-------------------------------------------------------------------------------
Remotely Running X Applications.

Introduction

This is (supposed to be) a guide on how to run remote X applications. The
focus is on security issues.

I have written this document for several reasons.

  * Many questions have appeared on usenet on how to run a remote X
    application.

  * I see many, many hints to use
        xhost +hostname
    or even
        xhost +
    to allow X connections. This is ridiculously insecure, and there are
    better methods.

NOTE: Hints and tips for specific programs are available in the file
      info/X/User.txt

An alternative to this document is
    Remote X Apps Mini-HowTo (Linux)
      http://www.linuxdoc.org/HOWTO/mini/Remote-X-Apps.html

To run an X application (client) you need to tell that program two things
for it to run :-

  1/ Which X display server you are using   (DISPLAY environment variable)
  2/ Permission to run it on that display   (xauth/xhost)

and occasionally (not since 1994)

  3/ A program does not understand the name server, usually on very very
     old UNIX machines (SunOS), so the DISPLAY variable must be converted
     to an IP address for it to work. It is caused by a bug in the library
     where it does not understand DNS name lookup.

-------------------------------------------------------------------------------
SSH and X windows...

These days you generally do not have to worry about any of this, as the SSH
protocol handles the X window connection itself, piping it via an encrypted
communications channel. It is now the preferred way of securely running X
window commands remotely.

However most SSH commands will NOT do this by default...

If you connect using
    ssh -X ...
then you will ask "ssh" to create the encrypted X windows link to the remote
machine (if allowed). This will set the DISPLAY and the "xauth" setup
accordingly so as to use that link.

Try this...
    ssh -X user@remote xlogo
You should see the 'xlogo' window pop up!!!

If you add the lines...
    Host *
      ForwardX11 yes

to a file ~/.ssh/config in your home directory on the machine you are
SSH'ing from, then the -X flag is now the default. You then need to use -x
to turn it off!

See the specific application hints and tips...
    SSH Command...    info/usage/ssh_howto.txt
                      Also look at info/apps/ssh.txt
    Putty...          info/apps/ssh_putty.txt
    TeraTerm          info/apps/ssh_terraterm.hints

-------------------------------------------------------------------------------
Remote X Windows on a PC....

Two things are needed on the PC: an SSH client (like TeraTerm) and an X
Windows Server application, such as X-Win32.

  * Install TeraTerm, including the SSH extensions.
    See http://css.cit.gu.edu.au/export/teraterm
    and view the README file for the steps involved.

  * Install X-Win32 (version 5 is much better than 4), and X-config32.

  * Set up Font Server -- very rarely needed...
    Run X-config32, and add the following to the font path
        tcp/UNIX_HOST:7100
    where "UNIX_HOST" is the machine you are running X window applications
    on. This allows special applications (like "ansys") to locate the X
    window fonts they need to work correctly.

  * Start X-Win32 to start an X-server on the local windows PC.
    Don't worry about any xdm or other "login" method.
    You may get a blank "grey peppered" window to start with, and nothing
    else; that is OK.

  * Run X-config32, and under the "Security" tab, either have an empty
    "X Host List" or ensure you include "localhost" in that list, to allow
    ssh to pass X window connections to it from its encrypted X window link.

  * Run "TeraTerm" (the "ttssh" executable).
    Connect to the "UNIX_HOST". Login and get a UNIX shell prompt.

  * If you are successful, and ssh set up the encrypted X windows link, the
    following command should report that you have your DISPLAY variable set.
    It should look something like "DISPLAY=localhost:13.0"
        env | grep DISPLAY

  * Type "xlogo" at the prompt to see if your X window display is working.
    A little window should pop up on your screen with an X in it, either
    directly on your display, or in your large "grey peppered" window.

  * In the SSH terminal window, press the keys "Control" and "C" to kill
    that test program.

  * You can now run whatever X window application you need from the SSH
    terminal window. If you would like a proper X window terminal, you can
    launch one with..
        xterm -ls &

  * When finished, you can close X-Win32 to close the X-server.
    You should close all the X-windows applications, though most X clients
    automatically shut down when the display is killed.

Note that while "telnet" can be used instead of SSH, it is NOT recommended,
and will NOT provide an "encrypted SSH link".

The above was completely re-written from notes by David Bussenchutt.

-------------------------------------------------------------------------------
Remote X window Clients (In General)....

Note: This is for direct X window connections, not ssh links (as above)

First set the location of your display.

You can either set an environment variable for the client to get the display
server from...
    setenv DISPLAY :0
For example
    setenv DISPLAY ncdhon53:0

Or you can specify it on the command line of the client
    xlogo -display :0
or
    xlogo -d :0
for example
    gvim -d ncdhon53:0

Permission to use your display is not so easy to specify.

All X servers have some security requirement. Previously you had to run on
a particular set of specified hosts. Today you need a display authorization.
This is the job of the "xauth" program.

You can look at this authorization on the machine you logged in on (NOT THE
REMOTE MACHINE), with :-

  :::prompt:::> xauth list
  gomez.cit.gu.edu.au:0  MIT-MAGIC-COOKIE-1  bac72dc238d176da00f6b07aacebaef5
  gomez/unix:0  MIT-MAGIC-COOKIE-1  bac72dc238d176da00f6b07aacebaef5

The long number is the authorization `password' to your display, or in the
above example my current "gomez" X window session. This number changes every
time you login to a display and for every display.
You may also see some old authorization codes from previous logins which are
no longer valid.

To pass this authorization to another machine do the following...

On the machine you initially logged into (where you did the list above)

  :::prompt:::> xauth nextract - $DISPLAY
  ...Some String of Numbers...

The numbers output are an encoding of the authorization for your current
display, and are something understood by the xauth program.

Now use the first mouse button and highlight the complete output of the
above xauth command. Then go to the login window of the remote (destination)
machine and type :-

  :::prompt:::> xauth nmerge -
  ...paste the numbers here...
  ^D

The ^D above is a Ctrl-D and marks the end of the input to xauth.

Now if you use "xauth list" on the remote machine you should find you are
now authorized to use this display.

Alternatively, you could just grab the authorization from the "xauth list"
output and insert it on the remote machine with "xauth add" (see the xauth
manpage). Doing this however has the remote possibility of some lucky person
seeing your display authorization in a "ps" listing on the remote machine.
This is very unlikely but still possible.

NOTES:

  1/ A couple of clients that were not compiled locally (Asterix, Frame, WP)
     are statically linked to the original Sun libraries. These programs do
     NOT understand the name server usage on our systems.

     SOLUTION: set your display to the x-terminal's IP instead of its name.
     EG:
        # split DISPLAY ("machine:screen") into its two parts
        oldIFS=$IFS; IFS=:; set -- $DISPLAY; IFS=$oldIFS; Machine=$1; Screen=$2
        # take the address that arp prints in parentheses for that machine
        IPNumber=`/usr/etc/arp $Machine | sed 's/[^(]*(\([^)]*\).*/\1/'`
        DISPLAY="$IPNumber:$Screen"
        export DISPLAY
        echo "DISPLAY=$DISPLAY ($Machine)"

     The scripts "Asterix" and "Frame" do this for you automatically.

  2/ A few odd ball clients check the xhost settings of the X server.
     These clients will work with Xauthority, but the programs themselves
     decide that they can't and WILL NOT RUN. Complain to the Developers.
     To use these clients, set xhost, run client, then RESET XHOST after
     the client program has started.

-------------------------------------------------------------------------------
Graphical Login to Remote Machine

When I login to "mortisha" (with a color X display) what I really want to do
is to login to my own machine "gomez" but using "mortisha"'s color display.
IE: login to "mortisha" minimally, then run all my X clients, including the
window manager, as if I logged directly into "gomez".

To do this I do the following....

Login to the local display you are using as minimally as possible. At some
sites this is the default; on others (like ours) you need to press `F1' at
the end of your password.

It is important at this point NOT to be running a window manager or other
clients, though it still should work to a degree even if this is not the
case.

Then I do the following in the xterm running.

  * xauth list
  * select the appropriate authorization line
  * telnet and login to the remote machine "gomez"
  * xauth add ...the..authorization..string...
  * setenv DISPLAY mortisha.my.domain:0
  * sh ~/.xsession

This will run the X session on "mortisha"'s display as if you logged
directly onto the machine "gomez".

To speed up this method I have the following two aliases in my ".cshrc"
file.

    alias setx 'setenv DISPLAY \!:1; xauth add \!:*'
    alias gox  'setx \!:*; sh ~/.xsession& logout'

Syntax
    setx ...the..authorization..string...
    gox  ...the..authorization..string...

The first will just set the authorization string (xauth add) AND your
display variable. The second will also run the xsession file.

Using the above aliases the above sequence becomes

  * minimal login to "mortisha" (F1 at end of password)
  * xauth list
  * select the appropriate authorization line
  * telnet and login to the remote machine "gomez"
  * gox ...the..authorization..string...

The aliases will then do the rest.

-------------------------------------------------------------------------------
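Checking that xhost has been reset

The introduction's warning about "xhost +" and the RESET XHOST step in note
2/ can both be checked from the output of a bare "xhost" command. The script
below is an added example, not part of the original document; the function
name, result words and sample outputs are constructed for illustration.

```sh
#!/bin/sh
# Added example: classify the text printed by a bare "xhost" command.
# Real use:   xhost | xhost_audit
# Prints one word:
#   open        access control disabled, i.e. someone ran "xhost +"
#   hosts:N     access control on, but N entries trust a whole host/family
#   restricted  access control on, at most per-user (SI:localuser:) entries
#   unknown     no status line seen (xhost failed or could not connect)
xhost_audit() {
    awk '
        /^access control disabled/ { seen = 1; wide_open = 1; next }
        /^access control enabled/  { seen = 1; next }
        /^[ \t]*$/                 { next }    # skip blank lines
        /^SI:localuser:/           { next }    # grants one local user only
        { hosts++ }                            # INET:, LOCAL:, bare names, ...
        END {
            if (!seen)          print "unknown"
            else if (wide_open) print "open"
            else if (hosts)     print "hosts:" hosts
            else                print "restricted"
        }'
}

# Constructed sample outputs (host and user names are made up).
sample_open='access control disabled, clients can connect from any host'
sample_hosts='access control enabled, only authorized clients can connect
INET:apphost.example.org
SI:localuser:alice'
sample_clean='access control enabled, only authorized clients can connect'

# Demonstration on the constructed samples, one result word per sample.
for s in "$sample_open" "$sample_hosts" "$sample_clean"; do
    printf '%s\n' "$s" | xhost_audit
done
```

Anything other than "restricted" after the workaround in note 2/ means the
host list was not put back; xauth cookies then no longer decide who can
connect.

-------------------------------------------------------------------------------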