As I described in an earlier post, I run my Raspberry Pi (RPi) as a headless system, using Cygwin/X‘s xterm for command line interaction with the RPi, with my PC being my X server to support any X Window applications. I can move files between the PC and the RPi via my pseudo-Dropbox. I really recommend this configuration and its working perfectly for me.
This configuration gives me a great deal of utility but no mobility …. I’m still tied to my desktop PC. Maybe I should consider replacing the desktop PC with a laptop but I don’t want to spend the money. I have seen some small, inexpensive keyboards and displays that could be connected directly to the RPi, and you could cobble together a mobile unit, or the more elegant Kindle version, but this still doesn’t give me the mobility look & feel I would like.
iPad to the rescue (assuming you have one ….)! I found a great app call iSSH by Zingersoft. Its claims that it is a “comprehensive VT100, VT102, VT220, ANSI, xterm, and xterm-color terminal emulator over SSH and telnet, integrated with a tunneled X server, RDP and VNC client. ” I installed it, configured it quickly, and got a terminal connection to the RPi without reading the documentation …. Impressive since successfully configuring ssh, Xserver, etc. can be challenging sometimes. (Note: The easy of this was largely due to setting up RPi environment properly in the first place. See the earlier post). To top it off, iSSH has a slick look & feel.
Zingersoft’s documentation on configuring iSSH is easy to follow and requires just a few steps. I had no problem getting an terminal session working to the RPi but I did have problems with graphics programs (i.e. X Window client programs). It appears that iSSH’s terminal isn’t really xterm but a terminal emulation (secured via ssh). The iSSH terminal doesn’t use the X server. In fact, while in the terminal session, to see the X server display (i.e. to see graphics applications rendered via the RPi X client) you must hit the button at the top right of the iPad display.
Frankly, the fact that the X application didn’t work the first time wasn’t a big surprise to me. I have been struggling with getting my X Window configuration set up to work reliably for some time. What I was observing was that X would work fine for sometime but at some point I would get the error message “couldn’t connect to display”.
This error is very common and nearly every X user has seen some version of this before. I assume that the right way to solve this was to gain a deeper understanding of X Windows and discover its root cause . I did gain a deeper understanding of X Windows, but a solution to my problem never jumped out from the “official” materials I read. I found the solution when I happened upon the blog “X11 Display Forwarding Fails After Some Time“.
The root cause of my error message is the time out of the X Forwarding. I have been using the -X option when using ssh. This is the more secure option for X Forwarding, but comes at a price, as shown below.
ssh -X, X forwarding is enabled in “Untrusted” mode, making use of various X security extensions, including a time-limited Xauth cookie.
ssh -Yto enable “Trusted” mode for X, which will enable complete access to your X server. There is no timeout for this option.
So my Display problem isn’t really an error, per say, but ssh timing out on me. To fix this, I added the entry
ForwardX11Timeout 596h into my
~/.ssh/config file on my PC. With this problem solved, I continued my journey into X.
My Journey to a Better Understanding of X
Using X Windows for the first time can be somewhat of a shock to someone familiar with other graphical environments, such as Microsoft Windows or Mac OS. X was designed from the beginning to be network-centric, and uses a “client-server” model. In the X model, the “X server” runs on the computer that has the keyboard, monitor, and mouse attached. The server’s responsibility includes tasks such as managing the display, handling input from the keyboard and mouse, and other input or output devices (i.e., a “tablet” can be used as an input device, and a video projector can be an output device, etc.). Each X application (such as xterm) is a “client”. A client sends messages to the server requesting things like “Please draw a window at these coordinates”, and the server sends back messages such as “The user just clicked on the OK button”. These standardized set of messages make up the X Protocol.
The X server and the X clients commonly run on the same computer. However, it is perfectly possible to run the X server on a less powerful computer (e.g. in my case a PC or iPad), and run X applications (the clients) on a powerful machine that serves multiple X servers (or it can be a simple RPi, as in my case). In this scenario the communication between the X client and server takes place over the network (WiFi for my iPad), via the X Protocol. There is nothing in the protocol that forces the client and server machines to be running the same operating system, or even to be running on the same type of computer.
