I love a command line. It's numerous advantages over GUI is hard to list, but there are situations, where you need a remote X Windows connection. I've been asked many times by my colleagues, how to set up remote X Windows (X11, as the most recent version of X Windows is 11) on AIX, why it doesn't work, etc.
Basic overview of X11 Windows architecture
X11 is a client / server architecture. You need to know two things:
- an application e.g. xclock is an X11 client
- the application's content is displayed by an X11 server
Anyway, some people are confused here: I'm connecting to an AIX server using ssh/telnet, thus my workstation is an ssh/telnet client. What do I have to run on my local machine: an X11 client or an X11 server? You obviously need to install and run an X11 server on your local workstation. If you run e.g. xclock on a remote machine (AIX), that's an X11 client.
Let's have a quick look at a connection between an X11 client and an X11 server. The connection can be a unix socket or TCP/IP. The socket is used, when the client and the server run on the same machine, which is not our case. Remote X Windows connection is using the TCP/IP. To tell the client, where the X11 server runs, you need to set up a DISPLAY environment variable. By default an X11 server listens on port 6000. You can have more X server instances, but that's out of the topic.
Your workstation
If you want to display a program on your local workstation, that is running on a remote AIX, you need to install and run an X server locally. If you run Linux on your workstation and you're reading this in a browser, you're done. On Windows there is a few X servers; some are commercial, some are free. Very popular is Xming, I use Cygwin.
A quick Cygwin howto:
- Install Cygwin from www.cygwin.org
- select at least the following extra packages: xorg-server xinit xauth xclock xterm xhost
- Make an entry in your Startup folder:
C:\cygwin64\bin\run.exe --quote /usr/bin/bash.exe -l -c "xinit
/etc/X11/xinit/startxwinrc -- /usr/bin/XWin :0 -multiwindow
-multiplemonitors -listen tcp -auth"
Start the X11 server from the Startup folder and from a Windows command line check, if it's listening for TCP/IP connection on port 6000:
C:\Users\IBM_ADMIN>netstat -atn | findstr 6000
TCP 0.0.0.0:6000 0.0.0.0:0 LISTENING InHost
TCP [::]:6000 [::]:0 LISTENING InHost
If you see the output like this, you're done with your workstation.
Remote AIX server
An X Windows minimum installation includes filesets: X11.base.lib X11.base.rte X11.apps.config. I suggest to install X11.apps.clients too, that contains xclock program. By running this program I check the time, and of course the X11 setup. For an X11 client to run, it needs to establish TCP/IP connection to your X11 server. You can do this directly or you can tunnel the connection.
Direct X11 TCP/IP connection
The simplest scenario. It works, if there is no firewall blocking port 6000 to your workstation and there is no NAT. Try to ping your workstation from the AIX server, and if it works, try telnet to port 6000 to your workstation. If everything is fine, set the DISPLAY variable to an IP address of your workstation, for example export DISPLAY=192.168.0.100:0. On your workstation, allow the IP address of the AIX server to open an X11 session using xhost + <ip_address_of_the_aix_server>. Run xclock on AIX and enjoy.
SSH X11 port forwarding
This is the way professionals do it, as ssh is installed by default on AIX now. Advantages:
- you do not care about network infrastructure, VPNs, NATs and firewalls between you and the target server. All you need is a working ssh connection
- you do not care about DISPLAY anymore
- X11 session is automatically authenticated
- X11 session is automatically encrypted
On the AIX check, that ssh X11 forwarding requests are allowed:
# grep X11Forwarding /etc/ssh/sshd_config
X11Forwarding yes
If it's necessary, change the value and restart the ssh service. You can do it while you're logged in, your current ssh session will not be dropped. Keep in mind, that the ssh X11 forwarding will apply only to new ssh sessions, that are opened with X forwarding.
stopsrc –s sshd; sleep 2; startsrc –s sshd
Now set the X11 forwarding on your workstation. If you have an command line ssh client e.g. as part of Cygwin, run ssh -X <server_ip> to log in. If you use Putty, check that X11 forwarding is set for your session and don't forget to save the change. For other ssh clients check a documentation (or browse through all the session settings, as pros do....)
After you log in, check the DISPLAY and authentification value. If it is as on an example below, run xclock and enjoy.
# echo $DISPLAY
DISPLAY=localhost:10
# xauth list
server/unix:10 MIT-MAGIC-COOKIE-1 6299564796e4cf089e38619a354cfdcc
Note: If you open more ssh sessions to one host, with the X11 forwarding turned on, every session will have different offset number in the DISPLAY variable. The offset number is the one after a colon, e.g. 10 in the example above.
Issues
A few FAQ's I'm being asked
I run xclock, but it hangs out and does not display anything
- X11 windows usually opens underneath other windows. Check again.
- A DISPLAY variable is not set or is set incorrectly. In this case it takes few minutes for an application to terminate.
- The X11 server is not running on your local machine.
I use ssh the X11 forwarding, but the DISPLAY variable is not set
- Check X11Forwarding directive in sshd_config
- Check that ssh client has X11 forwarding option set
- The AIX machine is missing xauth programm. Install X11.apps.config fileset.
- There are some older OpenSSH or OpenSSL versions that are buggy. I have had issues with OpenSSH versions 4.6.X, OpenSSH_4.3p2, OpenSSL 0.9.7l 28
Everything looks OK, still X11 doesn't work
I found an issue somehow related to TCPv6, I think ssh tries to open a new channel for X11 forwarding using TCPv6. Try to set
#AddressFamily any
to
AddressFamily inet
and restart
I'm getting xauth errors immediately after logon
If you get an error after you log in with ssh X11 forwarding on, that looks like this one (the string in quotes can be different):
/usr/bin/X11/xauth: (stdin):1: 1356-373 unknown command "odstr"
/usr/bin/X11/xauth: (stdin):2: 1356-373 unknown command "prida"
and every xauth command gives you this message:
p740a10:/root>xauth
1356-364 xauth: creating new authority file /root/.Xauthority
while no .Xauthority file is actually created, the issue is with the language environment setting on the AIX server. I believe this is a bug. It looks like if you have the system language set to other that en_US language and you do have a openssh message catalogue of that language, xauth commands "add" and "remove" are being translated into the non en_US language for any reason and it just doesn't work. These commands are run automatically by ssh in order to deploy your X11 authentication token on the remote server. To solve this issue, either:
- set the system language to en_US, C or POSIX
- uninstall the openssh message catalogue of that language
@#$%&!
#Db2