Re: embarrassing X question

2001-07-20 Thread Richard Cobbe
Lo, on Thursday, July 19, Joost Kooij did write:

 The xfree86 packages have been changed to not accept tcp connections
 at all by default.  Check out the -nolisten option in your xserver
 manual page.

I don't think this holds for potato.  I'm pretty certain I never explicitly
re-enabled it on this machine, as its only network connection is a DSL
line to the outside world, and I certainly don't want to allow random
people to open X connections.  However:

[minbar:/etc/X11]$ netstat -an
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
SNIP
tcp        0      0 0.0.0.0:6000            0.0.0.0:*               LISTEN
SNIP

minbar:~# lsof -i :6000
COMMAND   PID USER   FD   TYPE DEVICE SIZE NODE NAME
XF86_SVGA 517 root    0u  IPv4    374       TCP *:6000 (LISTEN)


 If you want to turn it back on, change /etc/X11/xdm/Xservers or 
 /etc/X11/xinit/xserverrc, depending on how you start your xserver.

I don't have kdm installed, so I normally use startx.  On my machine,
/etc/X11/xinit/xserverrc doesn't exist.  A quick check at
http://www.debian.org/Packages showed only one (potato) package which
contains an xserverrc file, xbase-clients, which I installed way back
when.  Checked it out, and this package contains
/usr/X11R6/lib/X11/xinit/xserverrc, which is a symlink to
/etc/X11/xinit/xserverrc.

Where should I add the `-nolisten' switch?  Can I do this on the startx
command line?  (I already use a shell function to start x, as I switch
between two different color depths, so this wouldn't be too hard.)  Or is
there a config file I can add this to?

Richard
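
A check for the exposure shown in the message above, as an added example that is not part of the original thread: one function finds X servers listening on TCP in `netstat -an` output, the other finds server start lines that lack `-nolisten tcp`. The sample input is constructed, and the X binary path /usr/bin/X11/X is an assumption.

```shell
#!/bin/sh
# Added example (not from the thread): two checks for an X server exposed on TCP.

# stdin: `netstat -an` output. Prints "<local address> :<display>" for every
# TCP listener on ports 6000-6063 (port 6000+N serves display :N).
# Loopback-only listeners, such as an sshd-forwarded display bound to
# localhost, are not reachable from the network and are skipped.
x_tcp_listeners() {
    awk '$1 ~ /^tcp/ && $NF == "LISTEN" {
             if ($4 ~ /^(127\.|::1:)/) next
             n = split($4, part, ":")      # port is the last ":"-separated field
             port = part[n] + 0
             if (port >= 6000 && port <= 6063) print $4, ":" (port - 6000)
         }'
}

# stdin: contents of an Xservers or xserverrc file. Prints every non-comment
# line that starts an X server binary without "-nolisten tcp".
servers_without_nolisten() {
    awk '/^[ \t]*#/ { next }
         /\/X([ \t]|$)/ && !/-nolisten[ \t]+tcp/ { print }'
}

# Constructed sample input, not captured from any machine in the thread.
SAMPLE_NETSTAT='Proto Recv-Q Send-Q Local Address   Foreign Address   State
tcp        0      0 0.0.0.0:22      0.0.0.0:*         LISTEN
tcp        0      0 0.0.0.0:6000    0.0.0.0:*         LISTEN
tcp        0      0 127.0.0.1:6010  0.0.0.0:*         LISTEN
tcp        0      0 10.0.0.5:6000   10.0.0.9:40112    ESTABLISHED'

SAMPLE_START_FILES='# Xservers entry, weak: the server also listens on TCP
:0 local /usr/bin/X11/X vt7 -dpi 100
# xserverrc entry, hardened
exec /usr/bin/X11/X -dpi 100 -nolisten tcp'

printf '%s\n' "$SAMPLE_NETSTAT" | x_tcp_listeners
printf '%s\n' "$SAMPLE_START_FILES" | servers_without_nolisten
```

On a live system, pipe in `netstat -an` and the contents of /etc/X11/xdm/Xservers or /etc/X11/xinit/xserverrc instead of the samples.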



Re: embarrassing X question

2001-07-20 Thread D-Man
On Thu, Jul 19, 2001 at 04:04:09PM -0400, Mike wrote:
[snip]
| This might be a kinda dumb question, but does X need to be running on the
| remote machine?  I've tried having X running on the remote machine, but it
| hasn't seemed to make a difference.

X must be running on the local side, obviously.  It doesn't need to be
running on the remote side because you aren't trying to connect to it.
If the remote side is, for example, a headless system then you will
have lots of trouble trying to run X on it :-).

I don't know what your problem is since you seem to have the config
set properly.  Hmm, maybe a firewall issue?  Hopefully someone with
more knowledge will provide some suggestions.

-D



Re: embarrassing X question (PARTIAL FIX)

2001-07-20 Thread Richard Black



Joost Kooij wrote:

> On Thu, Jul 19, 2001 at 08:27:49AM -0400, Richard Black wrote:
> > For some reason, I can no longer remote login to another terminal and
> > display stuff on mine! This started happening last week (with,
> > possibly, the changes to gdm...)
> >
> > I have tried many different things. Typical is something like:
> >
> > [local machine]
> > xhost +
> > rlogin remote
> >
> > [remote machine]
> > export DISPLAY=local:0.0
> > nedit
> >
> > But all I get is: NEdit: Can't open display
>
> The xfree86 packages have been changed to not accept tcp connections
> at all by default. Check out the "-nolisten" option in your xserver
> manual page.
>
> If you want to turn it back on, change /etc/X11/xdm/Xservers or
> /etc/X11/xinit/xserverrc, depending on how you start your xserver.
>
> Generally, don't use xhost, it is not safe. Instead use xauth.
>
> Cheers,
> Joost

Okay, as I can't get xauth to work (help on this would still be
appreciated--see the rest of the thread for what has been tried), I thought
I would try to get rid of the -nolisten option. This was fine...I am using
gdm, so if you start gdmconfig and select the expert mode, you can change
this in the X-server setup tab.

Thanks everyone for your help. I am still keen to get xauth working (on
principle...) so if you have any other suggestions, I would be happy to try
them.

cheers
Richard


Re: embarrassing X question

2001-07-20 Thread Richard Cobbe
Lo, on Thursday, July 19, Richard Black did write:

 Joost Kooij wrote:
 
  Generally, don't use xhost, it is not safe.  Instead use xauth.

 But...how do I use xauth?  I have tried doing what was suggested in the man
 page, i.e. variants of
 
 xauth extract - $DISPLAY | rsh otherhost xauth merge -
 
 but there still seems to be a problem.  One thing I was wondering is if
 this works when dhcpd is used.  In particular, the machine in my DISPLAY
 variable on the remote machine is different from the machine in the
 .Xauthority file (on the remote machine)

Odd; this should work.  What happens when you try this?

The different DISPLAY settings that you describe shouldn't be a problem.
The .Xauthority file can contain a list of several authentication keys,
each associated with a different display.  If the current display is
already in the file, the associated authentication key will be overwritten;
otherwise, it will be added.

Use `xauth list' to see a list of what's going on here.

Richard



Re: embarrassing X question

2001-07-20 Thread Walter Hofmann
On Thu, 19 Jul 2001, Richard Black wrote:

  The xfree86 packages have been changed to not accept tcp connections
  at all by default.  Check out the -nolisten option in your xserver
  manual page.
 
 Okay thanks!
 
 But...how do I use xauth?  I have tried doing what was suggested in the man
 page, i.e. variants of

The most secure and also the most convenient way is to use ssh. Enable X
tunnelling in the /etc/ssh/ssh_config file (set ForwardX11 to yes) and
everything will be done for you---no need to set DISPLAY or use xauth or
have the server listen on any tcp port. Just log in with ssh [EMAIL PROTECTED].

Walter



embarrassing X question

2001-07-19 Thread Richard Black
For some reason, I can no longer remote login to another terminal and
display stuff on mine!  This started happening last week (with,
possibly, the changes to gdm...)

I have tried many different things.  Typical is something like:

[local machine]
xhost +
rlogin remote

[remote machine]
export DISPLAY=local:0.0
nedit

But all I get is:  NEdit: Can't open display

Any ideas?  Help would be greatly appreciated!

cheers

Richard



Re: embarrassing X question

2001-07-19 Thread dude



On Thu, 19 Jul 2001, Richard Black wrote:


 For some reason, I can no longer remote login to another terminal and
 display stuff on mine!  This started happening last week (with,
 possibly, the changes to gdm...)

 I have tried many different things.  Typical is something like:

 [local machine]
 xhost +
 rlogin remote

 [remote machine]
 export DISPLAY=local:0.0
 nedit

 But all I get is:  NEdit: Can't open display

 Any ideas?  Help would be greatly appreciated!



I also noticed that I lost the ability to remotely serve xwindows.

I noticed that the /etc/X11/xinit$ xinitrc file had changed
and that the nolisten command was no longer present.
(which should be of concern since it now means all xservers will serve
automatically, when they should be turned off by default)

I wonder if this has anything to do with it.

G





Re: embarrassing X question

2001-07-19 Thread Joost Kooij
On Thu, Jul 19, 2001 at 08:27:49AM -0400, Richard Black wrote:
 For some reason, I can no longer remote login to another terminal and
 display stuff on mine!  This started happening last week (with,
 possibly, the changes to gdm...)
 
 I have tried many different things.  Typical is something like:
 
 [local machine]
 xhost +
 rlogin remote
 
 [remote machine]
 export DISPLAY=local:0.0
 nedit
 
 But all I get is:  NEdit: Can't open display

The xfree86 packages have been changed to not accept tcp connections
at all by default.  Check out the -nolisten option in your xserver
manual page.

If you want to turn it back on, change /etc/X11/xdm/Xservers or 
/etc/X11/xinit/xserverrc, depending on how you start your xserver.

Generally, don't use xhost, it is not safe.  Instead use xauth.

Cheers,


Joost



Re: embarrassing X question

2001-07-19 Thread D-Man
On Thu, Jul 19, 2001 at 08:27:49AM -0400, Richard Black wrote:
| For some reason, I can no longer remote login to another terminal and
| display stuff on mine!  This started happening last week (with,
| possibly, the changes to gdm...)
| 
| I have tried many different things.  Typical is something like:
| 
| [local machine]
| xhost +
| rlogin remote
| 
| [remote machine]
| export DISPLAY=local:0.0
| nedit
| 
| But all I get is:  NEdit: Can't open display

I would use ssh instead of rlogin if you can.  Also, enable the
ForwardX11 option in ssh.  If you do this then the display will be
setup for you and it will be encrypted as well.  This is also the
easiest (only?) way to display stuff back on a masq'd box.

-D



Re: embarrassing X question

2001-07-19 Thread Richard Black
Joost Kooij wrote:

 On Thu, Jul 19, 2001 at 08:27:49AM -0400, Richard Black wrote:
  For some reason, I can no longer remote login to another terminal and
  display stuff on mine!  This started happening last week (with,
  possibly, the changes to gdm...)
 
  I have tried many different things.  Typical is something like:
 
  [local machine]
  xhost +
  rlogin remote
 
  [remote machine]
  export DISPLAY=local:0.0
  nedit
 
  But all I get is:  NEdit: Can't open display

 The xfree86 packages have been changed to not accept tcp connections
 at all by default.  Check out the -nolisten option in your xserver
 manual page.

 If you want to turn it back on, change /etc/X11/xdm/Xservers or
 /etc/X11/xinit/xserverrc, depending on how you start your xserver.

 Generally, don't use xhost, it is not safe.  Instead use xauth.

 Cheers,

 Joost


Okay thanks!

But...how do I use xauth?  I have tried doing what was suggested in the man
page, i.e. variants of

xauth extract - $DISPLAY | rsh otherhost xauth merge -

but there still seems to be a problem.  One thing I was wondering is if this
works when dhcpd is used.  In particular, the machine in my DISPLAY variable on
the remote machine is different from the machine in the .Xauthority file (on the
remote machine)

Is there a way to deal with this do you know?

Richard


Re: embarrassing X question

2001-07-19 Thread Mike
D-Man wrote:
 
 I would use ssh instead of rlogin if you can.  Also, enable the
 ForwardX11 option in ssh.  If you do this then the display will be
 setup for you and it will be encrypted as well.  This is also the
 easiest (only?) way to display stuff back on a masq'd box.

How do you do this?  I've been trying to do this for some time now with no
success.  Every time I get:

[EMAIL PROTECTED]:~$ ssh -f hal9000 xterm
[EMAIL PROTECTED]'s password: 
[EMAIL PROTECTED]:~$ xterm Xt error: Can't open display: hal9000:10.0

hobbiton is the local machine here, and hal9000 is the remote system I'm
trying to connect to while wanting the xterm (in this case, anyway) to
display here on hobbiton.  I've got the ForwardX11 option set to true on
both machines, both in the sshd_config and the ssh_config.  Is there anything
else I need to do?
-- 
Mike Werner  KA8YSD   | He that is slow to believe anything and
  | everything is of great understanding,
'91 GS500E| for belief in one false principle is the
Morgantown WV | beginning of all unwisdom.





Re: embarrassing X question

2001-07-19 Thread Richard Black
Richard Black wrote:

 Joost Kooij wrote:

  On Thu, Jul 19, 2001 at 08:27:49AM -0400, Richard Black wrote:
   For some reason, I can no longer remote login to another terminal and
   display stuff on mine!  This started happening last week (with,
   possibly, the changes to gdm...)
  
   I have tried many different things.  Typical is something like:
  
   [local machine]
   xhost +
   rlogin remote
  
   [remote machine]
   export DISPLAY=local:0.0
   nedit
  
   But all I get is:  NEdit: Can't open display
 
  The xfree86 packages have been changed to not accept tcp connections
  at all by default.  Check out the -nolisten option in your xserver
  manual page.
 
  If you want to turn it back on, change /etc/X11/xdm/Xservers or
  /etc/X11/xinit/xserverrc, depending on how you start your xserver.
 
  Generally, don't use xhost, it is not safe.  Instead use xauth.
 
  Cheers,
 
  Joost
 


 On Thu, Jul 19, 2001 at 10:40:40AM -0400, Richard Black wrote:
  Joost Kooij wrote:
   Generally, don't use xhost, it is not safe.  Instead use xauth.
 
  But...how do I use xauth?  I have tried doing what was suggested in the man
  page, i.e. variants of
 
  xauth extract - $DISPLAY | rsh otherhost xauth merge -

 On the machine where you are running the xserver, retrieve the auth cookie
 like this:

   xauth list | grep `hostname -f` | awk '/COOKIE/ {print $2, $3}'

 It should print one line.  Copy that line.  Then login to the remote
 machine and set the DISPLAY variable.  Then type xauth add $DISPLAY
  and don't press enter, but paste the line retrieved above on the
 remainder of the command line to xauth and press enter.  Now if you run
 xauth list, it should show a line for the remote display.

 Try xterm  to see if it really works.

  but there still seems to be a problem.  One thing I was wondering is if this
  works when dhcpd is used.  In particular, the machine in my DISPLAY variable
  on the remote machine is different from the machine in the .Xauthority file
  (on the remote machine)

 As long as the remote machine knows to find the machine listed in $DISPLAY
 set on the remote host and it knows what the corresponding xauth cookie
 is for that remote display, it should work fine.  The hostname in the
 cookie may be different on the local and the remote machine.  That is
 not a vital part of the actual cookie.

  Is there a way to deal with this do you know?

 What are your problems still?

 Cheers,

 Joost

Okay, I followed the above and now I get:

[local]
$xauth list
torrblack1/unix:0  MIT-MAGIC-COOKIE-1  c118dfcf59431dd0b7ef738d5ea8f1df
torrblack1:0  MIT-MAGIC-COOKIE-1  c118dfcf59431dd0b7ef738d5ea8f1df

[remote]
$xauth list
tor-dhcp234:0  MIT-MAGIC-COOKIE-1  c118dfcf59431dd0b7ef738d5ea8f1df
$echo $DISPLAY
tor-dhcp234:0.0
$xterm 
xterm Xt error: Can't open display: tor-dhcp234:0.0

Is there anything I need to set on the local side to allow any remote access?

thanks for your help

Richard
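
The cookie-copy procedure quoted in the message above, written as a function (an added example, not part of the original thread): it takes `xauth list` output from the X server host and prints the `xauth add` command for the remote host, renaming only the display and keeping protocol and key as separate words. The host names and the key in the sample are constructed.

```shell
#!/bin/sh
# Added example (not from the thread): build the `xauth add` command for the
# remote host from `xauth list` output taken on the X server host.

# $1    = display number on the X server host, e.g. 0
# $2    = display name as the remote host addresses it ($DISPLAY without ".0")
# stdin = output of `xauth list` on the X server host
# Exit status is non-zero when no usable entry exists.
xauth_add_command() {
    awk -v num="$1" -v target="$2" '
        # "host:N" is the network entry; "host/unix:N" is the local socket.
        $1 !~ /\/unix:/ && $1 ~ (":" num "$") && $2 == "MIT-MAGIC-COOKIE-1" {
            # A MIT-MAGIC-COOKIE-1 key is 128 bits, printed as 32 hex digits.
            if ($3 !~ /^[0-9a-f]+$/ || length($3) != 32) next
            # The host name in the entry is only a label, so it is replaced;
            # protocol and key must remain two separate arguments.
            printf "xauth add %s %s %s\n", target, $2, $3
            found = 1
            exit
        }
        END { exit !found }'
}

# Constructed sample: host names and key are made up for illustration.
SAMPLE_XAUTH_LIST='wkstn/unix:0  MIT-MAGIC-COOKIE-1  00112233445566778899aabbccddeeff
wkstn:0  MIT-MAGIC-COOKIE-1  00112233445566778899aabbccddeeff'

printf '%s\n' "$SAMPLE_XAUTH_LIST" | xauth_add_command 0 wkstn-dhcp:0
```

The cookie only authorises the client; the X server must still be reachable from the remote host for the connection to open.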



Re: embarrassing X question

2001-07-19 Thread D-Man
On Thu, Jul 19, 2001 at 01:25:58PM -0400, Mike wrote:
| D-Man wrote:
|  
|  I would use ssh instead of rlogin if you can.  Also, enable the
|  ForwardX11 option in ssh.  If you do this then the display will be
|  setup for you and it will be encrypted as well.  This is also the
|  easiest (only?) way to display stuff back on a masq'd box.
| 
| How do you do this?  I've been trying to do this for some time now with no
| success.  Every time I get:
| 
| [EMAIL PROTECTED]:~$ ssh -f hal9000 xterm
| [EMAIL PROTECTED]'s password: 
| [EMAIL PROTECTED]:~$ xterm Xt error: Can't open display: hal9000:10.0
| 
| hobbiton is the local machine here, and hal9000 is the remote system I'm
| trying to connect to while wanting the xterm (in this case, anyway) to
| display here on hobbiton.  I've got the ForwardX11 option set to true on
| both machines, both in the sshd_config and the ssh_config.  Is there anything
| else I need to do?

Other than enabling ForwardX11 in both the server and client (sshd and
ssh) I don't think you need to do anything.  What happens if you login
and get a shell, then run xterm?  The error message shows that DISPLAY
was set properly (sshd creates a display on the server, 10.0, which it
reads from, encrypts, and sends to the client who passes it on the
local DISPLAY) but that display couldn't be opened.  I'm wondering if
maybe ssh is closing the connection too soon.

On the Solaris box at school /etc/sshd_config has
X11Forwarding yes
X11DisplayOffset 10

On my Debian box in ~/.ssh/ssh_config I have in the section for the
remote machine
ForwardX11 yes

On the client side you can use the -X option instead of the config
file.  I like the config file because my options become persistent.

HTH,
-D



Re: embarrassing X question

2001-07-19 Thread Mike
D-Man wrote:
 On Thu, Jul 19, 2001 at 01:25:58PM -0400, Mike wrote:
 | D-Man wrote:
 |  
 |  I would use ssh instead of rlogin if you can.  Also, enable the
 |  ForwardX11 option in ssh.  If you do this then the display will be
 |  setup for you and it will be encrypted as well.  This is also the
 |  easiest (only?) way to display stuff back on a masq'd box.
 | 
 | How do you do this?  I've been trying to do this for some time now with no
 | success.  Every time I get:
 | 
 | [EMAIL PROTECTED]:~$ ssh -f hal9000 xterm
 | [EMAIL PROTECTED]'s password: 
 | [EMAIL PROTECTED]:~$ xterm Xt error: Can't open display: hal9000:10.0
 | 
 | hobbiton is the local machine here, and hal9000 is the remote system I'm
 | trying to connect to while wanting the xterm (in this case, anyway) to
 | display here on hobbiton.  I've got the ForwardX11 option set to true on
 | both machines, both in the sshd_config and the ssh_config.  Is there anything
 | else I need to do?
 
 Other than enabling ForwardX11 in both the server and client (sshd and
 ssh) I don't think you need to do anything.  What happens if you login
 and get a shell, then run xterm?

I get the exact same error as when I try and run xterm as part of the ssh
command.

 The error message shows that DISPLAY was set properly (sshd creates a
 display on the server, 10.0, which it reads from, encrypts, and sends to
 the client who passes it on the local DISPLAY) but that display couldn't
 be opened.  I'm wondering if maybe ssh is closing the connection too soon.

Is that something that I can fix by tweaking something somewhere?
 
 On the Solaris box at school /etc/sshd_config has
 X11Forwarding yes
 X11DisplayOffset 10
 
 On my Debian box in ~/.ssh/ssh_config I have in the section for the
 remote machine
 ForwardX11 yes

I've got the same settings on both remote and local systems, respectively.
 
 On the client side you can use the -X option instead of the config
 file.  I like the config file because my options become persistent.

This might be a kinda dumb question, but does X need to be running on the
remote machine?  I've tried having X running on the remote machine, but it
hasn't seemed to make a difference.
-- 
Mike Werner  KA8YSD   | He that is slow to believe anything and
  | everything is of great understanding,
'91 GS500E| for belief in one false principle is the
Morgantown WV | beginning of all unwisdom.


