Rhialto <[email protected]> wrote:
> On Thu 15 May 2014 at 20:13:10 +0100, Aaron Sloman wrote:
> > X11 connection rejected because of wrong authentication.
> > X connection to localhost:10.0 broken (explicit kill or server
> > shutdown).
> With :10.0 I suspect you used ssh -X to forward your X server
> connection. Is that right?
Actually, when I did the test I had completely forgotten about the need for
permissions, because normally I use ssh only for remote logins and file
transfers, without remote execution of X clients. (I do almost all my editing in
a plain text editor that uses an Xterm window on my local machine.)
However, I've just looked in my ~/.ssh/config file, which has

    Host *
    ForwardX11 yes

(It also had these two lines as a relic of some past bad experiences with
ssh timeouts:

    ServerAliveCountMax 60000
    ServerAliveInterval 60000

But those were not understood by the ancient ssh on the Sun, and I commented
them out.)
> Starting from some version of ssh, connections forwarded like that are
> "untrusted" and some operations are not allowed on them. (I'm not really
> sure which ones, but I remember that it prevented me from running gvim
> because of that).
>
> But those same versions now have an extra option -Y also, to mark the
> connection (or, as I understand it, the clients at the other end of the
> tunnel) as trustworthy. So if you use -Y instead, what you tried
> (whatever it was) might work better. I can surely imagine that allowing
> a screen locker access to your display requires more trust than just any
> random client.
Agreed. One day when I am in my office and have some spare time, I may try
experimenting to check whether attempting to launch Xlock did produce the error
message, and if so whether using -Y suppresses it.
Aaron
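
An added example, not part of the original messages: a small Python check that reads ssh_config text and reports X11 forwarding switched on for wildcard host patterns, such as the `Host *` / `ForwardX11 yes` block quoted above. The function names and the sample configuration are constructed for illustration; `ForwardX11Trusted` is the ssh_config counterpart of the `-Y` option discussed in the thread.

```python
import re

X11_OPTIONS = {"forwardx11", "forwardx11trusted"}

# Constructed sample; the first block is the one quoted in the message.
SAMPLE_CONFIG = """\
Host *
    ForwardX11 yes
#   ServerAliveInterval 60000

Host build.example.org
    ForwardX11 yes
    ForwardX11Trusted yes

Host *.lab.example.org !gw.lab.example.org
    ForwardX11Trusted = yes
"""

def parse_line(line):
    """Return (keyword, argument) for one ssh_config line, or None."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    # Keyword and argument are separated by whitespace or an optional '='.
    parts = re.split(r"\s*=\s*|\s+", line, maxsplit=1)
    if len(parts) < 2:
        return None
    return parts[0].lower(), parts[1].strip().strip('"')

def is_broad(scope):
    """True if a Host pattern list contains a wildcard pattern."""
    # Negated patterns (!pat) only exclude hosts, so they are skipped.
    # Match blocks carry no wildcard patterns here and are never flagged.
    return any(("*" in p or "?" in p)
               for p in scope.split() if not p.startswith("!"))

def audit_x11_forwarding(config_text):
    """List (scope, option) for X11 forwarding enabled on wildcard scopes."""
    findings = []
    scope = "*"  # options before the first Host line apply to every host
    for raw in config_text.splitlines():
        parsed = parse_line(raw)
        if parsed is None:
            continue
        keyword, arg = parsed
        if keyword in ("host", "match"):
            scope = arg if keyword == "host" else "match " + arg
        elif keyword in X11_OPTIONS and arg.lower() == "yes" and is_broad(scope):
            findings.append((scope, keyword))
    return findings
```

Calling `audit_x11_forwarding(SAMPLE_CONFIG)` reports the `Host *` block and the wildcard lab block, and leaves the single named host alone.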