-
-
Notifications
You must be signed in to change notification settings - Fork 1.7k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
FreeBSD : Collisions between redirected ssh X server and xrdp #3381
Comments
@derekschrock - can you have a look at the above and tell me if I've missed anything out? |
I've got another observation to add to this. Again, I'd appreciate your thoughts on this, Derek. If you create an xrdp session with a DISPLAY of (say) |
It looks good in terms of the issue, you can also look at
Yes, if you RDP first then ssh even though ssh is update the xauth data the xrdp doesn't seem to care. I'd guess that's because it's using the socket file[s]? However, I don't know what exactly might fail else where due to xauth changing. But is easy to back to a bad state by logging out of the RDP desktop and RDPing back in. |
Thanks Derek, It looks like the session not starting was down to other reasons related to an incomplete FreeBSD 14 development environment. I was also logging in as a separate user! I've fixed all that, and now I'm seeing what you're seeing. I've got an IPv6 GUA on this box, although I'm not using it to connect. I've updated the problem description to match. Also, the xauth file gets trampled on, regardless of which login I use first. So if I use rdp, then ssh, the file is changed. This is less of a problem as I think both ends of the ssh tunnel need to match, but this isn't a problem for an xrdp session. Although X11 is quite happy with one display 10 using TCP and another using UDS, xauth isn't. The xauth file format does not allow for these two transports to be stored in the file together. I'll summarise where I think we are, which is there are two problems here:-
I've also tried I think we need these changes:-
Does that sound reasonable, or am I missing something else? |
Looks good. Thanks for the detailed summary. |
I'll proceed along those lines then. We'll keep this issue open for the first of these, which is xrdp detecting an active X server. I'll raise a separate issue for XAUTHORITY. |
I think I can see a way to sort this out. The problem is
At the moment we're setting |
@derekschrock - I've linked a draft PR to close this. I'd be grateful if you could look at it. If you want a patch making against any previous xrdp version, let me know and I'll sort it out for you. I've already found another minor problem in the socket code. I'll raise another issue for that! |
Scrub the other issue - I'll look at the other problem as part of this PR. It won't substantially change the fix though. |
Raised another issue #3391 for discussion. |
Testing #3390 on FreeBSD 14.1 in a jail and on a host we get the expected results where xrdp is not overlapping with any existing connections. So an existing ssh X11 tunnel on 10 xrdp connection uses 11.
The issue with openssh reusing DISPLAY values still remains but I'd like to think that's an openssh issue (with FreeBSD)? There's no way to control non-xrdp sockets correct? If so I can check with opeensh to see if they're interested in fixing this. But I think think this would only be an issue if you were trying to run something X via ssh with |
Thanks for the update. I think you're right about ssh. As I said in my analysis, changing the MAGIC-COOKIE xrdp is using is unlikely to be an issue in practice, as both the X server and the client(s) have visibility of the same cookie, via the If I understand the situation correctly, when a user in the ssh session changes the DISPLAY from
|
The case was 1. It was when ssh would overwrite existing xauth data generated by xrdp (RDP first, ssh later). I must have had a different issue. I can't reproduce that right now. So I think everything should be good as you said. |
I'm minded to merge #3383 in to devel and v0.10.x, as it turns out to be very simple, and I think it will solve the FreeBSD problems almost entirely. Even though the X11 display numbers are colliding, the different authfiles should prevent any applications running on the wrong display, provided the users don't mess about with the $DISPLAY variable. The fix I've got for this issue is a bit more risky, so can go straight into |
Edit : 2025-1-7 The problem symptoms have been edited. Please consult the issue history for where we started.
xrdp version
0.10.x / devel
Detailed xrdp version, build options
Operating system & version
FreeBSD 14.2-RELEASE
Installation method
git clone & make install
Which backend do you use?
xorgxrdp
What desktop environment do you use?
XFCE
Environment xrdp running on
VM
What's your client?
Various
Area(s) with issue?
Session manager (sesman)
Steps to reproduce
ssh -X
:-✔️ Expected Behavior
Following login,
xauth list
in ssh session shows same information❌ Actual Behavior
Anything else?
Thanks to @derekschrock for raising this on Gitter.
An active X server is checked for by xrdp by using the following algorithm:-
0.0.0.0:<tport>
and/or[::]:<tport>
where<tport>
is the TCP port which may be used by the X server.When ssh X11 forwarding is used by
ssh
, there is no Unix Domain Socket, and the forwarding TCP port is bound tolocalhost
only.The problem seems to be caused by a difference in behaviour between Linux and FreeBSD when
SO_REUSEADDR
is set on a TCP socket passed tobind()
On Linux, if a program is listening on
localhost:<tport>
, and another user tries to listen on0.0.0.0:<tport>;
or[::]:<tport>
, thebind()
fails withEADDRINUSE
On FreeBSD, with the same conditions, the
bind()
succeeds.The following IPv4 test program illustrates the issue:-
Log in to Linux or FreeBSD over ssh with X11 forwarding and run the program.
On Linux:-
On FreeBSD:-
The text was updated successfully, but these errors were encountered: