[LightDM] Magic cookie doesn't work - no protocol specified
Robert Ancell
robert.ancell at gmail.com
Mon Jan 25 19:53:10 PST 2016
Hi Mikhail,
I think I've worked out what is going on here:
If you look at the two Xauth databases you get:
$ XAUTHORITY=Xauthority-startx-local xauth list
morfikownia/unix:0 MIT-MAGIC-COOKIE-1 0a7b2d573a4a722fda829ff57e48b70c
192.168.1.150:0 MIT-MAGIC-COOKIE-1 5f84d468a9f2d34ea4399512c2729a3b
$ XAUTHORITY=Xauthority-lightdm-local xauth list
morfikownia/unix:0 MIT-MAGIC-COOKIE-1 c95db8e522de76d8ad35d5117e20200a
Both of them have cookies for the local Unix socket (morfikownia/unix:0)
but only the startx one has an entry for network connections (
192.168.1.150:0).
This is why the cookie is not working, in LightDM that cookie is only used
for local connections. If you don't set any cookie does it connect (i.e. no
authentication is done).
What you can do:
- You can add any authentication you want to the server X authority file,
perhaps by using display-setup-script. See /usr/bin/startx for how they
generate cookies.
- We could consider using the same cookie for TCP/IP connections, please
file a bug if you want this.
--Robert
On Sat, 12 Dec 2015 at 03:36 Mikhail Morfikov <mmorfikov at gmail.com> wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA512
>
> On 2015-12-10 05:08, Robert Ancell wrote:
> > I just really wanted the .Xauthority files to check that they contain the
> > cookies in the format we expected.
> >
>
> Ok, I've managed to setup everything up anew.
>
> 1. When the Xserver is started via "startx", and when I use the following
> line in the /etc/X11/xinit/xserverrc file:
>
> exec /usr/bin/X -auth "$HOME/.Xauthority" -listen tcp "$@"
>
> I am able to send the cookie to the remote machine (it's just an LXC
> container) using this command:
>
> local$ xauth extract - morfikownia.mhouse.lh:0.0 | ssh -x
> morfik at 192.168.10.20 xauth merge -
> morfik at 192.168.10.20's password:
>
> I logged in to the remote machine and started a GUI application to see
> whether it works. And I got pretty ugly graphical interface, but it works.
>
> The processes on the local machine look like this:
>
> local$ ps aux | grep X
> morfik 87819 0.0 0.0 15932 1764 tty2 S+ 12:42 0:00 xinit
> /etc/X11/xinit/xinitrc -- /etc/X11/xinit/xserverrc :0 vt2 -keeptty -auth
> /tmp/serverauth.ZdhjfKxkp1
> morfik 87820 5.2 1.8 288012 34712 tty2 Sl 12:42 0:30
> /usr/lib/xorg/Xorg -auth /home/morfik/.Xauthority -listen tcp :0 vt2
> -keeptty -auth /tmp/serverauth.ZdhjfKxkp1
> morfik 87831 0.0 1.0 232868 19204 tty2 S 12:42 0:00
> /usr/bin/openbox --startup /usr/lib/x86_64-linux-gnu/openbox-autostart
> OPENBOX
>
> 2. I restored the /etc/X11/xinit/xserverrc file so it now contains the
> default line which was:
>
> exec /usr/bin/X -nolisten tcp "$@"
>
> And set everything up via lightdm configuration file
> (/etc/lightdm/lightdm.conf). The only change I did was the following:
>
> xserver-command=X -listen tcp -auth "$HOME/.Xauthority"
> xserver-allow-tcp=true
>
> The whole file looks like this:
>
> # egrep -v ^# /etc/lightdm/lightdm.conf
> [LightDM]
> greeter-user=lightdm
> minimum-display-number=0
> minimum-vt=7
> logind-check-graphical=true
> log-directory=/var/log/lightdm
> run-directory=/var/run/lightdm
> cache-directory=/var/cache/lightdm
>
> [Seat:*]
> xserver-command=X -listen tcp -auth "$HOME/.Xauthority"
> xserver-allow-tcp=true
> greeter-session=lightdm-gtk-greeter
> greeter-hide-users=false
> greeter-allow-guest=false
> greeter-show-manual-login=true
> greeter-show-remote-login=true
> user-session=openbox
> allow-user-switching=true
> allow-guest=false
> autologin-guest=false
> autologin-user-timeout=0
> autologin-in-background=false
>
> [XDMCPServer]
>
> [VNCServer]
>
> The processes are a little bit different, but I don't think it matters.
> Anyways, here they are:
>
> local$ ps aux | grep X
> root 101362 4.2 1.7 281704 33448 tty7 Ssl+ 13:11 0:26
> /usr/lib/xorg/Xorg -listen tcp -auth $HOME/.Xauthority :0 -seat seat0 -auth
> /var/run/lightdm/root/:0 -listen tcp vt7 -novtswitch
> morfik 101414 0.0 0.9 232340 18744 ? Ss 13:11 0:00
> /usr/bin/openbox --startup /usr/lib/x86_64-linux-gnu/openbox-autostart
> OPENBOX
>
>
> When I try to send the cookie using the same command as earlier, I get
> this:
>
> local$ xauth extract - morfikownia.mhouse.lh:0.0 | ssh -x
> morfik at 192.168.10.20 xauth merge -
> No matches found, authority file "-" not written
>
> ^C
>
> But when I issue the following command:
>
> local$ xauth extract - $DISPLAY | ssh -x morfik at 192.168.10.20 xauth merge
> -
> morfik at 192.168.10.20's password:
>
> It works here, but when I try to start a GUI application on the remote
> machine, I get:
>
> remote$ geany
> Invalid MIT-MAGIC-COOKIE-1 key
> Geany: cannot open display
>
> I can of course do the following on the local machine:
>
> local$ xhost +192.168.10.20
> 192.168.10.20 being added to access control list
>
> And now I am able to start the GUI app on the remote machine. So I have no
> idea why the cookies don't work with LightDM.
>
> I included two .Xauthority files called .Xauthority-startx-local and
> .Xauthority-lightdm-local . Both of which are from the local machine. I
> think you needed only those files, right?
>
> -----BEGIN PGP SIGNATURE-----
>
> iQIcBAEBCgAGBQJWat9ZAAoJEM0EaBB3G2UgG1EP/Rul8Rop3k2JZe2UWUCpd1tb
> bb4QYIP+f71bX0dM8LaENQrbpmJEV3HKiNih8KK3d9wBv/cNVkl0PIybsy8RSiHd
> ABqqU2YsxLesJwI4XS/h8ozJUHNphh7u320iLresMIzvOInEZqIFHRx8IjR7vKU9
> C2/VcIWWNEPl9aQxYAW1WqUbu5waV3Oa50+YwkopcC/wBm7XRRmM2J7iEz1aUVsm
> yQQdnXJDIkXu7FcqMP8+ddr/TbIuHhfn5HXj2xq7OgzgHLdKhEZLGjWCOnNbM9rH
> AYNnUD53EODnwPqH96BBITmoVZb6j/R9lctm61q6Wt2l9OCsVVJFh1EJHld4fgd4
> I+rbzcMQY4D7qWgysdfQCyX/5RhxENqE6vTcu8wm4F+6aFiLMiB5sKLgX8Tkc5F5
> sHg/Hx+WBjrPaQ9mRwUcevFD5lY9HoSmXW0fw682ug8ADnVdHZK1LNLvRkVbg+Xp
> EbsgqMXGlmlx1Fz8YnSC7j3h0UtP29LVum8zSU4/T4kOoRHDbN7N+wD3u2CDfpvP
> tsgm9wRQ03q8DKpWpu90xmzdO6sOvVI966fHjI5IE9wMXytyFc2FW4r07G1rQFN+
> KEI5vXK6rMqnA8SWwcQtNOXw6a1MQMAL9oRiIgm4tG6/FB9AMMifbSe9294yUHrA
> Egau9ktmG7KkmMyGBGXp
> =SNXM
> -----END PGP SIGNATURE-----
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.freedesktop.org/archives/lightdm/attachments/20160126/2d342527/attachment.html>
More information about the LightDM
mailing list