Bug 5868 - X11 forwarding fails when sshd option X11UseLocalhost is yes
Status: RESOLVED DUPLICATE of bug 3647
Alias: None
Product: Slurm
Classification: Unclassified
Component: slurmstepd
Version: 18.08.1
Hardware: Linux Linux
Importance: --- 4 - Minor Issue
Assignee: Tim Wickberg
Reported: 2018-10-17 09:53 MDT by Michael Gutteridge
Modified: 2018-10-17 16:35 MDT
Site: FHCRC - Fred Hutchinson Cancer Research Center

Description Michael Gutteridge 2018-10-17 09:53:44 MDT
When we try to use `--x11` with srun and the SSH server on the daemon node is configured with "X11UseLocalhost yes" we get the error:

    mrg@submithost:~$ srun --x11 xterm
    srun: error: x11_get_xauth: Could not retrieve magic cookie. Cannot use X11 forwarding.

Setting "X11UseLocalhost no" resolves the issue but we'd _kind_ of like to use the more secure localhost forwarding.  I've done a bit of digging and I think I've found some answers at least.  Hopefully this will be useful.

src/common/x11_util.c in the function x11_get_auth attempts to use the DISPLAY environment variable to look for the authentication token in the Xauthority file:

    xauth_argv[2] = xstrdup(getenv("DISPLAY"));

When configured with "X11UseLocalhost yes", the display is set to "localhost:NN", but sshd generates the authentication token using[1]:

    /usr/bin/xauth add unix:10.0 MIT-MAGIC-COOKIE-1 38d8abba976...

which generates a token like:

    node1/unix:10  MIT-MAGIC-COOKIE-1  b9488c20....

which won't be located by x11_get_auth as it's looking for a token like:

    xauth list localhost:10.0

So that's background - for a fix... I'm not sure how to advise.  I do know that you can also look up the token generated by ssh using:

    xauth list unix:10.0

Maybe a conditional around generating xauth_argv[2] that checks to see if the display is "localhost:NN.X" and in those cases look for a token using "unix:NN.X"?

Thanks for all your work.

Michael

[1] https://github.com/openssh/openssh-portable/blob/f1dd179e122bdfdb7ca3072d9603607740efda05/session.c#L2599
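
The conditional suggested in the description above, written out as an added example; it is not part of the original report and is not Slurm's code. The helper name `xauth_lookup_name` and the sample DISPLAY values are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>

#define DIGITS "0123456789"

/*
 * Hypothetical helper, not Slurm code: choose the name to hand to
 * "xauth list" for a given DISPLAY value.
 *   "localhost:NN" or "localhost:NN.S"  ->  "unix:NN" / "unix:NN.S"
 *   anything else                       ->  copied unchanged
 * Returns 0 on success, -1 on NULL/empty input or a too-small buffer.
 */
int xauth_lookup_name(const char *display, char *out, size_t outlen)
{
    static const char prefix[] = "localhost:";
    const size_t plen = sizeof(prefix) - 1;
    int loopback = 0, n;

    if (!display || !*display || !out || outlen == 0)
        return -1;

    if (strncmp(display, prefix, plen) == 0) {
        const char *p = display + plen;
        size_t d = strspn(p, DIGITS);            /* display number NN */

        if (d > 0) {
            p += d;
            if (*p == '.' && strspn(p + 1, DIGITS) > 0)
                p += 1 + strspn(p + 1, DIGITS);  /* optional screen .S */
            loopback = (*p == '\0');             /* reject trailing junk */
        }
    }

    n = snprintf(out, outlen, "%s%s", loopback ? "unix:" : "",
                 loopback ? display + plen : display);
    return (n < 0 || (size_t)n >= outlen) ? -1 : 0;
}

int main(void)
{
    /* Constructed sample DISPLAY values, not taken from the report. */
    const char *samples[] = { "localhost:10.0", "localhost:11", "node1:10.0", ":0" };
    char name[64];

    for (size_t i = 0; i < sizeof(samples) / sizeof(samples[0]); i++)
        if (xauth_lookup_name(samples[i], name, sizeof(name)) == 0)
            printf("DISPLAY=%-15s -> xauth list %s\n", samples[i], name);
    return 0;
}
```

Values that do not match the loopback form exactly, such as `localhost:abc` or a remote `node1:10.0`, are passed through unchanged, so the existing lookup is only altered for the `X11UseLocalhost yes` case.
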
Comment 1 Tim Wickberg 2018-10-17 16:35:46 MDT
Hi Michael -

This is a known limitation of the current implementation. We'll be adding additional configuration flags to help work around these issues with the xauth cookie format in a future 18.08 release.

I'm closing this as a duplicate of bug 3647 which is tracking that and related X11 forwarding issues.

- Tim

*** This bug has been marked as a duplicate of bug 3647 ***