SSH Tunneling of X protocol from non-interactive session - Linux

Hallo,

I need to forward X terminal through the firewall from non-interactive
session.


Situation:
M - my computer
F - firewall
C - cluster with application

M --- F ---- C

The final point is to run a X application on C from a queuing system and
display on M.

First setup simple test. I am sitting at M. I would like to open tunnel
from C to M tunneling X protocol.

M> xhost +
M> ssh -x C
C> ssh -L6001:localhost:6000 M

Now I try to run application on C and forward the X protocol to M. Open
another termimal (still leaving the tunnel opened) and

M> ssh -x C
C> export DISPLAY=C:1
C> xterm

and error message appear:
xterm Xt error: Can't open display: C:1

Does anybody know why? Is there a problem with authorization? On M all
the connections are allowed (it was xhost +).

If this would work I would write a script creating tunnel from C to M
and running the application on C with display C:1 forwarded to M. When
the script is executed terminal would open on my desktop...


Thanks for all the help!!!



Jiri


P.S.: I use OpenSSH_3.7.1p2, however I don't think it is important...

Dobes Jiri wrote:

> Hallo,
>
> I need to forward X terminal through the firewall from non-interactive
> session.
>
>
> Situation:
> M - my computer
> F - firewall
> C - cluster with application
>
> M --- F ---- C
>
> The final point is to run a X application on C from a queuing system
> and display on M.
>
> First setup simple test. I am sitting at M. I would like to open
> tunnel from C to M tunneling X protocol.
>
> M> xhost +
> M> ssh -x C
> C> ssh -L6001:localhost:6000 M
>
> Now I try to run application on C and forward the X protocol to M.
> Open another termimal (still leaving the tunnel opened) and
>
> M> ssh -x C
> C> export DISPLAY=C:1
> C> xterm
>
> and error message appear:
> xterm Xt error: Can't open display: C:1
>
> Does anybody know why? Is there a problem with authorization? On M all
> the connections are allowed (it was xhost +).
>
> If this would work I would write a script creating tunnel from C to M
> and running the application on C with display C:1 forwarded to M. When
> the script is executed terminal would open on my desktop...
>
>
> Thanks for all the help!!!
>
>
>
> Jiri
>
>
> P.S.: I use OpenSSH_3.7.1p2, however I don't think it is important...
>

First remark: why exactly do you want to forward the X connection
manually instead of letting ssh do the dirty work (M>ssh -Y C) ? You
lose the encryption.
Second: Are you sure that X is listening on localhost:6000 on M ? It
might be possible that the X server was launched with the -nolisten flag.

Mihai

Mihai Osian wrote:

> Dobes Jiri wrote:
>
>> Hallo,
>>
>> I need to forward X terminal through the firewall from
>> non-interactive session.
>>
>>
>> Situation:
>> M - my computer
>> F - firewall
>> C - cluster with application
>>
>> M --- F ---- C
>>
>> The final point is to run a X application on C from a queuing system
>> and display on M.
>>
>> First setup simple test. I am sitting at M. I would like to open
>> tunnel from C to M tunneling X protocol.
>>
>> M> xhost +
>> M> ssh -x C
>> C> ssh -L6001:localhost:6000 M
>>
>> Now I try to run application on C and forward the X protocol to M.
>> Open another termimal (still leaving the tunnel opened) and
>>
>> M> ssh -x C
>> C> export DISPLAY=C:1
>> C> xterm
>>
>> and error message appear:
>> xterm Xt error: Can't open display: C:1
>>
>> Does anybody know why? Is there a problem with authorization? On M
>> all the connections are allowed (it was xhost +).
>>
>> If this would work I would write a script creating tunnel from C to M
>> and running the application on C with display C:1 forwarded to M.
>> When the script is executed terminal would open on my desktop...
>>
>>
>> Thanks for all the help!!!
>>
>>
>>
>> Jiri
>>
>>
>> P.S.: I use OpenSSH_3.7.1p2, however I don't think it is important...
>>
>
> First remark: why exactly do you want to forward the X connection
> manually instead of letting ssh do the dirty work (M>ssh -Y C) ? You
> lose the encryption.

Ah, sorry. I was dreaming - please ignore the "missing encryption".

> Second: Are you sure that X is listening on localhost:6000 on M ? It
> might be possible that the X server was launched with the -nolisten flag.
>
> Mihai

Crosspost deleted and followups set to comp.windows.x

In comp.windows.x Dobes Jiri wrote:

> M> ssh -x C

This disables X fordwarding not enables it.

You need

M> ssh -Y C

This enables trusted X11 forwarding.

Using -X enables untrusted forwarding and things like copy and paste won't
work.

You do not need xhost+ and you do not need to se the display environment
variable and you do not need to explictly forward the X ports.

On C you should get something like

C> echo $DISPLAY
localhost:18.0

If you then do

C> xterm &

It should display on the X server running on M.

