
Warning: No xauth data; using fake authentication data for X11 forwarding.


Kenny McCormack

Feb 20, 2013, 10:49:20 AM
"Warning: No xauth data; using fake authentication data for X11 forwarding."

I get this (harmless) message if DISPLAY is set on my local machine and I
ssh to another machine. What does it mean?

Note, BTW, that I've never had the need to figure out the new XAUTH stuff.
Just have had the need and the old "xhost" based system works fine for me.

Also note: The fix for this is pretty easy and clear - just do "unset
DISPLAY" before ssh-ing.

--

First of all, I do not appreciate your playing stupid here at all.

- Thomas 'PointedEars' Lahn -

Barry Margolin

Feb 20, 2013, 12:18:58 PM
In article <kg2ra0$e3s$1...@news.xmission.com>,
gaz...@shell.xmission.com (Kenny McCormack) wrote:

> "Warning: No xauth data; using fake authentication data for X11 forwarding."
>
> I get this (harmless) message if DISPLAY is set on my local machine and I
> ssh to another machine. What does it mean?
>
> Note, BTW, that I've never had the need to figure out the new XAUTH stuff.
> Just have had the need and the old "xhost" based system works fine for me.
>
> Also note: The fix for this is pretty easy and clear - just do "unset
> DISPLAY" before ssh-ing.

Why do you have X11 forwarding enabled in the first place?

Remove 'ForwardX11 yes' from your .ssh/config file if you don't want to
use it.

--
Barry Margolin, bar...@alum.mit.edu
Arlington, MA
*** PLEASE post questions in newsgroups, not directly to me ***

Kenny McCormack

Feb 20, 2013, 1:59:34 PM
In article <barmar-D899AD....@news.eternal-september.org>,
Barry Margolin <bar...@alum.mit.edu> wrote:
>In article <kg2ra0$e3s$1...@news.xmission.com>,
> gaz...@shell.xmission.com (Kenny McCormack) wrote:
>
>> "Warning: No xauth data; using fake authentication data for X11 forwarding."
>>
>> I get this (harmless) message if DISPLAY is set on my local machine and I
>> ssh to another machine. What does it mean?
>>
>> Note, BTW, that I've never had the need to figure out the new XAUTH stuff.
>> Just have had the need and the old "xhost" based system works fine for me.
>>
>> Also note: The fix for this is pretty easy and clear - just do "unset
>> DISPLAY" before ssh-ing.
>
>Why do you have X11 forwarding enabled in the first place?
>
>Remove 'ForwardX11 yes' from your .ssh/config file if you don't want to
>use it.

I already know what the fix is. I.e., one of the many fixes, of which I am
sure there are many. I thought I made it clear that I was not looking for a
fix.

I am interested in what the message means, where it comes from, and why
anyone thinks it is important.

--
Is God willing to prevent evil, but not able? Then he is not omnipotent.
Is he able, but not willing? Then he is malevolent.
Is he both able and willing? Then whence cometh evil?
Is he neither able nor willing? Then why call him God?
~ Epicurus

Barry Margolin

Feb 20, 2013, 3:22:12 PM
In article <kg36em$qt8$1...@news.xmission.com>,
gaz...@shell.xmission.com (Kenny McCormack) wrote:

> In article <barmar-D899AD....@news.eternal-september.org>,
> Barry Margolin <bar...@alum.mit.edu> wrote:
> >In article <kg2ra0$e3s$1...@news.xmission.com>,
> > gaz...@shell.xmission.com (Kenny McCormack) wrote:
> >
> >> "Warning: No xauth data; using fake authentication data for X11
> >> forwarding."
> >>
> >> I get this (harmless) message if DISPLAY is set on my local machine and I
> >> ssh to another machine. What does it mean?
> >>
> >> Note, BTW, that I've never had the need to figure out the new XAUTH stuff.

"new"? It's at least 2 decades old.

> >> Just have had the need and the old "xhost" based system works fine for me.
> >>
> >> Also note: The fix for this is pretty easy and clear - just do "unset
> >> DISPLAY" before ssh-ing.
> >
> >Why do you have X11 forwarding enabled in the first place?
> >
> >Remove 'ForwardX11 yes' from your .ssh/config file if you don't want to
> >use it.
>
> I already know what the fix is. I.e., one of the many fixes, of which I am
> sure there are many. I thought I made it clear that I was not looking for a
> fix.
>
> I am interested in what the message means, where it comes from, and why
> anyone thinks it is important.

The issue is that xhost authentication doesn't work well when you use X
forwarding. I assume you authorize "localhost" using xhost, right? The
problem is that everything coming from the remote machine appears to be
coming from localhost as far as the local X11 server is concerned.

If you had xauth set up, connections from remote clients would be
checked against it. Rather than open you up entirely to connections at
the remote end, it sets up fake xauth data and uses that. It's warning
you that it's doing this.

Kenny McCormack

Feb 20, 2013, 3:58:33 PM
In article <barmar-2148D7....@news.eternal-september.org>,
Barry Margolin <bar...@alum.mit.edu> wrote:
...
>If you had xauth set up, connections from remote clients would be
>checked against it. Rather than open you up entirely to connections at
>the remote end, it sets up fake xauth data and uses that. It's warning
>you that it's doing this.

OK. So far, so good.

Now, what *is* this "fake auth data"? What does it do? What are its
limitations? Why should I care?

What this all boils down to is: Why issue the message? What is it telling
me that I don't already know?

P.S. I think in the past I've made the message go away by including -X
(capital X) on the command line. IIRC, that tells it not to do X forwarding
(over-riding whatever setting along the way was turning it on by default).

I would assume that including -X is equivalent to unset-ting DISPLAY.

--
- Since the shootings on Friday, the ultra-defensive [maybe wrongly
- hyphenated, but that would be fitting] Roy "News" LIEberman has posted
- at least 90 times, and almost every single post is about his obsessive
- knee-jerk loonball [wacko] gun politics. How much longer before the
- authorities [police] finally disable the trip wires and confiscate the
- arsenal in his St. Louie hovel?

So true. So true.

Barry Margolin

Feb 20, 2013, 4:44:33 PM
In article <kg3ddp$321$1...@news.xmission.com>,
gaz...@shell.xmission.com (Kenny McCormack) wrote:

> In article <barmar-2148D7....@news.eternal-september.org>,
> Barry Margolin <bar...@alum.mit.edu> wrote:
> ...
> >If you had xauth set up, connections from remote clients would be
> >checked against it. Rather than open you up entirely to connections at
> >the remote end, it sets up fake xauth data and uses that. It's warning
> >you that it's doing this.
>
> OK. So far, so good.
>
> Now, what *is* this "fake auth data"? What does it do? What are its
> limitations? Why should I care?

You asked for your X session to be forwarded. It's doing it, but it's
setting some limitations.

I suspect what it does is generate a random cookie on the SSH server and
put it into your .Xauthority file there. But I'm not sure -- you can
check whether this file is being created.

>
> What this all boils down to is: Why issue the message? What is it telling
> me that I don't already know?

If you try to connect to the remote X server and it fails, this is the
likely reason.

>
> P.S. I think in the past I've made the message go away by including -X
> (capital X) on the command line. IIRC, that tells it not to do X forwarding
> (over-riding whatever setting along the way was turning it on by default).
>
> I would assume that including -X is equivalent to unset-ting DISPLAY.

Effectively. X11 is only forwarded if it's enabled on the client in the
first place, and the DISPLAY environment variable is how applications
determine if X11 is enabled.

Another way of suppressing the error is by adding:

X11UseLocalhost yes

to the SSH server's sshd_config file.

Dan Espen

Feb 20, 2013, 7:23:31 PM
gaz...@shell.xmission.com (Kenny McCormack) writes:

> In article <barmar-2148D7....@news.eternal-september.org>,
> Barry Margolin <bar...@alum.mit.edu> wrote:
> ...
>>If you had xauth set up, connections from remote clients would be
>>checked against it. Rather than open you up entirely to connections at
>>the remote end, it sets up fake xauth data and uses that. It's warning
>>you that it's doing this.
>
> OK. So far, so good.
>
> Now, what *is* this "fake auth data"? What does it do? What are its
> limitations? Why should I care?
>
> What this all boils down to is: Why issue the message? What is it telling
> me that I don't already know?
>
> P.S. I think in the past I've made the message go away by including -X
> (capital X) on the command line. IIRC, that tells it not to do X forwarding
> (over-riding whatever setting along the way was turning it on by default).

man ssh:

-X Enables X11 forwarding. This can also be specified on a
per-host basis in a configuration file.


--
Dan Espen

Kenny McCormack

Feb 21, 2013, 7:18:23 AM
In article <icehgap...@home.home>, Dan Espen <des...@verizon.net> wrote:
...
>man ssh:
>
> -X Enables X11 forwarding. This can also be specified on a
> per-host basis in a configuration file.

Yup - just checked it myself. It is little x that turns it off; big X turns
it on.

--
"We should always be disposed to believe that which appears to us to be
white is really black, if the hierarchy of the church so decides."

- Saint Ignatius Loyola (1491-1556) Founder of the Jesuit Order -

Alan Curry

Feb 22, 2013, 12:58:19 AM
In article <kg3ddp$321$1...@news.xmission.com>,
Kenny McCormack <gaz...@shell.xmission.com> wrote:
>In article <barmar-2148D7....@news.eternal-september.org>,
>Barry Margolin <bar...@alum.mit.edu> wrote:
>...
>>If you had xauth set up, connections from remote clients would be
>>checked against it. Rather than open you up entirely to connections at
>>the remote end, it sets up fake xauth data and uses that. It's warning
>>you that it's doing this.
>
>OK. So far, so good.
>
>Now, what *is* this "fake auth data"? What does it do? What are its
>limitations? Why should I care?
>

The fake auth data is a cookie that's been generated and put into
~/.Xauthority on the machine you ssh'ed into, and must be supplied by
clients connecting to the forwarder (preventing other users on the
remote machine from connecting to your X server, unless they can read
your ~/.Xauthority).

The limitation is that it doesn't protect the traffic all the way from
end to end. After the traffic goes through the ssh connection, the rest
of the journey to the X server is only being protected by xhost.

X clients started inside the ssh session will not be able to tell the
difference. They believe that they are talking to the X server over a
fully xauth'ed connection, so they won't be able to warn you about the
degraded security mode. If the situation was not intended, a warning
from ssh is the only way you'd ever find out about it.

There doesn't seem to be any option to declare that the situation *is*
intended. I guess that's because even the minimal startx script sets up
xauth these days. You have to work extra hard to not have xauth.

--
Alan Curry
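
An added example, not part of any post in this thread: a small check, run on the local machine before using `ssh -X`, that classifies how the local X display is protected from the text output of `xauth list` and `xhost`. The function names, result labels and sample data are assumptions made for illustration; the `xhost-only` result is the situation described above, in which ssh has no local cookie to use and prints the warning.

```shell
#!/bin/sh
# Added example: classify local X display protection from the text output
# of `xauth list` and `xhost`. All sample data below is constructed.

# has_cookie DISPLAY XAUTH_LIST_TEXT
# Exit 0 if an MIT-MAGIC-COOKIE-1 entry exists for that display number.
has_cookie() {
    num=${1##*:}      # ":0.0" or "host:10.0" -> "0.0" / "10.0"
    num=${num%%.*}    # drop the screen number -> "0" / "10"
    printf '%s\n' "$2" | awk -v n="$num" '
        $2 == "MIT-MAGIC-COOKIE-1" && $1 ~ (":" n "$") && $3 ~ /^[0-9a-f]+$/ {
            found = 1
        }
        END { exit (found ? 0 : 1) }'
}

# x11_auth_posture DISPLAY XAUTH_LIST_TEXT XHOST_TEXT
# Prints one of:
#   open        access control is disabled; any client can connect
#   xauth       a cookie exists for the display; ssh can use it
#   xhost-only  no cookie; the local leg relies on host-based access alone
x11_auth_posture() {
    if printf '%s\n' "$3" | grep -q '^access control disabled'; then
        echo "open"
    elif has_cookie "$1" "$2"; then
        echo "xauth"
    else
        echo "xhost-only"
    fi
}

# Constructed sample inputs (not captured from a real machine).
SAMPLE_XAUTH='desk/unix:0  MIT-MAGIC-COOKIE-1  0123456789abcdef0123456789abcdef'
SAMPLE_XHOST_LOCAL='access control enabled, only authorized clients can connect
INET:localhost
LOCAL:'
SAMPLE_XHOST_OPEN='access control disabled, clients can connect from any host'

# Demo on the constructed data: no cookie, localhost authorised via xhost.
x11_auth_posture :0 "" "$SAMPLE_XHOST_LOCAL"

# Live use on a real desktop (requires the xauth and xhost programs):
#   x11_auth_posture "$DISPLAY" "$(xauth list)" "$(xhost)"
```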