A solution for X11 forwarding on AFP OS X clients

Apr 14, '06 04:57:00AM

Contributed by: Anonymous

When ssh'ing into an OS X client as a user whose home directory is mounted on an AFP server, the following errors can occur. First, during the login process:

/usr/X11R6/bin/xauth: error in locking authority file ~/.XAuthority 
Second, if one tries to start an X11 application, the following error occurs:
X11 connection rejected because of wrong authentication. 
X connection to localhost:10.0 broken (explicit kill or server shutdown).
The problem seems to be that xauth cannot update the .Xauthority file when the ssh session starts up, rendering the user unable to authenticate to the X server connected to their ssh session. A workaround to this problem is to have xauth write the session authnetication cookie info to a file on the local disk, not in the AFP-mounted home directory. One needs to create an /etc/sshrc file to do this.

Afterwards, the user's shell environment needs to be updated to point X to the proper file to obtains it authority data. The following are the changes I made to my clients to get X11 forwarding working on these machines:

#########################################################
# /etc/sshrc

# Set up the local file in which to store the .Xauthority information:
export XAUTHORITY=/tmp/.Xauthority.$USER

# Now create and write the magic cookie information:
if read proto cookie && [ -n "$DISPLAY" ]; then
   if [ `echo $DISPLAY | cut -c1-10` = 'localhost:' ]; then
      # X11UseLocalhost=yes
      echo add unix:`echo $DISPLAY |
      cut -c11-` $proto $cookie
   else
      # X11UseLocalhost=no
      echo add $DISPLAY $proto $cookie
   fi | /usr/X11R6/bin/xauth -q -
fi
#########################################################
The user needs to have the proper .Xauthority file location set up when their shell starts up. The users in my group have bash as their default shell, and the additions to their ~/.bashrc script needed to set up X11 correctly are as follows:
###########################################################
# ~/.bashrc X11 configuration
if [[ -z $DISPLAY ]]; then
   # DISPLAY is not set, so check to see what X display is owned
   # by the current user and set DISPLAY to this value: 
   X11_FOLDER=/tmp/.X11-unix
   currentUser=`id -u`
   bb=`ls -ln $X11_FOLDER | grep $currentUser`
   bbb=${bb/*X/:}
   usedDISPLAY=$bbb.0
   export DISPLAY=$usedDISPLAY
else
   # DISPLAY is set, so we assume remote user login via
   # ssh and set the XAUTHORITY variable to point to 
   # proper file.
   export XAUTHORITY=/tmp/.Xauthority.$USER
fi
###########################################################
With these changes, ssh users should be able to use X11 programs.

Comments (3)


Mac OS X Hints
http://hints.macworld.com/article.php?story=20060410092629437