Re: [CentOS] An odd X question

2015-06-26 Thread Alexandru Chiscan

Hello Stuart,

On 06/25/2015 11:51 PM, Stuart Barkley wrote:

> For (ssh based) X forwarding no X server needs to run on the server.
> I usually install the xorg-x11-xauth (necessary) and xterm (optional)
> rpms on all my servers in case X forwarding becomes necessary.
>
> Then from your desktop (assuming Linux already running X) in a local
> xterm do something like:
>
>  ssh -Y remote-system

Do not use that, because any user logged on the server can connect to your X server display 
and snoop on what you are doing, open windows, etc.

-Y disables all the X server authentication mechanisms 
(http://www.x.org/wiki/Development/Documentation/Security/)

> Note about -X versus -Y with ssh:
>
> -X enables basic X forwarding. It disables some X functionality making
> it safer to allow.  -X also stops working after about 20 minutes
> (this is by design but not well documented).  I only recently learned
> why it would stop working after pulling out the last of my hair.

I have been using ssh X forwarding for current work use (local network) for more than 15 
years and never got into this kind of problem from RH 7 to CentOS 7, AIX and Solaris.

Maybe it is some other issue that is closing your ssh connection (maybe you should use the 
KeepAlive options on the ssh server/client); just guessing.

> -Y allows the full X protocol which might be a security risk.  Some
> applications will only work with -Y.  With this, remote X applications
> can grab keyboard interactions, grab passwords, put windows on top of
> other windows (obscuring security messages), etc.
>
> For my own choice I use -Y (although I only enable it occasionally to
> specific systems).

It is a security risk; as I said above, any user logged on the server can connect to your 
display X server without you knowing.


Lec

___
CentOS mailing list
CentOS@centos.org
http://lists.centos.org/mailman/listinfo/centos


Re: [CentOS] An odd X question

2015-06-26 Thread Gordon Messmer

On 06/26/2015 05:04 AM, mark wrote:
> You misunderstand me: I understand the terminology, and why they chose 
> it. I simply disagree with their choice, and have always found it 
> confusing, esp. to anyone coming into it since, um, the mid/late 80's, 
> when *everything* else in the world used the terminology the other 
> way, from d/b to three-tiered architecture. 


No, they didn't.  The server is the persistent process, the one that 
listens for network connections from clients, typically the one that 
authenticates clients, and the one that performs privileged actions on 
behalf of clients.


That's what the X11 display server does.

The display server is a persistent process.  Clients (such as xterm) 
connect to it.  There is not a persistent xterm server running that 
the display client connects to.  The display server authenticates 
clients.  It manages the interface with the graphics card and HID devices.



Re: [CentOS] An odd X question

2015-06-26 Thread Gordon Messmer

On 06/26/2015 12:16 AM, Alexandru Chiscan wrote:
> Do not use that because any user logged on the server can connect to 
> your X server display and snoop what you are doing, open windows etc.
>
> -Y disables all the X server authentication mechanisms 
> (http://www.x.org/wiki/Development/Documentation/Security/)


Not authentication, only SECURITY.

Any root user can connect to your X11 server, whether you use -X or 
-Y, since they can read your .Xauthority file.  Users who cannot read 
your .Xauthority file cannot connect at all.  The difference between 
trusted and untrusted is that trusted clients can snoop keyboard events 
or window contents.  Untrusted clients cannot do that.


However, on Fedora, ForwardX11Trusted is yes by default (see 
ssh_config), so -X and -Y do the same thing.

___
CentOS mailing list
CentOS@centos.org
http://lists.centos.org/mailman/listinfo/centos
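
Added example, not part of any post in this thread: a shell check of which X11 forwarding mode the local OpenSSH client will actually use, since the reply above notes that a distribution's ssh_config can make -X behave like -Y. The `ssh -G` sample output is constructed, `remote-system` is the placeholder host name used in the thread, and `ForwardX11Timeout` is the ssh_config option (default 20 minutes) after which untrusted forwarding refuses new X11 connections.

```shell
#!/bin/sh
# Added example: classify the X11 forwarding mode an OpenSSH client would use,
# from the lowercase "key value" lines printed by `ssh -G`.

# Constructed sample outputs (not captured from a real host).
SAMPLE_TRUSTED_DEFAULT='hostname remote-system
forwardx11 yes
forwardx11trusted yes
forwardx11timeout 1200'

SAMPLE_UNTRUSTED='hostname remote-system
forwardx11 yes
forwardx11trusted no
forwardx11timeout 1200'

SAMPLE_OFF='hostname remote-system
forwardx11 no
forwardx11trusted no
forwardx11timeout 1200'

# Reads `ssh -G` output on stdin and prints one verdict line:
#   off                   no X11 forwarding requested
#   trusted               forwarded clients get the full X protocol (the -Y case)
#   untrusted timeout=N   SECURITY extension restrictions apply; N is in seconds
classify_x11() {
    awk '
        $1 == "forwardx11"        { fwd = $2 }
        $1 == "forwardx11trusted" { trusted = $2 }
        $1 == "forwardx11timeout" { timeout = $2 }
        END {
            if (fwd != "yes")          print "off"
            else if (trusted == "yes") print "trusted"
            else                       print "untrusted timeout=" timeout
        }'
}

# Demo on the constructed samples.
for s in "$SAMPLE_TRUSTED_DEFAULT" "$SAMPLE_UNTRUSTED" "$SAMPLE_OFF"; do
    printf '%s\n' "$s" | classify_x11
done

# Against the real client configuration (OpenSSH 6.8+ for -G; no connection is made):
#   ssh -G -X remote-system | classify_x11
```

A verdict of `trusted` for a plain `-X` means the client configuration sets ForwardX11Trusted to yes, so forwarded applications are not restricted; setting `ForwardX11Trusted no` for that host in ssh_config restores the untrusted mode.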


Re: [CentOS] An odd X question

2015-06-26 Thread mark

On 06/25/15 18:02, Marko Vojinovic wrote:
> On Thu, 25 Jun 2015 15:55:41 -0400
> m.r...@5-cent.us wrote:
>
>>   mark and why is it called xorg-x11-server, when in X
>> terminology, it's the client?*
>>
>> * Which I always thought was bass-ackward, but...
>
> You should think of it this way: the program that wants something drawn
> on the screen is a client; the program that does the drawing is the
> server. The client asks the server to draw stuff on the screen, and
> server is, well... servicing those requests, from various clients.
>
> snip

You misunderstand me: I understand the terminology, and why they chose it. I 
simply disagree with their choice, and have always found it confusing, esp. to 
anyone coming into it since, um, the mid/late 80's, when *everything* else in 
the world used the terminology the other way, from d/b to three-tiered 
architecture.


mark


Re: [CentOS] An odd X question

2015-06-25 Thread Stuart Barkley
On Thu, 25 Jun 2015 at 15:55 -, m.r...@5-cent.us wrote:

> I've got a headless server running CentOS 7. I've got a user who
> wants to run some graphical software on it, and view using x
> forwarding. What I don't have clear is how to set this up. I've just
> installed xorg-x11-server-[Xorg, common]. I assume I need to run X,
> but I don't see running this in runlevel 5.

For (ssh based) X forwarding no X server needs to run on the server.
I usually install the xorg-x11-xauth (necessary) and xterm (optional)
rpms on all my servers in case X forwarding becomes necessary.

Then from your desktop (assuming Linux already running X) in a local
xterm do something like:

ssh -Y remote-system

Once logged into the remote system you should now have a DISPLAY
environment variable set which will tell any client applications how
to connect back to the X server on your desktop.

For example, just run xterm on the remote server and an xterm window
will pop up on your display.  This is just an example.  You could run
xload or any other basic X application.

You can also run more complex applications.  Many will run fine.
Other applications may perform poorly (due to the X protocol
chattiness: Firefox, etc).  Other applications will have other issues
(some gnome/kde/gtk applications make other assumptions about being on
the same system as the window manager and try to use dbus and local
system things).

Note about -X versus -Y with ssh:

-X enables basic X forwarding. It disables some X functionality making
it safer to allow.  -X also stops working after about 20 minutes
(this is by design but not well documented).  I only recently learned
why it would stop working after pulling out the last of my hair.

-Y allows the full X protocol which might be a security risk.  Some
applications will only work with -Y.  With this, remote X applications
can grab keyboard interactions, grab passwords, put windows on top of
other windows (obscuring security messages), etc.

For my own choice I use -Y (although I only enable it occasionally to
specific systems).

Stuart
-- 
I've never been lost; I was once bewildered for three days, but never lost!
--  Daniel Boone


Re: [CentOS] An odd X question

2015-06-25 Thread Pete Geenhuizen



On 06/25/15 15:55, m.r...@5-cent.us wrote:

> I've got a headless server running CentOS 7. I've got a user who wants to
> run some graphical software on it, and view using x forwarding. What I
> don't have clear is how to set this up. I've just installed
> xorg-x11-server-[Xorg, common]. I assume I need to run X, but I don't see
> running this in runlevel 5.
>
> Thoughts?
>
>   mark and why is it called xorg-x11-server, when in X terminology,
>    it's the client?*
>
> * Which I always thought was bass-ackward, but...

The easiest way to think of this is that the host on which you are going 
to watch the output needs a running X server, the source just needs the 
client application.  Of course this also presumes that network and 
permissions are all in place.


The test that I've always used is to run a simple xclient on the remote 
host, xclock, xeyes, xterminal, and see if it shows up; if it does, you are 
good to go.


Pete

--
If money can fix it, it's not a problem.
 -- Click and Clack the Tappet brothers



Re: [CentOS] An odd X question

2015-06-25 Thread Marko Vojinovic
On Thu, 25 Jun 2015 15:55:41 -0400
m.r...@5-cent.us wrote:

>   mark and why is it called xorg-x11-server, when in X
> terminology, it's the client?*
>
> * Which I always thought was bass-ackward, but...

You should think of it this way: the program that wants something drawn
on the screen is a client; the program that does the drawing is the
server. The client asks the server to draw stuff on the screen, and
server is, well... servicing those requests, from various clients.

So the server is always the local Xorg process that draws your display,
while any remote or local program that wants things drawn on it is the
client.

The fact that one of them is remote and the other local is of
course completely irrelevant for the client/server terminology,
contrary to common opinion.

This last thing is what confuses people --- they usually think of the
word server as the remote machine, while client is the local
machine. That is the wrong way to understand the words server and
client.

HTH, :-)
Marko

