Re: Xsecurity - how do I turn on MIT-MAGIC-COOKIE-1 and .Xauthority support?

2008-02-05 Thread Noam Meltzer
Ira,

Have you tried the "FreeNX" project? It gives superior performance over VNC
&  supports multi-sessions and/or multi-users. (which VNC does not)

It is linked with the standard X libraries on your system (X.org in RHEL4/5
case) so I suspect it should provide all the X extensions you require.

- Noam

2008/2/3 Ira Abramov <[EMAIL PROTECTED]>:

> > > On Feb 3, 2008 11:15 AM, Shachar Shemesh <[EMAIL PROTECTED]>
> > > wrote:
> > >
> > > > VNC on Windows behaves differently than on Linux. On Linux, it
> > > > opens its own unique X server, and then exports its display using
> > > > the VNC protocol. On Windows, VNC server exports the main Windows
> > > > display.
>
> their client is a windows machine, then an unimaginatively-named linux
> machine "xserver" runs Xvnc for 12 users, and from there they dispatch
> jobs to a cluster of CPU machines via a dispatcher whose name I forgot.
> The target machines already mount the same homedirs, so of course I have
> the MIT and XDM cookies in the .Xauthority at the far end as well. The
> problem is an interactive job tries to spawn at the target node but Xvnc
> ignores the xauth mechanism and blocks the client (and as I said - "xhost
> +" works but is too permissive)
>
> They just moved to that VNC setup because they are trying to stop using
> a local Xserver on the windows. they are surprised to discover vnc is
> slower, even though I explain the plusses and minuses.
>
> The local server is a commercial one, I was told they tried the local X
> from Cygwin with "bad results" but never gave me a full explanation.
> I'll have to either test the current cygwin-xorg and see if it's better
> for them, or test their proprietary/commercial Xserver-for-windows for
> any sort of MIT cookie support.
>
> Quoting Ilya Konstantinov, from the post of Sun, 03 Feb:
> > > Nowadays, you have VNC servers which act as X11 clients and export
> > > whatever X11 display you point them at. Those are the VNC servers
> > > which come with GNOME and KDE as their "remote desktop" offerings.
>
> I'm not going to run 12 full xorgs on the machine. Xvnc does the correct
> job, just misses support for some of the security models (supports only
> xhost, basically)
>
> > See also the discussion there about using x11vnc from inetd for spawning new
> > X sessions on demand in response to VNC connections.
>
> that means I lose sessions on disconnect, AS WELL as get sluggy GUI
> reactions. that's less useful than a local Xserver on the windows.
>
> --
> Target of opportunity
> Ira Abramov
> http://ira.abramov.org/email/
>
> =
> To unsubscribe, send mail to [EMAIL PROTECTED] with
> the word "unsubscribe" in the message body, e.g., run the command
> echo unsubscribe | mail [EMAIL PROTECTED]
>
>


Re: Xsecurity - how do I turn on MIT-MAGIC-COOKIE-1 and .Xauthority support?

2008-02-03 Thread Omer Zak
On Sun, 2008-02-03 at 14:40 +0200, Ira Abramov wrote:
> (and as I said - "xhost
> +" works but is too permissive)

Did you look into the options which xhost provides (man xhost)?  Maybe
there is an option which provides you with the right security
limitations?

--- Omer
-- 
MS-Windows is the Pal-Kal of the PC world.
My own blog is at http://www.zak.co.il/tddpirate/

My opinions, as expressed in this E-mail message, are mine alone.
They do not represent the official policy of any organization with which
I may be affiliated in any way.
WARNING TO SPAMMERS:  at http://www.zak.co.il/spamwarning.html





Re: Xsecurity - how do I turn on MIT-MAGIC-COOKIE-1 and .Xauthority support?

2008-02-03 Thread Ira Abramov
> > On Feb 3, 2008 11:15 AM, Shachar Shemesh <[EMAIL PROTECTED]>
> > wrote:
> >
> > > VNC on Windows behaves differently than on Linux. On Linux, it
> > > opens its own unique X server, and then exports its display using
> > > the VNC protocol. On Windows, VNC server exports the main Windows
> > > display.

their client is a windows machine, then an unimaginatively-named linux
machine "xserver" runs Xvnc for 12 users, and from there they dispatch
jobs to a cluster of CPU machines via a dispatcher whose name I forgot.
The target machines already mount the same homedirs, so of course I have
the MIT and XDM cookies in the .Xauthority at the far end as well. The
problem is an interactive job tries to spawn at the target node but Xvnc
ignores the xauth mechanism and blocks the client (and as I said - "xhost
+" works but is too permissive)

They just moved to that VNC setup because they are trying to stop using
a local Xserver on the windows. they are surprised to discover vnc is
slower, even though I explain the plusses and minuses.

The local server is a commercial one, I was told they tried the local X
from Cygwin with "bad results" but never gave me a full explanation.
I'll have to either test the current cygwin-xorg and see if it's better
for them, or test their proprietary/commercial Xserver-for-windows for
any sort of MIT cookie support.

Quoting Ilya Konstantinov, from the post of Sun, 03 Feb:
> > Nowadays, you have VNC servers which act as X11 clients and export
> > whatever X11 display you point them at. Those are the VNC servers
> > which come with GNOME and KDE as their "remote desktop" offerings.

I'm not going to run 12 full xorgs on the machine. Xvnc does the correct
job, just misses support for some of the security models (supports only
xhost, basically)

> See also the discussion there about using x11vnc from inetd for spawning new
> X sessions on demand in response to VNC connections.

that means I lose sessions on disconnect, AS WELL as get sluggy GUI
reactions. that's less useful than a local Xserver on the windows.

-- 
Target of opportunity
Ira Abramov
http://ira.abramov.org/email/




Re: Xsecurity - how do I turn on MIT-MAGIC-COOKIE-1 and .Xauthority support?

2008-02-03 Thread Ilya Konstantinov
On Feb 3, 2008 12:49 PM, Ilya Konstantinov <[EMAIL PROTECTED]>
wrote:

> On Feb 3, 2008 11:15 AM, Shachar Shemesh <[EMAIL PROTECTED]> wrote:
>
> > VNC on Windows behaves differently than on Linux. On Linux, it opens its
> > own unique X server, and then exports its display using the VNC
> > protocol. On Windows, VNC server exports the main Windows display.
>
>
> Nowadays, you have VNC servers which act as X11 clients and export
> whatever X11 display you point them at. Those are the VNC servers which come
> with GNOME and KDE as their "remote desktop" offerings.
>
> Here's one:
> http://www.karlrunge.com/x11vnc/
>
> BTW, those kind of VNC servers only became possible (with reasonable
> performance) with the introduction of the DAMAGE extension, so they pretty
> much have to run on a modern X server - or otherwise there'll be very
> CPU-intensive screen polling.
>

This describes a configuration more like Xvnc:
http://www.karlrunge.com/x11vnc/#faq-xvfb

See also the discussion there about using x11vnc from inetd for spawning new
X sessions on demand in response to VNC connections.


Re: Xsecurity - how do I turn on MIT-MAGIC-COOKIE-1 and .Xauthority support?

2008-02-03 Thread Ilya Konstantinov
On Feb 3, 2008 11:15 AM, Shachar Shemesh <[EMAIL PROTECTED]> wrote:

> VNC on Windows behaves differently than on Linux. On Linux, it opens its
> own unique X server, and then exports its display using the VNC
> protocol. On Windows, VNC server exports the main Windows display.


Nowadays, you have VNC servers which act as X11 clients and export whatever
X11 display you point them at. Those are the VNC servers which come with
GNOME and KDE as their "remote desktop" offerings.

Here's one:
http://www.karlrunge.com/x11vnc/

BTW, those kind of VNC servers only became possible (with reasonable
performance) with the introduction of the DAMAGE extension, so they pretty
much have to run on a modern X server - or otherwise there'll be very
CPU-intensive screen polling.


Re: Xsecurity - how do I turn on MIT-MAGIC-COOKIE-1 and .Xauthority support?

2008-02-03 Thread Shachar Shemesh

Ira Abramov wrote:
> Time to go test their local windows Xserver and see what it DOES
> support.

VNC on Windows behaves differently than on Linux. On Linux, it opens its 
own unique X server, and then exports its display using the VNC 
protocol. On Windows, VNC server exports the main Windows display. This 
means that if you want to export X11 programs running on Windows using 
VNC, you also have to explicitly run an X11 server.


Which is good news. Cygwin has a Windows port of X.org, which, as you 
know, does support MIT cookies. Problem solved.


Shachar





Re: Xsecurity - how do I turn on MIT-MAGIC-COOKIE-1 and .Xauthority support?

2008-02-03 Thread Ira Abramov
Quoting Shachar Shemesh, from the post of Sun, 03 Feb:
> Ira Abramov wrote:
>
>> is the RHEL-supplied Xvnc ignoring MIT-MAGIC-COOKIE because of
>> configuration, or something missing at compile time?
> I believe they ignore it because their X server doesn't support it.

damn... I suspected that was it :-(

Time to go test their local windows Xserver and see what it DOES
support.

-- 
It's all good
Ira Abramov
http://ira.abramov.org/email/




Re: Xsecurity - how do I turn on MIT-MAGIC-COOKIE-1 and .Xauthority support?

2008-02-02 Thread Shachar Shemesh

Ira Abramov wrote:
> is the RHEL-supplied Xvnc ignoring MIT-MAGIC-COOKIE because of
> configuration, or something missing at compile time?

I believe they ignore it because their X server doesn't support it.

A VNC server is also an X server, which means that you are NOT using an
X.org or XFree86 based server. If the server does not support an
extension, then nothing you will do with the files will make it.


Shachar




Re: Xsecurity - how do I turn on MIT-MAGIC-COOKIE-1 and .Xauthority support?

2008-02-02 Thread Amos Shapira
On Feb 2, 2008 11:49 PM, Ira Abramov <[EMAIL PROTECTED]> wrote:

> howdie gang!
>
> I have two clients with a similar problem: they run a job dispatcher that
> sends their requests to a free node in a compute cluster to run a
> compilation or simulation of the system. Some of those jobs are supposed
> to open an interactive X connection. the display is set right but of
> course one needs authority to access the user's display. right now it
> means the user has to run it with "xhost +" and that's just too
> permissive.


How about copying over the cookie using "xauth nextract ... | ssh ... xauth
nmerge ..." (or whatever is required to pass over the cookie, you get the
idea)?

Also try setting up the XAUTHORITY envariable to point to a .Xauthority file
with the right cookies in it.

--Amos
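
Added example, not part of the original thread: a check for the cookie-copying approach suggested above, which parses the binary .Xauthority format and reports whether a compute node holds a MIT-MAGIC-COOKIE-1 entry that applies to a TCP connection to the Xvnc host's display. The function names, the address 192.0.2.10 and the cookie bytes are constructed for illustration; the matching rule (family, address, display number) covers the IPv4 TCP case only.

```python
import socket
import struct

FAMILY_INTERNET, FAMILY_LOCAL, FAMILY_WILD = 0, 256, 65535  # X11 family codes

def make_entry(family, addr, number, name, data):
    """Serialize one record: uint16 family, then four length-prefixed fields."""
    out = struct.pack(">H", family)
    for field in (addr, number, name, data):
        out += struct.pack(">H", len(field)) + field
    return out

def parse_xauthority(blob):
    """Parse .Xauthority bytes into (family, addr, number, name, data) tuples."""
    pos, entries = 0, []
    while pos < len(blob):
        values = []
        for i in range(5):  # family, then four big-endian uint16 length prefixes
            if pos + 2 > len(blob):
                raise ValueError("truncated record at offset %d" % pos)
            (n,) = struct.unpack_from(">H", blob, pos)
            pos += 2
            if i == 0:
                values.append(n)  # the family code itself
                continue
            if pos + n > len(blob):
                raise ValueError("truncated field at offset %d" % pos)
            values.append(blob[pos:pos + n])
            pos += n
        entries.append(tuple(values))
    return entries

def cookie_for(entries, server_ip, display):
    """Return the MIT-MAGIC-COOKIE-1 usable for a TCP connection to server_ip:display."""
    want_addr, want_num = socket.inet_aton(server_ip), str(display).encode()
    for family, addr, number, name, data in entries:
        if name != b"MIT-MAGIC-COOKIE-1":
            continue
        addr_ok = family == FAMILY_WILD or (family == FAMILY_INTERNET and addr == want_addr)
        if addr_ok and number in (b"", want_num):  # empty number matches any display
            return data
    return None

# Constructed sample: a local-only MIT cookie plus an XDM entry for display 3.
COOKIE = bytes(range(16))  # constructed 128-bit value, not a real cookie
XSERVER_IP = "192.0.2.10"  # assumed address of the Xvnc host (documentation range)
SAMPLE = make_entry(FAMILY_LOCAL, b"xserver", b"3", b"MIT-MAGIC-COOKIE-1", COOKIE) + \
    make_entry(FAMILY_INTERNET, socket.inet_aton(XSERVER_IP), b"3", b"XDM-AUTHORIZATION-1", bytes(16))
```

On the constructed sample, `cookie_for(parse_xauthority(SAMPLE), XSERVER_IP, 3)` returns `None`: the only MIT cookie is keyed as a local entry, so a file can contain "the cookie" and still offer nothing for a connection made from another node.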


Xsecurity - how do I turn on MIT-MAGIC-COOKIE-1 and .Xauthority support?

2008-02-02 Thread Ira Abramov
howdie gang!

I have two clients with a similar problem: they run a job dispatcher that
sends their requests to a free node in a compute cluster to run a
compilation or simulation of the system. Some of those jobs are supposed
to open an interactive X connection. the display is set right but of
course one needs authority to access the user's display. right now it
means the user has to run it with "xhost +" and that's just too
permissive.

The users run with vnc clients to Xvnc servers, that don't seem to
support secure-RPC either, so looks like "xhost +nis:[EMAIL PROTECTED]" can't
work either.

is the RHEL-supplied Xvnc ignoring MIT-MAGIC-COOKIE because of
configuration, or something missing at compile time? the Xsecurity
manpage is not giving too many hints...

Thanks,
Ira.

-- 
All your base are belong to us
Ira Abramov
http://ira.abramov.org/email/
