
The Future of Freedom

A Feature Interview with NSA Whistleblower William Binney

Here you will find insights into the emergence of the global surveillance state!

William E. Binney was a highly placed intelligence official with the United States National Security Agency (NSA) for more than 30 years.

In this feature interview William Binney blows the whistle on NSA’s blatant wrongdoings and disregard of US laws, the US Constitution and international law. NSA apparently consistently lies to the US Congress about its doings. Absurdly, NSA has its own secret interpretation of US data protection laws. NSA is, according to William Binney, in the process of building an empire based on corruption and secrecy.

People forget about history. Freedom is an enemy of a totalitarian state. Surveillance of everybody is a prime feature of a totalitarian state. It is the PR of a totalitarian state that surveillance of everybody is for the public good, but in fact it is about control of the general public. People living in East Germany under the Stasi regime remember the surveillance state. According to William Binney they know because they are now living in a post-fascist state, but importantly they are talking about the US as a pre-fascist state.

Facts: NSA hasn’t stopped a single terror attack on US soil with its collection of data. NSA has tap points on more or less all internet connections worldwide. NSA captures daily metadata and content data on hundreds of millions of people in the US and globally without any proof or indication of malice or wrongdoing! Basically no digital device, network or OS is secure now.

If you blow the whistle on NSA, they will come after you with everything they have. And this includes framing people wrongly if needed!

Nothing could be more wrong than the naive world view: “I have nothing to hide, so I have nothing to fear!”

The idea of the surveillance state is grotesque and goes against the very foundation of a democracy. People everywhere should be informed and they should be marching in the streets to protest this. This is about the future of freedom!


Fight for Freedom on the Internet 2015

For the People it is all about freedom. For the people in power it is all about control.

Campaign #Fight4Internet2015 #ContraSurveillanceState #FreeInternet with #Tor and #OTR

United Nations Declaration of Human Rights

Article 12.
• No one shall be subjected to arbitrary interference with his privacy, family, home or correspondence, nor to attacks upon his honour and reputation. Everyone has the right to the protection of the law against such interference or attacks.

Article 19.
• Everyone has the right to freedom of opinion and expression; this right includes freedom to hold opinions without interference and to seek, receive and impart information and ideas through any media and regardless of frontiers.

Freedom online is not something you can take for granted – it is something you have to fight for in 2015!

The current state of PRIVACY AND HUMAN RIGHTS on the Internet.

You can reclaim your privacy, anonymity, and freedom of speech online with apps like:

TorBrowser – browse anonymously everywhere on the web
pidgin – chat anonymously
Adium – chat anonymously (Mac)
Anomos – download torrents anonymously

Tips, Tools and How-tos for Safer Online Communications
The Guardian view on the freedom of the internet: it’s under attack around the world The Guardian, Thursday 11 December 2014
Hubertus Knabe: The dark secrets of a surveillance state ( about Stasi in DDR )
Inside the NSA’s War on Internet Security Der Spiegel

Reconstructing narratives – transparency in the service of justice 30. December 2014 by Jacob Appelbaum & Laura Poitras, Chaos Computer Club



Advanced Bash-Scripting Guide

An in-depth exploration of the art of shell scripting

Mendel Cooper


This tutorial assumes no previous knowledge of scripting or programming, but progresses rapidly toward an intermediate/advanced level of instruction . . . all the while sneaking in little nuggets of UNIX® wisdom and lore. It serves as a textbook, a manual for self-study, and as a reference and source of knowledge on shell scripting techniques. The exercises and heavily-commented examples invite active reader participation, under the premise that the only way to really learn scripting is to write scripts.

This book is suitable for classroom use as a general introduction to programming concepts.

Advanced Bash-Scripting Guide
Advanced Bash-Scripting Guide (original)


My Mac OS X Desktop Icons Disappeared

Today suddenly all icons on my Mac OS X Desktop disappeared or went missing and showed only the default icons. When I opened the Console app and searched for the icon process I saw messages like this:

24/11/13 13.36.30,122[262]: main Failed to composit image for binding VariantBinding [0x34b] flags: 0x8 binding: FileInfoBinding [0x253] - extension: jpg, UTI: public.jpeg, fileType: ????.

Ahh…. it’s the  “” who is the culprit.

Well, I just removed the “Finder” preference file in my home folder and restarted Finder.

