Re: DISPLAY not set inside jails after update to 10.3-PRERELEASE FreeBSD 10.3-PRERELEASE #4 r297043
On Sun, Mar 20, 2016 at 07:47:58AM +0800, Erich Dollansky wrote: > Hi, > > On Sat, 19 Mar 2016 08:23:09 -0600 > Ian Leporewrote: > > > On Sat, 2016-03-19 at 13:48 +0800, Erich Dollansky wrote: > > > > > > nothing else was changed on the machine except the update. I could > > > use > > > > > > ssh 192.168.12.12 > > > > > > to connect to a jail running under that IP address before the update > > > without problems. > > > > > > It works now only with > > > > > > ssh -Y 192.168.12.12 > > > > > > The /etc/ssh/ssh_config file says: > > > > > > Host * > > > ForwardX11 yes > > > > > > So, it should allow to connect to all machines providing ssh and > > > forward X11. > > > > > > What did I miss? > > > > If -Y works, the ssh config file option that corresponds to that is > > ForwardX11Trusted. ForwardX11 corresponds to -X. (Not sure what > > changed, just throwing out the one little crumb of info I've got.) > > > I got this as an off-list reply: > > Could this be related to FreeBSD-SA-16:14.openssh? Not FreeBSD-SA-16:14.openssh and CVE-2016-3115 respectively, but most likely the changes for CVE-2016-1908 which came in as part of the upgrade to OpenSSH 7.2p2, i. e. (among others): https://anongit.mindrot.org/openssh.git/commit/?id=ed4ce82dbfa8a3a3c8ea6fa0db113c71e234416c The xorg-server port is built with the X11 SECURITY extension disabled. I just can suspect that the intent is to use a nested X server such as Xephyr for securely running applications instead. Actually, I'm surprised that such a fallback to trusted forwarding existed. I believe it wasn't present back when ForwardX11Trusted was introduced, essentially already causing the trouble you're now hitting. Marius signature.asc Description: PGP signature
Re: DISPLAY not set inside jails after update to 10.3-PRERELEASE FreeBSD 10.3-PRERELEASE #4 r297043
Hi, On Sat, 19 Mar 2016 08:23:09 -0600 Ian Leporewrote: > On Sat, 2016-03-19 at 13:48 +0800, Erich Dollansky wrote: > > > > nothing else was changed on the machine except the update. I could > > use > > > > ssh 192.168.12.12 > > > > to connect to a jail running under that IP address before the update > > without problems. > > > > It works now only with > > > > ssh -Y 192.168.12.12 > > > > The /etc/ssh/ssh_config file says: > > > > Host * > > ForwardX11 yes > > > > So, it should allow to connect to all machines providing ssh and > > forward X11. > > > > What did I miss? > > If -Y works, the ssh config file option that corresponds to that is > ForwardX11Trusted. ForwardX11 corresponds to -X. (Not sure what > changed, just throwing out the one little crumb of info I've got.) > I got this as an off-list reply: Could this be related to FreeBSD-SA-16:14.openssh? Erich ___ freebsd-stable@freebsd.org mailing list https://lists.freebsd.org/mailman/listinfo/freebsd-stable To unsubscribe, send any mail to "freebsd-stable-unsubscr...@freebsd.org"
Re: DISPLAY not set inside jails after update to 10.3-PRERELEASE FreeBSD 10.3-PRERELEASE #4 r297043
On Sat, 2016-03-19 at 13:48 +0800, Erich Dollansky wrote: > Hi, > > nothing else was changed on the machine except the update. I could > use > > ssh 192.168.12.12 > > to connect to a jail running under that IP address before the update > without problems. > > It works now only with > > ssh -Y 192.168.12.12 > > The /etc/ssh/ssh_config file says: > > Host * > ForwardX11 yes > > So, it should allow to connect to all machines providing ssh and > forward X11. > > What did I miss? > > Erich If -Y works, the ssh config file option that corresponds to that is ForwardX11Trusted. ForwardX11 corresponds to -X. (Not sure what changed, just throwing out the one little crumb of info I've got.) -- Ian ___ freebsd-stable@freebsd.org mailing list https://lists.freebsd.org/mailman/listinfo/freebsd-stable To unsubscribe, send any mail to "freebsd-stable-unsubscr...@freebsd.org"
DISPLAY not set inside jails after update to 10.3-PRERELEASE FreeBSD 10.3-PRERELEASE #4 r297043
Hi, nothing else was changed on the machine except the update. I could use ssh 192.168.12.12 to connect to a jail running under that IP address before the update without problems. It works now only with ssh -Y 192.168.12.12 The /etc/ssh/ssh_config file says: Host * ForwardX11 yes So, it should allow to connect to all machines providing ssh and forward X11. What did I miss? Erich ___ freebsd-stable@freebsd.org mailing list https://lists.freebsd.org/mailman/listinfo/freebsd-stable To unsubscribe, send any mail to "freebsd-stable-unsubscr...@freebsd.org"