XWayland: disabled X extension security breaks ssh X11 forwarding
Affected version
- Arch Linux
- Gnome 3.38.2
- Gnome Shell 3.38.1
- Mutter 3.38.1
- Wayland 1.18.0
Bug summary
As of !1405 (merged), the SECURITY X extension is disabled by default for XWayland, which makes it impossible to start ssh with untrusted X11 forwarding. Untrusted in this context means you don't trust the connection: SSH applies additional restrictions (an untrusted xauth cookie, which requires the Security extension) to make X11 forwarding safer.
Steps to reproduce
Start an ssh session with X11 Forwarding
ssh -X -v user@server
What happened
simon@laptop ~ % ssh -X -v ssh1.ulyssis.org
OpenSSH_8.4p1, OpenSSL 1.1.1h 22 Sep 2020
...
Warning: untrusted X11 forwarding setup failed: xauth key data not generated
Welcome to Ubuntu 20.04.1 LTS (GNU/Linux 5.4.0-47-generic x86_64)
What did you expect to happen
simon@laptop ~ % ssh -X -v ssh1.ulyssis.org
OpenSSH_8.4p1, OpenSSL 1.1.1h 22 Sep 2020
...
debug1: Requesting X11 forwarding with authentication spoofing.
Welcome to Ubuntu 20.04.1 LTS (GNU/Linux 5.4.0-47-generic x86_64)
Relevant logs, screenshots, screencasts etc.
The difference can easily be seen:
Without the security X extension:
simon@laptop ~ % xdpyinfo -queryExtensions -ext all | grep SEC
Xlib: extension "Multi-Buffering" missing on display ":0".
simon@laptop ~ % xauth -v -f ~/.Xauthority generate $DISPLAY MIT-MAGIC-COOKIE-1 untrusted timeout 120
Using authority file /home/simon/.Xauthority
xauth: (argv):1: couldn't query Security extension on display ":0"
With the security X extension:
simon@laptop ~ % xdpyinfo -queryExtensions -ext all | grep SEC
SECURITY (opcode: 137, base event: 86, base error: 138)
Xlib: extension "Multi-Buffering" missing on display ":0".
simon@laptop ~ % xauth -v -f ~/.Xauthority generate $DISPLAY MIT-MAGIC-COOKIE-1 untrusted timeout 120
Using authority file /home/simon/.Xauthority
authorization id is 1339
Writing authority file /home/simon/.Xauthority
The new setting can be reverted (no extensions disabled) by running the following command:
gsettings set org.gnome.mutter.wayland xwayland-disable-extension []
This should most likely be the default value in order to not break ssh X11 Forwarding.
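The following script is an added diagnostic, not part of mutter, GNOME or OpenSSH, that turns the two checks shown in this report into reusable functions: it tells whether an xdpyinfo listing advertises SECURITY and, if not, whether the mutter gsettings key is the reason. The sample listings are constructed from the outputs above; with --live it queries the running display with xdpyinfo and gsettings instead (both assumed to be installed).

```shell
#!/bin/sh
# Added diagnostic for the "xauth key data not generated" symptom in this
# report. Not part of mutter, GNOME or OpenSSH. Sample listings below are
# constructed from the outputs quoted in the report.

# Constructed xdpyinfo output for an Xwayland with SECURITY disabled.
SAMPLE_SECURITY_OFF='Xlib:  extension "Multi-Buffering" missing on display ":0".'

# Constructed xdpyinfo output for an Xwayland that still advertises SECURITY.
SAMPLE_SECURITY_ON='SECURITY (opcode: 137, base event: 86, base error: 138)
Xlib:  extension "Multi-Buffering" missing on display ":0".'

# Return 0 when the listing passed as $1 advertises the SECURITY extension.
# Matches both "SECURITY (opcode" and xdpyinfo's double-spaced "SECURITY  (opcode".
has_security_ext() {
    printf '%s\n' "$1" | grep -q '^ *SECURITY *(opcode'
}

# Return 0 when the gsettings list passed as $1 (e.g. "['SECURITY', 'XTEST']")
# names SECURITY, i.e. mutter is told to start Xwayland without it.
security_disabled_by_gsettings() {
    printf '%s\n' "$1" | grep -q "'SECURITY'"
}

# Print one verdict for an xdpyinfo listing ($1) and a gsettings value ($2):
#   ok        - SECURITY present; 'xauth generate ... untrusted' can succeed
#   gsettings - SECURITY absent because org.gnome.mutter.wayland
#               xwayland-disable-extension lists it
#   missing   - SECURITY absent for another reason (other X server, build
#               without the extension, ...)
diagnose() {
    if has_security_ext "$1"; then
        echo ok
    elif security_disabled_by_gsettings "$2"; then
        echo gsettings
    else
        echo missing
    fi
}

# Live mode: query the running display and mutter's setting.
if [ "${1:-}" = "--live" ]; then
    if ! command -v xdpyinfo >/dev/null 2>&1 || ! command -v gsettings >/dev/null 2>&1; then
        echo "xdpyinfo and gsettings are required for --live" >&2
        exit 2
    fi
    listing=$(xdpyinfo -queryExtensions -ext all 2>/dev/null)
    setting=$(gsettings get org.gnome.mutter.wayland xwayland-disable-extension)
    verdict=$(diagnose "$listing" "$setting")
    echo "verdict: $verdict (xwayland-disable-extension = $setting)"
    case $verdict in
        ok)        echo "untrusted X11 forwarding (ssh -X) should be possible" ;;
        gsettings) echo "re-enable with: gsettings set org.gnome.mutter.wayland xwayland-disable-extension []" ;;
        missing)   echo "SECURITY is not advertised by this X server; check its build or use one that provides it" ;;
    esac
fi
```

Running `sh diagnose.sh --live` from inside the Wayland session gives a single verdict before any ssh attempt, so the xauth failure can be traced to the mutter setting rather than to the remote host.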