-p
--
"What goes up must come down, ask any system administrator"
--------------------------------------------------------------------

Mihai Osian wrote:
> Mihai Osian wrote:
>
>> Dobes Jiri wrote:
>>
>>> Hallo,
>>>
>>> I need to forward X terminal through the firewall from
>>> non-interactive session.
>>>
>>>
>>> Situation:
>>> M - my computer
>>> F - firewall
>>> C - cluster with application
>>>
>>> M --- F ---- C
>>>
>>> The final point is to run a X application on C from a queuing system
>>> and display on M.
>>>
>>> First setup simple test. I am sitting at M. I would like to open
>>> tunnel from C to M tunneling X protocol.
>>>
>>> M> xhost +
>>> M> ssh -x C
>>> C> ssh -L6001:localhost:6000 M
>>>
>>> Now I try to run application on C and forward the X protocol to M.
>>> Open another termimal (still leaving the tunnel opened) and
>>>
>>> M> ssh -x C
>>> C> export DISPLAY=C:1
>>> C> xterm
>>>
>>> and error message appear:
>>> xterm Xt error: Can't open display: C:1
>>>
>>> Does anybody know why? Is there a problem with authorization? On M
>>> all the connections are allowed (it was xhost +).
>>>
>>> If this would work I would write a script creating tunnel from C to M
>>> and running the application on C with display C:1 forwarded to M.
>>> When the script is executed terminal would open on my desktop...
>>>
>>>
>>> Thanks for all the help!!!
>>>
>>>
>>>
>>> Jiri
>>>
>>>
>>> P.S.: I use OpenSSH_3.7.1p2, however I don't think it is important...
>>>
>>
>> First remark: why exactly do you want to forward the X connection
>> manually instead of letting ssh do the dirty work (M>ssh -Y C) ?


I cannot use -X or -Y option, because I have to run *noninteractivelly*
from computer C to display M. I plan to sumbmit script like

export DISPLAY=C:1
xterm -e gdb my_executable

while there is a open tunnel from C:6001 to M:6000.

It is because C is a 50 nodes cluster and I need to run debuging job in
a parallel enviroment. I don't sit on front of the C, but at terminal M,
it is 1000 km away [700 miles]. Normally, you have to prepare script on
C, submit the script using PBS system and when the cluster is free
[usually imediatelly] the job starts. When the job starts, I would like
it to open terminal with the debugger on my computer M and I can start
to debug interactivelly. I was doing that, but there is a firewall now
and I don't know how to work it out.

>> Second: Are you sure that X is listening on localhost:6000 on M ? It
>> might be possible that the X server was launched with the -nolisten
flag.

It should be listening. The X is running with
/usr/X11R6/bin/X vt7 -auth /var/lib/xdm/authdir/authfiles/A:0-qCOhba
I can go to another machine, point display to M:0.0 and open a terminal.
How can I recognise on which port does it listen (it should be 6000
normally). netstat -a gives me this line:
tcp 0 0 *:x11 *:* LISTEN

Any idea?

Jiri

Dobes Jiri wrote:

> Mihai Osian wrote:
>
>> Mihai Osian wrote:
>>
>>> Dobes Jiri wrote:
>>>
>>>> Hallo,
>>>>
>>>> I need to forward X terminal through the firewall from
>>>> non-interactive session.
>>>>
>>>>
>>>> Situation:
>>>> M - my computer
>>>> F - firewall
>>>> C - cluster with application
>>>>
>>>> M --- F ---- C
>>>>
>>>> The final point is to run a X application on C from a queuing
>>>> system and display on M.
>>>>
>>>> First setup simple test. I am sitting at M. I would like to open
>>>> tunnel from C to M tunneling X protocol.
>>>>
>>>> M> xhost +
>>>> M> ssh -x C
>>>> C> ssh -L6001:localhost:6000 M
>>>>
>>>> Now I try to run application on C and forward the X protocol to M.
>>>> Open another termimal (still leaving the tunnel opened) and
>>>>
>>>> M> ssh -x C
>>>> C> export DISPLAY=C:1
>>>> C> xterm
>>>>
>>>> and error message appear:
>>>> xterm Xt error: Can't open display: C:1
>>>>
>>>> Does anybody know why? Is there a problem with authorization? On M
>>>> all the connections are allowed (it was xhost +).
>>>>
>>>> If this would work I would write a script creating tunnel from C to
>>>> M and running the application on C with display C:1 forwarded to M.
>>>> When the script is executed terminal would open on my desktop...
>>>>
>>>>
>>>> Thanks for all the help!!!
>>>>
>>>>
>>>>
>>>> Jiri
>>>>
>>>>
>>>> P.S.: I use OpenSSH_3.7.1p2, however I don't think it is important...
>>>>
>>>
>>> First remark: why exactly do you want to forward the X connection
>>> manually instead of letting ssh do the dirty work (M>ssh -Y C) ?
>>
>
>
> I cannot use -X or -Y option, because I have to run
> *noninteractivelly* from computer C to display M. I plan to sumbmit
> script like
>
> export DISPLAY=C:1
> xterm -e gdb my_executable
>
> while there is a open tunnel from C:6001 to M:6000.
>
> It is because C is a 50 nodes cluster and I need to run debuging job
> in a parallel enviroment. I don't sit on front of the C, but at
> terminal M, it is 1000 km away [700 miles]. Normally, you have to
> prepare script on C, submit the script using PBS system and when the
> cluster is free [usually imediatelly] the job starts. When the job
> starts, I would like it to open terminal with the debugger on my
> computer M and I can start to debug interactivelly. I was doing that,
> but there is a firewall now and I don't know how to work it out.
>
> >> Second: Are you sure that X is listening on localhost:6000 on M ? It
> >> might be possible that the X server was launched with the -nolisten
> flag.
>
> It should be listening. The X is running with
> /usr/X11R6/bin/X vt7 -auth /var/lib/xdm/authdir/authfiles/A:0-qCOhba
> I can go to another machine, point display to M:0.0 and open a
> terminal. How can I recognise on which port does it listen (it should
> be 6000 normally). netstat -a gives me this line:
> tcp 0 0 *:x11 *:* LISTEN
>
> Any idea?
>
> Jiri



