Lionel Cons's mxconns is an X Windows monitor and proxy. The author suggests you use it to enhance the security of your X server by monitoring for connection attempts and dangerous requests (e.g. keylogging). I tend to use it as a flexible proxy for X forwarding with my cluster.
Usually if you SSH into a remote computer and want to run X applications, you use ssh -Y to forward your X connection to the remote host, and everything works as expected. However, I could not figure out how to expose the forwarded server so it could accept connections from other nodes in the cluster. For example, if a job I had running on n1 wanted to talk to my X server (e.g. via MPE), it would need to connect to n0:
home <--(ssh -Y)----> n0 <--(???)----> n*
mxconns fills the gap by providing a proxy between the local socket provided by ssh -Y and a new publicly exposed X socket available to n*:
home <--(ssh -Y)----> n0 <--(mxconns)----> n*
mxconns needs a configuration file telling it to trust all the computers on the cluster, which should look something like:
n0$ cat ~/.mxconns
192.168.2.* allow
After you've set that up, a full connection will look like:
home$ ssh -Y n0
n0$ export DISPLAY=`mxconns -config ~/.mxconns -fork -hunt -verbose`
n0$ echo $DISPLAY
n0.*.edu:5
after which you can do things like:
n0$ ssh n1
n1$ export DISPLAY=n0:5
n1$ xeyes
You can explicitly kill mxconns when you're done:
n0$ killall mxconns
or just wait and it will die naturally when you close your initial X connection to n0.
Packaging
mxconns is enough of a niche app that it's not widely packaged at the moment. However, building and installing it is really easy, and is well explained in the README file. I've added an ebuild to my Gentoo overlay if you're running Gentoo.
Messy details
ssh -Y sets up an X proxy on n0 on 127.0.0.1:6010 and sets my DISPLAY to localhost:10.0:
n0$ netstat -an | grep 6010
tcp 0 0 127.0.0.1:6010 0.0.0.0:* LISTEN
tcp6 0 0 ::1:6010 :::* LISTEN
However, I want the X proxy to bind to eth0 (192.168.2.100) not localhost (127.0.0.1), so other nodes can connect. If you're using OpenSSH's sshd on n0, you can set X11UseLocalhost no in your sshd_config. However, this binds the ssh -Y X connection to the wildcard address, exposing it to the world through eth1 (which is bad) as well as to the cluster through eth0 (which is good). With mxconns you can explicitly specify the interfaces you want to bind.
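To check which address each X listener is actually bound to, the following added example (not part of the original post or of mxconns) classifies netstat -an output as loopback, wildcard or interface-specific. The 6000-6063 port cutoff, the function names and every sample line other than the 6010 pair shown above are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original post). X display N listens on TCP 6000+N.

# Read Linux `netstat -an` text on stdin; print ":display scope address"
# for every listening X11 socket.
x11_listeners() {
    awk '
    $1 ~ /^tcp/ && $NF == "LISTEN" {
        n = split($4, parts, ":")
        port = parts[n] + 0
        # Assumption: treat 6000-6063 as the X11 display port range.
        if (parts[n] !~ /^[0-9]+$/ || port < 6000 || port > 6063) next
        # Everything before the final ":port" is the bind address (works for IPv6).
        host = substr($4, 1, length($4) - length(parts[n]) - 1)
        if (host ~ /^127\./ || host == "::1")        scope = "loopback"
        else if (host == "0.0.0.0" || host == "::")  scope = "wildcard"
        else                                         scope = "interface"
        printf ":%d %s %s\n", port - 6000, scope, host
    }'
}

# Exit 0 only when no X11 listener is bound to the wildcard address.
x11_no_wildcard() {
    ! x11_listeners | grep -q " wildcard "
}

# SAMPLE_SSH is the netstat output shown in the post (default ssh -Y binding).
SAMPLE_SSH='tcp 0 0 127.0.0.1:6010 0.0.0.0:* LISTEN
tcp6 0 0 ::1:6010 :::* LISTEN'
# Constructed: an additional proxy listener bound only to the cluster interface.
SAMPLE_MXCONNS="$SAMPLE_SSH
tcp 0 0 192.168.2.100:6005 0.0.0.0:* LISTEN"
# Constructed: what a wildcard binding (X11UseLocalhost no) would look like.
SAMPLE_NOLOCALHOST='tcp 0 0 0.0.0.0:6010 0.0.0.0:* LISTEN
tcp6 0 0 :::6010 :::* LISTEN'

printf '%s\n' "$SAMPLE_MXCONNS" | x11_listeners
printf '%s\n' "$SAMPLE_NOLOCALHOST" | x11_no_wildcard || echo "X11 bound to wildcard"
```

On a live host, pipe the real output in instead of the samples: netstat -an | x11_listeners.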
X authentication is handled with cookies, and getting cookie detection working in mxconns turned out to be a key part of patching mxconns to work in this situation. The ssh -Y connection stores its X authority cookie under hostname/unix:dpynum:
n0$ xauth list
n0/unix:10 MIT-MAGIC-COOKIE-1 ...
as described under the DISPLAY NAMES section of xauth(1).