This is the mail archive of the cygwin-xfree@cygwin.com mailing list for the Cygwin XFree86 project.



Re: ssh X11 Forwarding from menu in window manager


On Sun, 20 Jan 2002, R Dicaire wrote:

> Tzafrir Cohen wrote:
>
> Tzafrir, thanks for responding.
>
> > > All my ssh keys are correctly configured,
> >
> > This is probably irrelevant. X11 forwarding is generally not related to
> > how you authenticated.
>
> Not sure what you mean here. In linux, I use ssh-agent, every terminal
> and xterm I log into sources a file at login that sets two ssh variables
> so I don't have to keep typing the passphrase for authentication to a
> remote host. Passwordless access. As I'd previously mentioned, this
> setup works fine in X11 under linux. I have this setup in Cygwin as
> well, and it works fine,
> except for executing ssh -X from window manager menu items.

ssh-agent does something different:

[ here follows a lengthy explanation of what ssh-agent does. Feel free to
skip this if this doesn't interest you ]

ssh supports authentication using private-key/public-key pairs. The idea
is that only the client needs to know the private key (which is secret)
and the server only needs to know the public key (which is not secret).

So you create a key pair (ssh-keygen), make the private key (say, id_dsa)
available to the client, and add the public key (id_dsa.pub in this case)
to the list of "authorized keys" of the server. When a client tries to
connect to the server and they decide to try public key authentication,
the server encrypts a certain message with the public key, sends it to the
client, and the client should be able to decrypt that message. So far, no
need to type a password and no need for ssh-agent.

This is fine if the client sits in your private computer at home, and you
know that nobody else has access there. But what if other people have
access to that directory? This can be the administrator of the system (if
you only have a regular account there) or someone who happens to use your
account for 5 minutes. Those people can get your private key, and from now
on, present themselves as you.

To prevent this, the private key can be saved locally in an encrypted form.
This will require you to know a certain password ("passphrase") just to be
able to access the private key.

But this means that you have to type a passphrase again for each
connection. It does not travel the wires to the other side, but still, we
don't want to keep typing the same password.

ssh-agent is supposed to save you some typing. It saves (only in memory,
and in a relatively secure way) decrypted private keys. Whenever you need
to connect to a remote host, you ask the ssh-agent to do the public key
authentication for you.

But all of this is totally unrelated to X11 forwarding. X11 forwarding
takes place after the authentication has been established, in the final
stages of setting a connection. It creates a socket on the server side
that acts as an X server, and sets the client processes to use this
"server" (by setting DISPLAY and adding an appropriate xauth key). Any
connection to that dummy X server is transferred over the ssh connection to
the original X server.

>
> > > ssh -X works when executed
> > > from an xterm inside X11 Cygwin, just not from the window manager menu.

Sorry, I misread your message.

Try instead to run (from the menu):

  xterm -e ssh -X

What happens now?

BTW: do you run 'ssh -X <a command>' ?

Just 'ssh -X' is probably pointless if it is not already in a terminal
(I'm not sure exactly what it is supposed to do).

>
> > First thing you should do is to use the "-v" (verbose) option of ssh to
> > get more information.
> > Maybe the remote server does not allow X11 forwarding?
>
> Since this works under Linux, it's not a server issue.

Still: have you tried using '-v'? It can provide you with some useful
hints.

>
> > Maybe you need to generate an initial xauthority token in your startx
> > script. My .xinitrc currently includes:
> >
> >   export DISPLAY=localhost:0
> >   xauth generate $DISPLAY
> >   xhost -
>
> I tried adding this to .xinitrc, it didn't work. Same behaviour as
> before.
>
> > BTW: if you always use X11 forwarding (or always use it with some hosts)
> > consider setting in your config file:

This will only make the '-X' switch unnecessary. See ssh(1).

>
> My servers and clients configurations are fine. Everything works fine
> under the various *nix platforms I run, just not under X11 Cygwin.
>
> I even tried sourcing the file that contains the two ssh vars for
> ssh-agent functionality from .xinitrc, no go. Neither did it work when I
> tried sourcing it as part of the window manager menu item itself.
>
> Under Linux, when one starts X, it looks like the shell's environment is
> inherited by X, I'm thinking when X is started in Cygwin, such is not
> the case?

What do you mean? It inherits the environment of the shell that created it
(except some vars that were overridden).

One difference between a standard unix environment and cygwin is that in a
standard unix environment (at least in linux) the X server has to run with
special privileges, and therefore its invocation has to be wrapped with a
special wrapper program (xinit, run from startx), and later the server
executes one client session with normal user privileges (/etc/X11/Xsession
or xinitrc or whatever).

On cygwin you are already (usually) a cygwin super-user, things are
generally a bit less complicated on cygwin.

-- 
Tzafrir Cohen
mailto:tzafrir@technion.ac.il
http://www.technion.ac.il/~tzafrir
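
Added example, not part of the original message: a small POSIX shell check that reports whether the environment a menu item was launched in has what `ssh -X` and ssh-agent need. It assumes the "two ssh variables" are the standard `SSH_AUTH_SOCK` and `SSH_AGENT_PID` that ssh-agent exports; the function names are hypothetical.

```shell
#!/bin/sh
# Added illustration: diagnose the environment a window-manager menu item
# actually runs in. Function names are hypothetical, not from any project.

# check_display VALUE: succeed if VALUE looks like [host]:N[.screen]
check_display() {
    case "$1" in
        *:[0-9]*) return 0 ;;
        *)        return 1 ;;
    esac
}

# check_agent SOCK: 0 = live socket, 1 = variable empty, 2 = set but not a socket
check_agent() {
    [ -n "$1" ] || return 1
    [ -S "$1" ] || return 2
    return 0
}

# launch_env_report DISPLAY_VALUE SOCK: print findings, return number of problems
launch_env_report() {
    problems=0
    if check_display "$1"; then
        echo "DISPLAY=$1"
    else
        echo "DISPLAY missing or malformed: '$1' (ssh -X has nothing to forward to)"
        problems=$((problems + 1))
    fi
    rc=0
    check_agent "$2" || rc=$?
    case "$rc" in
        0) echo "agent socket ok: $2" ;;
        1) echo "SSH_AUTH_SOCK unset: ssh will ask for the passphrase"
           problems=$((problems + 1)) ;;
        2) echo "SSH_AUTH_SOCK=$2 is not a socket (stale agent file?)"
           problems=$((problems + 1)) ;;
    esac
    return "$problems"
}

# Report on the current environment; never fail the calling menu command.
launch_env_report "${DISPLAY:-}" "${SSH_AUTH_SOCK:-}" >&2 || true
```

Run it from the same menu entry that starts ssh (for example inside `xterm -e`) and compare the output with what an interactive xterm prints.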