Humm... One question, regarding the following line:
C> export DISPLAY=C:1
"C:1" might refer to C's external IP address, while the ssh tunnel is
made to the loopback address (localhost:6000 on C). Once the tunnel is
setup, can you run "telnet localhost:60001" on C and get a successful
connection ? If you can not, then try this:
C> export DISPLAY=localhost:1
and see what happens.

Mihai

: Dobes Jiri
: I cannot use -X or -Y option, because I have to run
: *noninteractivelly* from computer C to display M. I plan to sumbmit
: script like
:
: export DISPLAY=C:1 xterm -e gdb my_executable
:
: while there is a open tunnel from C:6001 to M:6000.

But all -X or -Y do, when going from M to C, is open
a tunnel from (typically) C:6010 to (typically) M:6000.
Plus handle xauth protocol; without that, you'd need
to do xauth processing "by hand".

So, since you will be running an ssh session to keep
the tunnel open, why not just run an ssh session and keep
the same tunnel open with -X?

Possibly, because you don't want to have a shell left running on C? You
could use some other innocuous process rather than a shell; that might
not work with -N, though.

In any event, if you are launching the debug by a non-interactive
process, and then rendezvousing with it later, I'd suggest using
Xvnc, (or Xvfb with x11vnc or the like), so that the debugging session
could launch its own X server, rather than just a proxy. This has
the advantage that if the network goes down, you can reconnect to
your debugging session.

So. On C, to start the debugger, something like

Xvnc :1 &
env DISPLAY=:1 xterm -e gdb my_executable &

(though possibly you may also want to run a window manager),
and then on M, you use vncviewer with -via, or an explicit ssh tunnel
and vncviewer to localhost, to rendezvous with the debugger. You may
also want to use some other Xvnc options, such as -auth and -rfbauth for
authentication and passwords, and -localhost to encourage use of
tunneling and encryption. Or possibly use the vncserver script to
launch the Xvnc.

Pros: you can reconnect, you can collaborate, you don't need to launch
the debugger while you have the tunnel running, your X services are done
locally with much lower latency.

Cons: the server must have Xvnc installed, what's transported to
the remote site is a bitmap, you are consuming more resources on C.

Note, of course, that if you are using gdb, you could launch it
under "screen" also, and wouldn't need X at all; depends on what
else you'd be using X for, but if you run an xterm on M, then an
ssh session to reach M, then screen -r to attach to the existing
gdb session, you'd have the same capabilities as if you
were running the xterm on M displaying to C, but less data
would be going between M and C.


Wayne Throop throopw@sheol.org http://sheol.org/throopw

Dobes Jiri wrote:
> Hallo,
>
> I need to forward X terminal through the firewall from non-interactive
> session.
>
>
> Situation:
> M - my computer
> F - firewall
> C - cluster with application
>
> M --- F ---- C
>
> The final point is to run a X application on C from a queuing system and
> display on M.
>
> First setup simple test. I am sitting at M. I would like to open tunnel
> from C to M tunneling X protocol.
>
> M> xhost +
> M> ssh -x C
> C> ssh -L6001:localhost:6000 M
>
> Now I try to run application on C and forward the X protocol to M. Open
> another termimal (still leaving the tunnel opened) and
>
> M> ssh -x C
> C> export DISPLAY=C:1
> C> xterm
>
> and error message appear:
> xterm Xt error: Can't open display: C:1
>
> Does anybody know why? Is there a problem with authorization? On M all
> the connections are allowed (it was xhost +).
>
> If this would work I would write a script creating tunnel from C to M
> and running the application on C with display C:1 forwarded to M. When
> the script is executed terminal would open on my desktop...
>
>
> Thanks for all the help!!!
>
>
>
> Jiri
>
>
> P.S.: I use OpenSSH_3.7.1p2, however I don't think it is important...
>

I remember my network admin having to alter the router configuration to
get X to work through the router. I'm not sure if this is an intranet or
internet solution. Mine was a intranet solution and I had to get the
network admin to enable the route of the "xdmcp" protocol for it to
work! I assume you firewall has to be setup to pass this protocol as well!

After that it worked with the xhost and DISPLAY solutions. Here are the
services in question;

xdmcp 177/tcp # X Display Mgr. Control Proto
xdmcp 177/udp