Re: problems with running remote X programs
on Fri, Jun 14, 2002, Colin Watson ([EMAIL PROTECTED]) wrote:
> On Fri, Jun 14, 2002 at 01:21:59PM +0100, Matthew Yee-King wrote:
> > I'm running gdm, windowmaker, woody and xfree 4.2. i need to run software on a remote machine that outputs to my local X server.
> > On the remote machine, i export DISPLAY=mylocalIP:0
> > then on my local machine, i xhost remote machineIP .
> > but it doesn't work - on the remote machine i get the error
> > Error: Can't open display: mylocalIP:0
> > is the xserver really locked down by default on debian or something?
>
> Yes. Remove '-nolisten tcp' from whatever starts your X server if you

Don't do that. It's there for a reason. X11 is an insecure, unauthenticated, protocol. Use other means (ssh with X11 forwarding) to tunnel it remotely if necessary.

If you're gaming, run the game on your local box.

Peace.

--
Karsten M. Self kmself@ix.netcom.com http://kmself.home.netcom.com/
What Part of Gestalt don't you understand?
Support the EFF, they support you: http://www.eff.org/
Re: problems with running remote X programs
on Fri, Jun 14, 2002, Ron Johnson ([EMAIL PROTECTED]) wrote:

[Regarding X11 tunnelled over ssh]

> Over a local, switched fast ethernet connection, what kind of performance drain will I see tunneling through ssh? Both boxen are GHz+.

Depends on what you're doing. For text-based apps, little noticeable delay. For heavy graphics apps, but not real-time response (e.g.: Mozilla, Abiword, other office applications), you'll note some lag. Gaming and flash are going to be notably impacted, probably unsuitably so.

You can mitigate this by using blowfish (a fast cipher) and *disabling* compression, which puts more overhead on the connection than it relieves in network traffic, for a fast network.

Peace.

--
Karsten M. Self kmself@ix.netcom.com http://kmself.home.netcom.com/
What Part of Gestalt don't you understand?
Software piracy loss numbers are a crock: http://kmself.home.netcom.com/Rants/piracy.html
Re: problems with running remote X programs
on Fri, Jun 14, 2002, Ron Johnson ([EMAIL PROTECTED]) wrote:
> On Fri, 2002-06-14 at 11:11, Ron Johnson wrote:
> ...
> > Any ideas? Colin Watson says to remove '-nolisten tcp' from the script that starts the local X. I'm going to try that now.
>
> Progress!! After removing '-nolisten tcp' from /etc/X11/xinit/xserverrc

Restore it. You were given bad advice whose implications you don't understand.

--
Karsten M. Self kmself@ix.netcom.com http://kmself.home.netcom.com/
What Part of Gestalt don't you understand?
zIWETHEY: Not just a stick in the MUD: http://z.iwethey.org/forums/
Re: problems with running remote X programs
On Sat, Jun 15, 2002 at 11:44:33PM -0700, Karsten M. Self wrote:
> on Fri, Jun 14, 2002, Ron Johnson ([EMAIL PROTECTED]) wrote:
> > On Fri, 2002-06-14 at 11:11, Ron Johnson wrote:
> > ...
> > > Any ideas? Colin Watson says to remove '-nolisten tcp' from the script that starts the local X. I'm going to try that now.
> >
> > Progress!! After removing '-nolisten tcp' from /etc/X11/xinit/xserverrc
>
> Restore it. You were given bad advice whose implications you don't understand.

I do understand the benefit of SSH, but insecure xhost with '-nolisten tcp' has an advantage if you are behind a firewall with slow machines.

So do not be so harsh like You were given bad advice :)

Colin Watson has been good to me like Karsten M. Self was. All the discussion about how to set up a system is really environment dependent.

--
~\^o^/~~~ ~\^.^/~~~ ~\^*^/~~~ ~\^_^/~~~ ~\^+^/~~~ ~\^:^/~~~ ~\^v^/~~~ +
Osamu Aoki @ Cupertino CA USA
See User's Guide: http://www.debian.org/doc/manuals/users-guide/
See Debian reference: http://www.debian.org/doc/manuals/reference/
Debian reference Project at: http://qref.sf.net
I welcome your constructive criticisms and corrections.
Re: problems with running remote X programs
On Sat, Jun 15, 2002 at 11:40:21PM -0700, Karsten M. Self wrote:
> on Fri, Jun 14, 2002, Colin Watson ([EMAIL PROTECTED]) wrote:
> > Yes. Remove '-nolisten tcp' from whatever starts your X server if you
^^

[want to do this snipped, but let's consider that underlined as well]

> Don't do that. It's there for a reason. X11 is an insecure, unauthenticated, protocol. Use other means (ssh with X11 forwarding) to tunnel it remotely if necessary.

Quite - but I have found environments where using plain remote X is useful. For instance, at work we have an internal network, and nobody there is going to attempt to hijack my X session. ssh is not installed on all the bizarre Unix systems that we have lying around, and I have much better things to do than spend a few days compiling it everywhere when it doesn't contribute a jot to my job description and really isn't necessary. Occasionally I need to run an X application remotely, and disabling '-nolisten tcp' is quite safe in this context and is by far the simplest solution.

It is appropriate to tell people that a secure alternative exists and should be used wherever possible; it is also appropriate to remember that, as long as you know what you're doing, the secure alternative is not always what you want. I would venture to suggest that internal networks where all other hosts are trusted are common enough environments for Debian systems that I don't think I have to suppress this particular piece of knowledge.

Naturally, if your system is connected directly to the wider Internet then you need to take that into account in everything you do and use secure protocols like ssh in preference. I apologize for not spelling this out in detail.

--
Colin Watson [EMAIL PROTECTED]
Re: problems with running remote X programs
on Sun, Jun 16, 2002, Osamu Aoki ([EMAIL PROTECTED]) wrote:
> On Sat, Jun 15, 2002 at 11:44:33PM -0700, Karsten M. Self wrote:
> > on Fri, Jun 14, 2002, Ron Johnson ([EMAIL PROTECTED]) wrote:
> > > On Fri, 2002-06-14 at 11:11, Ron Johnson wrote:
> > > ...
> > > > Any ideas? Colin Watson says to remove '-nolisten tcp' from the script that starts the local X. I'm going to try that now.
> > >
> > > Progress!! After removing '-nolisten tcp' from /etc/X11/xinit/xserverrc
> >
> > Restore it. You were given bad advice whose implications you don't understand.
>
> I do understand benefit of SSH but insecure xhost with '-nolisten tcp' has advantage if you are behind firewall with slow machines.
>
> So do not be so harsh like You were given bad advice :)
>
> Colin Watson has been good to me like Karsten M. Self was. All the discussion about how to set system is really environment dependent.

This is true. However, I see far too many people advocating xhost + and disabling -nolisten tcp, when the first attempt should be an ssh -X. If this turns out to be too slow for the necessary task (unlikely for any business/system need), then other options can be explored. And again, there are SSH clients (most free) for all significant, and most insignificant, platforms:

http://www.linuxmafia.com/pub/linux/security/ssh-clients

Telling people to facilitate remote X11 connections by dropping all security precautions is like telling someone who's complaining of heat to strip naked. Though effective, there are other options which might be attempted first -- turning on a fan, closing blinds, upping the A/C, or trading the slacks, button-down, and tie for shorts, T-shirt, and sandals. The proper solution depends on circumstances and resources, but there are some alternatives which should be strongly deprecated.

Peace.

--
Karsten M. Self kmself@ix.netcom.com http://kmself.home.netcom.com/
What Part of Gestalt don't you understand?
KQED FM: The bright spot on the dial: http://www.kqed.org/fm/
Re: problems with running remote X programs
Hi Karsten,

I agree with you wholeheartedly.

On Sun, Jun 16, 2002 at 12:03:39PM -0700, Karsten M. Self wrote:
> > > Restore it. You were given bad advice whose implications you don't understand.
^^^

I missed the last part of your phrase. I guess Colin/You/me are not in this you. After all, for those asking questions in this manner, SSH shall serve best to achieve their goal.

> This is true. However, I see far too many people advocating xhost + and disabling -nolisten tcp, when the first attempt should be an ssh -X.

One problem in Debian is that Debian tries too hard to make it secure, and many novices will get stuck and FIX it with wrong methods without realizing their implications.

--
~\^o^/~~~ ~\^.^/~~~ ~\^*^/~~~ ~\^_^/~~~ ~\^+^/~~~ ~\^:^/~~~ ~\^v^/~~~ +
Osamu Aoki @ Cupertino CA USA
See User's Guide: http://www.debian.org/doc/manuals/users-guide/
See Debian reference: http://www.debian.org/doc/manuals/reference/
Debian reference Project at: http://qref.sf.net
I welcome your constructive criticisms and corrections.
Re: problems with running remote X programs
On Sun, Jun 16, 2002 at 12:03:39PM -0700, Karsten M. Self wrote:
> This is true. However, I see far too many people advocating xhost + and disabling -nolisten tcp, when the first attempt should be an ssh -X. If this turns out to be too slow for the necessary task (unlikely for any business/system need), then other options can be explored. And

snip

On a related note, I am facing a peculiar problem with ssh -X hostname. As mentioned previously on this list, I have edited the files /etc/ssh/ssh_config and /etc/ssh/sshd_config to allow X forwarding, etc.

I can ssh from machine 'A' to another machine 'B' and run an X program on 'B' whose window comes up properly on 'A'. Then the machine locks up. None of the keys work. I cannot telnet/ssh into 'A' from any other machine on the network. Sometimes even 'B' gets locked up. The lock-up occurs only when I try X forwarding; otherwise ssh does not give me any problems.

What could be the reason for this weird behaviour? I am currently running woody on my machines.

Regards,

--
Sridhar M.A.
Genius doesn't work on an assembly line basis. You can't simply say, Today I will be brilliant.
-- Kirk, The Ultimate Computer, stardate 4731.3
problems with running remote X programs
Hello

I'm running gdm, windowmaker, woody and xfree 4.2. i need to run software on a remote machine that outputs to my local X server.

On the remote machine, i export DISPLAY=mylocalIP:0
then on my local machine, i xhost remote machineIP .
but it doesn't work - on the remote machine i get the error

    Error: Can't open display: mylocalIP:0

is the xserver really locked down by default on debian or something?

if i have a root terminal in an xsession started by a normal user, i can't use x programs either...

any ideas?

matthew
Re: problems with running remote X programs
On Fri, Jun 14, 2002 at 01:21:59PM +0100, Matthew Yee-King wrote:
> I'm running gdm, windowmaker, woody and xfree 4.2. i need to run software on a remote machine that outputs to my local X server.
> On the remote machine, i export DISPLAY=mylocalIP:0
> then on my local machine, i xhost remote machineIP .
> but it doesn't work - on the remote machine i get the error
> Error: Can't open display: mylocalIP:0
> is the xserver really locked down by default on debian or something?

Yes. Remove '-nolisten tcp' from whatever starts your X server if you want to do this; it might be /etc/X11/xinit/xserverrc, /etc/X11/gdm/gdm.conf, or various others.

Alternatively, use ssh X forwarding.

> if i have a root terminal in an xsession started by a normal user, i can't use x programs either...

'export XAUTHORITY=$HOME/.Xauthority', then make sure to use plain 'su' or 'sudo' instead of 'su -'. There are other solutions involving xauth, too.

--
Colin Watson [EMAIL PROTECTED]
Re: problems with running remote X programs
Matthew Yee-King [EMAIL PROTECTED] writes:
> I'm running gdm, windowmaker, woody and xfree 4.2. i need to run software on a remote machine that outputs to my local X server.
> On the remote machine, i export DISPLAY=mylocalIP:0
> then on my local machine, i xhost remote machineIP .

Eew eew eew. Don't do that. Debian disables unencrypted X network sessions. But since you're using ssh to log in from one machine to the other (right?) this is easy: just add -X to the ssh command-line arguments to get X forwarding over ssh, and the DISPLAY environment variable will be automagically set to the right thing on the remote machine.

--
David Maze [EMAIL PROTECTED] http://people.debian.org/~dmaze/
Theoretical politics is interesting. Politicking should be illegal.
-- Abra Mitchell
Re: problems with running remote X programs
On Fri, 2002-06-14 at 10:32, David Z Maze wrote:
> Matthew Yee-King [EMAIL PROTECTED] writes:
> > I'm running gdm, windowmaker, woody and xfree 4.2. i need to run software on a remote machine that outputs to my local X server.
> > On the remote machine, i export DISPLAY=mylocalIP:0
> > then on my local machine, i xhost remote machineIP .
>
> Eew eew eew. Don't do that. Debian disables unencrypted X network sessions. But since you're using ssh to log in from one machine to the other (right?) this is easy: just add -X to the ssh command-line arguments to get X forwarding over ssh, and the DISPLAY environment variable will be automagically set to the right thing on the remote machine.

Ok...

From an xterm window on my local box, I do

    $ssh -X username@remotehost

Then from the command prompt on the remote box, I type

    $mtr -g www.cox.net

and instantly get the error

    Gtk-WARNING **: cannot open display:

Explicitly setting $DISPLAY on the remote host causes the same error, but it just takes a few seconds of cogitation, first.

Any ideas? Colin Watson says to remove '-nolisten tcp' from the script that starts the local X. I'm going to try that now.

--
Ron Johnson, Jr.   Home: [EMAIL PROTECTED]
Jefferson, LA USA  http://ronandheather.dhs.org:81

I have created a government of whirled peas...
Maharishi Mahesh Yogi, 12-May-2002, CNN, Larry King Live
Re: problems with running remote X programs
On 14 Jun 2002 11:11:58 -0500 Ron Johnson [EMAIL PROTECTED] wrote:
> Ok...
>
> From an xterm window on my local box, I do
> $ssh -X username@remotehost
>
> Then from the command prompt on the remote box, I type
> $mtr -g www.cox.net
> and instantly get the error
> Gtk-WARNING **: cannot open display:
>
> Explicitly setting $DISPLAY on the remote host causes the same error, but it just takes a few seconds of cogitation, first.
>
> Any ideas?

Check for the following lines in your /etc/ssh/sshd_config:

    X11Forwarding yes
    X11DisplayOffset 10

--
Jamin W. Collins
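
The check suggested in the message above, together with the `-nolisten tcp` check discussed elsewhere in the thread, as an added example that is not part of the original posts. The function names and the sample files are constructed for illustration; on real hosts the files would be the ones named in the thread, /etc/X11/xinit/xserverrc on the machine with the display and /etc/ssh/sshd_config on the remote machine.

```shell
#!/bin/sh
# Added example, not from the thread. The sample files at the bottom are
# constructed; on real hosts pass /etc/X11/xinit/xserverrc (display host)
# and /etc/ssh/sshd_config (remote host), the paths named in the thread.

# Print the value sshd would use globally for keyword $2 in file $1.
# The first value read wins, keywords are case-insensitive, and $3 is the
# default when the keyword is absent (X11Forwarding defaults to "no").
sshd_global_value() {
    awk -v key="$2" -v def="$3" '
        BEGIN { key = tolower(key); val = def }
        /^[ \t]*#/ || /^[ \t]*$/ { next }       # comments, blank lines
        {
            line = $0; sub(/^[ \t]+/, "", line)
            n = match(line, /[ \t=]/)           # keyword ends at blank or "="
            if (n == 0) next
            k = tolower(substr(line, 1, n - 1)); v = substr(line, n)
            sub(/^[ \t]*=?[ \t]*/, "", v); sub(/[ \t]+$/, "", v)
            if (k == "match") exit              # Match blocks are not global
            if (k == key) { val = v; exit }
        }
        END { print val }' "$1"
}

# Succeed if a non-comment line of X start-up file $1 passes "-nolisten tcp".
x_tcp_disabled() {
    grep -v '^[[:space:]]*#' "$1" | grep -Eq -e '-nolisten[[:space:]]+tcp'
}

# Display host: is the X server still refusing TCP clients?
check_display_host() {
    if x_tcp_disabled "$1"; then echo "OK   $1: -nolisten tcp present"
    else echo "WARN $1: -nolisten tcp missing, X accepts TCP clients"; return 1; fi
}

# Remote host: will sshd honour "ssh -X"?
check_ssh_server() {
    fwd=$(sshd_global_value "$1" X11Forwarding no)
    if [ "$fwd" = yes ]; then echo "OK   $1: X11Forwarding yes"
    else echo "WARN $1: X11Forwarding is '$fwd', ssh -X will not forward X"; return 1; fi
}

# Constructed samples: the ".bad" files mirror the state reported in the thread.
demo=$(mktemp -d); trap 'rm -rf "$demo"' EXIT
printf '#!/bin/sh\nexec /usr/bin/X11/X -dpi 100\n' > "$demo/xserverrc.bad"
printf '#!/bin/sh\nexec /usr/bin/X11/X -dpi 100 -nolisten tcp\n' > "$demo/xserverrc.good"
printf '# constructed\nPort 22\nX11Forwarding no\nX11DisplayOffset 10\n' > "$demo/sshd_config.bad"
printf 'Port 22\nx11forwarding yes\nX11DisplayOffset 10\nX11Forwarding no\n' > "$demo/sshd_config.good"
for f in "$demo"/xserverrc.*; do check_display_host "$f" || true; done
for f in "$demo"/sshd_config.*; do check_ssh_server "$f" || true; done
```

The desired end state is both checks reporting OK: the X server keeps `-nolisten tcp` and the remote sshd forwards X11, so `ssh -X` carries the session.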
Re: problems with running remote X programs
On Fri, 2002-06-14 at 11:11, Ron Johnson wrote:
> On Fri, 2002-06-14 at 10:32, David Z Maze wrote:
> > Matthew Yee-King [EMAIL PROTECTED] writes:
> [snip]
> > Eew eew eew. Don't do that. Debian disables unencrypted X network sessions. But since you're using ssh to log in from one machine to the other (right?) this is easy: just add -X to the ssh command-line arguments to get X forwarding over ssh, and the DISPLAY environment variable will be automagically set to the right thing on the remote machine.
>
> Ok...
>
> From an xterm window on my local box, I do
> $ssh -X username@remotehost
>
> Then from the command prompt on the remote box, I type
> $mtr -g www.cox.net
> and instantly get the error
> Gtk-WARNING **: cannot open display:
>
> Explicitly setting $DISPLAY on the remote host causes the same error, but it just takes a few seconds of cogitation, first.
>
> Any ideas? Colin Watson says to remove '-nolisten tcp' from the script that starts the local X. I'm going to try that now.

Progress!! After removing '-nolisten tcp' from /etc/X11/xinit/xserverrc this is the error:

on the remote host

    $ mtr -g www.cox.net
    Xlib: connection to mylocalhost:0.0 refused by server
    Xlib: Client is not authorized to connect to Server
    Gtk-WARNING **: cannot open display: mylocalhost:0

    $ xhost rebel
    Xlib: connection to mylocalhost:0.0 refused by server
    Xlib: Client is not authorized to connect to Server
    xhost: unable to open display mylocalhost:0

In remotehost:/etc/ssh/sshd_config, there is the directive

    X11Forwarding no

Is this overriding my use of ssh -X?

--
Ron Johnson, Jr.   Home: [EMAIL PROTECTED]
Jefferson, LA USA  http://ronandheather.dhs.org:81

I have created a government of whirled peas...
Maharishi Mahesh Yogi, 12-May-2002, CNN, Larry King Live
Re: problems with running remote X programs
On Fri, 2002-06-14 at 11:15, Jamin W. Collins wrote:
> On 14 Jun 2002 11:11:58 -0500 Ron Johnson [EMAIL PROTECTED] wrote:
> > Ok...
> >
> > From an xterm window on my local box, I do
> > $ssh -X username@remotehost
> >
> > Then from the command prompt on the remote box, I type
> > $mtr -g www.cox.net
> > and instantly get the error
> > Gtk-WARNING **: cannot open display:
> >
> > Explicitly setting $DISPLAY on the remote host causes the same error, but it just takes a few seconds of cogitation, first.
> >
> > Any ideas?
>
> Check for the following lines in your /etc/ssh/sshd_config:
>
> X11Forwarding yes
> X11DisplayOffset 10

That did it. Thanks...

Over a local, switched fast ethernet connection, what kind of performance drain will I see tunneling through ssh? Both boxen are GHz+.

--
Ron Johnson, Jr.   Home: [EMAIL PROTECTED]
Jefferson, LA USA  http://ronandheather.dhs.org:81

I have created a government of whirled peas...
Maharishi Mahesh Yogi, 12-May-2002, CNN, Larry King Live
Re: problems with running remote X programs
Hello,

On Fri, Jun 14, 2002 at 11:48:08AM -0500, Ron Johnson wrote:
> Over a local, switched fast ethernet connection, what kind of performance drain will I see tunneling through ssh? Both boxen are GHz+.

I only have a 650 MHz, so I cannot say how it will work on your system. Most programs can be used without any seeable delay, but there are speed problems with videos and some games (100 MBit). On a wireless lan with eleven megabit, it takes some time to start programs, but then they are usable without many problems.

--
Benedikt Wildenhain
May the tux be with you.
:wq