Re: Mac OS 10.6.5 X11 client display forwarding issue.
- Subject: Re: Mac OS 10.6.5 X11 client display forwarding issue.
- From: Jeremy Huddleston <email@hidden>
- Date: Wed, 17 Nov 2010 11:16:47 -0800
Please don't start new threads by responding to old ones. It keeps things more tidy.
On Nov 16, 2010, at 23:48, email@hidden wrote:
> Hi,
>
>
> I don't know if the problem is connected but since last update X11 crashes after starting kde on the remote Linux-server.
Which update? It doesn't look like you're running any X11 server provided by MacPorts, XQuartz, or Apple. What does "About" say in the X11 menu?
> My login procedure is as follows:
> - I start X11 with a script (without any window-manager)
> - connecting to remote Linux using "ssh -X server"
> - starting "kde"
> If I use "ssh -Y server" instead, X11 does not crash.
Well, you should be using -Y anyway if you're running KDE as it has applications that need to be trusted... but I'm curious why -X crashes the server.
> What is the difference between -X and -Y which can cause the crash? Why does it work with -X last week?
I've never really had -X work for me for complex cases because some client applications still don't work with it, but it has never crashed the server. The difference between -X and -Y is that -Y enables trusted X11 forwarding... from ssh(3):
"""
-X      Enables X11 forwarding.  This can also be specified on a per-host
        basis in a configuration file.

        X11 forwarding should be enabled with caution.  Users with the
        ability to bypass file permissions on the remote host (for the
        user's X authorization database) can access the local X11 display
        through the forwarded connection.  An attacker may then be able
        to perform activities such as keystroke monitoring.

        For this reason, X11 forwarding is subjected to X11 SECURITY
        extension restrictions by default.  Please refer to the ssh -Y
        option and the ForwardX11Trusted directive in ssh_config(5) for
        more information.

-Y      Enables trusted X11 forwarding.  Trusted X11 forwardings are not
        subjected to the X11 SECURITY extension controls.
"""
A quick google search provides a good article that saves me further typing:
http://dailypackage.fedorabook.com/index.php?/archives/48-Wednesday-Why-Trusted-and-Untrusted-X11-Forwarding-with-SSH.html
"""
The current version of SSH supports the X11 SECURITY extension, which provides two classes of clients: trusted clients, which can do anything with the display, and untrusted clients, which cannot inject synthetic events (mouse movement, keypresses) or read data from other windows (e.g., take screenshots). It should be possible to run almost all clients as untrusted, leaving the trusted category for screencapture and screencast programs, macro recorders, and other specialized utilities.
The SSH option -X has been replaced by -Y, which gives remote clients the key for trusted connections. The -X option now sets up untrusted connections.
In theory, this new feature should improve security. After all, you don't want a remote application to be capturing keystrokes or reading the screen when you access your banking web site, right?
Surprisingly, this feature is disabled in Fedora Core 6, and all X11 connections through SSH tunnels are handled as trusted. You can see this near the end of /etc/ssh/ssh_config:
...
The reason for this is explained in the comments in this file: simply put, the untrusted mode is not (yet) handled correctly by some client programs, so for now we're stuck with the historical (less-secure) setting.
"""
Yeah, these server strings don't match what we provide...
> Different outputs (in nohup.out)
>
> Connection with "-X" will result in:
> - -------------
> XFree86 Version 4.4.0 / X Window System
> (protocol Version 11, revision 0, vendor release 6600)
> [DRI] screen 0 installation complete
> Screen 0 added: 1440x900 @ (0,0)
> xterm: fatal IO error 32 (Broken pipe) or KillClient on X server ":3.0"
> Quitting XDarwin...
> - -------------
> Connection with "-Y" results in:
> - -------------
> XFree86 Version 4.4.0 / X Window System
> (protocol Version 11, revision 0, vendor release 6600)
> [DRI] screen 0 installation complete
> Screen 0 added: 1440x900 @ (0,0).
> Quitting XDarwin...
> - -------------
>
> BTW: Why it tries to reach X-Server on :3.0 where it should be open at :2.0?!
>
>
> Best regards,
>
>
> Volker Schmidt
>
>
> X11 startup-script: -------------
> #!/bin/sh
> cp ~/.xinitrc-nowm ~/.xinitrc
> nohup /Applications/Utilities/X11.app/Contents/MacOS/X11 :2 -once
> cp ~/.xinitrc-aqua ~/.xinitrc
> - ---------------------------------
You should just make a ~/.xinitrc.d directory instead. Don't override ~/.xinitrc unless you're sure you know what you're doing.
See: http://xquartz.macosforge.org/trac/wiki/X11-UsersFAQ#WantanotherX11.appserver
> ~/.xinitrc-nowm: ----------------
> #!/bin/sh
> # $Id: xinitrc,v 1.2 2003/02/27 19:03:30 jharper Exp $
> userresources=$HOME/.Xresources
> usermodmap=$HOME/.Xmodmap
> sysresources=/etc/X11/xinit/.Xresources
> sysmodmap=/etc/X11/xinit/.Xmodmap
> # merge in defaults and keymaps
> if [ -f $sysresources ]; then
>     xrdb -merge $sysresources
> fi
> if [ -f $sysmodmap ]; then
>     xmodmap $sysmodmap
> fi
> if [ -f $userresources ]; then
>     xrdb -merge $userresources
> fi
> if [ -f $usermodmap ]; then
>     xmodmap $usermodmap
> fi
> # start some nice programs
> exec xterm -geometry 30x5+10+20
> # start the window manager
> #exec quartz-wm
> - ---------------------------------
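An added example, not part of the original message and not OpenSSH's own code: the -X / -Y distinction discussed above depends on the effective client configuration, so "ssh -X" still yields trusted forwarding when ForwardX11Trusted is set to yes in ssh_config, as in the Fedora default the quoted article describes. The helper below classifies the mode from "ssh -G" output; the function names and sample lines are constructed for illustration, and it assumes an OpenSSH client that supports -G.

```shell
#!/bin/sh
# Classify the effective X11 forwarding mode from `ssh -G <host>` output
# read on stdin. Prints one of: none, untrusted, trusted, unknown.
# (x11_mode, audit_hosts and demo are hypothetical names for this example.)
x11_mode() {
    awk '
        tolower($1) == "forwardx11"        { fwd = tolower($2) }
        tolower($1) == "forwardx11trusted" { trusted = tolower($2) }
        END {
            if (NR == 0)               print "unknown"    # ssh -G gave no output
            else if (fwd != "yes")     print "none"       # no X11 forwarding at all
            else if (trusted == "yes") print "trusted"    # SECURITY extension bypassed
            else                       print "untrusted"  # SECURITY extension applies
        }'
}

# Report the mode the local client would use for each host.
# Extra ssh options (for example -X or -Y) can be passed through SSH_OPTS.
audit_hosts() {
    for h in "$@"; do
        # SSH_OPTS is intentionally unquoted so it splits into separate options.
        printf '%s\t%s\n' "$h" "$(ssh -G $SSH_OPTS "$h" 2>/dev/null | x11_mode)"
    done
}

# Constructed samples of the two relevant `ssh -G` lines.
demo() {
    # "ssh -X" with ForwardX11Trusted no: untrusted forwarding
    printf 'forwardx11 yes\nforwardx11trusted no\n'  | x11_mode
    # "ssh -X" with ForwardX11Trusted yes in ssh_config: trusted anyway
    printf 'forwardx11 yes\nforwardx11trusted yes\n' | x11_mode
    # Trusted flag set but forwarding off: nothing is forwarded
    printf 'forwardx11 no\nforwardx11trusted yes\n'  | x11_mode
}
```

Running `SSH_OPTS=-X audit_hosts server` shows what "ssh -X server" would actually negotiate on the local client before any X11 application is started.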