If you just want to tunnel through ssh, you shouldn’t need to do anything extra. Just add the -X or -Y switch to your ssh command and you’re off.
$ ssh -X dude@computer xclock
No manual exporting of DISPLAY needed over ssh.
There’s just one problem with ssh. Since the display traffic is encrypted, there’s some additional processing overhead involved in forwarding displays this way. For modern machines over high speed network connections, this shouldn’t be a problem at all. 99% of all use cases won’t have a problem with tunneling in ssh. It’s easy to configure, and it just works.
If you need to forward X clients the old school unencrypted way (without forwarding through an encrypted ssh tunnel), you need to add one line to gdm’s custom.conf file and restart the desktop. Without this, the old “xhost +” won’t do a thing, because the out of the box Xorg configuration starts the server with this flag:
-nolisten tcp
Take a look at /etc/gdm/custom.conf. It probably looks pretty empty like this:
# GDM configuration storage
[xdmcp]
[chooser]
[security]
[debug]
Add the DisallowTCP line to the security section and restart X.
# GDM configuration storage
[xdmcp]
[chooser]
[security]
DisallowTCP=false
[debug]
Before the restart, the Xorg command line still carries the flag:
$ ps -efT | grep Xorg
/usr/bin/Xorg :0 -nr -verbose -auth /var/run/gdm/auth-for-gdm-viTswk/database -nolisten tcp vt1
After the restart, the flag is gone and the server accepts TCP connections:
$ ps -efT | grep Xorg
/usr/bin/Xorg :0 -nr -verbose -auth /var/run/gdm/auth-for-gdm-RnjtYr/database vt1
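As an added example (not part of the original post), the two checks above can be turned into a small audit script: one function decides from an Xorg command line whether the server was started with -nolisten tcp, and another reads the effective DisallowTCP value out of a GDM custom.conf (GDM treats a missing key as true, which is why the post needs the explicit DisallowTCP=false). The sample Xorg lines and config text are constructed here from the post so the script runs offline; the --live mode, which inspects the real process list with ps, is an assumption about the host and is only run when you ask for it.

```shell
#!/bin/sh
# Added audit helper for the "Xorg listening on TCP" check described in the post.
# Sample inputs below are constructed copies of the lines shown in the post.

# Print "tcp-disabled" when the Xorg argument list contains "-nolisten tcp",
# otherwise "tcp-enabled" (the unencrypted, xhost/xauth-governed state).
xorg_tcp_state() {
    case " $1 " in
        *" -nolisten tcp "*) echo tcp-disabled ;;
        *)                   echo tcp-enabled ;;
    esac
}

# Print the effective DisallowTCP value from a GDM custom.conf read on stdin.
# Only the [security] section is honoured; GDM's default is true when the key
# is absent, so an empty result is reported as "true".
gdm_disallow_tcp() {
    awk '
        /^\[/ { sec = tolower($0) }
        sec == "[security]" && /^[ \t]*DisallowTCP[ \t]*=/ {
            split($0, kv, "=")
            gsub(/[ \t]/, "", kv[2])
            val = tolower(kv[2])
        }
        END { print (val == "" ? "true" : val) }
    '
}

# Inspect the first Xorg process on this machine (assumes ps accepts -eo args).
audit_running_xorg() {
    args=$(ps -eo args | grep '[X]org' | head -n 1)
    [ -n "$args" ] || { echo "no Xorg process found"; return 1; }
    xorg_tcp_state "$args"
}

# Constructed samples taken from the post: before and after the GDM change.
BEFORE='/usr/bin/Xorg :0 -nr -verbose -auth /var/run/gdm/auth-for-gdm-viTswk/database -nolisten tcp vt1'
AFTER='/usr/bin/Xorg :0 -nr -verbose -auth /var/run/gdm/auth-for-gdm-RnjtYr/database vt1'
CONF_DEFAULT='[xdmcp]
[chooser]
[security]
[debug]'
CONF_OPENED='[xdmcp]
[chooser]
[security]
DisallowTCP=false
[debug]'

echo "before restart: $(xorg_tcp_state "$BEFORE")"
echo "after restart:  $(xorg_tcp_state "$AFTER")"
echo "stock custom.conf DisallowTCP: $(printf '%s\n' "$CONF_DEFAULT" | gdm_disallow_tcp)"
echo "edited custom.conf DisallowTCP: $(printf '%s\n' "$CONF_OPENED" | gdm_disallow_tcp)"

# Live check of the running server, only on request.
[ "${1:-}" = "--live" ] && audit_running_xorg
```

Run it with no arguments to see the constructed before/after cases, or with --live on a workstation to see which state the running Xorg is actually in; "tcp-enabled" together with a permissive xhost list is the combination the next paragraph warns about.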
This isn’t secure by any means. Any X client you run is talking to your server unencrypted, and if you still use “xhost +”, anyone who can reach the machine can connect to your server and display anything they want. On a private network at home this probably isn’t a problem, but if you want to limit which machines can use your display, use xauth.
From xauth’s site:
Xauth requires the account on the remote machine to know a secret quantity for your display called an MIT-MAGIC-COOKIE-1. If the remote user knows this quantity it can have complete access to the local display.
Access is limited to just me, but I can add more hosts if I want them to be able to use my desktop session. If anyone else starts a new display, they’ll get their own list.
$ xauth list
myhost/unix:0 MIT-MAGIC-COOKIE-1 6e3c25d8fed8rus7a85b1749nc
$ xauth info
Authority file: /var/run/gdm/auth-for-dude-7h34p/database
File new: no
File locked: no
Number of entries: 1
Changes honored: yes
Changes made: no
Current input: (argv):1
Hi,
I’m using Fedora 12 and I’ve edited the file /etc/gdm/custom.conf to:
cat /etc/gdm/custom.conf
# GDM configuration storage
[xdmcp]
[chooser]
[security]
DisallowTCP=false
[debug]
restarted the X server and still:
ps -ef |grep Xorg
root 5499 5498 19 16:15 tty7 00:01:12 /usr/bin/Xorg :0 -br -verbose -auth /var/run/gdm/auth-for-gdm-Xp6UeE/database -nolisten tcp
Any ideas?
Thanks,
Doron
Try setting DisallowTCP in gdm.schemas too. (/etc/gdm/gdm.schemas)
<schema>
<key>security/DisallowTCP</key>
<signature>b</signature>
<default>false</default>
</schema>
Hello,
THANK YOU VERY MUCH!!
You have spared me a great deal of headaches.
It resolved exactly my problem - I have an IBM AIX 5.2 host that cannot tunnel X11 through ssh - and I hadn’t noticed that in between Fedora has changed the defaults for X11 forwarding. Great. Thanks again.