Bug 71508 - /etc/security/pam_env.conf breaks X forwarding with ssh (with patch).
Status: RESOLVED DUPLICATE of bug 70585
Alias: None
Product: Gentoo Linux
Classification: Unclassified
Component: [OLD] Core system
Hardware: x86 Linux
Importance: High normal
Assignee: PAM Gentoo Team (OBSOLETE)
Reported: 2004-11-17 03:14 UTC by Jakob Schiotz
Modified: 2005-07-17 13:06 UTC

Attachments
Comment out the offending line in pam_env.conf (patch, 435 bytes)
2004-11-17 03:16 UTC, Jakob Schiotz

Description Jakob Schiotz 2004-11-17 03:14:47 UTC
When logging in to a Gentoo machine using ssh, X forwarding does not work because the DISPLAY environment variable is set to remotehost:0.0 by /etc/security/pam_env.conf.  This overrides the setting (for example localhost:11.0) made by sshd.  Removing the line from /etc/security/pam_env.conf setting DISPLAY solves the problem. I was afraid that would break X in a su shell, but that is not the case.

Note that the default ssh setup is to disallow X forwarding, but I guess most people quickly enable it.

I will attach a patch to pam_env fixing this.

BTW, the value that pam_env.conf sets is at best a guess, which will make X work if one connects from display 0 on a machine with an insecure X setup.  Perhaps a better solution would be to enable X forwarding in ssh_config and sshd_config.



Reproducible: Always
Steps to Reproduce:
1. From another machine (remotehost.domain) log onto this machine with ssh.
2. echo $DISPLAY
3. xterm

Actual Results:  
Step 2: DISPLAY is remotehost.domain:0.0
Step 3: xterm fails

Expected Results:  
DISPLAY should be localhost:N.0 where N is 10 or larger.
xterm should pop up on the remote machine.


demokrit ssh # emerge info
Portage 2.0.51-r3 (default-linux/x86/2004.3, gcc-3.3.4, glibc-2.3.4.20040808-r1,
2.6.9 i686)
=================================================================
System uname: 2.6.9 i686 Mobile Intel(R) Pentium(R) 4 - M CPU 2.00GHz
Gentoo Base System version 1.4.16
Autoconf: sys-devel/autoconf-2.59-r5
Automake: sys-devel/automake-1.8.5-r1
Binutils: sys-devel/binutils-2.14.90.0.8-r1
Headers:  sys-kernel/linux26-headers-2.6.8.1
Libtools: sys-devel/libtool-1.5.2-r5
ACCEPT_KEYWORDS="x86"
AUTOCLEAN="yes"
CFLAGS="-O2 -march=pentium4 -fomit-frame-pointer -pipe"
CHOST="i686-pc-linux-gnu"
COMPILER=""
CONFIG_PROTECT="/etc /usr/X11R6/lib/X11/xkb /usr/kde/2/share/config
/usr/kde/3.3/env /usr/kde/3.3/share/config /usr/kde/3.3/shutdown
/usr/kde/3/share/config /usr/lib/mozilla/defaults/pref /usr/share/config
/usr/share/texmf/dvipdfm/config/ /usr/share/texmf/dvips/config/
/usr/share/texmf/tex/generic/config/ /usr/share/texmf/tex/platex/config/
/usr/share/texmf/xdvi/ /var/qmail/control"
CONFIG_PROTECT_MASK="/etc/gconf /etc/terminfo /etc/env.d"
CXXFLAGS="-O2 -march=pentium4 -fomit-frame-pointer -pipe"
DISTDIR="/var/portage/distfiles"
FEATURES="autoaddcvs autoconfig ccache distlocks sandbox sfperms"
GENTOO_MIRRORS="http://trumpetti.atm.tut.fi/gentoo/
ftp://trumpetti.atm.tut.fi/gentoo/ ftp://ftp.rhnet.is/pub/gentoo/
ftp://gd.tuwien.ac.at/opsys/linux/gentoo/"
MAKEOPTS="-j2"
PKGDIR="/var/portage/packages"
PORTAGE_TMPDIR="/var/tmp"
PORTDIR="/usr/portage"
PORTDIR_OVERLAY="/usr/local/portage"
SYNC="rsync://rsync.europe.gentoo.org/gentoo-portage"
USE="X Xaw3d acpi alsa arts atlas avi berkdb bitmap-fonts cdr crypt cups dga dvd
emacs encode fam flac foomaticdb fortran gdbm gif gpm gtk gtk2 imagemagick imap
imlib java jpeg kde libg++ libwww mad maildir mbox mikmod motif mozilla mpeg
mule ncurses netcdf nls nptl oggvobis oggvorbis opengl oss pam pcmcia pdflib
perlpng pnp ppds python qt quicktime readline scanner sdl slang spell sse ssl
svga tcltk tcpd tetex tiff truetype trusted usb wxwindows x86 xml2 xmms xv xvid
zlib"
Comment 1 Jakob Schiotz 2004-11-17 03:16:18 UTC
Created attachment 44143
Comment out the offending line in pam_env.conf

A proposed solution.  Perhaps somebody knows that the line is good for
something, in that case another solution must be found.  But the line does not
seem reasonable.
Comment 2 Toralf Förster gentoo-dev 2004-11-17 03:22:32 UTC
I commented out this line:
#DISPLAY                DEFAULT=${REMOTEHOST}:0.0 OVERRIDE=${DISPLAY}

because it me to start xfce while logged in at the command line and try to start xfc4 without kdm, xdm and so on.
Comment 3 Toralf Förster gentoo-dev 2004-11-17 05:42:07 UTC
Aargh, wrong copy + paste, again:

Setting the DISPLAY variable in pam_env.conf in the actual manner is not a good idea, because after a login at the console the variable DISPLAY is set regardless of whether X was started or not. This causes at least /usr/bin/startxfc4 to fail with "X server already running on display :0.0" even if no X11 is running.
Comment 4 Uwe Weissenbacher 2004-11-18 01:54:58 UTC
This is a duplicate of bug #70585
Can somebody with the rights to do this change the status?
Comment 5 Jakob Schiotz 2004-11-18 02:41:07 UTC
Yes, it is indeed a duplicate.  Sorry about not catching this when I reported it.

*** This bug has been marked as a duplicate of 70585 ***
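
The behaviour reported above, both the ssh case in the description and the console case in comment 3, can be reproduced with a simplified evaluator for pam_env.conf rules. This is an added example, not code from the bug's participants or from pam_env itself; the REMOTEHOST rule, the function names and the "pam_env value replaces sshd's value" model are assumptions taken from how the report describes the problem.

```python
import re

# Constructed excerpt. The DISPLAY rule is the line quoted in comment 2;
# the REMOTEHOST rule is an assumption about the rest of the file.
STOCK_CONF = """\
REMOTEHOST  DEFAULT=localhost OVERRIDE=@{PAM_RHOST}
DISPLAY     DEFAULT=${REMOTEHOST}:0.0 OVERRIDE=${DISPLAY}
"""
# The proposed fix: comment out the DISPLAY rule.
PATCHED_CONF = STOCK_CONF.replace("\nDISPLAY", "\n#DISPLAY")

RULE = re.compile(r"^(\w+)\s*(.*)$")
OPTION = re.compile(r'(DEFAULT|OVERRIDE)=("[^"]*"|\S*)')
REF = re.compile(r"([$@])\{(\w+)\}")

def parse_rules(text):
    """Yield (name, default, override) for every active, non-comment rule."""
    for line in text.splitlines():
        line = line.strip()
        m = RULE.match(line)
        if not line or line.startswith("#") or not m:
            continue
        name, rest = m.groups()
        opts = {k: v.strip('"') for k, v in OPTION.findall(rest)}
        yield name, opts.get("DEFAULT", ""), opts.get("OVERRIDE", "")

def expand(value, env, items):
    """${VAR} reads the environment built so far, @{ITEM} reads a PAM item."""
    return REF.sub(lambda m: (env if m[1] == "$" else items).get(m[2], ""), value)

def pam_env_vars(text, items):
    """Evaluate rules in order: a non-empty OVERRIDE wins, else DEFAULT."""
    env = {}
    for name, default, override in parse_rules(text):
        value = expand(override, env, items) or expand(default, env, items)
        if value:
            env[name] = value
    return env

def session_display(text, rhost, sshd_display):
    """Model from the report: a DISPLAY set by pam_env replaces sshd's value."""
    env = pam_env_vars(text, {"PAM_RHOST": rhost})
    return env.get("DISPLAY", sshd_display)

if __name__ == "__main__":
    for label, conf in (("stock", STOCK_CONF), ("patched", PATCHED_CONF)):
        print(label, "ssh:", session_display(conf, "remotehost.domain", "localhost:11.0"))
        print(label, "console:", session_display(conf, "", None))
```

With the stock rule, DISPLAY points at the client's own X server rather than the forwarded localhost:N.0 display, so X traffic would leave the encrypted ssh channel if it worked at all.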