
10.5: Re-enable remote X viewing in 10.5.5 UNIX
When you upgrade to OS X 10.5.5, remote X viewing (via X11) gets disabled. This is fine for most people; however, for those of us who use remote apps, it's a pain. The following defaults setting will take care of the issue. In Terminal, issue this command:
defaults write org.x.X11 nolisten_tcp 0
[robg adds: I haven't tested this one.]
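
To see whether an X server is actually accepting TCP connections after a change to nolisten_tcp, the listening sockets can be checked. The following is an added example, not part of the original hint: the function name, the constructed netstat sample, and the limit to displays :0 through :63 are assumptions made here.

```sh
#!/bin/sh
# Added example (not from the original hint). Reads `netstat -an` output on
# stdin and lists TCP listeners in the X11 range: display :N uses port 6000+N.
# Assumption: only displays :0 to :63 (ports 6000-6063) are considered.
x11_tcp_listeners() {
    awk '
        $1 ~ /^tcp/ && $NF == "LISTEN" {
            addr = $4
            port = addr
            sub(/^.*[.:]/, "", port)          # keep what follows the last "." or ":"
            if (port !~ /^[0-9]+$/) next
            p = port + 0                      # force a numeric comparison
            if (p < 6000 || p > 6063) next
            host = substr(addr, 1, length(addr) - length(port) - 1)
            scope = (host == "127.0.0.1" || host == "::1" || host == "localhost") ? "loopback" : "exposed"
            printf ":%d %s %s %s\n", p - 6000, $1, host, scope
        }'
}

# Constructed sample in the Mac OS X / BSD netstat layout (address.port).
sample_netstat() {
    cat <<'EOF'
Active Internet connections (including servers)
Proto Recv-Q Send-Q  Local Address          Foreign Address        (state)
tcp4       0      0  *.6000                 *.*                    LISTEN
tcp6       0      0  *.6000                 *.*                    LISTEN
tcp4       0      0  127.0.0.1.6010         *.*                    LISTEN
tcp4       0      0  127.0.0.1.631          *.*                    LISTEN
tcp4       0      0  *.22                   *.*                    LISTEN
tcp4       0      0  192.168.1.10.22        192.168.1.20.51514     ESTABLISHED
EOF
}

# On a live machine: netstat -an | x11_tcp_listeners
sample_netstat | x11_tcp_listeners
```

An "exposed" line for display :0 means the X server is reachable from the network. A loopback listener on :10 or higher is the pattern left by sshd's X11 forwarding on a remote host, whose default X11DisplayOffset is 10.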

10.5: Re-enable remote X viewing in 10.5.5
Authored by: Soliman on Sep 18, '08 08:19:50AM
When possible, use ssh -X for remote apps; it's safer and works even if X does not listen to TCP connections (which seems like a reasonable default).

---
Sylvain


10.5: Re-enable remote X viewing in 10.5.5
Authored by: mzs on Sep 18, '08 08:23:01AM

With newer ssh clients you should use -Y instead of -X.



Why ssh -Y instead of -X?
Authored by: meitar on Sep 22, '08 06:49:07PM

I've always used ssh -X for my X11 sessions, and I've known about -Y for a short while but never used it. I know that I don't understand the intricacies of X11 very well at all, so maybe I'm misunderstanding the ssh man page, but it sounds like -Y is less secure than -X. The manual page on my system for -Y says:

Enables trusted X11 forwarding. Trusted X11 forwardings are not subjected to the X11 SECURITY extension controls.

while it says the following for -X:

X11 forwarding should be enabled with caution. Users with the ability to bypass file permissions on the remote host (for the user's X authorization database) can access the local X11 display through the forwarded connection. An attacker may then be able to perform activities such as keystroke monitoring.

For this reason, X11 forwarding is subjected to X11 SECURITY extension restrictions by default. Please refer to the ssh -Y option and the ForwardX11Trusted directive in ssh_config(5) for more information.

So am I to understand that using -X makes X11 sessions obey the X11 SECURITY extension (is that the xauth stuff?) whereas -Y trusts any and all X11 connections? How is that better? Or am I misreading something…?

---
-Meitar Moscovitz
Professional: http://MeitarMoscovitz.com/
Personal: http://maymay.net/
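
The -X and -Y switches discussed in this thread correspond to the ForwardX11 and ForwardX11Trusted directives of ssh_config(5), so a client config file can turn on trusted forwarding without -Y ever being typed. The following is an added example, not part of any post in the thread: it lists where a config file sets either directive, and the function names and the sample config are constructed here.

```sh
#!/bin/sh
# Added example (not from the thread). Reads an ssh_config(5) file on stdin and
# prints every ForwardX11 / ForwardX11Trusted setting with the block it sits in.
# It lists what the file declares; it does not resolve which block wins for a host.
x11_forwarding_settings() {
    awk '
        BEGIN { scope = "(top of file)" }                  # options before any Host line
        /^[ \t]*#/ || /^[ \t]*$/ { next }                  # skip comments and blank lines
        { sub(/[ \t]*=[ \t]*/, " "); key = tolower($1) }   # accept Key=value as well
        key == "host" || key == "match" {
            $1 = ((key == "host") ? "Host" : "Match")      # normalise case and spacing
            scope = $0
            next
        }
        key == "forwardx11" || key == "forwardx11trusted" {
            val = tolower($2); note = ""
            if (key == "forwardx11trusted" && val == "yes")
                note = (scope == "Host *" || scope == "(top of file)") ? " [default for all hosts]" : " [trusted]"
            printf "%s: %s %s%s\n", scope, $1, val, note
        }'
}

# Constructed sample config; the host names are placeholders.
sample_ssh_config() {
    cat <<'EOF'
# constructed sample, not from the page
Host legacy-aix.example
    ForwardX11 yes
    ForwardX11Trusted yes
host build*.example lab
    ForwardX11=yes
Host *
    ForwardX11Trusted yes
EOF
}

# On a live machine: x11_forwarding_settings < ~/.ssh/config
sample_ssh_config | x11_forwarding_settings
```

Because ssh uses the first value it obtains for each option, a ForwardX11Trusted yes under Host * also applies to earlier blocks that enable ForwardX11 but do not set ForwardX11Trusted themselves. On OpenSSH 6.8 or later, ssh -G hostname prints the effective values for one host.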


10.5: Re-enable remote X viewing in 10.5.5
Authored by: mrbucket on Sep 18, '08 08:48:35AM

Absolutely, especially on an insecure link.

This is on a protected network though, we choose to have TCP enabled.



10.5: Re-enable remote X viewing in 10.5.5
Authored by: McSvenster on Sep 18, '08 08:28:30AM

You can click on "preferences" within X11, choose "security" and allow Network connections - so you don't have to use the terminal.

Greetings
SK



10.5: Re-enable remote X viewing in 10.5.5
Authored by: mrbucket on Sep 18, '08 08:47:04AM

For whatever reason I didn't even realize that there was an X11 preferences window. Thanks!



Not a great idea
Authored by: Westside guy on Sep 18, '08 12:53:33PM

I'm not sure why anyone who uses remote apps wouldn't know about X forwarding over ssh (as has already been commented on). Implementing this hint is really not a good idea security-wise - doubly so because there's no particular reason for doing this, AFAICT. You're basically just opening up a potential attack point for no good reason (yes, there have been remote X exploits).



Not a great idea
Authored by: olivermomo on Sep 18, '08 01:40:31PM

> I'm not sure why anyone who uses remote apps wouldn't know about X forwarding over ssh

I occasionally work on AIX and Solaris boxes for customers that don't have SSH installed so I have to telnet to them and then export apps to my display. In both cases another vendor installed and manages the UNIX systems and I am not in a position to mandate that SSH be implemented, though I've recommended it. We connect to those networks using a VPN connection, so at least the connection is secured as it travels over the Internet, though it travels in clear text over the customer's LAN.



10.5: Re-enable remote X viewing in 10.5.5
Authored by: Millard73 on Sep 20, '08 10:31:47AM

Well, every once in a great while there is a reason to prefer direct X11 connections to SSH forwarding, but they are few and far between. With "trusted forwarding" (i.e. the -Y option) almost any X program should work. However, every once in a while you'll run into a program that will still not work (some TCL/Tk scripts come to mind).

If you absolutely must use direct X11 connections, be sure to use the xauth mechanism to limit connections to the system(s) that you are actually using by running "xhost +name.of.remote.machine". Your connections aren't encrypted and someone could spoof the host's IP, but it's better than nothing.

However, SSH X11 forwarding has other advantages. If you're behind a firewall that only allows port 22 connections or you're on a NAT, you don't have to worry about open ports, directing traffic to a specific system, etc. It just works.



10.5: Re-enable remote X viewing in 10.5.5
Authored by: Raaveni on Oct 02, '08 11:53:08PM

Well all very nice, but 10.5.5 X11-forwarding doesn't work for me... or well it works and doesn't. Taking an ssh -Y or ssh -X command works fine to a Linux box in case I'm using my own account. But since I'm a unix admin, I more often than not need to use an application remotely with another account.

Why not use ssh -X <user>@host? Well I don't know the user's password and have no wish to change it for the testing purposes either. Could be done ofc, but not a good solution.

So I need to take a remote root connection and su to a user's account. Ofc the x-forwarding doesn't work then. Here's the big problem: in 10.5.5, "setenv DISPLAY host:0.0" no longer works. It doesn't transfer the display to my local machine.

Also the ssh -X/-Y option doesn't work on Solaris boxes with SunSSH either.

Any ideas would be welcome...

PS. I tried downloading MacPorts in order to replace the OpenSSH of 10.5.5 with a previous version. But the installation of MacPorts fails on some post installation script.


