Matthew Garrett, a well-known Linux kernel contributor and a security developer at CoreOS, took a swipe at Ubuntu Snap in a blog post Thursday, saying, "Any Snap package you install is completely capable of copying all your private data to wherever it wants with very little difficulty." He claimed that installing Snap packages while using the X11 display server was insecure, and he put together a proof-of-concept showing how a benign-looking application can log keystrokes typed into a totally different application (in this case, Firefox). There is already a claim that Snap can be circumvented on Ubuntu, but the truth is a little more complex. I haven’t tested this.

The new Ubuntu distribution is out, along with the new Snap package format for improving application and OS security.

It’s possible that using “ssh -Y ” may work as well, as it may not trigger the untrusted auth timeout.

The only change that needs to be made is to add the following line to the Mac client’s /etc/ssh_config:

ForwardX11Timeout 596h

Why 596 hours? If you convert 596 hours to milliseconds, it’s just under 2^31, and 597 hours is just over 2^31, so there is some kind of signed 32-bit integer overflow problem somewhere along the line. So this did appear to be the right parameter to fix this.

Finally, through a binary search I found that a setting of 596 hours worked: it didn’t crash the Mac’s X11 server, and it doesn’t time out as described above.

I tried a few other settings, for example 0 resulted in timeouts occurring immediately (as opposed to never, which I would have expected), and 10s caused new xterm invocations to fail after about 10 seconds.

This caused the X11 server on the Mac to open, and then immediately crash, sending a report to Apple.

Of course I would like the longest possible timeout setting, so I started with very long times, like 10000 weeks.

Override the Timeout Default (and avoid a Mac OS X bug)

Even though the Mac’s man pages don’t list ForwardX11Timeout as a parameter, adding it to /etc/ssh_config does not cause an unrecognized option error, so it’s a legal option.

It comes into play only for untrusted connections, apparently, but I don’t have a full trust authority system set up since I only do this locally. In that context, the default value of the timeout parameter is 20 minutes. A few postings about this parameter are in the context of the Cygwin X server, but the symptoms reported are the same as what I saw. Even Mac OS X’s ssh_config and ssh man pages do not list ForwardX11Timeout as a parameter. Web searches for “ForwardX11Timeout” don’t help much; there is very little information about it. So there is apparently a timeout for forwarding X11 display over SSH.

Follow the same steps and at the time it fails to start a new xterm it will report: Rejected X11 connection after ForwardX11Timeout expired

It’s an X11 Forwarding Timeout

It fails with the message “xterm Xt error: Can’t open display: localhost:10.0”

After spending a few hours on this, the debug step that led me to the solution was to invoke ssh from the Mac with the highest level of debug logging: “ssh -vvv -X ”.