X11 display issues

Andy Polyakov appro at fy.chalmers.se
Thu Feb 22 05:46:39 EST 2001


> > This also has been discussed in SSHSCI's SSH context. All SSH versions
> > (both SSHSCI and OpenSSH) derive value for DISPLAY variable from
> > `uname -n`. The problem is that the returned value is not necessarily
> > resolvable to a valid IP number which in turn might cause a failure.
> 
> oh yes, this is a problem. i will probably change the sshd-X11-proxy
> from internet to unix domain sockets.

Say you run ssh against a firewall in order to run an X11 application on
a computer behind the firewall. A UNIX socket would kill the idea...

> libX is broken if i set DISPLAY=localhost:x.y and ignore any
> X cookies.

Note that I set it to anything *but* localhost:x.y (well, as long as you
don't ssh localhost, but that would be confusing from key management
viewpoint so that you don't normally do it).

> > To make it fool-proof I suggest to set DISPLAY to the interface's
> > address the user has reached the system in question through.
> 
> I tried this before, but it does not work since it uses AF_INET6 if
> i connect by
>         $ ssh -X ::1

Does libX11 talk IPv6 at all? Is libX11 capable of parsing an IPv6-style
number in the DISPLAY variable? Last time I checked, the answers were "no"
for both...

> so it's not really acceptable. I'm still looking for a better
> solution...

Yes, UNIX domain sockets would eliminate the IPv4/6 issue, but I'm
afraid it would bring up more libX11-related problems than solutions.
Take the "desire" to share memory whenever DISPLAY=:X.Y for example...
It doesn't mean that we should give up the fight, but unfortunately for
the time being libX11 is not really there for us and we simply have no
hell of a choice but to stick to TCP (over IPv4) transport:-(

What's possible to do is to replace gethostbyaddr with getnameinfo and
check if it's an AF_INET socket only if the latter fails, so that it will
become IPv6 "savvy". Something like the following:

	/* and now something completely different:-) <appro at fy.chalmers.se> */
	{
		struct sockaddr_storage me;
		socklen_t melen = sizeof(me);
		char h_name[NI_MAXHOST];

		if (getsockname(packet_get_connection_in(),
			(struct sockaddr *)&me, &melen) != 0) {
			error("[X11-broken-fwd] Unable to getsockname");
			packet_send_debug("[X11-broken-fwd] Unable to getsockname");

			shutdown(sock, SHUT_RDWR);
			close(sock);

			return NULL;
		}

#ifndef IPADDR_IN_DISPLAY
		if (getnameinfo ((struct sockaddr *)&me, melen,
			h_name,sizeof(h_name),NULL,0,NI_NAMEREQD) == 0)
			/* "%.*s" takes an int precision, not a size_t */
			snprintf (display, sizeof(display),"%.*s:%d.%d",
				(int)sizeof(h_name), h_name,
				display_number, screen_number);
		else
#endif
		{
			if (me.ss_family != AF_INET) {
				error("[X11-broken-fwd] Unsupported protocol family");
				packet_send_debug("[X11-broken-fwd] Unsupported protocol family");

				shutdown(sock, SHUT_RDWR);
				close(sock);

				return NULL;
			}
			else
			    snprintf(display, sizeof(display), "%.50s:%d.%d",
				inet_ntoa(((struct sockaddr_in *)&me)->sin_addr),
				display_number, screen_number);
		}
	}

No, still not perfect... Andy.




