* Forwarding X connections using ssh
@ 2002-03-27 17:56 Justin Smith
  2002-03-27 18:33 ` Stephen Smalley
  0 siblings, 1 reply; 2+ messages in thread
From: Justin Smith @ 2002-03-27 17:56 UTC (permalink / raw)
  To: SELinux

I am using the latest release (2.4.18) of SELinux with no patches
(beyond the bare release) and 

OpenSSH_3.1p1, SSH protocols 1.5/2.0, OpenSSL 0x0090602f
(with the sshd on the remote machine provided by SELinux)

 and have a problem forwarding X connections.

Whenever I log in to a remote machine that is in enforcing mode
I get the message

Last login: Wed Mar 27 12:36:49 2002 from
pool-141-158-41-46.phil.east.verizon.net
/usr/X11R6/bin/xauth:  timeout in locking authority file
/home/jsmith/.Xauthority


and X connections are not authorized. When the remote machine is in
permissive mode, there's no problem.

The STRANGE thing is that there are no error messages from the kernel
(so I can't modify the security policy to allow this).

When I do this in verbose mode, I get the messages:
debug2: x11_get_proto /usr/X11R6/bin/xauth list :0.0 2>/dev/null
debug1: Requesting X11 forwarding with authentication spoofing.
debug1: channel request 0: x11-req
debug1: channel request 0: shell
debug1: fd 3 setting TCP_NODELAY
debug2: callback done
debug1: channel 0: open confirm rwindow 0 rmax 32768
debug2: channel 0: rcvd adjust 131072


Any suggestions will be greatly appreciated!

-- 
______________________________________________________________________
Time blows wildly against my door       | Justin R. Smith
Stirring discarded sorrows      	| Department of Mathematics and
Like dead leaves of summers past        |     Computer Science
Memories of forgotten lore          	| Drexel University
Making way for new tomorrows         	| Philadelphia, PA 19104
New hopes, new fears,                   |
         and new ways that last         | Office: (215) 895-1847
URL: http://vorpal.mcs.drexel.edu       | Fax:    (215) 895-1582



--
You have received this message because you are subscribed to the selinux list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.


* Re: Forwarding X connections using ssh
  2002-03-27 17:56 Forwarding X connections using ssh Justin Smith
@ 2002-03-27 18:33 ` Stephen Smalley
  0 siblings, 0 replies; 2+ messages in thread
From: Stephen Smalley @ 2002-03-27 18:33 UTC (permalink / raw)
  To: Justin Smith; +Cc: SELinux


On 27 Mar 2002, Justin Smith wrote:

> I am using the latest release (2.4.18) of SELinux with no patches
> (beyond the bare release) and
>
> OpenSSH_3.1p1, SSH protocols 1.5/2.0, OpenSSL 0x0090602f
> (with the sshd on the remote machine provided by SELinux)
>
>  and have a problem forwarding X connections.
>
> Whenever I log in to a remote machine that is in enforcing mode
> I get the message
>
> Last login: Wed Mar 27 12:36:49 2002 from
> pool-141-158-41-46.phil.east.verizon.net
> /usr/X11R6/bin/xauth:  timeout in locking authority file
> /home/jsmith/.Xauthority
>
>
> and X connections are not authorized. When the remote machine is in
> permissive mode, there's no problem.
>
> The STRANGE thing is that there are no error messages from the kernel
> (so I can't modify the security policy to allow this).

I don't seem to have any problems forwarding X connections via ssh between
two SELinux systems here that are both running in enforcing mode.  Restart
klogd and try it again, and verify that no messages are logged by the
AVC (avc:) or the security server (security_compute_sid:).  What are your
security option settings in your .config file?

--
Stephen D. Smalley, NAI Labs
ssmalley@nai.com



