Date: Mon, 30 Jun 2003 17:02:05 +0100
From: Matthew Seaman <m.seaman@infracaninophile.co.uk>
To: Terry Todd <tlt@badger.tltodd.com>
Cc: freebsd-questions@freebsd.org
Subject: Re: remote X on 5.1-RELEASE
Message-ID: <20030630160205.GA21490@happy-idiot-talk.infracaninophile.co.uk>
In-Reply-To: <20030630095146.A86319@badger.tltodd.com>
References: <20030629080744.A53730@badger.tltodd.com> <20030630050023.GO11229@freepuppy.bellavista.cz> <20030630095146.A86319@badger.tltodd.com>

On Mon, Jun 30, 2003 at 09:51:47AM -0500, Terry Todd wrote:
> On Mon, Jun 30, 2003 at 07:00:23AM +0200, Roman Neuhauser wrote:
> > # tlt@badger.tltodd.com / 2003-06-29 08:07:45 -0500:
> > > How do you get remote X to work with 5.1-RELEASE?
> > >
> > > Here is an attempt with some fields blanked out.
> > >
> > > $ xhost +
> > > access control disabled, clients can connect from any host
> > > $ telnet ______
> > > Trying ___.___.__.___...
> > > ....
> > > ....
> > > tlt@______> xterm
> > > _X11TransSocketINETConnect: Can't connect: errno = 61
> > > _X11TransSocketINETConnect: Can't connect: errno = 61
> > > _X11TransSocketINETConnect: Can't connect: errno = 61
> > > _X11TransSocketINETConnect: Can't connect: errno = 61
> > > _X11TransSocketINETConnect: Can't connect: errno = 61
> > > _X11TransSocketINETConnect: Can't connect: errno = 61
> > > xterm Xt error: Can't open display: ______.______.___:0.0
> > > tlt@______>
> > >
> > > The errno man page says errno 61 is connection refused. There is no
> > > firewall or anything on the laptop running 5.1-RELEASE on a local subnet.
> > > It is a fairly generic install except I had to recompile with OLDCARD.
> >
> > is the X server actually listening to remote connections? see
> > startx(1).
> >
>
> Yes, this is the answer. startx must now be run with the -listen_tcp option
> in order for remote X to work.

That's not entirely true. There's a reason why startx was modified to
prevent the X server listening on the network --- using a remote
session via the clear text X protocol is about as bad as using telnet
or rlogin or rsh: anyone can snoop on what you are doing and pick up
any passwords etc. you happen to type in.

Unless you're running solely over networks where there is no access by
untrusted parties, you should be using encryption to protect your
remote access. Generally that translates to "use ssh" -- and ssh(1)
can protect your X sessions in exactly the same way that it will
protect a tty based login session. It just needs a little
configuration first.

On your workstation (ie. with the screen in front of you), you need to
tell the ssh client to attempt to tunnel X sessions with the remote
machines you log into. Either edit /etc/ssh/ssh_config to change the
defaults system wide, or edit ~/.ssh/config to make the changes on a
per-user basis. You can select the systems you want to tunnel X stuff
from by name, eg. add:

    Host foo bar *.example.com
        ForwardX11 yes

(There's other options you can use here: see ssh_config(5) for
details) Note that the name match is against what you type on the
command line, not against the fully qualified name of the host.

On the X server, make sure that /etc/ssh/sshd_config does not contain
'X11Forwarding no'. The default on FreeBSD and other systems that use
OpenSSH (which is shown commented out in the sshd_config file) is to
permit X11Forwarding, so likely you won't need to change anything.

Now, to test, open a ssh session on a remote machine using the '-v'
verbose option:

    % ssh -v hostname

Amongst the output you should see:

    debug1: Requesting X11 forwarding with authentication spoofing.
    debug1: channel request 0: x11-req

and you'll find that the DISPLAY variable has been automatically set
in your environment on the remote system to something like:

    % echo $DISPLAY
    localhost:10.0

Now when you start up an X program on the remote, it should display on
your desktop, and all without having your X server listen on the
network at all.

    Cheers,

    Matthew

--
Dr Matthew J Seaman MA, D.Phil.
26 The Paddocks, Savill Way, Marlow, Bucks., SL7 1TH UK
PGP: http://www.infracaninophile.co.uk/pgpkey
Tel: +44 1628 476614
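
An added example, not part of the original message: a shell function that reports which ForwardX11 value a client config yields for a host name exactly as typed on the ssh command line, which is why a short name such as `baz` is not covered by `*.example.com`. The function names, the `Host *` stanza and the host names `baz` and `other.example.org` are constructed for illustration; it assumes the first-obtained-value rule from ssh_config(5) and does not handle Match, Include or key=value lines.

```shell
#!/bin/sh
# Added example (not from the original message); Match/Include/key=value unsupported.

# host_matches NAME PATTERN... : exit 0 if NAME matches the Host line.
host_matches() {
    hm_name=$1; shift
    hm_hit=1
    for hm_pat in "$@"; do
        case $hm_pat in
            '!'*) case $hm_name in ${hm_pat#!}) return 1 ;; esac ;;  # negated match vetoes the line
            *)    case $hm_name in $hm_pat) hm_hit=0 ;; esac ;;
        esac
    done
    return $hm_hit
}

# effective_forwardx11 CONFIG NAME : print the ForwardX11 value that applies
# to NAME, where NAME is the host exactly as typed on the ssh command line.
effective_forwardx11() {
    fx_cfg=$1; fx_name=$2
    fx_active=0   # options before the first Host line apply to every host
    fx_value=
    while read -r fx_key fx_rest || [ -n "$fx_key" ]; do
        case $fx_key in ''|'#'*) continue ;; esac
        fx_key=$(printf '%s' "$fx_key" | tr '[:upper:]' '[:lower:]')
        case $fx_key in
            host)
                set -f; set -- $fx_rest; set +f   # split patterns without globbing
                if host_matches "$fx_name" "$@"; then fx_active=0; else fx_active=1; fi ;;
            forwardx11)   # the first value obtained for an option is the one kept
                if [ "$fx_active" -eq 0 ] && [ -z "$fx_value" ]; then fx_value=$fx_rest; fi ;;
        esac
    done < "$fx_cfg"
    printf '%s\n' "${fx_value:-no}"   # OpenSSH default when unset is "no"
}

# Constructed sample config, modelled on the stanza in the message above.
SAMPLE=$(mktemp)
trap 'rm -f "$SAMPLE"' EXIT
cat > "$SAMPLE" <<'EOF'
Host foo bar *.example.com
    ForwardX11 yes
Host *
    ForwardX11 no
EOF
for h in foo baz.example.com baz other.example.org; do
    printf '%-20s ForwardX11 %s\n' "$h" "$(effective_forwardx11 "$SAMPLE" "$h")"
done
```

On OpenSSH releases that have the `-G` option, `ssh -G hostname` prints the client's own resolved options and can be compared against this result.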