It is important to remember that the X server is the is the software program which manages the monitor, keyboard, and pointing device. In the X window system, these three devices are collectively referred to as the “display”. Therefore, the X server serves displaying capabilities, via the display, to other programs, called X clients, that connect to the X server. All these connections are established via the X protocol.
The relationship between the X server and the display are tight, in that the X server is engineered to support a specific display (or set of displays). As a user of X, you don’t have any control over this relationship, only the software developer who created the server can modify this relationship (generally speaking). On the other hand, as a user you have free hand in configuring the X protocol connection between the X server and the X clients.
How do you establish a X Protocol connection between any given server and a client? This is done via the environment variable “DISPLAY”. A Linux environment variable DISPLAY tells all its X clients what display they should use for their windows. Its value is set by default in ordinary circumstances, when you start an X server and run jobs locally. Alternatively, you can specify the display yourself. One reason to do this is when you want log into another system, and run a X client there, and but have the window displayed at your local terminal. That is, the DISPLAY environment variable must point to your local terminal.
So the environment variable “DISPLAY” stores the address for X clients to connect to. These addresses are in the form:
hostnameis the name of the computer where the X server runs. An omitted
hostnamemeans the localhost.
displaynumberis a sequence number (usually 0). It can be varied if there are multiple displays connected to one computer.
screennumberis the screen number. A display can actually have multiple screens. Usually there’s only one screen though where 0 is the default.
Setting the DISPLAY variable depends of your shell, but for the Bourne, Bash or Korn shell, you could do the following to connect with the systems local display:
The remote server knows where it have to redirect the X network traffic via the definition of the DISPLAY environment variable which generally points to an X Display server located on your local computer.
So you see, as the user, you have full control over where you wish to display the X client window. So what prevents you from doing something malicious, like popping up window on someone else terminal or read their key strokes? After all, all you really need is their host name. X servers have three ways of authenticating connections to it: the host list mechanism (xhost) and the magic cookie mechanism (xauth). Then there is ssh, that can forward X connections, providing a protected connection between client and server over a network using a secure tunnelling protocol.
The xhost Command
xhost program is used to add and delete host (computer) names or user names to the list of machines and users that are allowed to make connections to the X server. This provides a rudimentary form of privacy control and security. A typical use is as follows: Let’s call the computer you are sitting at the “local host” and the computer you want to connect to the “remote host”. You first use xhost to specify which computer you want to give permission to connect to the X server of the local host. Then you connect to the remote host using telnet. Next you set the DISPLAY variable on the remote host. You want to set this DISPLAY variable to the local host. Now when you start up a program on the remote host, its GUI will show up on the local host (not on the remote host).
For example, assume the IP address of the local host is 184.108.40.206 and the IP address of the remote host is 220.127.116.11.
On the local host, type the following at the command line:
xhost + 18.104.22.168
Log on to the remote host
On the remote host (through the telnet connection), instruct the remote host to display windows on the local host by typing:
Now when you type xterm on the remote host, you should see an xterm window on the local host. You should remove the remote host from your access control list as follows.
xhost - 22.214.171.124
Some additional xhost commands:
xhost List all the hosts that have access to the X server
xhost + hostname Adds hostname to X server access control list.
xhost - hostname Removes hostname from X server access control list.
xhost + Turns off access control (all remote hosts will have access to X server … generally a bad thing to do)
xhost - Turns access control back on (all remote hosts blocked access to X server)
Xhost is a very insecure mechanism. It does not distinguish between different users on the remote host. Also, hostnames (addresses actually) can be spoofed. This is bad if you’re on an untrusted network.
