X11 Help

Discussion in 'Mac Apps and Mac App Store' started by ScruffyTheMac, Dec 13, 2005.

  1. ScruffyTheMac macrumors regular

    Joined:
    May 21, 2005
    Location:
    Massachusetts
    #1
    OK - For a couple of years, I've been working from home on my Powerbook. 10.3, with Apani Contivity client for a secure tunnel to my corporate network. Using X11, I would ssh to various Sun machines, then push the displays back to the Powerbook. Worked flawlessly.

    This week, I put a bigger hard drive in the laptop and did a fresh OS install of 10.4. The Apani Contivity client (newer version for tiger) works fine - I can ssh to the Sun machines, reach web sites, etc., on the corporate network. However, I cannot push X displays back.

    If I remember correctly, in my 10.3 setup I had the firewall turned on, with ports 6000 through 6007 enabled for X11 traffic. In 10.4 I have turned the firewall off, and still can't get displays.

    Unfortunately, on the client application side, there are no error messages - I type the application name at the UNIX command prompt, and nothing at all happens.

    FWIW, I installed the Apani client on another 10.4 machine - same behavior. Connecting to the corporate network is fine, but no X displays.

    Did something change in the OS or X11 between 10.3 and 10.4 that's causing this? Does anyone have an idea of what I can do to solve this?

    Thanks in advance.
     
  2. kanaka macrumors member

    Joined:
    Jul 8, 2002
    #2
    Do you have X11 forwarding enabled? For a single user, I think you need to edit /Users/YourUserName/.ssh/config

    and set ForwardX11 to "yes" (the default is no). So you should have an entry like this:
    Host [remotebox]
    ForwardX11 yes

    Replace [remotebox] with the remote server you are using, or with a * to enable forwarding for all hosts:
    Host *
    ForwardX11 yes

    To enable forwarding system-wide for all users, you should edit
    /etc/ssh_config
    instead.

    You might need to logout and log back in to reload the new settings.

    Edit:
    Warning from the ssh man page:
    X11 forwarding should be enabled with caution. Users with the
    ability to bypass file permissions on the remote host (for the
    user's X authorization database) can access the local X11 display
    through the forwarded connection. An attacker may then be able
    to perform activities such as keystroke monitoring.
     
  3. rasp macrumors regular

    Joined:
    Jan 13, 2005
    Location:
    Easthampton, MA
    #3
    you shouldn't need to forward any ports externally, let ssh tunnel them for you

    just,

    $ ssh -X user@hostname.com

    and that will cause ssh to set up a tunnel and the correct display var on the remote end. This is assuming that 1) you are ssh'ing directly from the mac and 2) the sun servers are set up to allow ssh X forwarding

    I just tried this to a linux server from 10.4.3 and it worked without issue.
     
  4. kanaka macrumors member

    Joined:
    Jul 8, 2002
    #4
    In case somebody stumbling upon this thread doesn't know, the "-X" flag on the command line enables X11 forwarding just like editing the config file, so the previous two posts basically do the same thing. It just depends whether you want to enable forwarding on the command line or in a config file.
     
  5. rasp macrumors regular

    Joined:
    Jan 13, 2005
    Location:
    Easthampton, MA
    #5

    Good call, guess I should learn how to read... How does that saying go? Friends don't let friends post tired.
     
  6. ScruffyTheMac thread starter macrumors regular

    Joined:
    May 21, 2005
    Location:
    Massachusetts
    #6
    Do you mean I should do this on the local (X-server) side, or the remote (X-client) side?

    That doesn't work.

    Another clue: I tried this a few times with the firewall turned on and stealth mode enabled, and got this in system.log:

    Dec 13 22:09:05 Titaniac kernel[0]: Stealth Mode connection attempt to TCP 10.0.1.4:6000 from 47.17.131.42:52035

    So the remote side (47.yada) was trying to send something to the local X11 port 6000. So I still think the issue is local, not with the server.
     
  7. kanaka macrumors member

    Joined:
    Jul 8, 2002
    #7
    Either of our ideas should be done on your Powerbook, not the Sun servers.

    X11 forwarding also needs to be enabled on the Sun server (usually in /etc/ssh/sshd_config), but since X11 used to work for you, it sounds like the server is probably already set up correctly. Anyway, if enabling X11 forwarding didn't help, I'm out of ideas :)

    Well, the -X flag is a good thing to mention, and maybe the better way to do it for security reasons, because you're explicitly enabling the forwarding and won't forget you have it permanently enabled in some obscure config file.
     
  8. kanaka macrumors member

    Joined:
    Jul 8, 2002
    #8
    Try using -Y instead of -X:

    $ ssh -Y user@hostname.com

    This enables trusted X11 forwarding. I think you can also set ForwardX11Trusted to yes in the config files.
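
Added example, not part of any post in this thread: a shell function that reads an ssh_config-style file and reports where ForwardX11 or ForwardX11Trusted is set to yes, marking global scope and wildcard patterns such as `Host *` as broad, which is the exposure the man page warning quoted in post #2 describes. The sample config and the host name sunbox.example.com are constructed, and Match and Include directives are not parsed.

```shell
#!/bin/sh
# Added example (not from the thread): list where an ssh_config file turns on
# X11 forwarding, marking global and wildcard scopes as BROAD.
# Simplified parser: Match and Include directives are not handled.
audit_x11_forwarding() {
    awk '
    function report(key) {
        # Settings before any Host line, or under a wildcard pattern, are broad.
        if (hosts == "(global)" || hosts ~ /[*?]/)
            printf "BROAD %s for: %s\n", key, hosts
        else
            printf "scoped %s for: %s\n", key, hosts
    }
    BEGIN { hosts = "(global)" }
    {
        sub(/#.*/, "")        # drop comments
        gsub(/[=]/, " ")      # "Keyword=value" is also accepted by ssh
        key = tolower($1)     # keywords are case-insensitive
        val = tolower($2)     # lenient: value compared case-insensitively
    }
    key == "host" { $1 = ""; sub(/^ +/, ""); hosts = $0; next }
    (key == "forwardx11" || key == "forwardx11trusted") && val == "yes" {
        report(key)
    }
    ' "$1"
}

# Number of BROAD findings in the given file.
count_broad() {
    audit_x11_forwarding "$1" | grep -c '^BROAD' || true
}

# Constructed sample config; sunbox.example.com is a placeholder host.
write_sample_config() {
    cat > "$1" <<'EOF'
# constructed sample
Host sunbox.example.com
    ForwardX11 yes
    ForwardX11Trusted no

Host *
    ForwardX11 yes
    ForwardX11Trusted yes
EOF
}

sample=$(mktemp)
write_sample_config "$sample"
audit_x11_forwarding "$sample"
rm -f "$sample"
```

Point the function at `~/.ssh/config` or `/etc/ssh_config` to see which entries apply forwarding to every host rather than to a named one.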
     
  9. ScruffyTheMac thread starter macrumors regular

    Joined:
    May 21, 2005
    Location:
    Massachusetts
    #9
    Well, I'm stumped. I'm giving up for now; off to sleep.

    Thanks for the suggestions. It's frustrating when something that 'just worked' in 10.3 is broken in 10.4 . . .
     
  10. rasp macrumors regular

    Joined:
    Jan 13, 2005
    Location:
    Easthampton, MA
    #10

    Well, how long has that been an option? and in what ways does it differ...

    Thus google has a link to an answer

    http://www.macosxhints.com/article.php?story=20050504114932249

    seems like it might not be the best way to use by default, but good to know about in case.
     
  11. rasp macrumors regular

    Joined:
    Jan 13, 2005
    Location:
    Easthampton, MA
    #11
    brainstorm, fire up the iMac that I haven't tweaked....

    for some stupid reason tiger isn't setting a display var on the local machine.

    from a command line try,

    $ export DISPLAY=":0.0"

    before ssh'ing.

    I have a .profile file in my root directory that contains

    [[ -z $DISPLAY ]] && export DISPLAY=":0.0"

    This is of course terminal.app not setting the var. xterm is, but that makes sense, due to it being an x11 app itself.
     
  12. ScruffyTheMac thread starter macrumors regular

    Joined:
    May 21, 2005
    Location:
    Massachusetts
    #12
    My X11 xterms already have DISPLAY=:0.0, and I can start local X apps and see the display.

    ssh -Y doesn't work, either. However, I am getting this message when I log in to the remote machine:

    Warning: No xauth data; using fake authentication data for X11 forwarding.

    I only get that message when using the -Y option. :confused:
     
  13. ScruffyTheMac thread starter macrumors regular

    Joined:
    May 21, 2005
    Location:
    Massachusetts
    #13
    progress

    So, this really can be broken into two pieces: mac to mac on my home network, and mac to the corporate Sun machines over my contivity tunnel.

    Per suggestions above, I updated /etc/ssh_config and /etc/sshd_config on my two macs to enable X11 forwarding. Mac2mac ssh and X displays now work as expected, even with the firewall on (and without specifically passing traffic through ports 6000-6007). No -X or -Y qualifiers needed with ssh. At least this all makes sense now and is consistent with man pages and everyone's advice here.

    Mac to corporate machines still doesn't work, though, even with firewall turned off. Again, nothing has changed on the servers since this worked with 10.3. So I'm still stumped on that piece.

    EDIT: Problem solved (or disappeared actually). Works as expected this morning with no action on my part. Yet another example of my employer screwing up the internal network. That should have been my first choice; the sheer coincidence of my 10.4 upgrade led me astray.

    Thanks again to everyone here - at least I learned something during the process. :^)
     
