Xephyr, RHEL5 and Mac OS X 10.5 | arfore dot com

When doing system administration it is often more convenient to connect to a server through some sort of remote connection setup rather than having to sit at a console in a datacenter.  The comfort of one’s office (or living-room) is often far superior, in terms of noise and temperature, to the environs of the datacenter itself.

When setting up the RHEL5 server this week here at VSU, I was forced to use the Sun iLOM connection to do the initial install of the server.  While I generally use command-line only tools, the ease of use one gains from the GUI tools can often make some tasks much simpler.  Towards this end I decided to set up the server and my client to allow XDMCP sessions so that I could have full access to the GUI when necessary.

On the server there are a couple of things that you need to configure in order to make this work:

  1. Firewall ports
  2. GDM configuration options

On the client you will need to configure the OS X firewall, as well as use the correct Xephyr connection syntax.

Step 1: The server firewall

The firewall ports necessary for the use of XDMCP are:

  • 177/TCP,UDP – X Display Manager Control Protocol
  • 6000/TCP – X11 client/server communication
  • 6001/TCP – X11 client/server communication

The two common methods for allowing these ports are to either use the iptables command-line interface or the GUI system administration tool.

To change the firewall ports from inside the GUI you will need to be at the console or using an X11 session forwarded via SSH.

If you are logged into the console:

  1. Select the System menu from the menu bar
  2. Select Administration from the System menu
  3. Select Security Level and Firewall from the Administration sub-menu
  4. Authenticate as the root user if necessary (you didn’t log in as root, did you?)
  5. In the Security Level and Firewall dialog that comes up:
    1. Make sure you are on the Firewall Options tab
    2. Expand the section at the bottom labeled Other ports
    3. Click Add
    4. In the dialog that pops up:
      1. Put the port number(s) in the Port(s) field
      2. Select tcp or udp from the Protocol dropdown
      3. Click OK
    5. Click OK

To add the port from the command-line use the following command as a guideline and replace PROTOCOL with either tcp or udp and PORT_NUMBER with the number of the port exception that you are creating:

iptables -A INPUT -p PROTOCOL -m PROTOCOL --dport PORT_NUMBER -j ACCEPT

For example, to open port 80 on the firewall you would issue the following command:

iptables -A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
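
A scripted form of the command above, as an added example that is not part of the original post: it prints one rule per port from the Step 1 list and adds a source match (-s) so that only one workstation is accepted. The address 192.0.2.10 and the function names valid_ipv4 and xdmcp_rules are assumptions made for the example.

```shell
#!/bin/sh
# Added example, not from the original post. Prints iptables commands for the
# XDMCP ports listed in Step 1, each limited to one source address.
# It only prints; nothing is applied to the running firewall.

# Ports from Step 1 of this page, written as port/protocol.
XDMCP_PORTS="177/tcp 177/udp 6000/tcp 6001/tcp"

# valid_ipv4 ADDR: succeeds only for a dotted-quad IPv4 address.
valid_ipv4() {
    case $1 in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    old_ifs=$IFS; IFS=.
    set -- $1            # split the address on dots
    IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        [ ${#octet} -le 3 ] && [ "$octet" -le 255 ] || return 1
    done
}

# xdmcp_rules ADDR: one iptables command per port, on stdout.
xdmcp_rules() {
    src=$1
    if ! valid_ipv4 "$src"; then
        echo "invalid source address: $src" >&2
        return 1
    fi
    for entry in $XDMCP_PORTS; do
        port=${entry%/*}
        proto=${entry#*/}
        echo "iptables -A INPUT -s $src -p $proto -m $proto --dport $port -j ACCEPT"
    done
}

# 192.0.2.10 is a constructed workstation address (documentation range).
xdmcp_rules "${1:-192.0.2.10}"
```

Review the printed commands, then run them as root on the server with your own workstation address in place of the sample one.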

Step 2: The GDM configuration

After you have opened the appropriate ports you still need to configure the login manager to allow XDMCP connections and to allow

  1. On the server open a terminal window (unless you are editing this via SSH)
  2. Open the GDM configuration file as the root user using the editor of your choice (I like vim)
    sudo vim /etc/gdm/custom.conf
  3. Add the following in the [XDMCP] section
    Enable=true

At this point you should restart the login manager by issuing the following command:

[webadm@elmo ~]$ sudo gdm-restart

After the login manager process has been restarted, you are finished with the server side of things.

Step 3: The client firewall

On the Mac OS X side of the security equation, you will need to change the way your security setup is configured for this to work.  By default, the Mac OS X firewall in Leopard is set to allow all incoming communications.  While this is all great and wonderful, it is really insecure, and you should change it.

  1. Open System Preferences
  2. Click on Security
  3. Click on the lock to authenticate (if necessary)
  4. Click on Firewall
  5. Select the radio button next to Set access for specific services and applications

Now that you have set some better security options, you have to specifically allow X11 and Xephyr to accept incoming connections:

  1. Click the plus sign at the bottom left of the white box on the Firewall tab
  2. Press CMD + Shift + G on the keyboard to bring up the Go to the folder box
  3. Type the following into the text field and click OK
    /usr/X11/bin
  4. Select Xephyr from the list and click Add
  5. Click the plus sign again
  6. Navigate to Applications
  7. Select Utilities then select X11
  8. Close System Preferences

Step 4: Connecting with Xephyr

Open X11 from the Utilities folder inside Applications.  When you open X11 an xterm window should open up automatically.  In the xterm window type the following command where SERVER_NAME is replaced by the FQDN of the server you are connecting to:

Xephyr -ac -query SERVER_NAME -screen 1280x1024 -br -reset -terminate :1

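This should open an X11 window showing the login screen of the server.  In the command above, -query sends the XDMCP query to the named host, :1 is the display number that Xephyr uses, and -ac disables host-based access control on that display.  If you wish to automate this process a little, you could use the customize option in the Applications menu of X11 to add an entry that saves you from having to enter the command each time.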
