
10.5: Enable X11 listening on port 6000 Network
Are you having difficulty redirecting X11 to your Mac running Leopard without using ssh -X? Someone figured out that Leopard turns off listening to X11 traffic on TCP port 6000 by default. The following steps will turn TCP listening back on, so that the X11 server will service a client request.

First see if your server has TCP listening turned off by executing the following command: defaults read org.x.X11 | grep nolisten. The output will read either "nolisten_tcp" = 1; which is bad, or "nolisten_tcp" = 0; which is good. If TCP listening is off, turn it back on. I did this both as root and my default non-root username, as I didn't know which one took precedence:
sudo defaults write org.x.X11 nolisten_tcp 0
defaults write org.x.X11 nolisten_tcp 0
Shut down your X11.app, then in Terminal, type xterm, and as normal, the X11 terminal should pop up. In the xterm, enable all remote users by typing xhost +. Back in Terminal, type the following to see if the server is now listening for inbound TCP requests: netstat -na | grep 6000. You should see something like this output:
tcp4       0      0  *.6000            *.*               LISTEN
tcp6       0      0  *.6000            *.*               LISTEN
Now on your remote system things should be as before. Just set up your DISPLAY to point to the Mac and fire away. I assume this is persistent across a reboot, but I didn't try. The original solution was found here by Johannes Overmann.
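
An added check, not part of the original hint: a shell script that classifies the exposure the steps above create, using the output of netstat -na and xhost. The function names, the verdict words and the sample data are constructed for illustration, and the port range 6000-6063 assumes display numbers 0 to 63.

```shell
#!/bin/sh
# Added example. Functions read command output on stdin, so they work on
# live output (netstat -na, xhost) or on the constructed samples below.

# Print every TCP listener on an X11 display port (6000 + display number,
# displays 0-63 assumed) that is not bound to loopback only.
x11_tcp_listeners() {
    awk '$1 ~ /^tcp/ && $NF == "LISTEN" {
        addr = $4                        # local address column
        n = split(addr, parts, /[.:]/)   # macOS uses "*.6000", Linux ":6000"
        port = parts[n]
        if (port !~ /^[0-9]+$/) next
        if (port + 0 < 6000 || port + 0 > 6063) next
        host = substr(addr, 1, length(addr) - length(port) - 1)
        if (host == "127.0.0.1" || host == "::1") next
        print $1, addr
    }'
}

# Exit 0 when xhost reports host-based access control is off, the state
# that "xhost +" leaves the server in.
xhost_is_open() {
    grep -q '^access control disabled'
}

# $1 = netstat -na output, $2 = xhost output; prints one verdict word.
x11_exposure() {
    if [ -z "$(printf '%s\n' "$1" | x11_tcp_listeners)" ]; then
        echo "closed"
    elif printf '%s\n' "$2" | xhost_is_open; then
        echo "open-to-any-host"
    else
        echo "listening-with-acl"
    fi
}

# Constructed sample data (not captured from a real machine).
SAMPLE_NETSTAT='tcp4       0      0  *.6000            *.*               LISTEN
tcp6       0      0  *.6000            *.*               LISTEN
tcp4       0      0  127.0.0.1.631     *.*               LISTEN'
SAMPLE_XHOST_OPEN='access control disabled, clients can connect from any host'
SAMPLE_XHOST_ACL='access control enabled, only authorized clients can connect
INET:hosta'

x11_exposure "$SAMPLE_NETSTAT" "$SAMPLE_XHOST_OPEN"   # hint followed as written
x11_exposure "$SAMPLE_NETSTAT" "$SAMPLE_XHOST_ACL"    # xhost limited to hosta
# Live use on the Mac: x11_exposure "$(netstat -na)" "$(xhost)"
```

A listening-with-acl verdict still means X11 traffic crosses the network unencrypted; only closed matches Leopard's default.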

10.5: Enable X11 listening on port 6000
Authored by: bbense on Dec 10, '08 08:02:43AM

That's a REALLY BAD idea, you just gave pretty much everybody access to all the keystrokes you type in ANY X11 window. There is a very good reason this access is disabled. Tunneling through ssh is a much more secure way to do X11 between machines. At a minimum you should at least use xauth authentication, although that is not particularly secure.

_ Booker C. Bense



10.5: Enable X11 listening on port 6000
Authored by: smoked_2na on Dec 10, '08 08:08:57AM

So then instead of ( xhost + ) make it ( xhost hostname ).

Don't want to argue the merits of SSH vs. basic X11 authority. Just wanted it to work as it has for YEARS!



10.5: Enable X11 listening on port 6000
Authored by: smoked_2na on Dec 10, '08 08:12:23AM

Another way is to use a ( .xsessions ) file in $HOME. Just add your trusted hosts in it.

[example]

xhost hosta
xhost hostb
xhost etc



10.5: Enable X11 listening on port 6000
Authored by: Keltia on Dec 10, '08 08:58:53AM

This is not good either. Xauth can probably be faked or the cookie can be obtained from your machine. This is not secure. Use ssh. It will work as it did before w/o you noticing and as it is expected to work. The hint should probably be removed.



10.5: Enable X11 listening on port 6000
Authored by: smoked_2na on Dec 10, '08 09:46:38AM

It's a matter of personal choice if you use the hint or not!



10.5: Enable X11 listening on port 6000
Authored by: corienti on Dec 11, '08 09:05:28AM

Simply a "bad idea" with no qualification to that statement whatsoever?
Afraid I have to disagree entirely.

This hint is perfectly fine if you're using it on a private (not office) local LAN - eg at home, and, of course, you are behind a firewall.

If you're worried about the outside world getting to the listening port 6000 on your machine... what the heck are you doing connected to the internet without either a firewall or NAT sitting in between?

Anyone who knows enough to understand networking and ports and X11 and how to perform this hint (and is using remote-forwarded X11 apps in the first place), will have enough of a clue to know they shouldn't use this on an open LAN and will also know you should always be behind a firewall or NAT.

I agree that the number of cases where this hint is a good idea are relatively few; better in many cases to use ssh -X.
However for people who DO know what they're doing, this hint is invaluable (I've known about it for ages) and absolutely vital for the right people to know - hence why it's great someone shared it here.

NB it's also probably not the best idea on laptops, where sometimes you're on a secure and private network, but other times you may not be.

I DO however completely agree that this hint should have included a disclaimer/warning about the security risk involved, for people who are not already aware.


As for me, my LAN at home sits behind a hardware NAT device and THEN behind an OpenBSD firewall (pf) configured in paranoid mode. The only other machines on my LAN are my machines (and none run Windows, let me assure you!)
Is this hint still a "really bad idea" for me?
If there's anyone else undetected on my LAN I've got much bigger worries than X11-app keystroke recording...!



10.5: Enable X11 listening on port 6000
Authored by: corienti on Dec 11, '08 09:10:54AM

NB... it is quite clear on this forum that many of you forget that many Unix veterans (and network security people) also use OS X.
This forum is for *everyone* who uses OS X, not only for users who don't have any understanding of network security...

It'd be nice if people remembered that some of us in the audience here are capable of looking after our own network and OS security and don't need the blanket alarmist responses that so often appear with the more technical hints! :-)



10.5: Enable X11 listening on port 6000
Authored by: rudedog on Dec 10, '08 04:05:46PM

No need to use the terminal; this is an option on the security tab of the xserver's preferences screen - start X, open preferences and make sure "Allow connections from network clients" is enabled.



10.5: Enable X11 listening on port 6000
Authored by: NinjaRat on Dec 11, '08 07:53:55AM

As noted, this is a major security hole. Use SSH to tunnel your X connections. It is both safer (as your X traffic is encrypted) and easier (since you don't have to worry about setting the DISPLAY -- SSH takes care of it automatically).


