Re: Help: X11 (Tiger) and Solaris 9
- Subject: Re: Help: X11 (Tiger) and Solaris 9
- From: SA <email@hidden>
- Date: Tue, 14 Jun 2005 09:15:20 +0100
xhost email@hiddenne opens allows just that user from that machine to
connect. This is not as secure as the ssh tunnel and you will have to
explicitly configure your firewall to allow connections.
However, on my local network, I always use "xhost +" whenever an ssh tunnel is
not appropriate in the knowledge that X11 ports are blocked at router level to
the outside world and all internal machines are trusted.
SA
On Tuesday 07 Jun 2005 19:19, Rich Cook wrote:
> Short answer:
> Todd is right. You should let ssh set the DISPLAY for you if you
> don't know what you are doing. It will "just work" and will be secure.
> If you sometimes need to set DISPLAY for other reasons, we can discuss
> how to do so intelligently. E.g., you can test in your .cshrc file to
> see if SSH_CLIENT or SSH2_CLIENT is set, and if it is, don't set
> DISPLAY yourself.
>
> Not only do you NOT NEED to type 'xhost +', it is FOOLISH AND DANGEROUS
> TO DO SO! :-) Do not type 'xhost +' for any reason ever. That's not
> an overstatement. You have been warned.
>
>
> Long explanation:
> To understand the issues, you need to understand how all this works.
>
> xclients run on the remote host (here solaris). xserver runs on your
> local host (here mac) and almost always listens to port 6000.
>
> Your X11 server on your Mac is "listening" for X connections on port
> 6000 at your IP address. It will not accept connections from
> unauthorized hosts, however. xhost adds allowable hosts. Anyone on
> the host you name will be able to connect to your X server. xhost +
> means "any machine." So when you do 'xhost +' (a very foolish thing to
> do, BTW), you are saying, "anybody who can see my machine, no matter
> where or who they are, can use my X server." This is VERY DANGEROUS,
> because using X11, people can do amazingly nasty things to you. Do not
> do it, ever.
>
> DISPLAY is a host name and a number. The number is added to 6000 to
> tell your xclient which port to try to connect to the host on. This is
> why most of the time you set DISPLAY to :0.0. The lack of a host name
> means (sort of) "localhost" or "this machine". The 0 means "port
> 6000".
>
> ssh makes a "tunnel," from the machine you connect to, to port 6000 on
> your local host. The strange DISPLAY (localhost:10.0) you see is
> telling your remote clients to try to use port 6010 on their own
> machine. ssh has made a tunnel from 6010 on the remote machine to 6000
> on the local machine. This tunnel is encrypted and very secure, but a
> slight bit slower. You should use it! Because of this tunnel, you do
> not need to type 'xhost +'. However, I have found the need sometimes
> to say 'xhost localhost' or 'xhost 127.0.0.1' on occasion, to allow the
> local end of the tunnel to work its magic.
>
> BTW, it certainly does work to set DISPLAY on Tiger. I think the issue
> might be with VPN. But I don't care; you should use ssh and I'm not
> going to tell you guys how to do dumb things. :-)
>
> On Jun 7, 2005, at 8:04 AM, Todd Sampson wrote:
> > Hi Jean,
> > Something strange is going on with DISPLAY since X11 version 1.1 and
> > Tiger. It’s causing me problems.
> >
> > One thing I think you need to do is take the command out of your
> > .bash_profile that sets DISPLAY. It makes sense that DISPLAY should be
> > set to your ip address but it doesn’t work anymore.
> >
> > ssh sets DISPLAY automatically. For me, it sets it to localhost:10.1.
> > I don’t know why but it works.
> >
> > Another post said you don’t need to type ‘xhost +’ before you do ssh.
> >
> > Regards,
> > todd
> >
> >
> > From: "Jean M. Feuillet" <email@hidden>
> > Date: Tue, 7 Jun 2005 10:44:26 -0400
> > To: <email@hidden>
> > Cc: "Jean M. Feuillet" <email@hidden>
> > Subject: Help: X11 (Tiger) and Solaris 9
> >
> > Greetings,
> >
> > I have a very bizarre problem with X11 and Solaris 9. I would
> > appreciate it if you could help me resolving it. Here's the scenario:
> >
> > I have an iMac G5 running the latest Tiger. I installed X11 and Xcode
> > (even the latest as of this morning) and I connect to this network
> > from home using Cisco VPN. On the other side, we have installed a new
> > Sun v240 dual procs, 8 GB RAM, running Solaris 9. The only application
> > running is HP OpenView Network Node Manager 7.5 and this is the app
> > that I need to access using X11.
> >
> > After typing "xhost +" on my terminal, I connect to the Sun box with
> > the command line: ssh -2 -Y devicename -l myname
> > At that point, I receive this warning message:
> >
> > Warning: No xauth data; using fake authentication data for X11
> > forwarding.
> > Last login: Tue Jun 7 10:05:48 2005 from 172.21.127.233
> > Sun Microsystems Inc. SunOS 5.9 Generic May 2002
> >
> > In my .bash_profile, I have setup the DISPLAY for my static VPN IP
> > address. So, now I call my app with "ovw &". After a few moments, the
> > Sun replies:
> > Error: Can't open display: 172.21.127.233:0.0
> >
> > Sometimes, it works fine. For example, this morning, I loaded my
> > application without any problem and used it for several hours until I
> > logged out. And now it does not connect anymore.
> >
> > I thought that it was the bandwidth through the VPN, but after
> > checking on our Concord eHealth, the VPN is working normally without
> > excessive utilization (below 50%). We also checked the router
> > downstream of the Sun box and all looks normal.
> >
> > What do you think that the problem might be?
> >
> > Thanks in advance for your replies.
> >
> >
> > Best regards,
> >
> > Jean M. ('Jay') Feuillet
> > 954-294-5771
> >
> > _____________________________________
> > Education is when you read the fine print. Experience is what you get
> > if you don't. (Pete Seeger)
> >
> > This transmission is intended to be delivered only to the named
> > addressee(s) and may contain confidential and proprietary information
> > for the use of the individual(s) and/or entity to which it is
> > addressed. If this transmission is received by anyone other than the
> > named addressee(s), the recipient(s) should immediately notify the
> > sender, Mr. Jean M. ('Jay') Feuillet, by email
> > (<<mailto:email@hidden>>), and obtain instructions as to the
> > disposal of the transmitted material. In no event shall this material
> > be read, used, copied, reproduced, stored or retained by anyone other
> > than the named addressee(s), except with the express written consent
> > of the sender. Thank you.
> > _____________________________________
> >
> > *** Powered by Mac OS X Tiger
> >
> >
> >
> >
> >
> > _______________________________________________
> > Do not post admin requests to the list. They will be ignored.
> > X11-users mailing list (email@hidden)
> > Help/Unsubscribe/Update your Subscription:
> > email@hidden
> >
> > This email sent to email@hidden
_______________________________________________
Do not post admin requests to the list. They will be ignored.
X11-users mailing list (email@hidden)
This email sent to email@hidden
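
The DISPLAY-to-port arithmetic, the SSH_CLIENT / SSH2_CLIENT test and the "xhost +" state discussed in the thread above, as an added shell example that is not part of the original messages. The function names are illustrative, and the sample DISPLAY values other than those quoted in the thread are constructed.

```shell
#!/bin/sh
# Added example; helper names are hypothetical, not from any X11 or ssh tool.

# Print the TCP port an X client will try for a DISPLAY value.
# DISPLAY is [host]:display[.screen]; the port is 6000 + display.
# (With an empty host a local client normally uses a local socket,
# but the display number maps to the same 6000+N port over TCP.)
x11_port() {
    case "$1" in
        *:*) ;;
        *) return 1 ;;                 # no colon: not a DISPLAY value
    esac
    num=${1##*:}                       # drop host part   -> "10.0"
    num=${num%%.*}                     # drop screen part -> "10"
    case "$num" in
        ''|*[!0-9]*|0?*) return 1 ;;   # empty, non-numeric or leading zero
    esac
    echo $((6000 + $num))
}

# Login-script guard: succeed only when NOT inside an ssh session, so that
# a DISPLAY value chosen by ssh for its tunnel is never overwritten.
should_set_display() {
    [ -z "${SSH_CLIENT:-}" ] && [ -z "${SSH2_CLIENT:-}" ]
}

# Read the output of `xhost` on stdin; succeed if access control is
# disabled, i.e. the state that "xhost +" leaves the X server in.
xhost_is_open() {
    grep -q '^access control disabled'
}

# Typical use in ~/.bash_profile (assumption: local display is :0.0):
#   should_set_display && export DISPLAY=:0.0
#   xhost | xhost_is_open && echo "warning: X server accepts any host" >&2

# Constructed sample values showing the mapping described in the thread.
for d in ":0.0" "localhost:10.0" "172.21.127.233:0.0"; do
    echo "DISPLAY=$d -> TCP port $(x11_port "$d")"
done
```
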