Something's bothered me when running commands via ssh in my Snow Leopard Mac for a while now. I've been running XQuartz rather than the default X11.app for reasons I can't even remember now. This problem persists in both.
    $ ssh -X remote xlogo
    Warning: untrusted X11 forwarding setup failed: xauth key data not generated
    Warning: No xauth data; using fake authentication data for X11 forwarding.
Turns out they can both be fixed if you have xauth set up right. Seems xauth doesn't like local DISPLAY names with periods in them.
    $ xauth generate $DISPLAY .
    xauth: (argv):1: bad display name "/tmp/launch-158PCz/org.macosforge.xquartz:0" in "add" command
    $ echo $DISPLAY
    /tmp/launch-158PCz/org.macosforge.xquartz:0
I read a few places online and most of them recommended ignoring the problem. Lots said not to change the DISPLAY variable. I found one (I forget where) that fixed the problem using symlinks and here's my implementation of that. I added this to a path that gets executed from my .bashrc:
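    # xauth rejects the launchd DISPLAY path because it contains periods
    if [ -e "$DISPLAY" ]; then
        DISPDIR=$(dirname "$DISPLAY")
        NEWDISP="${DISPDIR}/:0"
        if [ ! -e "$NEWDISP" ]; then
            # Alias the socket under a name xauth accepts, then generate a cookie for it
            ln -s "$DISPLAY" "$NEWDISP"
            xauth -q generate "$NEWDISP" .
        fi
        export DISPLAY="$NEWDISP"
    fi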
If any of this is a tremendously bad idea just let me know!
You might be tempted to add ForwardX11Trusted to your ~/.ssh/config but I've heard that's a bad idea.
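A guarded form of the symlink workaround above, as an added example that is not part of the original post: it only creates the alias when `$DISPLAY` is a real socket in a directory you own that nobody else can write to, and it reuses an existing `:0` only if it points at that same socket. `display_alias` is a hypothetical helper name, the launchd socket layout is assumed to be the one shown above, and the helper does not run xauth.

```shell
# Added example (not the author's code). display_alias is a hypothetical name.
# Prints the alias path on success; returns non-zero and changes nothing otherwise.
display_alias() {
    sock=$1
    # Act only on a real Unix socket, not on a symlink or a regular file.
    [ -n "$sock" ] && [ -S "$sock" ] && [ ! -L "$sock" ] || return 1
    dir=$(dirname "$sock")
    # The containing directory must be a real directory owned by this user ...
    [ -d "$dir" ] && [ ! -L "$dir" ] && [ -O "$dir" ] || return 1
    # ... and not writable by group or others (mode string such as drwx------).
    case $(ls -ld -- "$dir") in
        d????-??-?*) ;;
        *) return 1 ;;
    esac
    alias_path="$dir/:0"
    if [ -L "$alias_path" ]; then
        # Reuse an existing alias only if it points at this exact socket.
        [ "$(readlink "$alias_path")" = "$sock" ] || return 1
    elif [ -e "$alias_path" ]; then
        return 1    # something that is not our symlink already uses the name
    else
        ln -s "$sock" "$alias_path" || return 1
    fi
    printf '%s\n' "$alias_path"
}

# Usage in ~/.bashrc: keep the original DISPLAY if any check fails.
if new_display=$(display_alias "${DISPLAY:-}"); then
    export DISPLAY="$new_display"
fi
```

In a shell that already inherited the aliased `DISPLAY`, the helper sees a symlink, returns non-zero, and the variable is left as it is.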
Comments
Posted Sunday 27 June 2010
/usr/X11R6/bin/xauth: (argv):1: bad display name "/tmp/launch-iq6W7f/orgamacosforgeaxquartz:0" in "add" command"
and I still got the failure message from SSH.
Rather than guess what it wanted, I tried the xauth from MacPorts' x11/xauth package. That worked, dots and all:
    bash$ touch blahxauthfile
    bash$ /opt/X11/bin/xauth -f blahxauthfile generate /tmp/launch-iq6W7f/org.macosforge.xquartz:0 MIT-MAGIC-COOKIE-1 untrusted timeout 1200
    bash$
and can be set in .ssh/config using XAuthLocation. Let's hope Lion fixes /usr/X11R6/bin/xauth.
Warning: untrusted X11 forwarding setup failed: xauth key data not generated
Warning: No xauth data; using fake authentication data for X11 forwarding.
My two modifications to your fix were to drop the line that executed "xauth", for the reasons that James Gilbert said, and that I put it in ~/.bash_profile, which I think is the more standard place to modify environment variables (at least that's how my Mac bash environment is set up). Your approach of using a logical link seemed less-intrusive and safer than moving the file. The resulting section I added to ~/.bash_profile is:
    if [ -e "$DISPLAY" ]; then
        DISPDIR=$(dirname "$DISPLAY")
        NEWDISP="${DISPDIR}/:0"
        if [ ! -e "$NEWDISP" ]; then
            ln -s "$DISPLAY" "$NEWDISP"
        fi
        export DISPLAY="$NEWDISP"
    fi
Your procedure provides a workaround to an acknowledged bug in XQuartz, see http://xquartz.macosforge.org/trac/ticket/459, which has been fixed as of XQuartz v. 2.6.0, but Apple's Software Update has not yet pushed out these bug fixes as of the current time (even though this bug was fixed 7 months ago).
The "untrusted X11 forwarding" is apparently designed to try to prevent keyloggers from stealing passwords, etc. However, one should be aware that there are statements on the web that this may give a false sense of security and is only slightly more secure than "trusted X11 forwarding", see for example:
http://cygwin.com/ml/cygwin-xfree/2008-11/msg00154.html
http://dailypackage.fedorabook.com/index.php?/archives/48-Wednesday-Why-Trusted-and-Untrusted-X11-Forwarding-with-SSH.html
I do not understand these issues well enough to know if they are out of date or not. The official x.org web site has some statements about "ongoing" work to improve security:
http://www.x.org/wiki/Development/Documentation/Security
    if [ -e "$DISPLAY" ]; then
        dispdir=`dirname "$DISPLAY"`
        dispfile=`basename "$DISPLAY"`
        if [ "$dispfile" = "org.macosforge.xquartz:0" ]; then
            dispnew="$dispdir/:0"
            mv "$DISPLAY" "$dispnew" && export DISPLAY="$dispnew"
        fi
    fi
So I rename the file, rather than making a symbolic link. I don't run xauth, because ssh appears to do that for me when I connect to a host with X11Forward set, and because when xauth runs it launches my X11, so I don't want that happening.
Thanks :-)