Re: [vox-tech] Exporting displays
on Thu, Mar 17, 2005 at 02:11:06PM -0800, John Wojnaroski ([EMAIL PROTECTED]) wrote:
> Karsten M. Self wrote:
> > on Wed, Mar 16, 2005 at 10:42:41PM -0800, Mark K. Kim ([EMAIL PROTECTED]) wrote:
> > > On Wed, 16 Mar 2005, John Wojnaroski wrote:
> > > > [snip]
> > > > I'm trying to login into a remote host and have the host export
> > > > the screen display back to my machine
> > > > [snip]
> > > > export DISPLAY=my_ip_address:0.0 returns something like
> > > >
> > > >     Xlib: client is not authorized to connect to server
> > > >
> > > > which seems to indicate that something is missing or lacking on
> > > > the local machine. Any suggestions where to look?
> > > > [snip]
> > >
> > > That'll work except your local computer isn't letting the
> > > connection through for security reasons. On your *local* computer,
> > > type this:
> > >
> > >     $ xhost +
>
> Actually, xhost + is quick and easy and since all the machines are
> trusted and on a LAN behind a firewall

The firewall is dead. Memorial services pending:

    http://www.campus-technology.com/news_issue.asp?id=153IssueDate=9/18/2003

    So for those who may need a reality check, let me be blunt: the
    intranet is dead. The inside of your institutional firewall is just
    like the outside of your institutional firewall: it is all ablaze.

Irony note: I'm looking at an LTSP implementation. The LAN/WAN in
question is an intranet spanning over 30 campuses, with all internal
nodes addressable. Turns out that tunnelling XDMCP is technically
difficult.

> there should be no security problem.

I'd limit that proviso to a household LAN in which I know all nodes and
cabling, and have no legacy MS Windows systems (cesspits of malware) or
wireless links.

> Running four machines on a distributed flight simulation and getting
> tired of jumping up to get to the other machines. Idea is to run
> everything from code editing, compiling, and testing from a single
> station.

SSH tunneling is your friend.

> I do appreciate all the responses and the solid advice on how to use
> ssh when working with a remote machine over the Internet.

s/Internet/Intranet/

Peace.

-- 
Karsten M. Self <kmself@ix.netcom.com>  http://kmself.home.netcom.com/
 What Part of Gestalt don't you understand?
    Yeah, in the future NASA should just submit an Ask Slashdot
    whenever something goes wrong..
    - seen on, um, some website.

___
vox-tech mailing list
vox-tech@lists.lugod.org
http://lists.lugod.org/mailman/listinfo/vox-tech
Re: [vox-tech] Exporting displays
on Thu, Mar 17, 2005 at 02:13:21PM -0800, Ken Bloom ([EMAIL PROTECTED]) wrote:
> On Thu, 17 Mar 2005 13:28:27 -0800
> Karsten M. Self <kmself@ix.netcom.com> wrote:
> > on Wed, Mar 16, 2005 at 10:42:41PM -0800, Mark K. Kim ([EMAIL PROTECTED]) wrote:
> > >     $ xhost +
> >
> > BAD MARK. NO DONUT. OR COOKIE.
> >
> > Please do NOT suggest people try this, particularly...
> >
> > > *but* this will work only if your local computer is connected
> > > directly to the Internet.
> >
> > ...on live Internet connections.
> >
> > Fortunately, most modern X servers toss a few additional roadbumps
> > in front of idiots trying to attempt this. I'm not going to detail
> > these here, and would appreciate if nobody else does. The act of
> > Googling for the workarounds is itself an exercise which might
> > educate same as to why this is a blatantly *STUPID* idea and grossly
> > incompetent advice.
>
> What sort of roadblocks? (Besides the NAT router sitting between me
> and the open internet).

Thank you for demonstrating my point.

Peace.

-- 
Karsten M. Self <kmself@ix.netcom.com>  http://kmself.home.netcom.com/
 What Part of Gestalt don't you understand?
    I guess the El Pueblo de Nuestra Senora la Reina de los Angeles del
    Rio de Porciuncula diet just doesn't have the same ring
Re: [vox-tech] Exporting displays
on Thu, Mar 17, 2005 at 02:26:32PM -0800, Mark K. Kim ([EMAIL PROTECTED]) wrote:
> On Thu, 17 Mar 2005, Karsten M. Self wrote:
> > on Wed, Mar 16, 2005 at 10:42:41PM -0800, Mark K. Kim [censored] wrote:
> > > [snip]
> > >     $ xhost +
> >
> > BAD MARK. NO DONUT. OR COOKIE.
>
> Lols. In theory, you're right that it's bad advice. In practice, it's
> not a problem, especially for:
>
>   1. Brief connections.
>   2. Local/trusted connections.
>   3. Connection check before securing it.
>
> One should always be aware of security issues, of course, which I
> briefly touched upon and suggested using ssh instead for that reason.
> The MIT magic cookie thing would be the next best thing but it's so
> convoluted that nobody uses it.
>
> BTW, John, you can add a hostname after the '+' sign to allow
> connections only from that computer. Example:
>
>     $ xhost +remote_host_ip_or_name
>
> which would be the next next best thing to ssh -X and MIT magic cookie
> thingy.
>
> My autoshop teacher once told me that a good mechanic always uses the
> correct wrench for the correct nut, so a good mechanic should never
> use the monkey wrench (a.k.a. adjustable wrench.) But a good mechanic,
> he added, would never be without a monkey wrench in his toolbox.
> `xhost +` is one of those monkey wrenches for UNIX people, and it
> would always be a tool I'd teach people along with `ssh -X`.

xhost is rather more like the guy who uses chisels as screwdrivers or
for opening paint cans. Actually, using a chisel for live-circuit tests
on 220VAC is probably about the right spirit.

See my earlier response quoting Joe St. Sauver. The Intranet is dead
but for the very smallest values of same.

Peace.

-- 
Karsten M. Self <kmself@ix.netcom.com>  http://kmself.home.netcom.com/
 What Part of Gestalt don't you understand?
    Moderator, Free Software Law Discussion mailing list:
    http://lists.alt.org/mailman/listinfo/fsl-discuss/
Re: [vox-tech] Exporting displays
On Thursday 17 March 2005 22:28, Mitch Patenaude wrote:
> On Thu, 17 Mar 2005 21:21:49 -0800, Richard Harke [EMAIL PROTECTED] wrote:
> > I have to do xhost + in order to run firefox. I found this after
> > googling because it wouldn't run at all. I am behind a NAT router
> > but I would rather not do this. On the other hand, I have been using
> > firefox more and more.
>
> Hmm... is Firefox running setuid? chroot'd? (If so, why?) If not..
> then I can't think of a reason why firefox would be any different than
> any other X app. The xhost + may just be masking a more fundamental
> problem, and it's likely making you less secure in the process.

I just checked -- it is not setuid. /usr/bin/firefox is a link to
/usr/lib/mozilla-firefox/firefox. This was installed by apt-get from
Debian testing. I just ran it again and got an updated version but the
problem remains. I did xhost - and firefox refuses to run. I just tried
running from the command line to see the error message and it loaded.
So now it seems to load OK from the launcher so it seems fixed but time
will tell. It would occasionally work without xhost + even before the
update install.

Richard
Re: [vox-tech] Exporting displays
First: don't start a new thread by replying to a message from an
existing one. Your email headers will cause your message to appear in
the other (unrelated) thread. Compose a new message and address it to
the list instead.

on Wed, Mar 16, 2005 at 10:19:02PM -0800, John Wojnaroski ([EMAIL PROTECTED]) wrote:
> Hi,
>
> I'm trying to login into a remote host and have the host export the
> screen display back to my machine

Let's clarify understanding.

You are at host 'foo'
You are remotely logged in to host 'bar'
You want a program on 'bar' to appear on 'foo'

> With export DISPLAY=:0.0 will result in the executing program using
> the remote host display.

Right, this will run on the existing (if any) X display on 'bar', if you
have permissions to do so, it exists, etc.

> Trying export DISPLAY=my_ip_address:0.0 returns something like
>
>     Xlib: client is not authorized to connect to server
>
> which seems to indicate that something is missing or lacking on the
> local machine. Any suggestions where to look?

First: you're not doing this right.

You want to ssh to the remote host with X11 forwarding set. This both
sets all your DISPLAY environment settings properly *AND* tunnels the
session through an encrypted SSH session back to your local (foo)
display.

On the client side (foo):

    ssh -X bar
    (connection established)
    run X command

You can shortcut this to:

    ssh -Xf bar command

...which will set up the SSH session, the X11 tunnel, run your command,
then fork SSH to background until your X application closes.

On the server side, it's necessary to enable X11 forwarding. Generally
in /etc/ssh/sshd_conf . Many distros disable this by default (it's an
access/security issue, though in the grand scheme of things, a lesser
risk than many sins).

You'll also find:

  - Mark Kim's xhost+ advice. DON'T DO THIS. EVER. Google for the
    reasons, they're well known and tedious to recount. Fortunately,
    most sane X servers don't allow this in their default sessions.

  - Most X servers don't allow remote TCP connections. These may also be
    blocked at other stages, including IP filters and (possibly)
    tcpwrappers (not sure on last).

  - You don't have a cookie. It's magic. It's from a secret recipe sold
    by MIT for $50,000. Wait, wrong chain mail

Peace.

-- 
Karsten M. Self <kmself@ix.netcom.com>  http://kmself.home.netcom.com/
 What Part of Gestalt don't you understand?
    I was taking my bicycle on BART one afternoon. I have a FreeBSD
    sticker on it and a woman looked at it with her head cocked and then
    asked me, Who's BSD?
    - Skip Evans
Re: [vox-tech] Exporting displays
On Thu, Mar 17, 2005 at 01:28:27PM -0800, Karsten M. Self wrote:
> on Wed, Mar 16, 2005 at 10:42:41PM -0800, Mark K. Kim ([EMAIL PROTECTED]) wrote:
> > But this works only if the remote computer has a ssh server with X
> > forwarding enabled, which it is by default on most systems I've seen.
>
> Not, FYI, Debian. Not sure of Ubuntu, haven't checked yet.

On Warty Warthog:

    $ grep X11Forwarding /etc/ssh/sshd_config
    X11Forwarding yes

-David
Re: [vox-tech] Exporting displays
Karsten M. Self wrote:
> on Wed, Mar 16, 2005 at 10:42:41PM -0800, Mark K. Kim ([EMAIL PROTECTED]) wrote:
> > On Wed, 16 Mar 2005, John Wojnaroski wrote:
> > > [snip]
> > > I'm trying to login into a remote host and have the host export
> > > the screen display back to my machine
> > > [snip]
> > > "export DISPLAY=my_ip_address:0.0" returns something like
> > >
> > >     "Xlib: client is not authorized to connect to server"
> > >
> > > which seems to indicate that something is missing or lacking on
> > > the local machine. Any suggestions where to look?
> > > [snip]
> >
> > That'll work except your local computer isn't letting the
> > connection through for security reasons. On your *local* computer,
> > type this:
> >
> >     $ xhost +

Actually, xhost + is quick and easy and since all the machines are
trusted and on a LAN behind a firewall there should be no security
problem. Running four machines on a distributed flight simulation and
getting tired of jumping up to get to the other machines. Idea is to
run everything from code editing, compiling, and testing from a single
station.

I do appreciate all the responses and the solid advice on how to use
ssh when working with a remote machine over the Internet.

We demo'd the simulation a month ago at the SCALE3x show here in LA
http://www.socallinuxexpo.org/scale3x_day1.php

As far as I can tell, this may be one of the few cockpit simulations
using Linux as the platform rather than all that MS stuff...

Additional info on the flightgear website under the projects page
http://www.flightgear.org/Projects

Regards
John W.
Re: [vox-tech] Exporting displays
On Thu, 17 Mar 2005 13:28:27 -0800
Karsten M. Self <kmself@ix.netcom.com> wrote:
> on Wed, Mar 16, 2005 at 10:42:41PM -0800, Mark K. Kim ([EMAIL PROTECTED]) wrote:
> >     $ xhost +
>
> BAD MARK. NO DONUT. OR COOKIE.
>
> Please do NOT suggest people try this, particularly...
>
> > *but* this will work only if your local computer is connected
> > directly to the Internet.
>
> ...on live Internet connections.
>
> Fortunately, most modern X servers toss a few additional roadbumps in
> front of idiots trying to attempt this. I'm not going to detail these
> here, and would appreciate if nobody else does. The act of Googling
> for the workarounds is itself an exercise which might educate same as
> to why this is a blatantly *STUPID* idea and grossly incompetent
> advice.

What sort of roadblocks? (Besides the NAT router sitting between me and
the open internet).

--Ken Bloom

-- 
I usually have a GPG digital signature included as an attachment.
See http://www.gnupg.org/ for info about these digital signatures.
Re: [vox-tech] Exporting displays
On Thu, 17 Mar 2005, Karsten M. Self wrote:
> on Wed, Mar 16, 2005 at 10:42:41PM -0800, Mark K. Kim [censored] wrote:
> > [snip]
> >     $ xhost +
>
> BAD MARK. NO DONUT. OR COOKIE.

Lols. In theory, you're right that it's bad advice. In practice, it's
not a problem, especially for:

  1. Brief connections.
  2. Local/trusted connections.
  3. Connection check before securing it.

One should always be aware of security issues, of course, which I
briefly touched upon and suggested using ssh instead for that reason.
The MIT magic cookie thing would be the next best thing but it's so
convoluted that nobody uses it.

BTW, John, you can add a hostname after the '+' sign to allow
connections only from that computer. Example:

    $ xhost +remote_host_ip_or_name

which would be the next next best thing to ssh -X and MIT magic cookie
thingy.

My autoshop teacher once told me that a good mechanic always uses the
correct wrench for the correct nut, so a good mechanic should never use
the monkey wrench (a.k.a. adjustable wrench.) But a good mechanic, he
added, would never be without a monkey wrench in his toolbox. `xhost +`
is one of those monkey wrenches for UNIX people, and it would always be
a tool I'd teach people along with `ssh -X`.

-Mark

-- 
Mark K. Kim
AIM: markus kimius
Homepage: http://www.cbreak.org/
Xanga: http://www.xanga.com/vindaci
Friendster: http://www.friendster.com/user.php?uid=13046
PGP key fingerprint: 7324 BACA 53AD E504 A76E 5167 6822 94F0 F298 5DCE
PGP key available on the homepage
Re: [vox-tech] Exporting displays
On Thu 17 Mar 05, 2:26 PM, Mark K. Kim [EMAIL PROTECTED] said:
> My autoshop teacher once told me that a good mechanic always uses the
> correct wrench for the correct nut, so a good mechanic should never
> use the monkey wrench (a.k.a. adjustable wrench.) But a good mechanic,
> he added, would never be without a monkey wrench in his toolbox.
> `xhost +` is one of those monkey wrenches for UNIX people, and it
> would always be a tool I'd teach people along with `ssh -X`.
>
> -Mark

You just floored me. This is a passage that could easily have come from
Zen and the Art of Motorcycle Maintenance. It's so applicable, it could
be sage advice for just about anything. I think this meme will be with
me for the rest of my life. Thanks for teaching me!

Pete

-- 
Save Star Trek Enterprise from extinction: http://www.saveenterprise.com
GPG Fingerprint: B9F1 6CF3 47C4 7CD8 D33E 70A9 A3B9 1945 67EA 951D
Re: [vox-tech] Exporting displays
Mark K. Kim wrote:
> BTW, John, you can add a hostname after the '+' sign to allow
> connections only from that computer. Example:
>
>     $ xhost +remote_host_ip_or_name
>
> which would be the next next best thing to ssh -X and MIT magic cookie
> thingy.

This is still fairly insecure on the internet, however, as it is
vulnerable to IP and DNS spoofs.

-Micah
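An added audit helper, written for this archive and not by any poster in the thread, that turns the checks discussed above into something a defender can run on a workstation: it classifies the X server's access-control state from `xhost` output (wide open after `xhost +`, host-list trust as in Mark's `xhost +host` example that Micah notes is spoofable, or cookie-only) and reads the effective X11Forwarding value from sshd_config the way David's grep does. The three `xhost` outputs are constructed samples; the sshd parser assumes sshd's first-match rule for repeated keywords and ignores Match blocks.

```shell
#!/bin/sh
# Added example, not code from the thread. Assumptions: xhost(1) output
# format as printed by X.Org, sshd keeps the FIRST occurrence of a keyword,
# "Keyword=value" syntax and Match blocks are not handled.

# Constructed sample `xhost` outputs for the three states.
XHOST_OPEN='access control disabled, clients can connect from any host'
XHOST_HOSTLIST='access control enabled, only authorized clients can connect
INET:remote_host_ip_or_name
SI:localuser:john'
XHOST_COOKIE='access control enabled, only authorized clients can connect
SI:localuser:john'

# x11_access_state TEXT -> prints one of: open | hostlist | cookie
#   open     : `xhost +` was run; anything reaching the display socket may attach
#   hostlist : `xhost +host`; trust is by source address, so spoofable
#   cookie   : only MIT-MAGIC-COOKIE / local-user entries; the safe baseline
x11_access_state() {
    case "$1" in
        *"access control disabled"*) echo open; return 0 ;;
    esac
    if printf '%s\n' "$1" | grep -Eq '^(INET|INET6|LOCAL):'; then
        echo hostlist
    else
        echo cookie
    fi
}

# sshd_x11_forwarding FILE -> prints the effective value, yes or no.
# A commented line has "#" as its first field, so it never matches; keyword
# and value are case-insensitive; an absent keyword means the default, "no".
sshd_x11_forwarding() {
    v=$(awk 'tolower($1) == "x11forwarding" { print tolower($2); exit }' "$1")
    echo "${v:-no}"
}

# audit_host XHOST_TEXT SSHD_CONFIG -> prints findings; returns 1 when the
# display accepts clients that do not present a cookie.
audit_host() {
    state=$(x11_access_state "$1")
    fwd=$(sshd_x11_forwarding "$2")
    echo "X access control: $state"
    echo "sshd X11Forwarding: $fwd"
    case "$state" in
        open)     echo "FINDING: run 'xhost -' and use 'ssh -X' instead"; return 1 ;;
        hostlist) echo "FINDING: host-based trust is spoofable; prefer 'ssh -X'"; return 1 ;;
    esac
    [ "$fwd" = yes ] || echo "NOTE: set X11Forwarding yes in sshd_config to use ssh -X"
    return 0
}

# Stand-alone demo against the constructed samples and a throwaway config.
demo_cfg=$(mktemp)
printf 'X11Forwarding no\nX11Forwarding yes\n' > "$demo_cfg"
audit_host "$XHOST_HOSTLIST" "$demo_cfg" || :
rm -f "$demo_cfg"
```

On a real host, feed it `"$(xhost)"` and `/etc/ssh/sshd_config`; a non-zero exit is the signal to fix the display before anything else.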
Re: [vox-tech] Exporting displays
Closely related topic: Opening an X11 client as a user different from
the one one is logged in as. (The typical situation is that you wish to
open some -- preferably small and conservatively coded -- X11 app with
root-user authority, while logged in as a non-root user.) I've collected
a list of the various ways:

"Root w/X11" on http://linuxmafia.com/kb/Security/
Re: [vox-tech] Exporting displays
On Thu, Mar 17, 2005 at 02:11:06PM -0800, John Wojnaroski wrote:
> As far as I can tell, this may be one of the few cockpit simulations
> using Linux as the platform rather than all that MS stuff...
>
> Additional info on the flightgear website under the projects page
> http://www.flightgear.org/Projects

Heh, they actually came and spoke (and demo'd, with tons of monitors) at
LUGOD a while back:

Presentation notes: http://www.lugod.org/presentations/flightgear/
Lots of photos: http://www.lugod.org/photos/2002.05.07/

-- 
-bill!
[EMAIL PROTECTED]                  I'm anticipating an all-out tactical
http://newbreedsoftware.com/       dog-fight, followed by a light dinner.
Re: [vox-tech] Exporting displays
On Thu, Mar 17, 2005 at 01:21:52PM -0800, Karsten M. Self wrote:
> - Mark Kim's xhost+ advice. DON'T DO THIS. EVER. Google for the
>   reasons, they're well known and tedious to recount. Fortunately,
>   most sane X servers don't allow this in their default sessions.

It's fine in a LAN behind a firewall, I'm sure. But on the open and
evil Internet, yeah... scary :^) As bad as (if not worse than!) using
telnet to login, or non-anonymous FTP.

With SSH and friends properly set up, it's actually easier to go the
SSH -X route, besides. :)

-- 
-bill!
[EMAIL PROTECTED]                  I'm anticipating an all-out tactical
http://newbreedsoftware.com/       dog-fight, followed by a light dinner.
Re: [vox-tech] Exporting displays
On Thursday 17 March 2005 15:20, Bill Kendrick wrote:
> On Thu, Mar 17, 2005 at 01:21:52PM -0800, Karsten M. Self wrote:
> > - Mark Kim's xhost+ advice. DON'T DO THIS. EVER. Google for the
> >   reasons, they're well known and tedious to recount. Fortunately,
> >   most sane X servers don't allow this in their default sessions.
>
> It's fine in a LAN behind a firewall, I'm sure. But on the open and
> evil Internet, yeah... scary :^) As bad as (if not worse than!) using
> telnet to login, or non-anonymous FTP.

I have to do xhost + in order to run firefox. I found this after
googling because it wouldn't run at all. I am behind a NAT router but I
would rather not do this. On the other hand, I have been using firefox
more and more.

Richard Harke
Re: [vox-tech] Exporting displays
On Thu, 17 Mar 2005 21:21:49 -0800, Richard Harke [EMAIL PROTECTED] wrote:
> I have to do xhost + in order to run firefox. I found this after
> googling because it wouldn't run at all. I am behind a NAT router but
> I would rather not do this. On the other hand, I have been using
> firefox more and more.

Hmm... is Firefox running setuid? chroot'd? (If so, why?) If not.. then
I can't think of a reason why firefox would be any different than any
other X app. The xhost + may just be masking a more fundamental problem,
and it's likely making you less secure in the process.

-- Mitch
Re: [vox-tech] Exporting displays
On Wed, 16 Mar 2005, John Wojnaroski wrote:
> [snip]
> I'm trying to login into a remote host and have the host export the
> screen display back to my machine
> [snip]
> export DISPLAY=my_ip_address:0.0 returns something like
>
>     Xlib: client is not authorized to connect to server
>
> which seems to indicate that something is missing or lacking on the
> local machine. Any suggestions where to look?
> [snip]

That'll work except your local computer isn't letting the connection
through for security reasons. On your *local* computer, type this:

    $ xhost +

*but* this will work only if your local computer is connected directly
to the Internet.

The better way is to use ssh with the -X option to connect to the remote
computer in the first place. Not only does ssh setup the X forwarding
for you automatically (no need to do export blah blah or xhost blah blah
or be concerned about not being connected directly to the Internet), but
your connection will be secure. But this works only if the remote
computer has a ssh server with X forwarding enabled, which it is by
default on most systems I've seen. The drawback is the connection will
be a little slower than it would be on an insecure system, but it
shouldn't be noticeable under most circumstances.

-Mark

-- 
Mark K. Kim
AIM: markus kimius
Homepage: http://www.cbreak.org/
Xanga: http://www.xanga.com/vindaci
Friendster: http://www.friendster.com/user.php?uid=13046
PGP key fingerprint: 7324 BACA 53AD E504 A76E 5167 6822 94F0 F298 5DCE
PGP key available on the homepage
Re: [vox-tech] Exporting displays
Mark K. Kim wrote:
> On Wed, 16 Mar 2005, John Wojnaroski wrote:
> > [snip]
> > I'm trying to login into a remote host and have the host export the
> > screen display back to my machine
>
> The better way is to use ssh with the -X option to connect to the
> remote computer in the first place.
>
> [snip]
>
> The drawback is the connection will be a little slower than it would
> be on an insecure system, but it shouldn't be noticeable under most
> circumstances.

I've found the -C option to speed things up when forwarding X stuff with
-X. It was quite noticeable with xpdf, for example.

-Bryan

-- 
Bryan Richter
UCDTT President
UC Davis Undergrad, Physics Dept.
-
A PGP signature is (probably) attached to this email.
PGP Key ID: BB8E6CCC
Re: [vox-tech] Exporting displays
On Wed, 16 Mar 2005, Bryan Richter wrote:
> Mark K. Kim wrote:
> > On Wed, 16 Mar 2005, John Wojnaroski wrote:
> > > [snip]
> > > I'm trying to login into a remote host and have the host export
> > > the screen display back to my machine
> >
> > The better way is to use ssh with the -X option to connect to the
> > remote computer in the first place.
> >
> > [snip]
> >
> > The drawback is the connection will be a little slower than it would
> > be on an insecure system, but it shouldn't be noticeable under most
> > circumstances.
>
> I've found the -C option to speed things up when forwarding X stuff
> with -X. It was quite noticeable with xpdf, for example.

Nice~!

-Mark

-- 
Mark K. Kim
AIM: markus kimius
Homepage: http://www.cbreak.org/
Xanga: http://www.xanga.com/vindaci
Friendster: http://www.friendster.com/user.php?uid=13046
PGP key fingerprint: 7324 BACA 53AD E504 A76E 5167 6822 94F0 F298 5DCE
PGP key available on the homepage