Bug 1016 - ssh caching doesn't forward X11 connections
Summary: ssh caching doesn't forward X11 connections
Status: CLOSED FIXED
Alias: None
Product: Portable OpenSSH
Classification: Unclassified
Component: ssh
Version: -current
Hardware: All All
Importance: P2 enhancement
Assignee: OpenSSH Bugzilla mailing list
Reported: 2005-04-17 09:39 AEST by Frederik Eaton
Modified: 2006-10-07 11:39 AEST

Attachments
Enable X11 and agent forwarding for multiplexed connections (7.37 KB, patch)
2005-06-21 12:51 AEST, Damien Miller
Description Frederik Eaton 2005-04-17 09:39:15 AEST
See mailing list message ID 4246B5F4.3060504@mindrot.org
Comment 1 Frederik Eaton 2005-04-17 09:40:34 AEST
See mailing list message ID 4246B5F4.3060504@mindrot.org
Comment 2 Darren Tucker 2005-04-17 10:40:04 AEST
This is not currently implemented.  According to djm, this is "something of a
protocol limitation"
(http://marc.theaimsgroup.com/?l=openssh-unix-dev&m=111193626113938&w=2).

I had a brief read of section 6.3 of draft-ietf-secsh-connect-25 and I can't see
what the gotchas are (although I don't doubt there are some).
Comment 3 Damien Miller 2005-04-17 14:01:36 AEST
Actually, I was confused: the protocol doesn't provide an impediment to
implementing this, but we need to figure out whether multiple connections share
the same X11 and agent forwardings and, if so, how.
Comment 4 Damien Miller 2005-04-17 14:03:11 AEST
Please retest with >=4.0. A lot of multiplexing bugs were fixed between 3.9 and 4.0.
Comment 5 Damien Miller 2005-04-17 14:12:36 AEST
Oops, that last comment was directed to the wrong bug.
Comment 6 Frederik Eaton 2005-04-17 17:49:14 AEST
Personally, I think X11 and agent forwardings should be separate for separate
connections. Caching should be as transparent as possible. In particular,
ssh-agent forwarding should be separate because one might start different agents
with different permissions depending on level of trust in the remote host one is
logging in to. But this remote host might be a hop away from the server side of
the cached connection, e.g. I might log into a firewall machine and then
multiple internal machines from there, where some internal machines are not
trusted and some are. So I would need separate agents for cached connections to
the firewall. Similarly, the host on which I run X is often not the same as the
host on which I run my window manager and start all of my xterms, in fact, it is
almost never the same since I like to use dumb terminals. If ssh were to try to
force me to use the same X display for all of the cached outgoing connections
from this host, it would be annoying indeed. Every time I restart the dumb
terminal I'd have to go in and terminate the master ssh processes on the
window-manager host. It would also be annoying in a situation where I logged in
at different times from multiple display hosts to the same server.
Comment 7 Damien Miller 2005-06-21 12:51:23 AEST
Created attachment 931
Enable X11 and agent forwarding for multiplexed connections

This patch enables X11 and agent forwarding for multiplexed connections. I
can't see any way in the protocol that allows for forwarding multiple DISPLAYs
or agents so this patch inherits them from the master connection.

We could do a private protocol extension, but I'm not sure whether it is worth
it.
Comment 8 Damien Miller 2005-07-04 11:06:12 AEST
A similar patch was committed and will be in openssh-4.2. 

We're not going to do distinct forwarding of DISPLAY at the moment. If anyone
wants to work on a protocol extension to make this happen, please open another
enhancement bug.
Comment 9 Darren Tucker 2006-10-07 11:39:40 AEST
Change all RESOLVED bugs to CLOSED with the exception of the ones fixed post-4.4.