From owner-freebsd-questions Tue Jul 10 15:42:41 2001 Delivered-To: freebsd-questions@freebsd.org Received: from ptavv.es.net (ptavv.es.net [198.128.4.29]) by hub.freebsd.org (Postfix) with ESMTP id E1D3937B409 for ; Tue, 10 Jul 2001 15:42:36 -0700 (PDT) (envelope-from oberman@ptavv.es.net) Received: from ptavv.es.net (localhost [127.0.0.1]) by ptavv.es.net (8.10.1/8.10.1) with ESMTP id f6AMgNA25908; Tue, 10 Jul 2001 15:42:23 -0700 (PDT) Message-Id: <200107102242.f6AMgNA25908@ptavv.es.net> To: "Philip Murray" Cc: freebsd-questions@FreeBSD.ORG Subject: Re: SSH & X11 Forwarding In-reply-to: Your message of "Tue, 10 Jul 2001 15:40:35 +1200." <001d01c108f2$14889dd0$0300a8c0@sparlak> Date: Tue, 10 Jul 2001 15:42:22 -0700 From: "Kevin Oberman" Sender: owner-freebsd-questions@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.ORG > From: "Philip Murray" > Date: Tue, 10 Jul 2001 15:40:35 +1200 > Sender: owner-freebsd-questions@FreeBSD.ORG > > I'm having trouble getting X11 forwarding over SSH to work with FreeBSD. I'm > using SecureCRT client and have X11 Forwarding enabled. It works fine in > Linux, but in FreeBSD I get the following error: > > SecureCRT : Incoming X11 connection authentication protocol name () is > different than SecureCRT's (MIT-MAGIC-COOKIE-1) > X connection to sparlak.philth.net.nz:10.0 broken (explicit kill or server > shutdown). > > Both times I'm using SSH1 protocol and 3Des encryption, and OpenSSH 2.5 on > the *nix side of things. > > What does it mean, and how can I fix it? X11 does user authentication based on cookies. The original cookie encoding was called MIT-MAGIC-COOKIE-1. It is in vary common use, but was cracked long ago and is not secure. An alternative mechanism, XDM-AUTHORIZATION-1, was developed using DES for encryption. It's a far safer system, but was long un-exportable (from the US and Canada) because it require DES. So all X11 distros include MIT-MAGIC-COOKIE-1 out of the box, but still require the manual inclusion of the DES code module to support XDM-AUTHORIZATION-1. I suspect you system uses the stronger XDM-AUTHORIZATION-1 system exclusively and rejects attempts to use the MIT-MAGIC-COOKIE-1 cookies while SecureCRT only supports the MIT-MAGIC-COOKIE-1. I'd contact Van Dyke about it, assuming you have a licensed copy of SecureCRT. R. Kevin Oberman, Network Engineer Energy Sciences Network (ESnet) Ernest O. Lawrence Berkeley National Laboratory (Berkeley Lab) E-mail: oberman@es.net Phone: +1 510 486-8634 To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-questions" in the body of the message