
ssh, X11 forwarding, xhost and setenv DISPLAY


JJ

Feb 20, 2007, 1:05:42 PM

I know that ssh will happily tunnel X11 for me. But, when doing this
for an X intensive application, it is annoyingly slow. Usable, but
aggravating.

I often work at a windows laptop running the xceed xserver and ssh to my
solaris 8 box. Inside the xceed configuration, I allow the solaris box
to display to the Xserver on my laptop and set my DISPLAY variable to
point directly at the laptop instead of to the tunneled pathway. This
works just great. The info that goes through X is not encrypted, but
that doesn't bother me, and I only allow my solaris box access. It's
just about as fast as sitting directly at the console of the Solaris box.

My problem is, that I can't seem to do a similar thing if I'm working at
a different seat (like a linux box or mac). If I'm at one of those and
display X tunneled through SSH, the slowness is annoying. However, I
can't seem to get X to bypass ssh and display. At the linux box or mac I do
an "xhost <solaris box>" and then set my DISPLAY variable to point
directly to that location. But it still is not allowed. I can only
seem to get X to work by going through the encryption/decryption process
in ssh. I even turned off the firewall on the linux box and still
couldn't get it to work.

Does anyone know of a way to get this faster, though less secure, method
of displaying X over the network to work? Or is there some trick to ssh
to speed up the tunneling of X?

Thanks.

-Jonathan

Tim Bradshaw

Feb 20, 2007, 2:32:50 PM
On 2007-02-20 18:05:42 +0000, JJ <jj...@cornell.edu> said:

> My problem is, that I can't seem to do a similar thing if I'm working
> at a different seat (like a linux box or mac). If I'm at one of those
> and display X tunneled through SSH, the slowness is annoying. However,
> I can't seem to get X to bypass ssh and display. At the linux box or mac I
> do an "xhost <solaris box>" and then set my DISPLAY variable to point
> directly to that location. But it still is not allowed. I can only
> seem to get X to work by going through the encryption/decryption
> process in ssh. I even turned off the firewall on the linux box and
> still couldn't get it to work.

From the solaris box (or the X client, anyway), try telnetting to the
machine with the server on port 6000 + display number (normally 6000).
If you can't get through something is in the way: either the server
isn't listening (which seems to be the case for the OS X server by
default) or the machine has a firewall or something.

--tim

Darren Dunham

Feb 20, 2007, 3:53:57 PM
JJ <jj...@cornell.edu> wrote:
> My problem is, that I can't seem to do a similar thing if I'm working at
> a different seat (like a linux box or mac). If I'm at one of those and
> display X tunneled through SSH, the slowness is annoying. However, I
> can't seem to get X to bypass ssh and display. At the linux box or mac I do
> an "xhost <solaris box>" and then set my DISPLAY variable to point
> directly to that location. But it still is not allowed.

What is the message you get?

Some X servers will refuse all external clients by default. You have to
explicitly allow them to accept clients that are not on localhost.

The SSH stuff would normally work in this situation because the client
is on the local machine.

If this is your problem, then the solution depends on the specific X
server in use. There's no common way to control them.

--
Darren Dunham ddu...@taos.com
Senior Technical Consultant TAOS http://www.taos.com/
Got some Dr Pepper? San Francisco, CA bay area
< This line left intentionally blank to confuse you. >

JJ

Feb 20, 2007, 4:37:55 PM
Darren Dunham wrote:


>
> What is the message you get?

With the linux box, I don't get a message at all. When I try to run the
X application, it just waits.

> Some X servers will refuse all external clients by default. You have to
> explicitly allow them to accept clients that are not on localhost.

I thought turning off the firewall might do this, but it sounds like
you're saying it might be some configuration of the X server itself.
I'll look into this.


> If this is your problem, then the solution depends on the specific X
> server in use. There's no common way to control

Thanks.

-Jonathan

Darren Dunham

Feb 20, 2007, 7:02:03 PM
JJ <jj...@cornell.edu> wrote:
> Darren Dunham wrote:
>> What is the message you get?

> With the linux box, I don't get a message at all. When I try to run the
> X application, it just waits.

>> Some X servers will refuse all external clients by default. You have to
>> explicitly allow them to accept clients that are not on localhost.

> I thought turning off the firewall might do this, but it sounds like
> you're saying it might be some configuration of the X server itself.
> I'll look into this.

Right. On Linux, I might do a 'netstat -an | grep 6000'. The X server
will open a LISTEN port on 6000 under normal circumstances.

If that port is tied to the localhost address:

tcp 0 0 127.0.0.1:6000 0.0.0.0:* LISTEN

Then it is *NOT* accepting external clients. You'd expect 0.0.0.0:6000
if it is listening on all interfaces.
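
Added example, not part of the original post: the netstat check described above, turned into a filter that reports every X11 listener (ports 6000 + display number) and whether it is bound to loopback only or to all interfaces. The function names, the 0-63 display range and the sample lines are assumptions made for illustration, and the parser expects the Linux `netstat -an` column layout.

```shell
#!/bin/sh
# Added example: classify X11 TCP listeners in `netstat -an` style output.
# Assumption: displays 0-63 map to TCP ports 6000-6063 (6000 + display number).

# Reads netstat lines on stdin and prints, per X11 listener:
#   <display> <bind-address> <loopback-only|all-interfaces|specific-address>
x11_listeners() {
    awk '
    $1 ~ /^tcp/ && $6 == "LISTEN" {
        n = split($4, part, ":")           # local address is field 4
        port = part[n]                     # text after the last colon
        if (port !~ /^[0-9]+$/) next
        if (port + 0 < 6000 || port + 0 > 6063) next
        addr = substr($4, 1, length($4) - length(port) - 1)
        if (addr == "0.0.0.0" || addr == "::" || addr == "*")
            scope = "all-interfaces"       # reachable from other hosts
        else if (addr ~ /^127\./ || addr == "::1")
            scope = "loopback-only"        # local clients and ssh proxies only
        else
            scope = "specific-address"
        printf "%d %s %s\n", port - 6000, addr, scope
    }'
}

# Constructed sample input (not captured from a real host).
sample_netstat() {
    cat <<'EOF'
tcp        0      0 127.0.0.1:6000      0.0.0.0:*           LISTEN
tcp        0      0 0.0.0.0:22          0.0.0.0:*           LISTEN
tcp        0      0 127.0.0.1:6010      0.0.0.0:*           LISTEN
tcp        0      0 0.0.0.0:6001        0.0.0.0:*           LISTEN
tcp6       0      0 :::6001             :::*                LISTEN
tcp        0      0 192.0.2.10:6000     198.51.100.7:41234  ESTABLISHED
EOF
}

sample_netstat | x11_listeners
```

On a live system, pipe `netstat -an` into `x11_listeners` instead of the sample; any `all-interfaces` line is a display that accepts connections from the network, subject to xhost/xauth access control.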

Glenn

Feb 20, 2007, 10:37:09 PM
> > Some X servers will refuse all external clients by default. You have to
> > explicitly allow them to accept clients that are not on localhost.
>
> I thought turning off the firewall might do this, but it sounds like
> you're saying it might be some configuration of the X server itself.
> I'll look into this.

Google for "DisallowTCP" and "/etc/X11/gdm/gdm.conf" on your Linux
box.

Ceri Davies

Feb 26, 2007, 6:54:55 AM
On 2007-02-20, JJ <jj...@cornell.edu> wrote:
>
> I know that ssh will happily tunnel X11 for me. But, when doing this
> for an X intensive application, it is annoyingly slow. Usable, but
> aggravating.

Did you try enabling compression?

Ceri
--
That must be wonderful! I don't understand it at all.
-- Moliere

Bernd.Schemmer

Feb 26, 2007, 5:36:21 PM
Jonathan,

You can use a VNC Server on the Solaris Box and a VNC Viewer on your
laptop. In my experience this is often faster than using the ssh X
forwarding if ssh is necessary to access the Solaris Box.

For security reasons configure the VNC Server to only listen to
localhost and use an ssh tunnel to access the VNC Server.

Another advantage is that you do not lose your open sessions if you
disconnect the VNC viewer (because the X Server (which is the VNC
Server) runs on your Solaris box and not on the laptop).


regards

Bernd


--
Bernd Schemmer http://home.arcor.de/bnsmb/index.html

Jim Prescott

Feb 26, 2007, 4:31:29 PM
In article <erfd9o$gkl$1...@ruby.cit.cornell.edu>, JJ <jj...@cornell.edu> wrote:
>I know that ssh will happily tunnel X11 for me. But, when doing this
>for an X intensive application, it is annoyingly slow.

You could try switching encryption methods, some are much faster than
others. Blowfish is much faster than 3des. If top-notch security
isn't necessary you might be able to find something supported on both
sides that is even quicker.

>At the linux box or mac I do
>an "xhost <solaris box>" and then set my DISPLAY variable to point
>directly to that location. But it still is not allowed.

With RedHat/Fedora systems I've run into two problems:
- the X server starts with "-nolisten tcp" so it doesn't accept
  remote connections. This is usually controlled by DisallowTCP
  in the X startup files (which vary from release to release)
- they sometimes start up the server with a private XAUTHORITY
  file instead of ~/.Xauthority (using xauth is somewhat better
  than using xhost but the private file makes this harder).
--
Jim Prescott - Computing and Networking Group j...@seas.rochester.edu
School of Engineering and Applied Sciences, University of Rochester, NY

John Ferguson

Mar 13, 2018, 10:10:24 AM
I realize that this is an old thread, but it speaks to a problem I'm having. I'd like to operate my SPARC10 - SunOS 4.1.4, Openwin 3.0 from an Ubuntu 16.04 laptop.

I had to reinstall SSH1 to do ssh connections to the Sun - and it seems to work ok, although there is a warning that the length of the encryption word wasn't right.

I found and permitted the two lines in ssh_config on the Ubuntu machine which would otherwise have prevented this from working. I do the xhost ident on both machines, I do the setenv DISPLAY hp2:0 on the Sun, and I try to export xclock. It eventually times out and says it cannot open the display.

Is it possible that this whole idea is nuts and that the differences in the ssh protocols running on the two machines are enough to prevent it from working?

All of this was so EASY in 1992, maybe I was smarter then.

??

John Ferguson

Mar 13, 2018, 11:16:17 AM
Maybe I need to launch openwin on the sun --noauth. I doubt if there is an MIT magic cookie on the hp.

John-Paul Stewart

Mar 13, 2018, 11:25:52 AM
On 2018-03-13 10:10 AM, John Ferguson wrote:
>
> I found and permitted the two lines in ssh_config on the Ubuntu machine
> which would otherwise have prevented this from working. I do the xhost
> ident on both machines, I do the setenv DISPLAY hp2:0 on the Sun, and I
> try to export xclock. It eventually times out and says it cannot open
> the display.

Don't use xhost or setenv DISPLAY when doing X11 forwarding over SSH!
If SSH is correctly configured, either by adding "ForwardX11 yes" to
/etc/ssh/ssh_config on the Ubuntu machine or by calling ssh with the -X
(or -Y) command line option on the Ubuntu machine, then that's all you
need to do. SSH itself will handle the rest. Calling xhost is
completely unnecessary. Worse, setting DISPLAY will actually break X11
forwarding through SSH, since SSH will use a completely different name
for the display; it'll be something like localhost:10.0. SSH always
uses localhost for its forwarding, even though it'll be displayed
elsewhere, and is usually :10 or higher. (SSH uses a "proxy" X server
to enable it to send the actual data over the encrypted SSH channel.
You're trying to circumvent that when you override DISPLAY.)

What you're doing with xhost and DISPLAY dates from the old days of rsh
or telnet and is no longer needed with SSH.

So, from the Ubuntu box just ssh into the Sun machine, and then try to
launch xclock or whatever you like. Don't worry about xhost or setting
DISPLAY. You can echo $DISPLAY if you want to see what it's set to, but
it won't be what you're expecting.

If that still doesn't work, post here again, and somebody will try to
figure out what's really going on.
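
Added example, not part of the original post: a small check of which path an X client will take for a given DISPLAY value, covering the direct `hp2:0` setting and the `localhost:10.0` style value that SSH forwarding sets, as discussed above. The function name `display_route`, its output labels and the "display 10 or higher on localhost means SSH proxy" heuristic are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: work out which path an X client will take for a DISPLAY value.
# Prints "<transport> <tcp-port-or-dash> <note>"; returns 1 if unparseable.
display_route() {
    d=$1
    case $d in
        *:*) ;;
        *) echo "invalid - no-display-number"; return 1 ;;
    esac
    host=${d%:*}        # text before the last colon (may be empty)
    num=${d##*:}        # display[.screen]
    num=${num%%.*}      # drop the optional screen number
    case $num in
        ''|*[!0-9]*) echo "invalid - bad-display-number"; return 1 ;;
    esac
    port=$((6000 + num))
    case $host in
        ''|unix)
            echo "local-socket - not-on-network" ;;
        localhost|127.*|::1)
            # Assumption: sshd proxy displays start at 10 (its usual offset).
            if [ "$num" -ge 10 ]; then
                echo "tcp-loopback $port likely-ssh-forwarded"
            else
                echo "tcp-loopback $port local-x-server"
            fi ;;
        *)
            echo "tcp-remote $port direct-unencrypted" ;;
    esac
}

# Constructed sample values: the two from the thread plus a plain local display.
for v in hp2:0 localhost:10.0 :0; do
    printf '%-16s -> %s\n' "$v" "$(display_route "$v")"
done
```

Running `display_route "$DISPLAY"` inside an SSH session shows at a glance whether a manual `setenv DISPLAY` has replaced the forwarded display with a direct, unencrypted connection.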

John Ferguson

Mar 13, 2018, 11:35:39 AM
Wow, Thank you so much John-Paul. I did what you suggested and it worked perfectly.

John Ferguson

Mar 13, 2018, 10:53:07 PM
John-Paul, It's coming back to me very slowly. We sold a sparc2 with a shoebox with two 400Meg +/- drives to replace an old IBM system which took up a room and its own Liebert System. The new system was much faster and was used for a proprietary business management system. Access to the system was via a bunch of PCs running an x-windows application. I suspect raw access was via RSH.

It worked great. Who would have thought. The savings from the Liebert alone when they shut down the IBM system was substantial.

On my own system the simple stuff works like xclock and the various openwin demos. On other things I'm getting font errors - could be I can't get them in Ubuntu because they were licensed. There are also Xnews issues. I concede the whole effort is nuts.

John-Paul Stewart

Mar 14, 2018, 3:49:25 PM
On 2018-03-13 10:53 PM, John Ferguson wrote:
> on my own system the simple stuff works like xclock and the various
> openwin demos. on other things I'm getting font errors - could be I
> can't get them in Ubuntu because they were licensed. There are also
> Xnews issues.

Yeah, unfortunately those are common problems and don't necessarily have
solutions.

> I concede the whole effort is nuts.

But isn't that what makes it fun? :)

John Ferguson

Mar 14, 2018, 4:23:55 PM
I found someone who had gotten vnc running on sunos 4.1.4. He needed to have bash running and I think he also had GCC. I've got GCC 2.9.5.2 running fine on my system - I needed it to get ghostscript running so I could print to the SPARCprinter from most of the systems in the house (Except Windows 10 - so far).

I'm hoping a VNC installation will not hang on the fonts issue, maybe use the fonts on the server.