The xauth Command
Xauth allows access to anyone who knows the right secret. Such a secret is called an authorization record, or a magic cookie. This authorization scheme is formally called
MIT-MAGIC-COOKIE-1. The cookies for different displays are stored together in the file
.Xauthority in the user’s home directory (you can specify a different cookie file with the
XAUTHORITY environment variable). The
xauth application is a utility for accessing the
On starting a session, the X server reads a cookie from the
.Xauthority file. After that, the server only allows connections from clients that know the same cookie (Note: When the cookie in
.Xauthority changes, the server will not pick up the change.). If you want to use xauth, you must start the X server with the
-auth authfile argument. You can generate a magic cookie for the
.Xauthority file using the utility
mcookie (typical usage:
xauth add :0 . `mcookie`).
Now that you have started your X session on the server and have your cookie in
.Xauthority, you will have to transfer the cookie to the client host. There are a few ways to do this. The most basic way is to transfer the cookie manually by listing the magic cookie for your display with
xauth list and injecting it into the remote hosts
.Xauthority via the
Xauth has a clear security advantage over xhost. You can limit access to specific users on specific computers and it does not suffer from spoofed addresses as xhost does.
X Over SSH
Even with the
xauth methods, the the X protocol is transmitted over the network with no encryption. If you’re worried someone might snoop on your connections (and you should worry), use ssh. SSH, or the Secure Shell, allows secure (encrypted and authenticated) connections between any two devices running SSH. These connections may include terminal sessions, file transfers, TCP port forwarding, or X Window System forwarding. SSH supports a wide variety of encryption algorithms. It supports various MAC algorithms, and it can use public-key cryptography for authentication or the traditional username/password.
SSH can do something called “X Forwarding” makes the communication secure by “tunneling” the X protocol over the SSH secure link. Forwarding is a type of interaction with another network application, through a inter-mediator, in this case SSH. SSH intercepts a service request from some other program on one side of an SSH connection, sends it across the encrypted connection, and delivers it to the intended recipient on the other side. This process is mostly transparent to both sides of the connection: each believes it is talking directly to its partner and has no knowledge that forwarding is taking place. This is called tunneling since X protocol is encapsulated within the a SSH protocol.
When setting up an SSH tunnel for X11, the Xauth key will automatically be copied to the remote system(in a munged form to reduce the risk of forgery) and the DISPLAY variable will be set.
To turn on X forwarding over ssh, use the command line switch
-X or write the following in your local ssh configuration file:
The current version of SSH supports the X11 SECURITY extension, which provides two classes of clients: trusted clients, which can do anything with the display, and untrusted clients, which cannot inject synthetic events (mouse movement, keypresses) or read data from other windows (e.g., take screenshots). It should be possible to run almost all clients as untrusted, leaving the trusted category for screencapture and screencast programs, macro recorders, and other specialized utilities.
If you use
ssh -X remotemachine the remote machine is treated as an untrusted client and
ssh -Y remotemachine the remote machine is treated as trusted client. ‘-X’ is supposedly the safe alternative to ‘-Y’. However, as a Cygwin/X maintainer says “this is widely considered to be not useful, because the Security extension uses an arbitrary and limited access control policy, which results in a lot of applications not working correctly and what is really a false sense of security”.
You can configuring SSH via the following files:
- per-user configuration is in
- system-wide client configuration is in
- system-wide daemon configuration is in
The ssh server (
sshd) at the remote end automatically sets
DISPLAY to point to its end of the X forwarding tunnel. The remote tunnel end gets its own cookie; the remote ssh server generates it for you and puts it in
~/.Xauthority there. So, X authorization with ssh is fully automatic.
X over SSH solves some of the problems inherent to classic X networking. For example, SSH can tunnel X traffic through firewalls and NAT, and the X configuration for the session is taken care of automatically. It will also handle compression for low-bandwidth links. Also, if you’re using X11 forwarding, you may want to consider setting ForwardX11Trusted no to guard against malicious clients.
The Window Manager
The X design philosophy is much like the Linux/UNIX design philosophy, “tools, not policy”. This philosophy extends to X not dictating what windows should look like on screen, how to move them around with the mouse, what keystrokes should be used to move between windows, what the title bars on each window should look like, etc. Instead, X delegates this responsibility to an application called a “Window Manager”.
