[vox-tech] Exporting displays

Karsten M. Self kmself at ix.netcom.com
Thu Mar 17 13:28:27 PST 2005 

on Wed, Mar 16, 2005 at 10:42:41PM -0800, Mark K. Kim (lugod at cbreak.org) wrote:
> On Wed, 16 Mar 2005, John Wojnaroski wrote:
> [snip]
> > I'm trying to login into a remote host and have the host export the screen
> > display back to my machine
> [snip]
> > "export DISPLAY=my_ip_address:0.0"  returns something like "Xlib: client is
> > not authorized to connect to server" which seems to indicate that something
> > is missing or lacking on the local machine.  Any suggestions where to look?
> [snip]
> 
> That'll work except your local computer isn't letting the connection
> through for security reasons.  On your *local* computer, type this:
> 
>    $xhost +

BAD MARK.  NO DONUT.  OR COOKIE.

Please do NOT suggest people try this, particularly...
 
> *but* this will work only if your local computer is connected directly to
> the Internet.

...on live Internet connections.


Fortunately, most modern X servers toss a few additional roadbumps in
front of idiots trying to attempt this.  I'm not going to detail these
here, and would appreciate if nobody else does.  The act of Googling for
the workarounds is itself an exercise which might educate same as to why
this is a blatently *STUPID* idea and grossly incompetent advice.
 
> The better way is to use ssh with the -X option to connect to the remote
> computer in the first place.  

This should be your only answer.

> Not only does ssh setup the X forwarding for
> you automatically (not need to do "export blah blah" or "xhost blah blah"
> or be concerned about not being connected directly to the Internet), but
> your connection will be secure.  But this works only if the remote
> computer has a ssh server with X forwarding enabled, which it is by
> default on most systems I've seen.  

Not, FYI, Debian.  Not sure of Ubuntu, haven't checked yet.  I've got
access to 9.x builds of MDK and SuSE to look at as well.

> The drawback is the connection will be a little slower than it would
> be on an insecure system, but it shouldn't be noticeable under most
> circumstances.

More specifically:  video and multimedia performance will likely be
unsatisfactory (flash, DVD viewing, etc.).  There's too much processing
overhead.

The '-C' option compresses the data (this actually _increases_ latency,
but decreases total bandwith requirements and may speed systems on slow
links).  Using a fast cipher (Blowfish) can alleviate problems,
particularly on slower hardware.  Hardware lacking an FPU (floating
point (processing) unit) will perform _far_ worse than those with.

Use of lbxproxy may also provide performance benefits in some
configurations (slow links).


Peace.

-- 
Karsten M. Self <kmself at ix.netcom.com>        http://kmself.home.netcom.com/
 What Part of "Gestalt" don't you understand?
    MX Radio - With Bob Edwards, who needs NPR?       http://www.xmradio.com/
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 189 bytes
Desc: Digital signature
Url : http://ns1.livepenguin.com/pipermail/vox-tech/attachments/20050317/a783edb8/attachment.bin

More information about the vox-tech mailing list