Operating System - OpenVMS
Showing results for 
Search instead for 
Did you mean: 

X11 forwarding problem

Go to solution

X11 forwarding problem


X11 forwarding is a standard feature in SSH v2.
According to the TCPIP/SSH manual it is configured by setting AllowX11Forwarding yes

Now ssh v2 sessions should have X11 forwarding supported - it means that X applications should be tunnelled over SSH connection to client host X display.

It is important to note that DISPLAY should not be set. It will cause that X communication will not go through SSH tunnel, but beside, and will be unencrypted.

DEC AXPVMS TCPIP V5.4-15 on an OpenVMS V7.3-2 works as it should during initial SSH session:

%DECW-W-OPENIN, error opening alphaf.essnet.se:13.0 as input -SYSTEM-F-IVDEVNAM, invalid device name

Even if display reports warning. DISPLAY is "valid" and it is possible top start some X application. For example:

ALPHAF_ZAY_PRIV $ cre/term/deta

Let examine the DISPLAY variable in new, child window:

%DECW-W-OPENIN, error opening DECW$DISPLAY as input -SYSTEM-W-NOSUCHDEV, no such device available

There is no DISPLAY. It was not inherited from parent session, therefore next attempt will fail:

ALPHAF_ZAY_PRIV $ cre/term/deta
%DECW-E-CANT_OPEN_DISPL, Can't open display

If we set up DISPLAY in child session, then it is possible to use X applications, but they go unencrypted beside the SSH tunnel.

This behaviour is always reproducible and cause serious security problems dfor sensitive X applications.

Do I something wrong or it is "just" a bug?

Thank you in advance.

Regards, Z
Martin Kirby

Re: X11 forwarding problem

I can explain some of the DECwindows behaviour.

>ALPHAF_ZAY_PRIV $ sh disp
>%DECW-W-OPENIN, error opening alphaf.essnet.se:13.0 as input -SYSTEM-F-IVDEVNAM, invalid device name

If you do a SHOW LOGICAL DECW$DISPLAY I expect you will see it defined as


DECwindows allows you to use DECW$DISPLAY as either a WS* display device or a string. The SHOW DISPLAY command only copes with display devices and not string format.

It looks like starting a terminal won't pass a display logical as string to the created terminal.

If you do a:

SET DISPLAY/CREATE/NODE=alphaf.essnet.se/server=13/screen=0
then you should be connected through the secure channel thereafter.

You will need a command file that can parse the display string into its parts to set this display device since the server number may vary between invocations.


Martin Kirby

Re: X11 forwarding problem

Thank you... it works as you described.

Regards, Z