X11 Forwarding with Access Control on AIX
I'm attempting to run X11 from an AIX server back to my Windows laptop running XMing. I am not allowed to use the -ac param in XMing to bypass the Access Controls. If I use -ac, the X11 prompt works as expected on AIX, but when I enable access controls by removing the -ac param, everything quits working.
I made this work in Linux pretty easily. I set the SSH Terminal Properties for X11 forwarding to Enable = Yes, X Display Location to blank, Protocol to MIT-Magic-Cookie-1, and X Authority File to blank. Upon connection, RDM populates the $DISPLAY variable on the Linux box, and the connection is subsequently successful with Access Controls in place.
I have not yet found any combination of settings that can have the same success on AIX. If anyone has a process that can create logs that might help or anything, I would appreciate.
# Log at the AIX server (IPs obfuscated)
$ echo $DISPLAY
$ export DISPLAY=10.1.1.1:0.0
$ xclock
Xlib: connection to "10.1.1.1:0.0" refused by server
Xlib: No protocol specified
Error: Can't open display: 10.1.1.1:0.0
# Log from XMing
AUDIT: Wed Jul 09 11:34:50 2025: 9932 C:\Program Files\Xming\Xming.exe: client 4 rejected from IP 10.2.2.2
All Comments (4)
Hello kmknox,
Thank you for reaching out to the Devolutions support team.
The Verbose logs on level 2 could probably provide more information on this.
Send SSH Shell logs and verbose - Devolutions Documentation
You can use this link to share your logs:
FOR-50509
Best regards,
Patrick Ouimet
Hello kmknox,
Thank you for reaching out to the Devolutions support team.
The Verbose logs on level 2 could probably provide more information on this.
Send SSH Shell logs and verbose - Devolutions Documentation
You can use this link to share your logs:
FOR-50509
Best regards,
@Patrick Ouimet
Thank you so much, Patrick. We did find the problem. We needed to enable 'X11Forwarding' in sshd service. Once that was done, XMing began to work normally on the AIX server. Sadly, that's not going to be enough to create a secure environment. XMing does not seem to allow xhost to limit which clients can connect to us, so we are looking at other solutions.
Someday, Devolutions is thinking about building an X Server into the product. I 1000% wish that day was yesterday, but we'll be glad for it when the day finally comes. When it comes, please go to the trouble of limiting who can hit the XServer to only clients already connected via SSH. Thank you.
Hello kmknox,
For a more secure environment, may I suggest using Devolutions Server as a data source and connecting it to your server with the Devolutions Gateway?
General knowledge - Devolutions Documentation
Conditional access policies - Devolutions Documentation
General knowledge - Devolutions Documentation
Best regards,
Patrick Ouimet
This is a great idea. I'll pass it up to the people who decide such things. Thank you.