HPE Community read-only access December 15, 2018
This is a maintenance upgrade. You will be able to read articles and posts, but not post or reply.
Hours:
Dec 15, 4:00 am to 10:00 am UTC
Dec 14, 10:00 pm CST to Dec 15, 4:00 am CST
Dec 14, 8:00 pm PST to Dec 15, 2:00 am PST
Operating System - OpenVMS
cancel
Showing results for 
Search instead for 
Did you mean: 

X11 forwarding problem

 
SOLVED
Go to solution

X11 forwarding problem

hi,

X11 forwarding is a standard feature in SSH v2.
According to the TCPIP/SSH manual it is configured by setting AllowX11Forwarding yes
in SYS$SYSDEVICE:[TCPIP$SSH.SSH2]SSHD2_CONFIG.; config file.

Now ssh v2 sessions should have X11 forwarding supported - it means that X applications should be tunnelled over SSH connection to client host X display.

It is important to note that DISPLAY should not be set. It will cause that X communication will not go through SSH tunnel, but beside, and will be unencrypted.

DEC AXPVMS TCPIP V5.4-15 on an OpenVMS V7.3-2 works as it should during initial SSH session:

ALPHAF_ZAY_PRIV $ sh disp
%DECW-W-OPENIN, error opening alphaf.essnet.se:13.0 as input -SYSTEM-F-IVDEVNAM, invalid device name

Even if display reports warning. DISPLAY is "valid" and it is possible top start some X application. For example:

ALPHAF_ZAY_PRIV $ cre/term/deta

Let examine the DISPLAY variable in new, child window:

ALPHAF_ZAY_PRIV $ sh disp
%DECW-W-OPENIN, error opening DECW$DISPLAY as input -SYSTEM-W-NOSUCHDEV, no such device available

There is no DISPLAY. It was not inherited from parent session, therefore next attempt will fail:

ALPHAF_ZAY_PRIV $ cre/term/deta
%DECW-E-CANT_OPEN_DISPL, Can't open display

If we set up DISPLAY in child session, then it is possible to use X applications, but they go unencrypted beside the SSH tunnel.

This behaviour is always reproducible and cause serious security problems dfor sensitive X applications.

Do I something wrong or it is "just" a bug?

Thank you in advance.

Regards, Z
2 REPLIES
Martin Kirby
Advisor
Solution

Re: X11 forwarding problem

I can explain some of the DECwindows behaviour.

>ALPHAF_ZAY_PRIV $ sh disp
>%DECW-W-OPENIN, error opening alphaf.essnet.se:13.0 as input -SYSTEM-F-IVDEVNAM, invalid device name

If you do a SHOW LOGICAL DECW$DISPLAY I expect you will see it defined as

"alphaf.essnet.se:13.0"

DECwindows allows you to use DECW$DISPLAY as either a WS* display device or a string. The SHOW DISPLAY command only copes with display devices and not string format.

It looks like starting a terminal won't pass a display logical as string to the created terminal.

If you do a:

SET DISPLAY/CREATE/NODE=alphaf.essnet.se/server=13/screen=0
then you should be connected through the secure channel thereafter.

You will need a command file that can parse the display string into its parts to set this display device since the server number may vary between invocations.

Regards,

Martin Kirby

Re: X11 forwarding problem

Thank you... it works as you described.

Regards, Z