.  If you try
> to use it, you will end up with X11 forwarding that seems to "pretend"
> to work, but which causes almost all X applications to fail, because
> it uses the XSECURITY extension by default, and 99.9% of all
> applications are written without any clue about XSECURITY, and so they
> will completely break with errors like the above.  The usual sign of
> this is a bunch of "BadAtom" errors or other unexpected errors.
>
> If you want to get the X11 forwarding you are used to getting by
> default from older releases of openssh, you now must use the "-Y"
> option instead of -X.  If you previously had ssh configured by
> default to automatically use -X, then you need to now reconfigure
> it to use what is now the equivalent of "-Y".
>
> All operating systems which use newer versions of openssh are
> affected by this *cough* feature *cough*.  IMHO, it was a very
> horrible solution to the security problem.  There were really
> 3 choices for a default the openssh project had to choose from:
>
> 1) "by default everything works like you expect it to" X11
>     forwarding which is insecure, and what was widespread existing
>     practice previously
>
> 2) "by default, X11 forwarding is totally disabled" where you
>     know right away that it is not enabled, and that you have to
>     enable it if you want to use it.
>
> 3) "by default, we'll make it look like X11 forwarding is configured
>      and is supposed to work, but we'll make it 'secure' and break
>      99% of all applications which each fail with obscure error
>      messages which make users think X is broken or something else
>      is very strangely screwed up"
>
> Guess which of the 3 options the openssh project went with.  ;O)
>
> Yes, they went with option #3, which just irritates everyone and
> does not work with almost any software out there.  The best solution
> would have been to give users both security *and* consistency,
> without pretending to work, by choosing #2.  Then users can decide
> to use #1 or #3 themselves.
>
> For Fedora, we decided to change the upstream default from #3 to
> #2, to provide consistency and have a secure default, letting
> users decide themselves manually if they want to override this,
> and whether they want to use the insecure "working" X11 forwarding,
> or the secure "nonworking" X11 forwarding.
>
> If you've upgraded your system properly though, you would not
> be seeing any errors though as it was fixed about 8-12 months
> ago.  ;o)
>
> Hopefully this lengthy explanation will get archived on mail
> archives around the world now and people will find the answer
> when they do their google homework. ;o)
>
> Hope this helps..
>
> take care,
> TTYL

Thanks for the informative answer, and I totally agree with your analysis.  No 
reason users should be left with a broken system and no explanation.  Too 
reminiscent of experiences with M$ ;-)

As far as I know, I _did_ upgrade properly.  Moved the existing 7.2 (it was 
stable and it _worked_) install (X wouldn't work because it didn't know about 
the nvidia video), upgraded from the FC3 CDs, then let up2date make it 
current.  Some things didn't (and still don't) work correctly - I've lost my 
adobe fonts, up2date won't run as an X app, and the red update button is 
missing from the panel.  And other problems not related to X.  Am I missing 
something?

Thanks,

Michael
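
Added example, not part of either post: the -X / -Y distinction discussed above corresponds to the ssh_config keywords ForwardX11 and ForwardX11Trusted, and this script reports which mode each Host block of a client config requests. The sample config and the function names x11_modes and x11_trusted_hosts are constructed for illustration, and upstream defaults (both keywords "no") are assumed.

```shell
#!/bin/sh
# Added example: report the X11 forwarding mode each Host block asks for.
# Simplifications (assumptions): blocks are read in isolation, only the first
# Host pattern is shown, "Key value" syntax only, upstream defaults (both "no").

# Constructed sample ssh_config, not taken from the thread.
SAMPLE_CONFIG='
Host buildbox
    # same as ssh -X: forwarding on, X clients treated as untrusted
    ForwardX11 yes

Host laptop-local
    # same as ssh -Y: forwarding on, X clients fully trusted
    ForwardX11 yes
    ForwardX11Trusted yes

Host bastion
    # no effect on its own: forwarding itself is not enabled
    ForwardX11Trusted yes

Host *
    ForwardX11 no
'

# Reads ssh_config text on stdin, prints "<host> <off|untrusted|trusted>".
x11_modes() {
    awk '
    function emit() {
        if (host == "") return
        if (fwd != "yes")     print host, "off"
        else if (tr == "yes") print host, "trusted"
        else                  print host, "untrusted"
    }
    { sub(/#.*/, ""); key = tolower($1); val = tolower($2) }
    key == "host"                          { emit(); host = $2; fwd = tr = ""; next }
    key == "forwardx11" && fwd == ""       { fwd = val }   # first value wins
    key == "forwardx11trusted" && tr == "" { tr = val }
    END { emit() }
    '
}

# Hosts where remote X clients get full access to the local display.
x11_trusted_hosts() {
    x11_modes | awk '$2 == "trusted" { print $1 }'
}

printf '%s\n' "$SAMPLE_CONFIG" | x11_modes
```

To audit a real client config, pipe it in: x11_trusted_hosts < ~/.ssh/config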


