
KB-7691: SSH -X fails, X11Forwarding

Centrify DirectControl

14 November,16 at 05:33 PM

Applies to: 

Centrify-enabled OpenSSH 7.2p2 on all supported platforms 

Problem: 

In Centrify-enabled OpenSSH 7.2p2 (Suite2016.1), SSH X11 'untrusted-mode' forwarding, aka 'ssh -X', fails.

Cause: 

For 'ssh -X', OpenSSH calls 'xauth' on the client machine, which relies on the XC-Security extension in xorg-server. That extension has been disabled by default since xorg-server version 1.7.5, and system vendors may enable or disable it in their own xorg-server builds. This includes Centrify-enabled OpenSSH. When the XC-Security extension is disabled, 'xauth' fails. In Centrify-enabled OpenSSH versions prior to 7.2p2, if 'xauth' failed in 'untrusted-mode', the fallback setting was used and the forwarding still succeeded; starting in version 7.2p2, the forwarding fails outright. This is a security enhancement adopted per Xorg and OpenSSH best practices.

More details on this can be found from the official Xorg documentation. 

Resolution: 

Centrify no longer supports untrusted X11 forwarding.

Note: 
Going forward, Centrify-enabled OpenSSH will support only 'ssh -Y', but '-X' will be kept for backward compatibility. For 'ssh -X', OpenSSH calls the 'xauth' program on the client machine, which uses the XC-Security extension in xorg-server. That extension has been disabled by default since xorg-server version 1.7.5, and system vendors may enable or disable it in their own xorg-server builds, so 'xauth' will fail where it is disabled. Check the Xorg documentation for details.
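
A client-side check for the condition described under Cause, as an added example that is not Centrify or OpenSSH code: it looks for SECURITY (the name under which an X server lists the XC-Security extension) in `xdpyinfo` output and, when run with `--check`, asks `xauth` for an untrusted cookie. The function names, the `--check` switch, the result labels and the sample output are constructed for illustration; `xdpyinfo` and `xauth` are assumed to be installed on the client.

```shell
#!/bin/sh
# Added example, not vendor code. Both samples are constructed xdpyinfo output.
SAMPLE_ENABLED='name of display:    :0
number of extensions:    3
    BIG-REQUESTS
    SECURITY
    XFIXES
default screen number:    0'
SAMPLE_DISABLED='name of display:    :0
number of extensions:    2
    BIG-REQUESTS
    XFIXES
default screen number:    0'

# Reads xdpyinfo output on stdin; exits 0 only if SECURITY appears inside
# the indented extension list (not elsewhere in the output).
has_security_ext() {
    awk '
        /^number of extensions:/   { in_ext = 1; next }
        in_ext && /^[^ \t]/        { in_ext = 0 }   # next unindented section
        in_ext && $1 == "SECURITY" { found = 1 }
        END { exit (found ? 0 : 1) }
    '
}

# Reads xdpyinfo output on stdin; prints an illustrative label:
#   untrusted-ok  the server can issue untrusted cookies (ssh -X can work)
#   trusted-only  XC-Security is absent, so only ssh -Y can forward X11
x11_forward_mode() {
    if has_security_ext; then
        echo "untrusted-ok"
    else
        echo "trusted-only"
    fi
}

# Live check against the local X server; runs only when called with --check.
if [ "${1:-}" = "--check" ]; then
    echo "X server at $DISPLAY: $(xdpyinfo | x11_forward_mode)"
    cookie=$(mktemp)
    # The same kind of request ssh -X makes: an untrusted, time-limited cookie.
    if xauth -f "$cookie" generate "$DISPLAY" MIT-MAGIC-COOKIE-1 untrusted timeout 60; then
        echo "xauth generated an untrusted cookie"
    else
        echo "xauth could not generate an untrusted cookie"
    fi
    rm -f "$cookie"
fi
```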
