ssh X11 forwarding "times out"

Question

ssh X11 forwarding "times out"

Hi,
I searched for an answer, came up empty.
Here is my small problem. I use xterm to ssh to UNIX or LINUX machines and X connections are automatically forwarded properly. The DISPLAY environment is set. After some 10 min or so, if not used, this forwarding expires. The message when starting for instance a new xemacs application:
Xlib: connection to "localhost:11.0" refused by server
Xlib: Invalid MIT-MAGIC-COOKIE-1 key
X server not responding
: "localhost:11.0"
My solution is to exit, reconnect and start the X application immediately. But, there might be a way to change that time out. I looked in ssh_config, could not see it.

I hope there is a "simple" way to extent the "expiration" time.
Thanks for any hints

Gerfried

iMac 800 MHz / PowerBook G4 Mac OS X (10.4.8)

iMac 800 MHz / PowerBook G4, Mac OS X (10.4.8)

Posted on Dec 12, 2006 6:59 AM

Reply

Answer 1

Bill Scott

Level 6

11,459 points

Dec 12, 2006 7:30 AM in response to Gerfried Kumbartzki

create a file called

~/.ssh/config

and put these lines into it:

Host *
ServerAliveInterval 120
ServerAliveCountMax 3

Reply

Answer 2

Dec 12, 2006 2:20 PM in response to Bill Scott

Thanks for the pointers.
This did not solve my problem. The ssh connection stays alive, only the X forwarding stops working. Usually, it is not a matter of inactivity, I use the xterm for other work. Just the next X application wont connect.

Gerfried

Reply

Answer 3

Dec 12, 2006 3:06 PM in response to Gerfried Kumbartzki

This looks interesting...

from SSH_CONFIG(5):

ForwardX11Trusted
If this option is set to ``yes'' then remote X11 clients will
have full access to the original X11 display.

If this option is set to ``no'' then remote X11 clients will be
considered untrusted and prevented from stealing or tampering
with data belonging to trusted X11 clients. Furthermore, the
xauth(1) token used for the session will be set to expire after
20 minutes. Remote clients will be refused access after this
time.

The default is ``no''.

See the X11 SECURITY extension specification for full details on
the restrictions imposed on untrusted clients.

Reply

Answer 4

Dec 12, 2006 4:43 PM in response to Gerfried Kumbartzki

Hi Andy,
I don't think that's the problem here because it isn't time dependent, is it? Gerfried said that forwarding works initially. I assume that he's talking about the same application although he doesn't say so explicitly. I suppose the initial app could have been trusted and the later one not.

If anyone is interested in reading the specification of the X11 Security Extension, I've provided a link to the PDF. It's actually readable and makes sense except that I wouldn't have the foggiest idea how to specify an app as trusted for me. Thank heaven you don't have to deal with that with secure shell. Using "ssh -Y" instead of "ssh -X" causes secure shell to mark all apps as trusted.

Hi Gerfried,
You've probably got the "new and improved" X11. I waited more than a half hour and then again an hour after logging in and forwarding continued to work. I've set my ServerAliveInterval, which you said didn't help and I've set my AddressFamily to inet, which cuts out consideration of IPv6 addresses. The use of IPv6 addresses has caused some weird problems in the past but I don't remember anything being time dependent.

Those are the only two options I have set so I'm betting that the "new and improved" X11 is the problem. My version is 1.1.2; I stopped upgrading when I heard about all of the bugs. X11 is easy to remove. Delete the app in /Applications/Utilities/X11.app, all of the package receipts in /Library/Receipts that begin with "X11" and the directories /private/etc/X11 and /usr/X11R6. Then reinstall from the system restore DVD. I've got the X11Update2006 update so you should be OK in this regard to install that update.

If that doesn't fix the problem then I would have to guess that something is weird about the remote UNIX machines. However, the error message suggests that the problem is on your Mac so I think that reverting to an older version of X11 will work.
--
Gary
~~~~
Under any conditions, anywhere, whatever you are doing,
there is some ordinance under which you can be booked.
-- Robert D. Sprecht, Rand Corp.

Reply

Answer 5

Dec 13, 2006 11:42 AM in response to Gary Kerbaugh

Hi again,

inspite of all the good ideas, I have made no progress.
Just the facts:
I use X11 from the Apple distribution: X11 1.0
ssh is Open SSH-4.2p1, Open SSL 0.9.7L 28.Sep 2006
I open xterm and use
ssh host or ssh -X host.
I can open any X application and it works fine. When I close the X application, stay connected, work or idle xterm without running an X application for a while and just want to go back and open the former (or any) X application used before or not,
I get the Xlib message.

As I understand the MIT-MAGIC-COOKIE-1 is set on the X Client when the connection is made. It is in the .Xauthority file. This file and its content does not change during a connection and there is only one such file. (Observation; the cookie is set newly only when ssh -X is used, else the file is visited but the cookie is not changed).
The puzzle is that, say I use more than one xterm and have more than one ssh connection to the same client, there is only one cookie in .Xauthority, but both windows behave independently; one refuses a new application while the other is still active (say has not "timed out") or has an X application running.

Where is the MIT-MAGIC-COOKIE-1 which Xlib complains about.
Xlib is running on the client.

I see this behaviour only when using my Mac as server. I get exact the same whether I connect to a Linux (Fedora Core 5) or True64 Unix box. I don't get this when connecting between the other systems.

Gerfried

Reply

Answer 6

Bill Scott

Level 6

11,459 points

Dec 13, 2006 1:52 PM in response to Gerfried Kumbartzki

do you have a dynamic ip address that is changing over the period of time in question?

Reply

Answer 7

Dec 13, 2006 2:04 PM in response to Gerfried Kumbartzki

Hi and thanks to all who tried to help.
Let me answer my own questions.
Lesson 1: It allways pays to keep digging.
Lesson 2: the time out (1200 sec) is built in and used by the xauth file generating the cookie at connection time , if and only if ForwardX11Trusted is no (the default). I learned that by running ssh -vv ( in debugging mode).
So, either set ForwardX11Trusted to yes or what is equivalent start
ssh -Y ....
Here is the relevant sequence of the debugging information:
debug2: x11 getproto: /usr/X11R6/bin/xauth -f /tmp/ssh-NqsVtPNYzM/xauthfile generate 😮.0 MIT-MAGIC-COOKIE-1 untrusted timeout 1200 2>/dev/null
debug2: x11 getproto: /usr/X11R6/bin/xauth -f /tmp/ssh-NqsVtPNYzM/xauthfile list 😮.0 . 2>/dev/null
Look at the untrusted timeout 1200!

Playing around, I'm pretty sure running -vv also nullifies the timeout !

Thanks again
Gerfried

iMac 800 MHz / PowerBook G4 Mac OS X (10.4.8)

Reply