SSH X forwarding broken

[reinhardt]

Issue description

X forwarding over ssh fails. No window opens, warning/error see below.

Steps to reproduce

local:~$ ssh -Y remote
Warning: No xauth data; using fake authentication data for X11 forwarding.
remote:~$ hgk
Invalid MIT-MAGIC-COOKIE-1 keyInvalid MIT-MAGIC-COOKIE-1 keyapplication-specific initialization failed: couldn't connect to display "localhost:10.0"

Analysis and workaround

strace has a line

stat("/usr/X11R6/bin/xauth", 0x7ffde1c22f80) = -1 ENOENT (No such file or directory)

Symlinking xauth to /usr/X11R6/bin/xauth fixes the issue:

ln -s /run/current-system/sw/bin/xauth /usr/X11R6/bin/xauth

Technical details

• System: 17.03pre92039.adfcc2d (Gorilla)
• Nix version: nix-env (Nix) 1.11.4
• Nixpkgs version: 17.03pre92039.adfcc2d
• SSH version: OpenSSH_7.3p1, OpenSSL 1.0.2i 22 Sep 2016

[CharlesHD]

I have the exact same issue. I tried in configuration.nix :

programs.ssh.forwardX11 = true;
programs.ssh.setXAuthLocation = true;

but both fail : nix-rebuild switch refuses to perform because XAuth location is not set. Seems like setXAuthLocation is set to false somewhere else later.

[groxxda]

@CharlesHD please post the error message you are receiving, programs.ssh.forwardX11 = true; does not cause an error for me with nix-rebuild switch

[CharlesHD]

Of course, here the result of nix-rebuild switch --show-trace :

building Nix...
building the system configuration...
error: while evaluating the attribute ‘config.system.build.toplevel’ at /nix/var/nix/profiles/per-user/root/channels/nixos/nixpkgs/nixos/modules/system/activation/top-level.nix:246:5:
while evaluating ‘fold’ at /nix/var/nix/profiles/per-user/root/channels/nixos/nixpkgs/lib/lists.nix:29:19, called from /nix/var/nix/profiles/per-user/root/channels/nixos/nixpkgs/nixos/modules/system/activation/top-level.nix:127:12:
while evaluating ‘fold'’ at /nix/var/nix/profiles/per-user/root/channels/nixos/nixpkgs/lib/lists.nix:32:15, called from /nix/var/nix/profiles/per-user/root/channels/nixos/nixpkgs/lib/lists.nix:36:8:
while evaluating ‘showWarnings’ at /nix/var/nix/profiles/per-user/root/channels/nixos/nixpkgs/nixos/modules/system/activation/top-level.nix:93:18, called from /nix/var/nix/profiles/per-user/root/channels/nixos/nixpkgs/nixos/modules/system/activation/top-level.nix:100:16:
while evaluating ‘fold’ at /nix/var/nix/profiles/per-user/root/channels/nixos/nixpkgs/lib/lists.nix:29:19, called from /nix/var/nix/profiles/per-user/root/channels/nixos/nixpkgs/nixos/modules/system/activation/top-level.nix:93:23:
while evaluating ‘fold'’ at /nix/var/nix/profiles/per-user/root/channels/nixos/nixpkgs/lib/lists.nix:32:15, called from /nix/var/nix/profiles/per-user/root/channels/nixos/nixpkgs/lib/lists.nix:36:8:

Failed assertions:
- cannot enable X11 forwarding without setting XAuth location

I found this error message in the 16.09 source raised by this assertion :

{ assertion = cfg.forwardX11 -> cfg.setXAuthLocation;
          message = "cannot enable X11 forwarding without setting XAuth location";
}

On the same file, the line before cfg.setXAuthLocation is set by default :

programs.ssh.setXAuthLocation =
   mkDefault (config.services.xserver.enable || config.programs.ssh.forwardX11);

So the assertion shouldn't fails ?

