-X X11 forwarding failure #1593

Closed
hakasapl opened this issue Apr 24, 2020 · 19 comments

Comments

@hakasapl

Troubleshooting steps

  • Added "C:\Program Files\VcXsrv" to path
  • Added XAuthLocation "C:\Program Files\VcXsrv\xauth.exe" to ~/.ssh/config
  • Tried resetting my TEMP and TMP environment vars to C:\Temp
  • Tried running powershell as administrator

"OpenSSH for Windows" version 8.1.0.0

Server OperatingSystem Ubuntu 18.04.4 Server

Client OperatingSystem Windows 10 Pro

What is failing

I can't seem to get the -X option to work with my local X server (VcXsrv). There are a few errors indicated below about the exact errors. The -Y option works just fine, but I'd rather not use that due to security issues. I've been able to reproduce this bug on multiple Windows installations.

Expected output
Successful secure X11 forwarding

Actual output
First Case: When I add xauth to my path (as mentioned above), and use the -X flag, I get this message:

Warning: untrusted X11 forwarding setup failed: xauth key data not generated

Second Case: When I manually add the xauth location to my ~/.ssh/config file, I get the message

client_x11_get_proto: mkdtemp: No such file or directory

@riverar

riverar commented Apr 27, 2020

Related #1563. Workaround: Set TMPDIR to something like C:\Temp or another user-writable location. Also remove spaces from path defined in XAuthLocation (e.g. C:\Progra~1).

@bagajjal
Collaborator

@hakasapl - Please confirm if the PR changes have fixed your issue.

@hakasapl
Author

hakasapl commented Apr 28, 2020

The TMPDIR var has fixed my issue with the temporary directory issue, but I still can't get untrusted X11 forwarding to work, throwing the same error. Debug lines suggest that it is using the correct executable. I may open a different issue for this since it's not the same bug.

@riverar

riverar commented Apr 28, 2020

> The TMPDIR var has fixed my issue with the temporary directory issue, but I still can't get untrusted X11 forwarding to work, throwing the same error. Debug lines suggest that it is using the correct executable. I may open a different issue for this since it's not the same bug.

Can you share a -vvv log with the new issue too? Feel free to redact any hostnames and cookies. Thanks!

@hakasapl
Author

Sure! I reverted to the natively installed Windows OpenSSH to see if that would make a difference, but it didn't. I am also using XWin from Cygwin now to test out some different X servers, but both X servers show the same error in the log.

PS C:\Users\Hakan> ssh -vvv -X <host>
OpenSSH_for_Windows_7.7p1, LibreSSL 2.6.5
debug1: Reading configuration data C:\\Users\\Hakan/.ssh/config
debug1: C:\\Users\\Hakan/.ssh/config line 25: Applying options for <profile>
debug1: C:\\Users\\Hakan/.ssh/config line 38: Applying options for *
debug3: Failed to open file:C:/ProgramData/ssh/ssh_config error:2
debug2: resolve_canonicalize: hostname <host> is address
debug2: ssh_connect_direct: needpriv 0
debug1: Connecting to <host> [<host>] port 22.
debug1: Connection established.
debug1: identity file C:\\Users\\Hakan/.ssh/id_rsa type 0
debug3: Failed to open file:C:/Users/Hakan/.ssh/id_rsa-cert error:2
debug3: Failed to open file:C:/Users/Hakan/.ssh/id_rsa-cert.pub error:2
debug1: key_load_public: No such file or directory
debug1: identity file C:\\Users\\Hakan/.ssh/id_rsa-cert type -1
debug3: Failed to open file:C:/Users/Hakan/.ssh/id_dsa error:2
debug3: Failed to open file:C:/Users/Hakan/.ssh/id_dsa.pub error:2
debug1: key_load_public: No such file or directory
debug1: identity file C:\\Users\\Hakan/.ssh/id_dsa type -1
debug3: Failed to open file:C:/Users/Hakan/.ssh/id_dsa-cert error:2
debug3: Failed to open file:C:/Users/Hakan/.ssh/id_dsa-cert.pub error:2
debug1: key_load_public: No such file or directory
debug1: identity file C:\\Users\\Hakan/.ssh/id_dsa-cert type -1
debug3: Failed to open file:C:/Users/Hakan/.ssh/id_ecdsa error:2
debug3: Failed to open file:C:/Users/Hakan/.ssh/id_ecdsa.pub error:2
debug1: key_load_public: No such file or directory
debug1: identity file C:\\Users\\Hakan/.ssh/id_ecdsa type -1
debug3: Failed to open file:C:/Users/Hakan/.ssh/id_ecdsa-cert error:2
debug3: Failed to open file:C:/Users/Hakan/.ssh/id_ecdsa-cert.pub error:2
debug1: key_load_public: No such file or directory
debug1: identity file C:\\Users\\Hakan/.ssh/id_ecdsa-cert type -1
debug3: Failed to open file:C:/Users/Hakan/.ssh/id_ed25519 error:2
debug3: Failed to open file:C:/Users/Hakan/.ssh/id_ed25519.pub error:2
debug1: key_load_public: No such file or directory
debug1: identity file C:\\Users\\Hakan/.ssh/id_ed25519 type -1
debug3: Failed to open file:C:/Users/Hakan/.ssh/id_ed25519-cert error:2
debug3: Failed to open file:C:/Users/Hakan/.ssh/id_ed25519-cert.pub error:2
debug1: key_load_public: No such file or directory
debug1: identity file C:\\Users\\Hakan/.ssh/id_ed25519-cert type -1
debug3: Failed to open file:C:/Users/Hakan/.ssh/id_xmss error:2
debug3: Failed to open file:C:/Users/Hakan/.ssh/id_xmss.pub error:2
debug1: key_load_public: No such file or directory
debug1: identity file C:\\Users\\Hakan/.ssh/id_xmss type -1
debug3: Failed to open file:C:/Users/Hakan/.ssh/id_xmss-cert error:2
debug3: Failed to open file:C:/Users/Hakan/.ssh/id_xmss-cert.pub error:2
debug1: key_load_public: No such file or directory
debug1: identity file C:\\Users\\Hakan/.ssh/id_xmss-cert type -1
debug1: Local version string SSH-2.0-OpenSSH_for_Windows_7.7
debug1: Remote protocol version 2.0, remote software version OpenSSH_7.6p1 Ubuntu-4ubuntu0.3
debug1: match: OpenSSH_7.6p1 Ubuntu-4ubuntu0.3 pat OpenSSH* compat 0x04000000
debug2: fd 3 setting O_NONBLOCK
debug1: Authenticating to <host>:22 as '<user>'
debug3: hostkeys_foreach: reading file "C:\\Users\\Hakan/.ssh/known_hosts"
debug3: record_hostkey: found key type ECDSA in file C:\\Users\\Hakan/.ssh/known_hosts:5
debug3: load_hostkeys: loaded 1 keys from <host>
debug3: Failed to open file:C:/Users/Hakan/.ssh/known_hosts2 error:2
debug3: Failed to open file:C:/ProgramData/ssh/ssh_known_hosts error:2
debug3: Failed to open file:C:/ProgramData/ssh/ssh_known_hosts2 error:2
debug3: order_hostkeyalgs: prefer hostkeyalgs: [email protected],[email protected],[email protected],ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521
debug3: send packet: type 20
debug1: SSH2_MSG_KEXINIT sent
debug3: receive packet: type 20
debug1: SSH2_MSG_KEXINIT received
debug2: local client KEXINIT proposal
debug2: KEX algorithms: curve25519-sha256,[email protected],ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha256,diffie-hellman-group14-sha1,ext-info-c
debug2: host key algorithms: [email protected],[email protected],[email protected],ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,[email protected],[email protected],ssh-ed25519,rsa-sha2-512,rsa-sha2-256,ssh-rsa
debug2: ciphers ctos: [email protected],aes128-ctr,aes192-ctr,aes256-ctr,[email protected],[email protected]
debug2: ciphers stoc: [email protected],aes128-ctr,aes192-ctr,aes256-ctr,[email protected],[email protected]
debug2: MACs ctos: [email protected],[email protected],[email protected],[email protected],[email protected],[email protected],[email protected],hmac-sha2-256,hmac-sha2-512,hmac-sha1
debug2: MACs stoc: [email protected],[email protected],[email protected],[email protected],[email protected],[email protected],[email protected],hmac-sha2-256,hmac-sha2-512,hmac-sha1
debug2: compression ctos: none
debug2: compression stoc: none
debug2: languages ctos:
debug2: languages stoc:
debug2: first_kex_follows 0
debug2: reserved 0
debug2: peer server KEXINIT proposal
debug2: KEX algorithms: curve25519-sha256,[email protected],ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group14-sha256,diffie-hellman-group14-sha1
debug2: host key algorithms: ssh-rsa,rsa-sha2-512,rsa-sha2-256,ecdsa-sha2-nistp256,ssh-ed25519
debug2: ciphers ctos: [email protected],aes128-ctr,aes192-ctr,aes256-ctr,[email protected],[email protected]
debug2: ciphers stoc: [email protected],aes128-ctr,aes192-ctr,aes256-ctr,[email protected],[email protected]
debug2: MACs ctos: [email protected],[email protected],[email protected],[email protected],[email protected],[email protected],[email protected],hmac-sha2-256,hmac-sha2-512,hmac-sha1
debug2: MACs stoc: [email protected],[email protected],[email protected],[email protected],[email protected],[email protected],[email protected],hmac-sha2-256,hmac-sha2-512,hmac-sha1
debug2: compression ctos: none,[email protected]
debug2: compression stoc: none,[email protected]
debug2: languages ctos:
debug2: languages stoc:
debug2: first_kex_follows 0
debug2: reserved 0
debug1: kex: algorithm: curve25519-sha256
debug1: kex: host key algorithm: ecdsa-sha2-nistp256
debug1: kex: server->client cipher: [email protected] MAC: <implicit> compression: none
debug1: kex: client->server cipher: [email protected] MAC: <implicit> compression: none
debug3: send packet: type 30
debug1: expecting SSH2_MSG_KEX_ECDH_REPLY
debug3: receive packet: type 31
debug1: Server host key: ecdsa-sha2-nistp256 SHA256:w86/3aDVJsAUUXFqEaCsNhB/JIIxaEFzoglDuLfufME
debug3: hostkeys_foreach: reading file "C:\\Users\\Hakan/.ssh/known_hosts"
debug3: record_hostkey: found key type ECDSA in file C:\\Users\\Hakan/.ssh/known_hosts:5
debug3: load_hostkeys: loaded 1 keys from <host>
debug3: Failed to open file:C:/Users/Hakan/.ssh/known_hosts2 error:2
debug3: Failed to open file:C:/ProgramData/ssh/ssh_known_hosts error:2
debug3: Failed to open file:C:/ProgramData/ssh/ssh_known_hosts2 error:2
debug1: Host '<host>' is known and matches the ECDSA host key.
debug1: Found key in C:\\Users\\Hakan/.ssh/known_hosts:5
debug3: send packet: type 21
debug2: set_newkeys: mode 1
debug1: rekey after 134217728 blocks
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug3: receive packet: type 21
debug1: SSH2_MSG_NEWKEYS received
debug2: set_newkeys: mode 0
debug1: rekey after 134217728 blocks
debug2: key: C:\\Users\\Hakan/.ssh/id_rsa (00000287CAD89580), agent
debug2: key: C:\\Users\\Hakan/.ssh/id_dsa (0000000000000000)
debug2: key: C:\\Users\\Hakan/.ssh/id_ecdsa (0000000000000000)
debug2: key: C:\\Users\\Hakan/.ssh/id_ed25519 (0000000000000000)
debug2: key: C:\\Users\\Hakan/.ssh/id_xmss (0000000000000000)
debug3: send packet: type 5
debug3: receive packet: type 7
debug1: SSH2_MSG_EXT_INFO received
debug1: kex_input_ext_info: server-sig-algs=<ssh-ed25519,ssh-rsa,rsa-sha2-256,rsa-sha2-512,ssh-dss,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521>
debug3: receive packet: type 6
debug2: service_accept: ssh-userauth
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug3: send packet: type 50
debug3: receive packet: type 51
debug1: Authentications that can continue: publickey
debug3: start over, passed a different list publickey
debug3: preferred publickey,keyboard-interactive,password
debug3: authmethod_lookup publickey
debug3: remaining preferred: keyboard-interactive,password
debug3: authmethod_is_enabled publickey
debug1: Next authentication method: publickey
debug1: Offering public key: RSA SHA256:E2efD4RXfcvMJwtJgpKhZTTSSfZt9zchjdCI3sO+MZI C:\\Users\\Hakan/.ssh/id_rsa
debug3: send_pubkey_test
debug3: send packet: type 50
debug2: we sent a publickey packet, wait for reply
debug3: receive packet: type 60
debug1: Server accepts key: pkalg rsa-sha2-512 blen 279
debug2: input_userauth_pk_ok: fp SHA256:E2efD4RXfcvMJwtJgpKhZTTSSfZt9zchjdCI3sO+MZI
debug3: sign_and_send_pubkey: RSA SHA256:E2efD4RXfcvMJwtJgpKhZTTSSfZt9zchjdCI3sO+MZI
warning: agent returned different signature type ssh-rsa (expected rsa-sha2-512)
debug3: send packet: type 50
debug3: receive packet: type 52
debug1: Authentication succeeded (publickey).
Authenticated to <host> ([<host>]:22).
debug1: channel 0: new [client-session]
debug3: ssh_session2_open: channel_new: 0
debug2: channel 0: send open
debug3: send packet: type 90
debug1: Requesting [email protected]
debug3: send packet: type 80
debug1: Entering interactive session.
debug1: pledge: exec
debug1: console supports the ansi parsing
debug3: Successfully set console output code page from:437 to 65001
debug3: Successfully set console input code page from:437 to 65001
debug3: receive packet: type 80
debug1: client_input_global_request: rtype [email protected] want_reply 0
debug3: receive packet: type 91
debug2: channel_input_open_confirmation: channel 0: callback start
debug2: client_x11_get_proto: C:\\cygwin64\\bin\\xauth.exe -f C:\\Temp/ssh-ZLktm6tmnewa/xauthfile generate unix:0.0 MIT-MAGIC-COOKIE-1 untrusted timeout 1260 2>/dev/null
Warning: untrusted X11 forwarding setup failed: xauth key data not generated
debug1: Requesting authentication agent forwarding.
debug2: channel 0: request [email protected] confirm 0
debug3: send packet: type 98
debug2: fd 3 setting TCP_NODELAY
debug2: client_session2_setup: id 0
debug2: channel 0: request pty-req confirm 1
debug3: send packet: type 98
debug2: channel 0: request shell confirm 1
debug3: send packet: type 98
debug2: channel_input_open_confirmation: channel 0: callback done
debug2: channel 0: open confirm rwindow 0 rmax 32768
debug3: receive packet: type 99
debug2: channel_input_status_confirm: type 99 id 0
debug2: PTY allocation request accepted on channel 0
debug2: channel 0: rcvd adjust 2097152
debug3: receive packet: type 99
debug2: channel_input_status_confirm: type 99 id 0
debug2: shell request accepted on channel 0
Welcome to Ubuntu 18.04.3 LTS (GNU/Linux 4.15.0-65-generic x86_64)

It seems there are only two lines relevant to the X11 forwarding setup.

And here's my xauth info in my .ssh/config:

Host *
	XAuthLocation C:\cygwin64\bin\xauth.exe

@riverar

riverar commented Apr 29, 2020

@hakasapl Thanks for the dump.

I'll have to check Cygwin, but I suspect xauth there has the same quirk as VcXsrv in that it doesn't understand the unix: shorthand to refer to the local machine (see #1563 (comment)).

Is your DISPLAY set to localhost:[...]? Can you try replacing it with 127.0.0.1:[...]? That'll work around ssh's internal replace of localhost with unix and should line up with your xauth configuration.

@hakasapl
Author

Same issue unfortunately after resetting the display environment var. It is currently set to 127.0.0.1:0.0

debug2: client_x11_get_proto: C:\\cygwin64\\bin\\xauth.exe -f C:\\Temp/ssh-mgbvhjg1lvUN/xauthfile generate 127.0.0.1:0.0 MIT-MAGIC-COOKIE-1 untrusted timeout 1260 2>/dev/null
Warning: untrusted X11 forwarding setup failed: xauth key data not generated

@riverar

riverar commented Apr 29, 2020

@hakasapl Can you provide a dump of xauth list?

@hakasapl
Author

Nothing printed

PS C:\Users\Hakan> C:\cygwin64\bin\xauth.exe list
PS C:\Users\Hakan>

@riverar

riverar commented Apr 30, 2020

@hakasapl Thanks, I'm setting up a Cygwin xauth test now and will get back to you shortly.

@riverar

riverar commented Apr 30, 2020

@hakasapl So this works for me here, few more questions:

  • Can you provide the version of xauth? (xauth version)
  • Does C:\Temp actually exist? Can your user (non-elevated) create files in there? You may alternatively want to use a more private location like C:\Users\[username]\AppData\Local\Temp.
  • Does manually running xauth work or produce errors? (e.g. in PowerShell: C:\\cygwin64\\bin\\xauth.exe -f $env:Temp generate 127.0.0.1:0.0 MIT-MAGIC-COOKIE-1 untrusted timeout 10)

@hakasapl
Author

XAuth version is 1.1.

Yes, C:\Temp actually exists and I can write to it unelevated.

PS C:\Users\Hakan> C:\\cygwin64\\bin\\xauth.exe -f $env:Temp generate 127.0.0.1:0.0 MIT-MAGIC-COOKIE-1 untrusted timeout 10
/usr/bin/xauth: (argv):1:  couldn't query Security extension on display "127.0.0.1:0.0"

That may be the root cause here. I verified the X-server was running on 127.0.0.1:0.0 and listening tcp.

@riverar

riverar commented Apr 30, 2020

@hakasapl Ah. Is this with Xwin? Try switching back to Vcxsrv if possible. I've used that successfully.

I'll install Xwin and try reproducing this now.

@riverar

riverar commented Apr 30, 2020

@hakasapl Can confirm Cygwin/X doesn't support untrusted forwarding per FAQ https://x.cygwin.com/docs/faq/cygwin-x-faq.html#q-trusted-untrusted-x11-forwarding

@hakasapl
Author

hakasapl commented May 1, 2020

With Vcxsrv it still had the same log message, except it uses Vcxsrv xauth now. When I tried to manually generate, I don't get an error this time (I did with Cygwin), but xauth list still yields nothing and the untrusted X11 forwarding still doesn't work with the same log messages.

@riverar

riverar commented May 1, 2020

@hakasapl Thanks for your patience, there are a bunch of bugs interacting with each other that are likely impacting you here. Can you post a new log dump?

I have Vcxsrv working here, so we just need to compare notes.

@hakasapl
Author

hakasapl commented May 3, 2020

Sorry, I won't be able to take a look at this for a few days, but I'll get back to you with a dump soon.

@riverar

riverar commented May 29, 2020

@hakasapl any updates?

@maertendMSFT
Collaborator

@hakasapl ping
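
The checks worked through in this thread (TMPDIR, an XAuthLocation without spaces, a manual xauth generate followed by xauth list), collected into one PowerShell script as an added example; it is not code from any participant or from Win32-OpenSSH. The default xauth path and display are assumptions taken from the thread's values, and the scratch directory name is made up for the example.

```powershell
# Added example: pre-flight checks for untrusted X11 forwarding (ssh -X) on a Windows client.
# Assumptions: the default xauth path and display are values from this thread; pass your own.
param(
    [string]$XAuth   = 'C:\Progra~1\VcXsrv\xauth.exe',
    [string]$Display = '127.0.0.1:0.0'
)

$findings = @()

# 1. ssh creates its xauth scratch directory under TMPDIR (the mkdtemp error in this thread).
$tmp = $env:TMPDIR
if (-not $tmp) {
    $findings += 'TMPDIR is not set'
} elseif (-not (Test-Path -LiteralPath $tmp -PathType Container)) {
    $findings += "TMPDIR '$tmp' does not exist"
}
if ($findings) { $tmp = $env:TEMP }   # fall back so the remaining checks can still run

# 2. XAuthLocation must point at a real file; the thread's workaround avoids spaces in it.
if ($XAuth -match '\s') { $findings += "xauth path contains spaces: $XAuth" }
if (-not (Test-Path -LiteralPath $XAuth -PathType Leaf)) {
    $findings += "xauth not found at $XAuth"
    $findings | ForEach-Object { Write-Warning $_ }
    return
}

# 3. Repeat what ssh -X does: request an untrusted cookie into a scratch file, then list it.
$name = 'xauth-check-' + [guid]::NewGuid().ToString('N')   # hypothetical scratch name
$dir  = New-Item -ItemType Directory -Path (Join-Path $tmp $name)
$file = Join-Path $dir.FullName 'xauthfile'
try {
    # "$_" turns stderr records into plain message text, so matching is not affected by wrapping.
    $gen = (& $XAuth -f $file generate $Display MIT-MAGIC-COOKIE-1 untrusted timeout 10 2>&1 |
            ForEach-Object { "$_" }) -join "`n"
    $cookies = & $XAuth -f $file list $Display 2>$null
    if ($gen -match 'Security extension') {
        # Same message Cygwin/X produced in the thread: no untrusted cookies from this server.
        $findings += "X server on $Display does not offer the Security extension"
    } elseif (-not $cookies) {
        # An empty list is what ssh reports as "xauth key data not generated".
        $findings += "xauth generate produced no cookie. xauth output: $gen"
    }
} finally {
    Remove-Item -LiteralPath $dir.FullName -Recurse -Force   # the scratch file may hold a cookie
}

if ($findings) { $findings | ForEach-Object { Write-Warning $_ } }
else { Write-Output "Untrusted cookie generated for $Display; ssh -X prerequisites look fine." }
```

Run it non-elevated, as the same user that runs ssh, so the TMPDIR and file-permission checks reflect what ssh itself will see.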
