RHEL7.4 Can't open display
I am attempting to open an xwindow app (like xterm) remotely on a newly built rhel7.4 Enterprise Linux Desktop machine.
On the remote machine:
export DISPLAY=newrhel74desktop:0
xterm
Return = xterm Xt error: Can't open display
Have tried the obvious:
xhost + (on the newrhel74desktop machine)
updated in /etc/ssh/sshd_config:
X11Forwarding yes
X11DisplayOffset 10
X11UseLocalhost no
Responses
To redirect X, you need a couple things:
- Xserver you're directing to needs to permit it
- System hosting the Xserver needs to permit it
xhost takes care of the former (though, using Xauth or even tunneling X over SSH is better)
The latter means your local firewall needs to allow the inbound connection. If you happen to be on a box with some types of malware protection, you may need to allow connection there, as well.
And, so as not to assume too much: the system you're attempting to display to actually has an Xserver running?
There are two distinct ways to do it.
1.) using SSH X11 tunneling (pros: encrypted, authenticated, easy to start; cons: slightly less responsive)
2.) old-school direct X11 connection (pros: as responsive as a remote X11 connection can be; cons: a pain to set up properly, not secure)
For 1), you don't set the DISPLAY variable manually. Instead, you use ssh -X to connect from the local system you want the window to appear on, to the remote system you want to run the X11 application on. The sshd on the remote host will set up an X11 proxy on that host, and will set up the DISPLAY variable and the ~/.Xauthority file on the remote host appropriately for the connection.
Requirements:
- the remote system needs to have X11Forwarding yes in its /etc/ssh/sshd_config
- the remote system needs to have the xauth command installed and executable (sshd uses it when an X11 forwarding connection is established)
- the local system needs to have a valid DISPLAY variable available to the SSH client and the ~/.Xauthority file already set up (this is already done for you by the X display manager, if you have logged on using an X11 GUI)
For 2), you'll connect to the remote system using whatever method, set the DISPLAY variable on the remote system to point back to the display of the local system, and either use the xauth command on both hosts to copy the X11 session cookie from the local ~/.Xauthority file to the remote one, or use xhost + locally to disable X11 access control.
Requirements:
- As Thomas Jones said, your local firewall needs to allow incoming connections in port (X11 display number + 6000)
- The local host needs to have an X11 server running and enabled to listen for incoming remote connections.
The bolded bit is very commonly a problem: on practically all Linux distributions, the X11 server has been restricted to local UNIX socket connections only by default. This has been true practically since the beginning of this century. This is not a problem if you use SSH X11 forwarding, but if you use method 2), this is a showstopper unless you know how to undo the default protection.
This discussion here is about enabling incoming X11 connections on RHEL 6.x. On that version, the X11 server process needs to have the -nolisten tcp option removed from its command line. If you are using a standard RHEL GDM desktop, that means putting DisallowTCP=false to the [security] section of /etc/gdm/custom.conf.
But on RHEL 7.x, the logic has been reversed: instead of removing the -nolisten tcp option from the X11 server, you'll need to add a -listen tcp option. According to this post on the GNOME mailing list, the GDM setting DisallowTCP=false should still work: GDM is supposedly capable of figuring out whether it needs to remove the -nolisten tcp option or to add -listen tcp.
After changing /etc/gdm/custom.conf on the local system to enable remote TCP X11 connections, you will need to restart GDM and thus restart your local X11 session. After that, you should be able to confirm that -listen tcp is present on the X11 server process's command line by running ps ax | grep X, and that the X11 server is definitely listening on TCP port 6000 (corresponding to DISPLAY=:0.0) by running lsof -i tcp:6000.
Since you're doing Option 2, the points 4) and 5) in your list are completely irrelevant: as soon as you change the DISPLAY variable on the remote host, you are not using the X11 proxy/tunneling SSH might be providing for you.
Your ps -aef | grep X output indicates your X server is being controlled by gdm: apparently RHEL/CentOS won't even package kdm in this release, so no wonder /etc/kde/kdm/kdmrc does not exist. The command line does not have the -nolisten tcp option, and the lsof output indicates that the X server seems to be listening for incoming network connections.
If your RHEL74 is in default configuration, it is using firewalld and rejecting all incoming connection attempts that are not SSH. The simplest way to allow incoming X11 connections to local display :0.0 from anywhere would be:
# firewall-cmd --zone=public --add-port=6000/tcp # do it right now
success
# firewall-cmd --permanent --zone=public --add-port=6000/tcp #make it persistent
success
Accepting incoming X11 connections from a particular network only won't be much more complicated:
# firewall-cmd --zone=public --add-rich-rule='rule family="ipv4" source address="192.168.1.0/24" port port="6000" protocol="tcp" accept' # do it now
success
# firewall-cmd --permanent --zone=public --add-rich-rule='rule family="ipv4" source address="192.168.1.0/24" port port="6000" protocol="tcp" accept' #make it permanent
success
To properly set up xauth for this type of connection:
On newrhel74desktop, run xauth list :0.0 to view the X session cookie for that display.
You'll get output like this:
$ xauth list :0.0
newrhel74desktop/unix:0 MIT-MAGIC-COOKIE-1 7413bd839c74057fb3c7a15d713ead19
Now, connect to the remote system, make sure it can resolve the IP address of the newrhel74desktop system, and set the DISPLAY and the X session cookie:
remotesystem$ getent hosts rhel74desktop # or whatever command uses the standard resolver library on that architecture
192.168.1.2 rhel74desktop # we got the correct IP address, good.
remotesystem$ export DISPLAY=rhel74desktop:0.0
remotesystem$ xauth add $DISPLAY . 7413bd839c74057fb3c7a15d713ead19
Now you're ready to start a graphic application on remotesystem.
If you want to, you can of course avoid the need to use xauth by running xhost + on newrhel74desktop, but that way you can get xroaches or worse on your display, if your co-workers are in the mood for pranks.
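Added example, not part of the original posts: a small shell check that combines the three things the thread says decide who can reach a direct (method 2) display, namely whether the X server listens on TCP, whether xhost access control is off, and what firewalld lets in. It reads captured output of `ss -ltn` (used here in place of the `lsof` call in the thread), `xhost`, `firewall-cmd --list-ports` and `firewall-cmd --list-rich-rules`; the function names are hypothetical and the sample output is constructed.

```shell
#!/bin/sh
# Added example: rate how exposed local display :N is, from command output
# captured on the desktop. Function names are hypothetical; samples are constructed.

# Succeeds if `ss -ltn` output ($1) has a non-loopback listener on port 6000+N ($2).
x_tcp_listening() {
    printf '%s\n' "$1" | awk -v p=":$((6000 + $2))" '
        $1 == "LISTEN" && $4 !~ /^(127\.|\[::1\])/ &&
        substr($4, length($4) - length(p) + 1) == p { found = 1 }
        END { exit !found }'
}

# Succeeds if `xhost` output ($1) says access control is off (xhost + was run).
xhost_disabled() {
    case "$1" in *"access control disabled"*) return 0 ;; esac
    return 1
}

# Prints any, restricted or closed from `firewall-cmd --list-ports` ($1) and
# `firewall-cmd --list-rich-rules` ($2) for display $3. Port ranges are not parsed.
fw_scope() {
    port=$((6000 + $3))
    case " $1 " in *" $port/tcp "*) echo any; return ;; esac
    case "$2" in
        *"port=\"$port\" protocol=\"tcp\" accept"*) echo restricted ;;
        *) echo closed ;;
    esac
}

# Verdict for display :$5 (default 0). Args: ss_out xhost_out fw_ports fw_rich [display]
x11_exposure() {
    d=${5:-0}
    x_tcp_listening "$1" "$d" || { echo "local-only"; return; }
    scope=$(fw_scope "$3" "$4" "$d")
    [ "$scope" = closed ] && { echo "tcp-listening-firewalled"; return; }
    if xhost_disabled "$2"; then echo "no-auth-from-$scope"
    else echo "cookie-auth-from-$scope"; fi
}

# Constructed sample output (not taken from the thread).
SAMPLE_SS='State  Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0      128    *:22               *:*
LISTEN 0      128    *:6000             *:*'
XHOST_OFF='access control disabled, clients can connect from any host'
XHOST_ON='access control enabled, only authorized clients can connect'
SAMPLE_RICH='rule family="ipv4" source address="192.168.1.0/24" port port="6000" protocol="tcp" accept'

x11_exposure "$SAMPLE_SS" "$XHOST_OFF" "6000/tcp" ""
```

A verdict of `no-auth-from-any` is the xhost + plus open-port combination; `cookie-auth-from-restricted` is the xauth plus rich-rule setup. Individual hosts added with xhost are not evaluated.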
