SSH: Has hardcoded xauth location

Bug #8440 reported by Daniel Stone on 2004-09-24
Affects Status Importance Assigned to Milestone
openssh (Ubuntu)
Colin Watson

Bug Description

Would it be possible to get this changed for the (completely hypothetical, of
course) situation where you don't have a /usr/bin/X11, or a /usr/X11R6/bin?

Matt Zimmerman (mdz) wrote :

This should be changed for Hoary, since we are transitioning away from
/usr/X11R6. Hardcoded paths are considered harmful anyway.

Colin Watson (cjwatson) wrote :

This path has to be hardcoded for the moment; ssh does a stat() on it to figure
out whether it has xauth available. It can certainly be hardcoded to something else.

Miguel Rodríguez (migrax) wrote :

This is beating current breeze users, as xauth only appears to be in
/usr/x11R6/bin now.

Jim Richardson (warlock) wrote :

I got bit by this on Breezy, and took a while to figure out that I needed to
symlink xauth to /usr/bin/X11, which I also had to do for Xorg, but that's
another (related?) issue.

Matt Zimmerman (mdz) wrote :

This situation has become significantly less hypothetical of late :-)

Daniel, this is eventually going to move into /usr/bin, right?

Daniel Stone (daniels) wrote :

It's in /usr/bin now, and /usr/bin/X11 will become a symlink to /usr/bin soonish.

Colin Watson (cjwatson) wrote :

Yes, I haven't changed this because /usr/X11R6/bin/xauth will be going away soon
and /usr/bin/X11/xauth was supposed to be the safe forward-compatible location.
Hang in there. :-)

Stewart Smith (stewart) wrote :

This path is meant to be configurable via XAuthLocation in ssh[d]_config.

The man pages point to this.

Changing this configuration parameter has no effect.

Dennis Kaarsemaker (dennis) wrote :

This has been fixed in breezy

Colin Watson (cjwatson) wrote :

(In reply to comment #9)
> This has been fixed in breezy

No it hasn't - the xauth location is just up-to-date at the moment. It's still
hardcoded. Please leave this bug open.

Matt Zimmerman (mdz) on 2006-03-29
Changed in openssh:
status: Unconfirmed → Confirmed
Colin Watson (cjwatson) on 2007-04-20
Changed in openssh:
assignee: kamion → nobody
Loye Young (loyeyoung) wrote :

Wouldn't this bug be fixed by creating a hardlink?

# ln /usr/bin/X11/xauth /usr/bin/xauth

Changed in openssh (Ubuntu):
status: Confirmed → Fix Released

This is not fixed; please don't close it. It happens that the hardcoded
location is currently sane, but it's still hardcoded.

See comment #10, where I wrote exactly the same thing. I'm confused
about why I need to restate myself ...

Loye: A hardlink is not possible since /usr/bin/X11 is a symlink to '.'
(i.e. /usr/bin). This bug doesn't cause any practical problems right
now, and so doesn't need people trying to dream up workarounds, but it
is nevertheless a bug and should remain open.

 status triaged

Changed in openssh (Ubuntu):
status: Fix Released → Triaged

Sorry, I shouldn't have changed it without comment.

The XAuthLocation option appears to work for me.

sudo mv /usr/bin/xauth /usr/bin/xauth-
"ssh -X localhost" gives "Warning: No xauth data; using fake authentication data for X11 forwarding."
"ssh -X -o XAuthLocation=/usr/bin/xauth- localhost" gives no warning.

Eh.. I guess that's just for the client. Sorry for wasting your time.

Colin Watson (cjwatson) on 2010-03-29
Changed in openssh (Ubuntu):
status: Triaged → Fix Committed
assignee: nobody → Colin Watson (cjwatson)
Launchpad Janitor (janitor) wrote :
Download full text (6.4 KiB)

This bug was fixed in the package openssh - 1:5.5p1-3ubuntu1

openssh (1:5.5p1-3ubuntu1) maverick; urgency=low

  * Resynchronise with Debian. Remaining changes:
    - Add support for registering ConsoleKit sessions on login.
    - Drop openssh-blacklist and openssh-blacklist-extra to Suggests; they
      take up a lot of CD space, and I suspect that rolling them out in
      security updates has covered most affected systems now.
    - Convert to Upstart. The init script is still here for the benefit of
      people running sshd in chroots.
    - Install apport hook.
  * Stop setting OOM adjustment in Upstart job; sshd does it itself now.

openssh (1:5.5p1-3) unstable; urgency=low

  * Discard error messages while checking whether rsh, rlogin, and rcp
    alternatives exist (closes: #579285).
  * Drop IDEA key check; I don't think it works properly any more due to
    textual changes in error output, it's only relevant for direct upgrades
    from truly ancient versions, and it breaks upgrades if
    /etc/ssh/ssh_host_key can't be loaded (closes: #579570).

openssh (1:5.5p1-2) unstable; urgency=low

  * Use dh_installinit -n, since our maintainer scripts already handle this
    more carefully (thanks, Julien Cristau).

openssh (1:5.5p1-1) unstable; urgency=low

  * New upstream release:
    - Unbreak sshd_config's AuthorizedKeysFile option for $HOME-relative
    - Include a language tag when sending a protocol 2 disconnection
    - Make logging of certificates used for user authentication more clear
      and consistent between CAs specified using TrustedUserCAKeys and

openssh (1:5.4p1-2) unstable; urgency=low

  * Borrow patch from Fedora to add DNSSEC support: if glibc 2.11 is
    installed, the host key is published in an SSHFP RR secured with DNSSEC,
    and VerifyHostKeyDNS=yes, then ssh will no longer prompt for host key
    verification (closes: #572049).
  * Convert to dh(1), and use dh_installdocs --link-doc.
  * Drop lpia support, since Ubuntu no longer supports this architecture.
  * Use dh_install more effectively.
  * Add a NEWS.Debian entry about changes in smartcard support relative to
    previous unofficial builds (closes: #231472).

openssh (1:5.4p1-1) unstable; urgency=low

  * New upstream release (LP: #535029).
    - After a transition period of about 10 years, this release disables SSH
      protocol 1 by default. Clients and servers that need to use the
      legacy protocol must explicitly enable it in ssh_config / sshd_config
      or on the command-line.
    - Remove the libsectok/OpenSC-based smartcard code and add support for
      PKCS#11 tokens. This support is enabled by default in the Debian
      packaging, since it now doesn't involve additional library
      dependencies (closes: #231472, LP: #16918).
    - Add support for certificate authentication of users and hosts using a
      new, minimal OpenSSH certificate format (closes: #482806).
    - Added a 'netcat mode' to ssh(1): "ssh -W host:port ...".
    - Add the ability to revoke keys in sshd(8) and ssh(1). (For the Debian
      package, this overlaps with the key blacklisting facil...


Changed in openssh (Ubuntu):
status: Fix Committed → Fix Released
To post a comment you must log in.
This report contains Public information  Edit
Everyone can see this information.

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.