Short answer:
Todd is right. You should let ssh set the DISPLAY for you if you
don't know what you are doing. It will "just work" and will be secure.
If you sometimes need to set DISPLAY for other reasons, we can discuss
how to do so intelligently. E.g., you can test in your .cshrc file to
see if SSH_CLIENT or SSH2_CLIENT is set, and if it is, don't set
DISPLAY yourself.
Not only do you NOT NEED to type 'xhost +', it is FOOLISH AND DANGEROUS
TO DO SO! :-) Do not type 'xhost +' for any reason ever. That's not
an overstatement. You have been warned.
Long explanation:
To understand the issues, you need to understand how all this works.
xlcients run on the remote host (here solaris). xserver runs on your
local host (here mac) and almost always listens to port 6000
You X11 server on your Mac is "listening" for X connections on port
6000 at your IP address. It will not accept connections from
unauthorized hosts, however. xhost adds allowable hosts. Anyone on
the host you name will be able to connect to your X server. xhost +
means "any machine." So when you do 'xhost +' (a very foolish thing to
do, BTW), you are saying, "anybody who can see my machine, no matter
where or who they are, can use my X server." This is VERY DANGEROUS,
because using X11, people can do amazingly nasty things to you. Do not
do it, ever.
DISPLAY is a host name and a number. The number is added to 6000 to
tell your xclient which port to try to connect to the host on. This is
why most of the time you set DISPLAY to :0.0 The lack of a host name
means (sort of) "localhost" or "this machine". The 0 means "port
6000".
ssh makes a "tunnel," from the machine you connect to, to port 6000 on
your local host. The strange DISPLAY (localhost:10.0) you see is
telling your remote clients to try to use port 6010 on their own
machine. ssh has made a tunnel from 6010 on the remote machine to 6000
on the local machine. This tunnel is encrypted and very secure, but a
slight bit slower. You should use it! Because of this tunnel, you do
not need to type 'xhost +'. However, I have found the need sometimes
to say 'xhost localhost' or 'xhost 127.0.0.1' on occasion, to allow the
local end of the tunnel to work its magic.
BTW, it certainly does work to set DISPLAY on Tiger. I think the issue
might be with VPN. But I don't care; you should use ssh and I'm not
going to tell you guys how to do dumb things. :-)
On Jun 7, 2005, at 8:04 AM, Todd Sampson wrote:
Hi Jean,
Something strange is going on with DISPLAY since X11 version 1.1 and
Tiger. It’s causing me problems.
One thing I think you need to do is take the command out of your
.bash_profile that sets DISPLAY. It makes sense that DISPLAY should be
set to your ip address but it does’nt work anymore.
ssh sets DISPLAY automatically. For me, it sets it to localhost:10.1.
I don’t know why but it works.
Another post said you don’t need to type ‘xhost +’ before you do ssh.
Regards,
todd
From: "Jean M. Feuillet" <email@hidden>
Date: Tue, 7 Jun 2005 10:44:26 -0400
To: <email@hidden>
Cc: "Jean M. Feuillet" <email@hidden>
Subject: Help: X11 (Tiger) and Solaris 9
Greetings,
I have a very bizarre problem with X11 and Solaris 9. I would
appreciate it if you could help me resolving it. Here's the scenario:
I have an iMac G5 running the latest Tiger. I installed X11 and Xcode
(even the latest as of this morning) and I connect to this network
from home using Cisco VPN. On the other side, we have installed a new
Sun v240 dual procs, 8 GB RAM, running Solaris 9. The only application
running is HP OpenView Network Node Manager 7.5 and this is the app
that I need to access using X11.
After typing "xhost +" on my terminal, I connect to the Sun box with
the command line: ssh -2 -Y devicename -l myname
At that point, I receive this warning message:
Warning: No xauth data; using fake authentication data for X11
forwarding.
Last login: Tue Jun 7 10:05:48 2005 from 172.21.127.233
Sun Microsystems Inc. SunOS 5.9 Generic May 2002
In my .bash_profile, I have setup the DISPLAY for my static VPN IP
address. So, now I call my app with "ovw &". After a few moments, the
Sun replies:
Error: Can't open display: 172.21.127.233:0.0
Sometimes, it works fine. For example, this morning, I loaded my
application without any problem and used it for several hours until I
logged out. And now it does not connect anymore.
I thought that it was the bandwidth through the VPN, but after
checking on our Concord eHealth, the VPN is working normally without
excessive utilization (below 50%). We also checked the router
downstream of the Sun box and all looks normal.
What do you think that the problem might be?
Thanks in advance for your replies.
Best regards,
Jean M. ('Jay') Feuillet
954-294-5771
_____________________________________
Education is when you read the fine print. Experience is what you get
if you don't. (Pete Seeger)
This transmission is intended to be delivered only to the names
addressee(s) and may contain confidential and proprietary information
for the use of the individual(s) and/or entity to which it is
addressed. If this transmission is received by anyone other than the
names addressee(s), the recipient(s) should immediately notify the
sender, Mr. Jean M. ('Jay') Feuillet, by email
(<<mailto:email@hidden>>), and obtain instructions as to the
disposal of the transmitted material. In no event shall this material
be read, used, copied, reproduced, stored or retained by anyone other
than the named addressee(s), except with the express written consent
of the sender. Thank you.
_____________________________________
*** Powered by Mac OS X Tiger
_______________________________________________
Do not post admin requests to the list. They will be ignored.
X11-users mailing list (email@hidden)
Help/Unsubscribe/Update your Subscription:
http://lists.apple.com/mailman/options/x11-users/
email@hidden
This email sent to email@hidden
_______________________________________________
Do not post admin requests to the list. They will be ignored.
X11-users mailing list (email@hidden)
Help/Unsubscribe/Update your Subscription:
http://lists.apple.com/mailman/options/x11-users/email@hidden
This email sent to email@hidden
--
The primary task of most software projects is to discover and resolve
these unknowns rather than to build a system. -- Philip G. Armour
--
Richard Cook
Lawrence Livermore National Laboratory
Bldg-453 Rm-4037, Mail Stop L-557
7000 East Avenue, Livermore, CA, 94550, USA
phone (925) 423-9605 (work) fax (925) 423-6961
---
Information Management & Graphics Grp., Services & Development Div.,
Integrated Computing & Communications Dept.
(opinions expressed herein are mine and not those of LLNL)
_______________________________________________
Do not post admin requests to the list. They will be ignored.
X11-users mailing list (email@hidden)
Help/Unsubscribe/Update your Subscription: http://lists.apple.com/mailman/options/x11-users/email@hidden
