[GTALUG] Lightdm "Secure Remote connection"

Giles Orr gilesorr at gmail.com
Mon Feb 8 06:58:33 UTC 2016


> On Sun, Feb 07, 2016 at 01:59:26PM -0500, Giles Orr wrote:
>> Lightdm offers as one of the options at the login screen, a "Secure
>> Remote connection" (this is on Debian jessie).  If this is selected,
>> you enter a username and password as usual, and when you click "Log
>> in" it asks for a "host:port" combination.  I haven't used this
>> before, so I guessed that 192.168.0.105:22 (a valid machine on my
>> network) would be appropriate.  After some cogitation and a bit of
>> screen flashing, this returns to the login prompt.
>>
>> What settings do I need locally and remotely for this to work?  Where
>> should I look for errors?  Any thoughts?
>>
>> A bunch of points that may help:
>> - ssh is installed on both machines, sshd is running and remote logins
>> work both ways
>> - the lightdm and lightdm-gtk-greeter packages are installed on both machines
>> - the remote machine is running Ubuntu trusty
>> - the remote user I'm trying to connect as is already running a local
>> X session on the remote machine: I'm assuming that doesn't matter?
>> - wireshark and the hard-to-read logs in /var/log/lightdm/ (on both
>> ends of the connection) suggest that ssh connects properly and X
>> starts ... and then fails, but I'm not clear on why.  Nor am I totally
>> sure I'm reading this right
>>
>> - this feature appears to be totally undocumented: the interface
>> explains nothing, there's nothing in the man page, and even Google
>> knows nothing ... I even resorted to code diving, but "Secure Remote
>> connection" isn't in there.  It's also not anywhere in /etc/ where I
>> would have expected to find it if it was an option configured by
>> Debian (although it could be under /usr/ ... I haven't done a grep of
>> that entire tree ...)
>>
>> Thanks for any assistance.

On 7 February 2016 at 14:25, William Park <opengeometry at yahoo.ca> wrote:
> 1. You may need to configure the remote Lightdm to accept incoming XDMCP
> connections.  If
>     X -query 192.168.0.105
> works, then it's accepting.  Search for "XDMCP" keyword.
>
> 2. Check the firewall on port 177 and 6000-6010.  No need, if #1 works.
> :-)
>
> 3. Now, encryption part...  I don't know what "Secure Remote Connection"
> means.  It could mean port forwarding via SSH (-X or -Y option).  Or, it
> could mean some new features of Lightdm, in which case, check its config
> file.

It seems to me that if it's doing what we're both guessing it's doing
- i.e. using ssh to connect to the remote machine before forwarding the
connection - then the firewall rules are unnecessary because all
connections are local.  Nevertheless, I've applied them.  Still no
joy.

The only thing that made a difference (and only on localhost) was
changing /etc/X11/Xwrapper.config from "allow_users=console" to
"allow_users=anyone".  This changed the output of "X -query localhost"
from "you don't have permission" to:

    (EE)
    Fatal server error:
    (EE) Server is already active for display 0
            If this server is no longer running, remove /tmp/.X0-lock
            and start again.
    (EE)
    (EE)
    Please consult the The X.Org Foundation support
            at http://wiki.x.org
    for help.
    (EE)

A hint online suggested that since I already have X running on :0, I
should use "X -query localhost:1" which gets much the same error as
above, with one line changed:

    Fatal server error:
    (EE) Xserver: Name or service not known: -query localhost:1

And yet, this command:

    Xephyr -query localhost -screen 1024x768 -dpi 96 -terminate :1 &

works exactly as expected, starting X in a box.

-- 
Giles
http://www.gilesorr.com/
gilesorr at gmail.com