There are many window managers available for X and each provides a different look and feel. Some of them support highly configurable virtual desktops like, KDE and GNOME, some of them are lightweight desktop like LXDE which comes with the RPi, or you can operate bare bones (like I am on my PC while using the RPi) and let MS Windows be your Window Manager via Cygwin/X. The iPad’s iSSH can run without a Window Manager. In effect, X server uses the display as it sees fit and your unable to control where things loaded. iSSH does have a Window Manage your can use as an option called dwm. Its a tiling window manager, which is a reasonable way to go given that your pointing device is your finger on the iPad.
X Display Manager
The X Display Manager (XDM) is an optional part of the X Window System that is used for login session management. XDM provides a graphical interface for choosing which display server to connect to, and entering authorization information such as a login & password. Like the Linux getty utility, it performs system logins to the display being connected to and then runs a session manager on behalf of the user (usually an X window manager). XDM then waits for this program to exit, signaling that the user is done and should be logged out of the display. At this point, XDM can display the login and display chooser screens for the next user to login.
In the small world of my RPi’s, a PC, and an iPad, I have no need for an XDM and don’t use one.
Enough of the X Journey … Now in Conclusion
So what does the iSSH give me? I can now sit on the couch, watch TV, and simultaneously login into the RPi with full X Windows support. Some would call this Nirvana but I call it just VERY NICE. The iPad/iSSH combination isn’t the perfect user experience but Zingersoft did a good job.
By the way …. the above iPad screen shot of the X Server display with a globe was rendered using the following code:
#!/usr/bin/env python """ Source: http://www.scipy.org/Cookbook/Matplotlib/Maps """ from mpl_toolkits.basemap import Basemap import matplotlib.pyplot as plt import numpy as np Use_NASA_blue_marble_image = False # set up orthographic map projection with # perspective of satellite looking down at 50N, 100W. # use low resolution coastlines. # don't plot features that are smaller than 1000 square km. map = Basemap(projection='ortho', lat_0=50, lon_0=-100, resolution='l', area_thresh=1000.) # draw coastlines, country boundaries, fill continents. if Use_NASA_blue_marble_image: map.bluemarble() else: map.drawcoastlines() map.drawcountries() map.fillcontinents(color='coral') # draw the edge of the map projection region (the projection limb) map.drawmapboundary() # draw lat/lon grid lines every 30 degrees. map.drawmeridians(np.arange(0, 360, 30)) map.drawparallels(np.arange(-90, 90, 30)) # lat/lon coordinates of five cities. lats = [40.02, 32.73, 38.55, 48.25, 17.29] lons = [-105.16, -117.16, -77.00, -114.21, -88.10] cities = ['Boulder, CO', 'San Diego, CA', 'Washington, DC', 'Whitefish, MT', 'Belize City, Belize'] # compute the native map projection coordinates for cities. x, y = map(lons, lats) # plot filled circles at the locations of the cities. map.plot(x, y, 'bo') # plot the names of those five cities. for name, xpt, ypt in zip(cities, x, y): plt.text(xpt + 50000, ypt + 50000, name) # make up some data on a regular lat/lon grid. nlats = 73 nlons = 145 delta = 2. * np.pi / (nlons - 1) lats = (0.5 * np.pi - delta * np.indices((nlats, nlons))[0, :, :]) lons = (delta * np.indices((nlats, nlons))[1, :, :]) wave = 0.75 * (np.sin(2. * lats) ** 8 * np.cos(4. * lons)) mean = 0.5 * np.cos(2. * lats) * ((np.sin(2. * lats)) ** 2 + 2.) # compute native map projection coordinates of lat/lon grid. x, y = map(lons * 180. / np.pi, lats * 180. / np.pi) # contour data over the map. CS = map.contour(x, y, wave + mean, 15, linewidths=1.5) plt.show()