
ScruffyTheMac

OK - For a couple of years, I've been working from home on my Powerbook. 10.3, with Apani Contivity client for a secure tunnel to my corporate network. Using X11, I would ssh to various Sun machines, then push the displays back to the Powerbook. Worked flawlessly.

This week, I put a bigger hard drive in the laptop and did a fresh OS install of 10.4. The Apani Contivity client (newer version for Tiger) works fine - I can ssh to the Sun machines, reach web sites, etc., on the corporate network. However, I cannot push X displays back.

If I remember correctly, in my 10.3 setup I had the firewall turned on, with ports 6000 through 6007 enabled for X11 traffic. In 10.4 I have turned the firewall off, and still can't get displays.

Unfortunately, on the client application side, there are no error messages - I type the application name at the UNIX command prompt, and nothing at all happens.

FWIW, I installed the Apani client on another 10.4 machine - same behavior. Connecting to the corporate network is fine, but no X displays.

Did something change in the OS or X11 between 10.3 and 10.4 that's causing this? Does anyone have an idea of what I can do to solve this?

Thanks in advance.
 
Do you have X11 forwarding enabled? For a single user, I think you need to edit /Users/YourUserName/.ssh/config

and set ForwardX11 to "yes" (the default is no). So you should have an entry like this:
Host [remotebox]
ForwardX11 yes

Replace [remotebox] with the remote server you are using, or with a * to enable forwarding for all hosts:
Host *
ForwardX11 yes

To enable forwarding system-wide for all users, you should edit
/etc/ssh_config
instead.

You might need to log out and log back in to reload the new settings.

Edit:
Warning from the ssh man page:
X11 forwarding should be enabled with caution. Users with the
ability to bypass file permissions on the remote host (for the
user's X authorization database) can access the local X11 display
through the forwarded connection. An attacker may then be able
to perform activities such as keystroke monitoring.
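
Added example, not part of the thread: the man page warning above is why it matters how widely a ForwardX11 entry applies. This shell function lists where an OpenSSH client config switches on X11 forwarding and whether the enclosing block covers one host or many; the host name in the sample config is constructed.

```shell
#!/bin/sh
# Added example: list the places in an OpenSSH client config that switch on
# X11 forwarding, and say whether each applies to one host or to many.
audit_x11_forwarding() {
    # $1: config file to read, or "-" for standard input
    awk '
        # Settings placed before any Host line apply to every host.
        BEGIN { block = "(top of file)"; broad = 1 }
        /^[ \t]*#/ || /^[ \t]*$/ { next }          # comments and blank lines
        {
            gsub(/=/, " ")                         # "Keyword=value" is valid too
            key = tolower($1); val = tolower($2)   # keywords are case-insensitive
        }
        key == "host" || key == "match" {
            block = $0
            sub(/^[ \t]*[^ \t]+[ \t]+/, "", block) # drop the keyword, keep the patterns
            broad = (key == "host" && block ~ /[*?]/) || (key == "match" && val == "all")
            next
        }
        (key == "forwardx11" || key == "forwardx11trusted") && val == "yes" {
            scope = broad ? "broad" : "scoped"
            print scope, key, block
        }
    ' "$1"
}

# Constructed sample config, fed on standard input.
audit_x11_forwarding - <<'EOF'
Host sunbox.example.com
    ForwardX11 yes
Host *
    ForwardX11 yes
    ForwardX11Trusted=yes
EOF
```

The function reports what the file says block by block; on current OpenSSH, `ssh -G hostname` prints the effective values for one host after all blocks are merged.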
 
you shouldn't need to forward any ports externally, let ssh tunnel them for you

just,

$ ssh -X user@hostname.com

and that will cause ssh to set up a tunnel and the correct display var on the remote end. This is assuming that 1) you are ssh'ing directly from the mac and 2) the sun servers are set up to allow ssh X forwarding

I just tried this to a linux server from 10.4.3 and it worked without issue.
 
rasp said:
In case somebody stumbling upon this thread doesn't know, the "-X" flag on the command line enables X11 forwarding just like editing the config file, so the previous two posts basically do the same thing. It just depends whether you want to enable forwarding on the command line or in a config file.
 
kanaka said:
In case somebody stumbling upon this thread doesn't know, the "-X" flag on the command line enables X11 forwarding just like editing the config file, so the previous two posts basically do the same thing. It just depends whether you want to enable forwarding on the command line or in a config file.


Good call, guess I should learn how to read... How does that saying go? Friends don't let friends post tired.
 
kanaka said:
Do you have X11 forwarding enabled? For a single user, I think you need to edit /Users/YourUserName/.ssh/config

and set ForwardX11 to "yes" (the default is no). So you should have an entry like this:
Host [remotebox]
ForwardX11 yes

Replace [remotebox] with the remote server you are using, or with a * to enable forwarding for all hosts:
Host *
ForwardX11 yes

To enable forwarding system-wide for all users, you should edit
/etc/ssh_config
instead.

You might need to log out and log back in to reload the new settings.

Do you mean I should do this on the local (X-server) side, or the remote (X-client) side?

rasp said:
you shouldn't need to forward any ports externally, let ssh tunnel them for you

just,

$ ssh -X user@hostname.com

and that will cause ssh to set up a tunnel and the correct display var on the remote end. This is assuming that 1) you are ssh'ing directly from the mac and 2) the sun servers are set up to allow ssh X forwarding

I just tried this to a linux server from 10.4.3 and it worked without issue.

That doesn't work.

Another clue: I tried this a few times with the firewall turned on and stealth mode enabled, and got this in system.log:

Dec 13 22:09:05 Titaniac kernel[0]: Stealth Mode connection attempt to TCP 10.0.1.4:6000 from 47.17.131.42:52035

So the remote side (47.yada) was trying to send something to the local X11 port 6000. So I still think the issue is local, not with the server.
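
Added example, not part of the thread: the log line above records a connection to TCP port 6000, which is X display 0 reached over plain TCP rather than through an ssh tunnel. This shell function classifies a DISPLAY value (as seen in the remote login session) by the transport an X client would use; the threshold of 10 assumes sshd's default X11DisplayOffset, and the sample values are constructed apart from the 10.0.1.4 address taken from the log.

```shell
#!/bin/sh
# Added example: report how an X client would reach the display named by a
# DISPLAY value. Intended for the value seen on the remote host after login.
classify_display() {
    d=$1
    case $d in *:*) ;; *) echo "invalid"; return 1 ;; esac
    host=${d%:*}                   # text before the last ":" (empty for ":0.0")
    num=${d##*:}; num=${num%%.*}   # display number without the ".screen" suffix
    # Reject empty, non-numeric and zero-padded numbers (avoids octal parsing).
    case $num in ''|*[!0-9]*|0[0-9]*) echo "invalid"; return 1 ;; esac
    port=$((6000 + num))           # X11 over TCP uses port 6000 + display number
    case $host in
        ''|unix|/*)
            echo "local socket, display $num" ;;
        localhost|127.0.0.1)
            if [ "$num" -ge 10 ]; then
                # sshd hands out forwarded displays starting at X11DisplayOffset
                # (default 10) and listens for them on the loopback interface.
                echo "loopback tcp/$port, consistent with an ssh tunnel"
            else
                echo "loopback tcp/$port, not an ssh-allocated display"
            fi ;;
        *)
            echo "direct tcp/$port to $host, not tunnelled" ;;
    esac
}

# Constructed sample values.
for v in ":0.0" "localhost:10.0" "10.0.1.4:0"; do
    printf '%-16s %s\n' "$v" "$(classify_display "$v")"
done
```

Ports 6000 through 6007, the range mentioned in the first post, correspond to displays 0 through 7 under the same mapping.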
 
ScruffyTheMac said:
Do you mean I should do this on the local (X-server) side, or the remote (X-client) side?

Either of our ideas should be done on your Powerbook, not the Sun servers.

X11 forwarding also needs to be enabled on the Sun server (usually in /etc/ssh/sshd_config), but since X11 used to work for you, it sounds like the server is probably already set up correctly. Anyway, if enabling X11 forwarding didn't help, I'm out of ideas :)

rasp said:
Good call, guess I should learn how to read... How does that saying go? Friends don't let friends post tired.

Well, the -X flag is a good thing to mention, and maybe the better way to do it for security reasons, because you're explicitly enabling the forwarding and won't forget you have it permanently enabled in some obscure config file.
 
Try using -Y instead of -X:

$ ssh -Y user@hostname.com

This enables trusted X11 forwarding. I think you can also set ForwardX11Trusted to yes in the config files.
 
Well, I'm stumped. I'm giving up for now; off to sleep.

Thanks for the suggestions. It's frustrating when something that 'just worked' in 10.3 is broken in 10.4 . . .
 
brainstorm, fire up the iMac that I haven't tweaked....

for some stupid reason Tiger isn't setting a display var on the local machine.

from a command line try,

$ export DISPLAY=":0.0"

before ssh'ing.

I have a .profile file in my root directory that contains

[[ -z $DISPLAY ]] && export DISPLAY=":0.0"

This is of course Terminal.app not setting the var. xterm is, but that makes sense, due to it being an X11 app itself.
 
My X11 xterms already have DISPLAY=:0.0, and I can start local X apps and see the display.

ssh -Y doesn't work, either. However, I am getting this message when I log in to the remote machine:

Warning: No xauth data; using fake authentication data for X11 forwarding.

I only get that message when using the -Y option. :confused:
 
progress

So, this really can be broken into two pieces: mac to mac on my home network, and mac to the corporate Sun machines over my contivity tunnel.

Per suggestions above, I updated /etc/ssh_config and /etc/sshd_config on my two Macs to enable X11 forwarding. Mac2mac ssh and X displays now work as expected, even with the firewall on (and without specifically passing traffic through ports 6000-6007). No -X or -Y qualifiers needed with ssh. At least this all makes sense now and is consistent with man pages and everyone's advice here.

Mac to corporate machines still doesn't work, though, even with firewall turned off. Again, nothing has changed on the servers since this worked with 10.3. So I'm still stumped on that piece.

EDIT: Problem solved (or disappeared actually). Works as expected this morning with no action on my part. Yet another example of my employer screwing up the internal network. That should have been my first choice; the sheer coincidence of my 10.4 upgrade led me astray.

Thanks again to everyone here - at least I learned something during the process. :^)
 