[groxxda]

@CharlesHD That mkDefault line is fairly new: https://github.com/NixOS/nixpkgs/commit/f3c32cb2c1344c9a831bb9e4f47c1b20527dbe0b

but even before that change, the assertion should not fail with services.xserver.enable = true; or programs.ssh.setXAuthLocation = true;

[CharlesHD]

Both are. Here is exactly my configuration.nix :

{ config, pkgs, ... }:

{
  imports =
    [ # Include the results of the hardware scan.
      ./hardware-configuration.nix
    ];

  # Use the GRUB 2 boot loader.
  boot.loader.grub.enable = true;
  boot.loader.grub.version = 2;
  boot.loader.grub.device = "/dev/sda"; # or "nodev" for efi only

  networking.hostName = "nixos"; # Define your hostname.

  # Select internationalisation properties.
  i18n = {
    consoleFont = "Lat2-Terminus16";
    consoleKeyMap = "fr-bepo";
    defaultLocale = "en_US.UTF-8";
  };

  # Set your time zone.
  time.timeZone = "Europe/Paris";

  # List packages installed in system profile. To search by name, run:
  # $ nix-env -qaP | grep wget
  environment.systemPackages = with pkgs; [
    wget
    emacs 
    haskellPackages.xmobar
    dmenu
  ];

  # List services that you want to enable:
  # Enable the OpenSSH daemon.
  services.openssh.enable = true;

  # Enable CUPS to print documents.
  services.printing.enable = true;

  # Enable the X11 windowing system.
  services.xserver = {
    enable = true;
    layout = "fr";
    xkbVariant = "bepo";

    displayManager.lightdm.enable = true;

    windowManager.xmonad.enable = true;
    windowManager.xmonad.enableContribAndExtras = true;
    windowManager.default = "xmonad";
    desktopManager.xterm.enable = false;
    desktopManager.xfce.enable = true;
    desktopManager.default = "xfce";
  };

  # Define a user account. Don't forget to set a password with ‘passwd’.
  users.extraUsers.charleshd = {
    isNormalUser = true;
    uid = 1000;
    name = "charleshd";
    group = "users";
    extraGroups = [
      "wheel" "disk" "audio" "video" "networkmanager" "systemd-journal"
     ];
    createHome = true;
    home = "/home/charleshd";
    shell = "/run/current-system/sw/bin/bash";
  };

  # The NixOS release to be compatible with for stateful data such as databases.
  system.stateVersion = "16.09";

  programs.ssh.forwardX11 = true;

}

Still, I get the error.

[groxxda]

There is also https://github.com/NixOS/nixpkgs/blob/f3c32cb2c1344c9a831bb9e4f47c1b20527dbe0b/nixos/modules/services/networking/ssh/sshd.nix#L366 Can you set services.openssh.forwardX11 = true; and test again? This is slightly messy...

[reinhardt]

FTR, I don't get an error from nix-rebuild switch when setting programs.ssh.setXAuthLocation, but it doesn't solve the original problem either.

EDIT: Sorry, I do get the error when combining setXAuthLocation and forwardX11. But I don't usually set forwardX11 in the nixos config; what I do is set X forwarding per host in .ssh/config. ...or do I need both? I tried with programs.ssh.setXAuthLocation and services.openssh.forwardX11 just now and the error seems to be gone, actually.

[CharlesHD]

Setting services.openssh.forwardX11 = true; fixed the issue for me too. I do not have programs.ssh.setXAuthLocation set, just forwardX11 for ssh and openssh.

[pschuprikov]

I stumbled into this problem today.

After looking through the code my first thought was that this line explains the behavior we see. Since openssh.forwardX11 appears to be an ultimate variable that influences programs.ssh.setXAuthLocation. Everything else has lower priority.

But then I looked at this line. And now it started to look like an infinite recursion of some sort that resolves to false.

[pschuprikov]

I was wrong, I looked at the wrong revision. The last line should be this one. Now everything is clear.

[reinhardt]

So does that explain why setting setXAuthLocation alone still gets me the error?

[pschuprikov]

Yes, as mentioned in nixos manual default option definition (like if you add programs.ssh.setXAuthLocation = true) has priority 1000, while mkForce has priority 50 (lower takes precedence).

