XSecurity, SSH, XDMCP, xauth, etc.

For discussions about security.
s243a
Posts: 2580
Joined: Tue 02 Sep 2014, 04:48
Contact:


#1 Post by s243a »

I had some problems with ssh on tahrpup which I didn't have on fatdog64, so I started digging a bit into X related topics.

I would like this thread to cover a wide range of topics and not get too into any one approach or turn into an argument about which methods are best but I think that's going to be difficult.

I installed openssh via the puppy package manager. I can give you info about my sshd_config but I'd like to discuss other topics first. But let's paradoxically start with this anyway:

Code: Select all

 ssh -X root@127.0.0.1
root@127.0.0.1's password: 
Warning: No xauth data; using fake authentication data for X11 forwarding.
Warning: Remote host denied X11 forwarding.
The DISPLAY environmental variable is not getting set. I can't connect to any display other than :0 which is a unix socket. Installing xauth in the puppy package manager didn't help.

I was able to open a different display on a different socket with something like

Code: Select all

Xephyr :3 &
export DISPLAY=':3'
xterm #I think you need this if you are using ssh
geany
**Xephyr is available on tahrpup via the package manager.

It doesn't work with tcp sockets. i.e. using

Code: Select all

export DISPLAY='127.0.0.1:3' #Not sure if I need a space after the ip address
I should be able to use tcp sockets if I remove -nolisten from line 161 of /usr/bin/xwin (note I'm using tahrpup)

Code: Select all

/usr/bin/xinit /root/.xinitrc -- -br -nolisten tcp > /tmp/xerrs.log 2>&1
this shouldn't be necessary with ssh because ssh is supposed to be able to forward the unix sockets. However, it could be convenient if I address the security in other ways (or maybe I don't need to if there are no untrusted users on my system?)

Xserver provides some security features described at:
https://www.x.org/archive/X11R6.8.1/doc ... ity.7.html

I don't yet understand why they are or are not adequate for my needs but I found some info on this:

https://tstarling.com/blog/2016/06/x11- ... isolation/

as a note since initially we discussed modifying an argument to xinit, some info about what it does is interesting (if one doesn't know it):
xinit will look for a .xinitrc file in the user's home directory, to run as a shell script. If found, this then would in turn run whatever user specified commands to set up the environment, or launch programs that the file contained. If this file does not exist, xinit will use the following initial command:

Code: Select all

 xterm -geometry +1+1 -n login -display :0
 


If no .xserverrc is found in the user's home directory, X itself will be started with the following command:

Code: Select all

 X :0
http://www.tldp.org/HOWTO/XWindow-User- ... ningx.html

I'll post some more stuff once I learn more.

Also, as noted, one alternative way to remote other than ssh XForwarding is XDMCP. Some info about it can be found at:
The XDMCP HOWTO
The XDM and X Terminal mini-HOWTO .

As a final note on ssh, if for some reason XForwarding isn't working one could try something like this instead:

Code: Select all

ssh -C -R 6000:127.0.0.1:6000 alice@server "DISPLAY=:0.0 xterm"
https://unix.stackexchange.com/question ... en-display

This though would require the removal of the nolisten option noted above.

The following link has a bunch of links to related topics:
http://www.tldp.org/HOWTO/XWindow-User- ... html#links

s243a
Posts: 2580
Joined: Tue 02 Sep 2014, 04:48
Contact:

#2 Post by s243a »

So doing the following

Code: Select all

Xephyr :3 &
export DISPLAY=':3'
xterm #I think you need this if you are using ssh
geany 
didn't seem to work well. geany was mostly off the window in Xephyr and I wasn't able to type in xterm. Not sure if the following means anything to anyone

Code: Select all

root# _XSERVTransSocketOpenCOTSServer: Unable to open socket for inet6
_XSERVTransOpen: transport open failed for inet6/puppypc5446:3
_XSERVTransMakeAllCOTSServerListeners: failed to open listener for inet6
Initializing built-in extension Generic Event Extension
Initializing built-in extension SHAPE
Initializing built-in extension MIT-SHM
Initializing built-in extension XInputExtension
Initializing built-in extension XTEST
Initializing built-in extension BIG-REQUESTS
Initializing built-in extension SYNC
Initializing built-in extension XKEYBOARD
Initializing built-in extension XC-MISC
Initializing built-in extension SECURITY
Initializing built-in extension XINERAMA
Initializing built-in extension XFIXES
Initializing built-in extension RENDER
Initializing built-in extension RANDR
Initializing built-in extension COMPOSITE
Initializing built-in extension DAMAGE
Initializing built-in extension MIT-SCREEN-SAVER
Initializing built-in extension DOUBLE-BUFFER
Initializing built-in extension RECORD
Initializing built-in extension DPMS
Initializing built-in extension Present
Initializing built-in extension DRI3
Initializing built-in extension X-Resource
Initializing built-in extension XVideo
Initializing built-in extension XVideo-MotionCompensation
Initializing built-in extension SELinux
Initializing built-in extension GLX
[dix] Could not init font path element /usr/share/fonts/X11/misc, removing from list!
[dix] Could not init font path element /usr/share/fonts/X11/cyrillic, removing from list!
[dix] Could not init font path element /usr/share/fonts/X11/100dpi/:unscaled, removing from list!
[dix] Could not init font path element /usr/share/fonts/X11/75dpi/:unscaled, removing from list!
[dix] Could not init font path element /usr/share/fonts/X11/Type1, removing from list!
[dix] Could not init font path element /usr/share/fonts/X11/100dpi, removing from list!
[dix] Could not init font path element /usr/share/fonts/X11/75dpi, removing from list!
syntax error: line 1 of pc
The XKEYBOARD keymap compiler (xkbcomp) reports:
> Error:            Error interpreting include file "pc"
>                   Exiting
>                   Abandoning symbols file "default"
Errors from xkbcomp are not fatal to the X server
^C

s243a
Posts: 2580
Joined: Tue 02 Sep 2014, 04:48
Contact:

#3 Post by s243a »

After removing nolisten from xwin and restarting jwm, I get the following error:

Code: Select all

root# xhost +SI:root:127.0.0.1
root:127.0.0.1 being added to access control list
X Error of failed request:  BadValue (integer parameter out of range for operation)
  Major opcode of failed request:  109 (X_ChangeHosts)
  Value in failed request:  0xe
  Serial number of failed request:  7
  Current serial number in output stream:  9
not sure what to do here.

nosystemdthanks
Posts: 703
Joined: Thu 03 May 2018, 16:13
Contact:

#4 Post by nosystemdthanks »

my understanding of this, based on convention and not necessarily fact, is this is something you can do but it doesnt really work-- its something you can make work but you really shouldnt use it.

i would not hesitate to combine ssh with x (ive done it before, using faqs and howtos-- not in puppy) if it were between machines that were not exposed to the internet.

other than that it seems a bit insecure. there are security additions, but this feature is used so infrequently-- while other serious vulnerabilities were found in things more commonly used over the years-- i just cant imagine making ssh+x really secure without an overhaul of x.

if i sound like a wayland fanboy, i can assure you, i prefer x.

i want to ask what youre trying to do and why, but its purely out of curiosity; its not to challenge it. i wish i could help, seems unlikely.

s243a
Posts: 2580
Joined: Tue 02 Sep 2014, 04:48
Contact:

#5 Post by s243a »

So I learned that for Xephyr to work the DISPLAY environmental variable has to be set to an existing display. This works

Code: Select all

root# export DISPLAY=':0'
root# Xephyr :3 -screen 600X600 -reset -terminate -query 127.0.0.1 &
the xserver seems to be listening on port 3 of local host as is evident from the following:

Code: Select all

root# export DISPLAY='127.0.0.1:3'
root# geany
No protocol specified
Geany: cannot open display

root# export DISPLAY='127.0.0.1:2'
root# geany
Geany: cannot open display

root# 

but now I need to figure out how to specify a protocol.

s243a
Posts: 2580
Joined: Tue 02 Sep 2014, 04:48
Contact:

#6 Post by s243a »

The keyboard isn't working for me on Xephyr. I found a possible solution:
You can try to read the keyboard configuration of :0 with setxkbmap and to set it on :1 with xkbcomp:

setxkbmap -display :0 -print | xkbcomp - :1
On another note, I noticed that Xephyr is related to docker and the sandboxes in "Easy Os" that BarryK is calling "Easy Containers"
http://www.murga-linux.com/puppy/viewtopic.php?t=109527

these sound cool so I might give "Easy Os" a try.

s243a
Posts: 2580
Joined: Tue 02 Sep 2014, 04:48
Contact:

#7 Post by s243a »

nosystemdthanks wrote:my understanding of this, based on convention and not necessarily fact, is this is something you can do but it doesnt really work-- its something you can make work but you really shouldnt use it.

i would not hesitate to combine ssh with x (ive done it before, using faqs and howtos-- not in puppy) if it were between machines that were not exposed to the internet.

other than that it seems a bit insecure. there are security additions, but this feature is used so infrequently-- while other serious vulnerabilities were found in things more commonly used over the years-- i just cant imagine making ssh+x really secure without an overhaul of x.

if i sound like a wayland fanboy, i can assure you, i prefer x.

i want to ask what youre trying to do and why, but its purely out of curiosity; its not to challenge it. i wish i could help, seems unlikely.
Just learning at this point but I think on my home network security isn't as much of a concern as it might be at a work environment or over the web.

Edit: In my next post I'm playing with Xephyr because it should let me experiment with xforwarding on a single computer, rather than having to switch between computers. It will also let me learn some stuff about x startup and window managers.
Last edited by s243a on Tue 08 May 2018, 07:01, edited 2 times in total.

s243a
Posts: 2580
Joined: Tue 02 Sep 2014, 04:48
Contact:

#8 Post by s243a »

I'm trying to do some experimentation with Xephyr

I can start Xephyr like this.

Code: Select all

Xephyr :10 -screen 1024X768 -reset -terminate -auth /root/.Xauthority 
Supposedly you can use the query parameter to make it listen on a network but it isn't working for me.

Code: Select all

_XSERVTransSocketOpenCOTSServer: Unable to open socket for inet6
_XSERVTransOpen: transport open failed for inet6/puppypc30757:10
_XSERVTransMakeAllCOTSServerListeners: failed to open listener for inet6
XDMCP warning: INET6 UDP socket creation failed
which are strange error messages since I'm not using IPv6.

Now in a different shell set display=10

Code: Select all

export DISPLAY=:10
start some apps

Code: Select all

xterm &
then start the window manager like

Code: Select all

jwm &
or

Code: Select all

twm &
I get errors in the first part where I start Xephyr

Code: Select all

The XKEYBOARD keymap compiler (xkbcomp) reports:
> Error:            Error interpreting include file "pc"
>                   Exiting
>                   Abandoning symbols file "default"
Errors from xkbcomp are not fatal to the X server

which means I can't use keyboard input. I tried

Code: Select all

xrdb -merge $HOME/.Xresources
but this breaks my window.

Maybe I try starting Xephyr the way that is suggested on archwiki

Code: Select all

 $ startx -- /usr/bin/Xephyr :1
https://wiki.archlinux.org/index.php/Xephyr

Edit that last line did nothing. Back to the basics.

Edit2 Maybe I need to make my own startx script.

rufwoof
Posts: 3690
Joined: Mon 24 Feb 2014, 17:47

#9 Post by rufwoof »

s243a wrote:On another note, I noticed that Xephyr is related to docker and the sandboxes in "Easy Os" that BarryK is calling "Easy Containers"
http://www.murga-linux.com/puppy/viewtopic.php?t=109527

these sound cool so I might give "Easy Os" a try.
I use OpenBSD installed on a old single core celeron box as a server - located on a separate lan segment all by itself (physical isolation, not the main cable hubs DMZ or anything like that). OpenBSD's X is different in that it runs under a restricted userid so its much more secure. To connect to that I typically use ...

Code: Select all

DISPLAY=:0 ssh -X user@192.168.1.3
The server needs xauth installed and sshd has to be configured to forward X etc.
The main hub blocks ssh, so its purely internal (rest of PC's etc are in a 10.0.x.x domain set behind another router). i.e. primarily the celeron box is just a http/https server (for web cams etc.).

EasyOS is really great. Before I was just using Puppy for admin purposes (liveCD to for instance get in if the root password on a installation was forgotten or other general admin). With EasyOS I can run most things as root, but run the browser in a container and chroot, as a restricted userid, and where capsh's are also applied and even where root inside that chroot is pretty much crippled (see this post and subsequent ones such as this). i.e. even root can't exit out of the chroot. Within that I've installed the latest firefox 59.03 and use that for all browsing and email (online email accounts). Pretty much everything else is local, so I run other programs as per normal puppy style (root). Firefox running in its sandbox, inside a chroot inside a container as a restricted userid and where even if privileges could be elevated to root that's still contained and restricted. Still not invulnerable, but greater comfort than standard Puppy running a browser as root (and more so if a outdated browser). Others are content that they're secure as they don't save and reboot freshly again, however a lot can occur if a penetration is achieved even briefly, such as hacking firmware/other devices on the same LAN and I feel better with that risk minimised as much as possible rather than being more blasé about such matters. So with the advent of EasyOS I'm back to three main boots on my desktop (pure Debian (single provider i.e. their main repos only), OpenBSD and EasyOS). Still running Debian Jessie as that just works for me (all installed programs collectively work well together and a extensive repository), but come when its LTS stops ??? SystemD and its modularised structure is nice, but I do like the simplicity of the likes of OpenBSD that I was more raised on. I tend to run older hardware (hand-me-downs) so ideally I'll be on the lookout for something more OpenBSD aligned for my next 'new' (to me) desktop. 
My current Acer is around a decade old (4 core 2GB) that was lightly used before coming to me, so there might still be a handful of years life left in it yet.

rufwoof
Posts: 3690
Joined: Mon 24 Feb 2014, 17:47

#10 Post by rufwoof »

s243a wrote:or

Code: Select all

twm &
twm generally is included as part of Xorg so if X is installed more usually twm will be available (Puppy is one of the exceptions). If you use colours for menus it can look/feel reasonable. Celebrated its 30th birthday a few months back so I used it solely for a while in celebration of that. Better suited to mouse heavy style, for laptops - keyboard heavy style cwm is great (at least in OpenBSD). Mostly now however when I connect to the server I just use cli and mc (and scp files between desktop/server). So much so that my OpenBSD install is just the very secure OpenBSD base system + firefox.

s243a
Posts: 2580
Joined: Tue 02 Sep 2014, 04:48
Contact:

#11 Post by s243a »

So here is another way I can start it.

I created a script called xwin_jwc

Code: Select all

#!/bin/sh
HOME=${HOME:-/root}
NESTDISPLAY=${NESTDISPLAY:-':10'}
DISPLAY=${DISPLAY:-':10'}; export DISPLAY
#From Line 161 of xwin
#/usr/bin/xinit /root/.xinitrc -- -br > /tmp/xerrs.log 2>&1
# Xephyr is itself a client of the existing X server, so it has to be pointed at :0
export DISPLAY=:0
/usr/bin/xinit /root/.xinitrc_jwc -- /usr/bin/Xephyr "$NESTDISPLAY" -screen 1024X768 -reset -terminate -auth /root/.Xauthority
which uses another script I created called .xinitrc_jwc to initialize the window manager. Basically, I stripped out of the puppy .xinitrc what I thought I could. Although I didn't strip out enough and it doesn't solve my keyboard issues:

Code: Select all

#!/bin/sh
DISPLAY=${DISPLAY:-':10'};
# $1 must not be single-quoted here, otherwise WM becomes the literal string '$1'
WM=${WM:-$1};
WM=${WM:-'jwm'};
userresources=$HOME/.Xresources
usermodmap=$HOME/.Xmodmap
sysresources=/usr/lib/X11/xinit/Xresources
sysmodmap=/usr/lib/X11/xinit/.Xmodmap

# merge in defaults and keymaps

if [ -f $sysresources ]; then
    xrdb -merge -nocpp $sysresources
fi

if [ -f $sysmodmap ]; then
    xmodmap $sysmodmap
fi

if [ -f $userresources ]; then
    xrdb -merge -nocpp $userresources
fi

if [ -f $usermodmap ]; then
    xmodmap $usermodmap
fi

#such as rxvt that use the selection-buffer...
[ -f /usr/bin/autocutsel ] && /usr/bin/autocutsel &
#...disadvantage of this is it creates a little square bottom-right of screen.


if [ -f /root/.fonts/fonts.dir ];then
 xset fp+ /root/.fonts/
fi

exec "$WM"
Here's some output:

Code: Select all


root# sh ./xwin_jwc

_XSERVTransSocketOpenCOTSServer: Unable to open socket for inet6
_XSERVTransOpen: transport open failed for inet6/puppypc30757:10
_XSERVTransMakeAllCOTSServerListeners: failed to open listener for inet6
Initializing built-in extension Generic Event Extension
Initializing built-in extension SHAPE
Initializing built-in extension MIT-SHM
Initializing built-in extension XInputExtension
Initializing built-in extension XTEST
Initializing built-in extension BIG-REQUESTS
Initializing built-in extension SYNC
Initializing built-in extension XKEYBOARD
Initializing built-in extension XC-MISC
Initializing built-in extension SECURITY
Initializing built-in extension XINERAMA
Initializing built-in extension XFIXES
Initializing built-in extension RENDER
Initializing built-in extension RANDR
Initializing built-in extension COMPOSITE
Initializing built-in extension DAMAGE
Initializing built-in extension MIT-SCREEN-SAVER
Initializing built-in extension DOUBLE-BUFFER
Initializing built-in extension RECORD
Initializing built-in extension DPMS
Initializing built-in extension Present
Initializing built-in extension DRI3
Initializing built-in extension X-Resource
Initializing built-in extension XVideo
Initializing built-in extension XVideo-MotionCompensation
Initializing built-in extension SELinux
Initializing built-in extension GLX
[dix] Could not init font path element /usr/share/fonts/X11/misc, removing from list!
[dix] Could not init font path element /usr/share/fonts/X11/cyrillic, removing from list!
[dix] Could not init font path element /usr/share/fonts/X11/100dpi/:unscaled, removing from list!
[dix] Could not init font path element /usr/share/fonts/X11/75dpi/:unscaled, removing from list!
[dix] Could not init font path element /usr/share/fonts/X11/Type1, removing from list!
[dix] Could not init font path element /usr/share/fonts/X11/100dpi, removing from list!
[dix] Could not init font path element /usr/share/fonts/X11/75dpi, removing from list!
syntax error: line 1 of pc
The XKEYBOARD keymap compiler (xkbcomp) reports:
> Error:            Error interpreting include file "pc"
>                   Exiting
>                   Abandoning symbols file "default"
Errors from xkbcomp are not fatal to the X server
/usr/bin/xinit: XFree86_VT property unexpectedly has 0 items instead of 1
JWM: warning: Specified KeySym is not defined for any KeyCode
JWM: warning: modifier not found for keysym 0xffe5
JWM: warning: Specified KeySym is not defined for any KeyCode
JWM: warning: modifier not found for keysym 0xff7f


s243a
Posts: 2580
Joined: Tue 02 Sep 2014, 04:48
Contact:

#12 Post by s243a »

No progress at the keyboard but better integration with the startup files:
my xwin_jwc:

Code: Select all

export HOME=${HOME:-/root}
export NESTDISPLAY=${NESTDISPLAY:-':13'}
export DISPLAY=${DISPLAY:-':0'}
/usr/bin/xinit /root/.xinitrc_jwc -- /usr/bin/Xephyr -ac "$NESTDISPLAY" -screen 1024X768 -reset -terminate -nolisten inet6 #-auth /root/.Xauthority 
-nolisten inet6 gets rid of the error

Code: Select all

_XSERVTransOpen: transport open failed for inet6/puppypc5446:3 
since I don't have IPv6 configured. the "-ac" disables xauth. I will remove (i.e. re-enable) it once I get other stuff working and uncomment out my Xauthority file.

my: ~/.xinitrc_jwc

Code: Select all

set -xv
exec &> /mnt/sdc6/xinitrc_jwc.log
#sleep 1
export DISPLAY=${DISPLAY:-':0'};
NESTDISPLAY=${NESTDISPLAY:-':13'};
export HOME=${HOME:-/root}
WindowManager=${WindowManager:-'jwm'}
userresources=$HOME/.Xresources
usermodmap=$HOME/.Xmodmap
sysresources=/usr/lib/X11/xinit/Xresources
sysmodmap=/usr/lib/X11/xinit/.Xmodmap

# merge in defaults and keymaps
# https://wiki.archlinux.org/index.php/X_resources
if [ -f $sysresources ]; then
    xrdb -retain -display $NESTDISPLAY -merge -nocpp $sysresources
fi

# https://linux.die.net/man/1/xmodmap
if [ -f $sysmodmap ]; then
    xmodmap -display $NESTDISPLAY $sysmodmap
fi

if [ -f $userresources ]; then
    xrdb -retain -display $NESTDISPLAY -merge -nocpp $userresources
fi

if [ -f $usermodmap ]; then
    xmodmap -display $NESTDISPLAY  $usermodmap
fi

[ -f /usr/bin/autocutsel ] && /usr/bin/autocutsel &

if [ -f /root/.fonts/fonts.dir ];then
 xset -display $NESTDISPLAY fp+ /root/.fonts/
fi

setxkbmap  -retain -display $NESTDISPLAY -option keypad:pointerkeys

eval "exec $WindowManager -display $NESTDISPLAY"

I have the "-retain" option in several places. This is needed or the Xserver will restart, and it won't just restart for Xephyr, it will restart for your entire desktop.

Code: Select all

if [ -f $userresources ]; then
    xrdb -retain -display $NESTDISPLAY -merge -nocpp $userresources
fi
None of the other config files exist but the if blocks are there because these are standard things that people would try to configure. See
http://www.tldp.org/HOWTO/XWindow-User- ... ningx.html

Also note that the only above if block that currently gets executed is the userresources one:

Code: Select all

if [ -f $sysresources ]; then
    xrdb -retain -display $NESTDISPLAY -merge -nocpp $sysresources
fi
also note that one feature of startx doesn't seem to be implemented in puppylinux:
Anything after the double dashes are passed as arguments directly to the X server via xinit.
http://www.tldp.org/HOWTO/XWindow-User- ... ningx.html

but I need to verify this.

As a side note, I did find online one hack that might fix the keyboard issue:

Code: Select all

$ setxkbmap -query  
rules:      evdev  
model:      pc105  
layout:     de  
options:    grp:alts_toggle  
$ Xephyr -keybd ephyr,,,xkbmodel=pc105,xkblayout=de,xkbrules=evdev,xkboption=grp:alts_toogle -ac -reset -screen 1672x1022 -retro :50 &
https://superuser.com/questions/209433/ ... ard-layout

I think from reading the above link that I can get the info via setxkbmap -query but maybe then I can use setxkbmap to set this info on my Xephyr display instead of passing in command line arguments to Xephyr as noted in the superuser.com example. This would still probably be a hack, I need to figure out how puppy sets this up.

s243a
Posts: 2580
Joined: Tue 02 Sep 2014, 04:48
Contact:

#13 Post by s243a »

I uploaded what I got so far to pastebin

.xinitrc_jwc
xwin_jwc

keyboard still not working and still getting errors:

Code: Select all

JWM: warning: Specified KeySym is not defined for any KeyCode
JWM: warning: modifier not found for keysym 0xffe5
JWM: warning: Specified KeySym is not defined for any KeyCode
JWM: warning: modifier not found for keysym 0xff7f

** (ROX-Filer:18880): WARNING **: Existing ROX-Filer process is not responding! Try with -n
Warning: Unknown keyboard shortcut: ctrl+space
Warning: Unknown keyboard shortcut: ctrl+shift+space
Warning: Unknown keyboard shortcut: ctrl+grave
Warning: Unknown keyboard shortcut: ctrl+shift+period

** (ROX-Filer:19031): WARNING **: Existing ROX-Filer process is not responding! Try with -n

** (ROX-Filer:19170): WARNING **: Existing ROX-Filer process is not responding! Try with -n


s243a
Posts: 2580
Joined: Tue 02 Sep 2014, 04:48
Contact:

#14 Post by s243a »

The following worked for me:

Code: Select all

/usr/bin/xinit /root/.xinitrc_jwc -- /usr/bin/Xephyr \
  -ac "$NESTDISPLAY" -screen 768X768 -reset -terminate  \
  -nolisten inet6 -keybd ephyr,,,xkbmodel=pc102,xkblayout=us,xkbrules=xorg,xkboption=keypad:pointerkeys,terminate:ctrl_alt_bksp 
https://unix.stackexchange.com/question ... le_rich_qa
https://superuser.com/questions/70428/h ... le_rich_qa

As noted, I'll remove the -ac option and add the .Xauthority option later.

I got the info from:

Code: Select all

root# setxkbmap -query
rules:      xorg
model:      pc102
layout:     us
options:    keypad:pointerkeys,terminate:ctrl_alt_bksp
https://superuser.com/questions/209433/ ... ard-layout

I couldn't get other methods to work using xkbcomp and setxkbmap.
Last edited by s243a on Fri 11 May 2018, 03:00, edited 1 time in total.

s243a
Posts: 2580
Joined: Tue 02 Sep 2014, 04:48
Contact:

#15 Post by s243a »

rufwoof wrote:
s243a wrote:or

Code: Select all

twm &
twm generally is included as part of Xorg so if X is installed more usually twm will be available (Puppy is one of the exceptions). If you use colours for menus it can look/feel reasonable. Celebrated its 30th birthday a few months back so I used it solely for a while in celebration of that. Better suited to mouse heavy style, for laptops - keyboard heavy style cwm is great (at least in OpenBSD). Mostly now however when I connect to the server I just use cli and mc (and scp files between desktop/server). So much so that my OpenBSD install is just the very secure OpenBSD base system + firefox.
I installed twm via the puppy package manager on tahrpup. It kind of gives me nostalgia even though I don't think I ever owned a system that uses it...yet somehow it looks familiar, the way it resizes windows and minimizes icons. I just don't have the foggiest idea where I might have used it before.

It might actually be better in some ways, because when items get small on a taskbar I can't tell what each window is. A menu interface may be preferable to a task bar. Also the task bar won't exist if I use jwm without the desktop (i.e. rox), which might present problems if I minimize a window.

s243a
Posts: 2580
Joined: Tue 02 Sep 2014, 04:48
Contact:

#16 Post by s243a »

So, I got something more working with ssh. Here's a draft tutorial (Will post an actual tutorial when I figure everything out). Right now, I'm doing ssh XForwarding on my local machine and displaying on a Xephyr window. The distribution I'm using is tahrpup. The point of this is to experiment with ssh XForwarding on a single machine, but it could also have applications for setting up chroot environments.

Here are the steps:
1. install openSSH via the puppy package manager.
2. optionally install xauth from the puppy package manager #May not be necessary. Need to experiment more.
3. install Xephyr from the puppy package manager.
4. install twm from the puppy package manager #Not necessary but it will work better for this than jwm.
5. edit /etc/hosts.allow as follows:

Code: Select all

ALL: LOCAL
ALL: 127.0.0.1

the blank line at the end of the file is necessary.
Configure your ssh client and server. My configuration files are:
/etc/ssh/sshd_config #for the server
/etc/ssh/ssh_config #for the client

Click on the above links to see my configuration. My configuration files at this point are fairly permissive because I'm just trying to get things working.

6. Start Xephyr. Here is the script that I created to do so:

Code: Select all

#!/bin/bash
set -xv
exec &> /mnt/sdc6/start_Xephyr.log
export HOME=${HOME:-/root}
export NESTDISPLAY=${NESTDISPLAY:-':10'}
export DISPLAY=${DISPLAY:-':0'}
exec /usr/bin/Xephyr \
  -ac "$NESTDISPLAY" -screen 768X768 -reset -terminate  \
  -nolisten inet6 -keybd ephyr,,,xkbmodel=pc102,xkblayout=us,xkbrules=xorg,xkboption=keypad:pointerkeys,terminate:ctrl_alt_bksp
Use "setxkbmap -query " to adapt the script to your keyboard. Also as noted above for better security remove the -ac option and specify the location of the Xauthority file. However, it might be better to try to make things work first before tightening up the security.

7. Start the ssh server:

Code: Select all

/etc/init.d/ssh start
8. Connect to the ssh server

Code: Select all

ssh -Y root@127.0.0.1
Either the -Y or -X option should work to give X11 Forwarding but in my case it isn't doing anything because I get this error:

Code: Select all

Warning: No xauth data; using fake authentication data for X11 forwarding.
X11 forwarding request failed on channel 0
You can try doing the following before logging in with ssh

Code: Select all

export DISPLAY=:10
but this didn't work for me. All is not lost. Make sure the display variable is set with the above export statement and then type

Code: Select all

twm & #if you want you can use a different window manager such as jwm but twm is better here. 
and hit enter twice.

It seems that in an ssh shell I have to start the window manager first but if I do it in a regular console the order doesn't seem to matter. You can now start other apps:

Code: Select all

geany &
or

Code: Select all

rox &
I'll figure out later how to start them without having to press enter twice.
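Step 6 above keeps `-ac` until things work. As an added example (not the poster's script), this is one way to replace it with a cookie file and to check an X server command line for the settings discussed in this thread; the display `:10`, the cookie file path and every function name are assumptions.

```shell
#!/bin/sh
# Added example, not code from the thread. Display :10, the cookie file path
# and all function names are assumptions chosen for illustration.

NESTDISPLAY=${NESTDISPLAY:-:10}
NEST_XAUTH=${NEST_XAUTH:-${HOME:-/root}/.Xauthority.nested}

# 128 random bits as 32 hex characters (the usual MIT-MAGIC-COOKIE-1 size).
new_cookie() {
    od -An -N16 -tx1 /dev/urandom | tr -d ' \n'
}

# Accept only local display names of the form ":N" or ":NN".
valid_local_display() {
    case $1 in
        :[0-9]|:[0-9][0-9]) return 0 ;;
        *) return 1 ;;
    esac
}

# Print one finding per weak access-control setting in an X server command
# line passed as arguments. Prints nothing when none is found.
lint_x_args() {
    lx_ac=0; lx_auth=0; lx_tcp_off=0; lx_prev=
    for lx_arg in "$@"; do
        case $lx_arg in
            -ac)   lx_ac=1 ;;
            -auth) lx_auth=1 ;;
            tcp)   if [ "$lx_prev" = -nolisten ]; then lx_tcp_off=1; fi ;;
        esac
        lx_prev=$lx_arg
    done
    if [ "$lx_ac" = 1 ]; then
        echo "-ac: host-based access control is disabled for every client"
    fi
    if [ "$lx_auth" = 0 ]; then
        echo "no -auth: the server has no cookie file to check clients against"
    fi
    if [ "$lx_tcp_off" = 0 ]; then
        echo "no '-nolisten tcp': the server may accept TCP connections"
    fi
    return 0
}

# Create a cookie file, store one cookie for the nested display, and start
# Xephyr so that it enforces that cookie. Xephyr draws on the display named
# by the caller's DISPLAY (for example :0).
start_nested() {
    valid_local_display "$NESTDISPLAY" || {
        echo "bad display: $NESTDISPLAY" >&2
        return 1
    }
    # The cookie is a shared secret: create the file readable by its owner only.
    ( umask 077 && : > "$NEST_XAUTH" ) || return 1
    xauth -f "$NEST_XAUTH" add "$NESTDISPLAY" . "$(new_cookie)" || return 1
    Xephyr "$NESTDISPLAY" -auth "$NEST_XAUTH" -nolisten tcp \
        -screen 768x768 -reset -terminate &
    # Clients must present the same cookie to be let in.
    echo "clients: XAUTHORITY=$NEST_XAUTH DISPLAY=$NESTDISPLAY twm &"
}

# Only start a server when asked to, so the file can also be sourced.
if [ "${START_NESTED:-0}" = 1 ]; then
    start_nested
fi
```

Running `lint_x_args` on the arguments from step 6 reports all three findings; the command line built in `start_nested` reports none.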

s243a
Posts: 2580
Joined: Tue 02 Sep 2014, 04:48
Contact:

#17 Post by s243a »

Some notes for me. You can see which ports are being used by X11 as follows:

Code: Select all

root# netstat -atunp
Proto Recv-Q Send-Q Local Address  Foreign Address  State   PID/Program name
tcp        0      0 0.0.0.0:6010   0.0.0.0:*        LISTEN  24423/Xephyr
https://askubuntu.com/questions/90920/x ... -listening

I was able to solve some errors with xauth by adding
to ~/.profile the following:

Code: Select all

case $DISPLAY:$XAUTHORITY in
  :*:?*)
    # DISPLAY is set and points to a local display, and XAUTHORITY is
    # set, so merge the contents of `$XAUTHORITY` into ~/.Xauthority.
    XAUTHORITY=~/.Xauthority xauth merge "$XAUTHORITY";;
esac
https://unix.stackexchange.com/question ... 0126#10126

If I start Xephyr on display :10 ssh forwarding seems to use the next available display for the forwarding. So if my sshoffset is 10, then DISPLAY=:11 would be the next available. The display variable looks like this

Code: Select all

echo "$DISPLAY"
puppypc25156:11.0
which is in the format (HOSTNAME:DISPLAY:SCREEN).

This isn't a valid format for the display input to Xephyr. Rather Xephyr should be called like

Code: Select all

Xephyr :11
if we actually wanted to use display 11, which we don't. One could get the host name as follows:

Code: Select all

NESTDISPLAY=":${DISPLAY##*:}"
and IP address as follows:

Code: Select all

# NESTDISPLAY starts with ':' so its host part is empty; take the host from DISPLAY instead
IP_Addr=$(getent -i hosts "${DISPLAY%%:*}" | cut -d$' ' -f1)
https://serverfault.com/questions/49850 ... -etc-hosts
Note that the host command won't work because it doesn't look in your host file. Instead it does a direct DNS lookup, and even if you installed either bind or dig, the host command won't work because the libgost.so library is missing from the openssh package in tahrpup. This can be fixed by installing libssl1.0.0 from ubuntu.com but as I noted wouldn't be what we want anyway.
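The `DISPLAY` value and the `netstat` output from the post above, worked through in an added example that is not part of the original post: it splits a display name into host, display number and screen, derives the socket a client would use, and flags X11-range listeners that are not bound to loopback. The port range 6000-6063, the function names and all sample lines except the Xephyr one are assumptions or constructed.

```shell
#!/bin/sh
# Added example, not code from the thread. Function names are hypothetical.

# Split "host:display.screen" and print: host display screen endpoint.
# An empty host (":10") or "unix" means the local unix socket; any other
# host means TCP port 6000 + display number.
parse_display() {
    pd_in=$1
    case $pd_in in
        *:*) ;;
        *) return 1 ;;
    esac
    pd_host=${pd_in%:*}      # text before the last colon, may be empty
    pd_rest=${pd_in##*:}     # "11.0" or "11"
    pd_num=${pd_rest%%.*}
    case $pd_rest in
        *.*) pd_screen=${pd_rest#*.} ;;
        *)   pd_screen=0 ;;
    esac
    # Reject empty, non-numeric and zero-padded display numbers.
    case $pd_num in
        ''|*[!0-9]*|0?*) return 1 ;;
    esac
    if [ -z "$pd_host" ] || [ "$pd_host" = unix ]; then
        echo "local $pd_num $pd_screen unix:/tmp/.X11-unix/X$pd_num"
    else
        echo "$pd_host $pd_num $pd_screen tcp:$pd_host:$((6000 + pd_num))"
    fi
}

# Read `netstat -atunp` output on stdin and print one line per listening
# TCP socket in the assumed X11 range 6000-6063, marked loopback or EXPOSED.
audit_x_listeners() {
    awk '
    $1 ~ /^tcp/ && $6 == "LISTEN" {
        n = split($4, a, ":")
        port = a[n] + 0
        if (port < 6000 || port > 6063) next
        # Local address without the trailing ":port" (also works for tcp6).
        addr = substr($4, 1, length($4) - length(a[n]) - 1)
        scope = (addr == "127.0.0.1" || addr == "::1") ? "loopback" : "EXPOSED"
        printf "%s display=:%d port=%d addr=%s prog=%s\n", \
               scope, port - 6000, port, addr, $7
    }'
}

# Sample input: the Xephyr line is the one quoted in the post, the other
# data lines are constructed for this example.
sample_netstat() {
    cat <<'EOF'
Proto Recv-Q Send-Q Local Address  Foreign Address  State   PID/Program name
tcp        0      0 0.0.0.0:6010   0.0.0.0:*        LISTEN  24423/Xephyr
tcp        0      0 127.0.0.1:6011 0.0.0.0:*        LISTEN  24500/sshd
tcp        0      0 0.0.0.0:22     0.0.0.0:*        LISTEN  1200/sshd
tcp6       0      0 ::1:6012       :::*             LISTEN  24600/sshd
EOF
}

parse_display 'puppypc25156:11.0'
sample_netstat | audit_x_listeners
```

On a live system, pipe the real output in instead: `netstat -atunp | audit_x_listeners`.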
