X11 Forwarding with Access Control on AIX

Backlog

X11 Forwarding with Access Control on AIX

avatar

I'm attempting to run X11 from an AIX server back to my Windows laptop running XMing. I am not allowed to use the -ac param in XMing to bypass the Access Controls. If I use -ac, the X11 prompt works as expected on AIX, but when I enable access controls by removing the -ac param, everything quits working.

I made this work in Linux pretty easily. I set the SSH Terminal Properties for X11 forwarding to Enable = Yes, X Display Location to blank, Protocol to MIT-Magic-Cookie-1, and X Authority File to blank. Upon connection, RDM populates the $DISPLAY variable on the Linux box, and the connection is subsequently successful with Access Controls in place.

I have not yet found any combination of settings that can have the same success on AIX. If anyone has a process that can create logs that might help or anything, I would appreciate.

# Log at the AIX server (IPs obfuscated)
$ echo $DISPLAY

$ export DISPLAY=10.1.1.1:0.0
$ xclock
Xlib: connection to "10.1.1.1:0.0" refused by server
Xlib: No protocol specified

Error: Can't open display: 10.1.1.1:0.0

# Log from XMing
AUDIT: Wed Jul 09 11:34:50 2025: 9932 C:\Program Files\Xming\Xming.exe: client 4 rejected from IP 10.2.2.2

All Comments (10)

avatar

Hello kmknox,

Thank you for reaching out to the Devolutions support team.

The Verbose logs on level 2 could probably provide more information on this.
Send SSH Shell logs and verbose - Devolutions Documentation

You can use this link to share your logs:
FOR-50509

Best regards,

Patrick Ouimet

avatar
Hello kmknox,

Thank you for reaching out to the Devolutions support team.

The Verbose logs on level 2 could probably provide more information on this.
Send SSH Shell logs and verbose - Devolutions Documentation

You can use this link to share your logs:
FOR-50509

Best regards,


@Patrick Ouimet

Thank you so much, Patrick. We did find the problem. We needed to enable 'X11Forwarding' in sshd service. Once that was done, XMing began to work normally on the AIX server. Sadly, that's not going to be enough to create a secure environment. XMing does not seem to allow xhost to limit which clients can connect to us, so we are looking at other solutions.

Someday, Devolutions is thinking about building an X Server into the product. I 1000% wish that day was yesterday, but we'll be glad for it when the day finally comes. When it comes, please go to the trouble of limiting who can hit the XServer to only clients already connected via SSH. Thank you.

avatar

Hello kmknox,

For a more secure environment, may I suggest using Devolutions Server as a data source and connecting it to your server with the Devolutions Gateway?

General knowledge - Devolutions Documentation
Conditional access policies - Devolutions Documentation

General knowledge - Devolutions Documentation

Best regards,

Patrick Ouimet

avatar

This is a great idea. I'll pass it up to the people who decide such things. Thank you.

avatar

Bonjour,
I am currently developing an X11 server for RDM, and i would appreciate it if you could tell me which X11 applications you intend to use.
Knowing this would allow me to focus my debugging and development efforts on the applications that matter most to you.

Thank you in advance for your assistance.

avatar
Bonjour,
I am currently developing an X11 server for RDM, and i would appreciate it if you could tell me which X11 applications you intend to use.
Knowing this would allow me to focus my debugging and development efforts on the applications that matter most to you.

Thank you in advance for your assistance.


@Luc Goulet
Test reply. My messages are not going through.

avatar
Bonjour,
I am currently developing an X11 server for RDM, and i would appreciate it if you could tell me which X11 applications you intend to use.
Knowing this would allow me to focus my debugging and development efforts on the applications that matter most to you.

Thank you in advance for your assistance.


@Luc Goulet
Hello Luc,

I'm not a member of the team actually using X11, so I don't know. What I do know is that I've always set up xclock successfully and my customer was able to use their application. They are not using xclock, but that's always been my standard test.

It's been a year and I've forgotten most this, but we did get all our customers working securely on XMing. The key point is that the X11 client must use MIT Magic Cookie 1 to prove the connection request is coming from a logged on session. It must be impossible for a random attacker to connect to the client's X11 server successfully.

avatar
Bonjour,
I am currently developing an X11 server for RDM, and i would appreciate it if you could tell me which X11 applications you intend to use.
Knowing this would allow me to focus my debugging and development efforts on the applications that matter most to you.

Thank you in advance for your assistance.


@Luc Goulet
Okay. It does not like something about the numbered list I was trying to submit to you. The key point is that in XMing, we require these settings:
Choose to create a launch configuration with Multiple Windows, No client, Display 0, and Clipboard set to True. Do not choose to disable Access Controls.

avatar

Hello kmknox,

Thank you for circling back with these details — and apologies for the formatting friction you ran into on the forum when posting your numbered list.

I'll make sure @Luc Goulet has the key points captured:

  • xclock is your standard smoke-test target, even though the actual end-users on AIX run applications you don't have direct visibility into.
  • Security model is the hard requirement: the X server must enforce MIT Magic Cookie 1 authentication so only clients tied to an authenticated SSH session can connect — i.e., the equivalent of "no -ac" / Access Controls enabled in XMing must be preserved (ideally as the default and non-overridable posture).
  • XMing reference configuration that works for your users today: Multiple Windows / No client / Display 0 / Clipboard true, with Access Controls left on.


This is genuinely useful input for the X11 server work in RDM. If anyone on the team actually running the X11 applications on AIX is later able to share even a partial list of what they launch (installer GUIs, sysadmin tools like smit, custom in-house apps, etc.), that would help Luc prioritize compatibility testing — but no pressure, the security constraint you've outlined is already the most important piece.

Best regards,

Patrick Ouimet

avatar
Hello kmknox,

Thank you for circling back with these details — and apologies for the formatting friction you ran into on the forum when posting your numbered list.

I'll make sure @Luc Goulet has the key points captured:
  • xclock is your standard smoke-test target, even though the actual end-users on AIX run applications you don't have direct visibility into.
  • Security model is the hard requirement: the X server must enforce MIT Magic Cookie 1 authentication so only clients tied to an authenticated SSH session can connect — i.e., the equivalent of "no -ac" / Access Controls enabled in XMing must be preserved (ideally as the default and non-overridable posture).
  • XMing reference configuration that works for your users today: Multiple Windows / No client / Display 0 / Clipboard true, with Access Controls left on.

This is genuinely useful input for the X11 server work in RDM. If anyone on the team actually running the X11 applications on AIX is later able to share even a partial list of what they launch (installer GUIs, sysadmin tools like smit, custom in-house apps, etc.), that would help Luc prioritize compatibility testing — but no pressure, the security constraint you've outlined is already the most important piece.

Best regards,


@Patrick Ouimet

Two main examples:

  • SAS Grid Manager Client Utility Version 9.47 (build date: Aug 5 2020)

Copyright (C) 2009-2017, SAS Institute Inc., Cary, NC, USA. All Rights Reserved

  • SoftwareAG/webMethods products