[reinhardt]

Ah, I see, thanks!

So I'm assuming there was some change to all this that broke my config. Since I know what to do now I'm OK with not digging any deeper and closing this.

Thank you everyone!

[CharlesHD]

In my opinion this is still a bogus behavior. programs.ssh.forwardX11 should request X11 forwarding by default for outgoing connections. service.openssh.forwardX11 should allow X11 forwarding for incoming connections. programs.ssh.setXAuthLocation should set xauth location. That's something you may want independently of the other two. (but the first two should implie setXAuthLocation to true).

[reinhardt]

I agree. While it works as it is, it's not very intuitive or transparent.

[ryantrinkle]

One thing I just noticed here (running on 18.09.git.5e425e2) is that I had to manually sudo systemctl restart sshd.service after configuring these settings - it did not happen automatically.

[jcguu95]

Has anything changed since 2018? I have all programs.ssh.forwardX11, service.openssh.forwardX11 and programs.ssh.setXAuthLocation set, restarted sshd, connected using ssh -Yt me@192.168.1.112. But startx still fails:

lenovo-nixos% startx
xauth:  file /home/me/.serverauth.31266 does not exist

X.Org X Server 1.20.8
X Protocol Version 11, Revision 0
Build Operating System: Linux 4.19.116 x86_64
Current Operating System: Linux lenovo-nixos 5.4.53 #1-NixOS SMP Wed Jul 22 07:33:18 UTC 2020 x86_64
Kernel command line: initrd=\efi\nixos\g84axbp6wvd8ii5i4hy2v4f02w8lqd6i-initrd-linux-5.4.53-initrd.efi systemConfig=/nix/store/cjw7vsxwc3v0jsv66jk41bizn9l01xsm-nixos-system-lenovo-nixos-20.03.2648.69af91469be init=/nix/store/cjw7vsxwc3v0jsv66jk41bizn9l01xsm-nixos-system-lenovo-nixos-20.03.2648.69af91469be/init loglevel=4
Build Date: 29 March 2020  08:21:49PM

Current version of pixman: 0.38.4
        Before reporting problems, check http://wiki.x.org
        to make sure that you have the latest version.
Markers: (--) probed, (**) from config file, (==) default setting,
        (++) from command line, (!!) notice, (II) informational,
        (WW) warning, (EE) error, (NI) not implemented, (??) unknown.
(++) Log file: "/home/me/.xorg.log", Time: Sat Aug 22 09:07:03 2020
(==) Using config file: "/etc/X11/xorg.conf"
(==) Using config directory: "/etc/X11/xorg.conf.d"
(==) Using system config directory "/nix/store/12r3mzy6nqkqs8kj7h4fb940l7n5m1rq-xorg-server-1.20.8/share/X11/xorg.conf.d"
(EE)
Fatal server error:
(EE) parse_vt_settings: Cannot open /dev/tty0 (Permission denied)
(EE)
(EE)
Please consult the The X.Org Foundation support
         at http://wiki.x.org
 for help.
(EE) Please also check the log file at "/home/me/.xorg.log" for additional information.
(EE)
(EE) Server terminated with error (1). Closing log file.
xinit: giving up
xinit: unable to connect to X server: Connection refused
xinit: server error
Couldn't get a file descriptor referring to the console

Detailed log furthur shows

[ 31143.767] (EE) systemd-logind: failed to take device /dev/dri/card0: Operation not permitted
[ 31143.773] (II) xfree86: Adding drm device (/dev/dri/card1)
[ 31143.774] (EE) systemd-logind: failed to take device /dev/dri/card1: Operation not permitted
[ 31144.397] (--) PCI:*(0@0:2:0) 8086:1606:17aa:3902 rev 9, Mem @ 0xd1000000/16777216, 0xc0000000/268435456, I/O @ 0x00006000/64, BIOS @ 0x????????/131072
[ 31144.397] (--) PCI: (10@0:0:0) 1002:6660:17aa:381b rev 131, Mem @ 0xb0000000/268435456, 0xd3000000/262144, I/O @ 0x00003000/256, BIOS @ 0x????????/131072