$ rm ~/Library/Preferences/; sudo killall -v Finder



How to install Lubuntu Server on Cubietruck from Mac OS X

This is how to install and set up the latest Lubuntu software pack onto the NAND flash of the Cubietruck from a Mac OS X computer.



The Cubietruck is a 5V 2A single-board computer “SBC” / PC on Board “PCB” – much like the Raspberry Pi that has taken the world by storm – but the Cubietruck is just faster, better and stronger. In reality the Cubietruck is more like a real mini PC.

The Cubietruck is based on the dual-core Cortex-A7 (912MHz each) ARM Allwinner CPU with 2 GB RAM. The Cubietruck has 8 GB of onboard bootable NAND flash memory and is expandable with a micro SD card of up to 32GB. You can connect a monitor/TV via the VGA or HDMI interface. The Cubietruck comes equipped with both WiFi and Bluetooth, Gigabit Ethernet, 2 USB 2.0, 1 Micro USB, OTG, SPDIF, IR, and Headphone. You can easily add and fit a 2.5 inch hard disk drive to the Cubietruck out of the box. Power: DC 5V @ 2.5A with HDD, and support for Li-battery & Real Time Clock “RTC”.

The Cubietruck was released for sale on the 31st of October 2013 from

Supported Operating Systems “OS”:

  • Android
  • Fedora
  • Lubuntu
  • Lubuntu Server

BTW: I look forward to an Arch Linux distro for Cubietruck ( you can check here: )!

The Cubietruck comes with Android preinstalled on the NAND – and it works out of the box. The Cubietruck looks for a bootable OS on the micro SD card before it boots from the NAND flash memory.

There are 3 different ways to install and run Lubuntu on the Cubietruck:

  1. NAND flash
  2. Micro SD card
  3. 2.5 HDD / SSD ( or a 3.5 HDD with an external power supply )

1. NAND Installation of the Lubuntu Server

You need this in advance:

  • A Mac running a newer version of OS X with access to the Internet. I am doing this from a MacBook Pro Retina running OS X version 10.9 Mavericks.
  • An assembled Cubietruck incl. cables, with a 2.5 HDD
  • USB Power supply 5v 2/2.5A.
  • An ethernet Internet connection.

Get the software

Download and install the LiveSuit NAND installer in your app folder:

Download the latest Lubuntu NAND image for Cubietruck: Cubietruck Lubuntu Desktop Releases or A20-Cubietruck Lubuntu Server Releases

Connect the mini USB to your mac (mac only).

Open LiveSuit and Select the downloaded Lubuntu NAND image (.img)

Enter FEL Mode

  1. Press FEL key and hold it in
  2. Plug in mini usb cable to the Cubietruck and wait for the prompt
  3. Release FEL key

Flash to Board

When you see the prompt, you have entered FEL mode. Select Yes to continue.

That’s it!

2. Customizing

Changing Boot Parameters

# mount /dev/nanda /mnt
# vi /mnt/uEnv.txt

Change it as you want!

# umount /mnt
# sync
# reboot

Update Lubuntu Server

Normally it’s good practice to update and upgrade your system to the latest version.

# apt-get update; apt-get upgrade
# apt-get install python-apt

NB! You need to install the python-apt package to use do-release-upgrade.

# do-release-upgrade

Modify System Files

To change your local timezone, you need to edit the file /etc/timezone.

# ls /usr/share/zoneinfo

Ex.:  “Europe/Copenhagen”

Remove your old timezone link and make a new one.

# rm /etc/localtime

You can now create a symlink to the appropriate timezone information.

# ln -s /usr/share/zoneinfo/Europe/Copenhagen /etc/localtime

Change timezone ex. “Europe/Copenhagen”.

# nano /etc/timezone

( Use CTRL-x to exit, hit Y to save the file in nano. )

Change hostname /etc/hostname and the hosts file /etc/hosts .

# nano /etc/hostname

Change “Cubietruck” to the name you have in mind. I like cubietruck, so I keep it! 🙂

Edit the /etc/hosts file to reflect the hostname.

# nano /etc/hosts

Modify the line of the file to read: localhost yourhostname

If it is not already so, replace yourhostname with the name you put in /etc/hostname.

Mac OS X specific linux software & daemons

In order for your Macs to automatically see and discover services on your Cubietruck, it is convenient to install Apple’s zero-conf network service “Bonjour” or “Rendezvous” and Netatalk AFP.

# apt-get install avahi-daemon

You can verify the Bonjour install on the Cubietruck with ping from the Terminal app on your Mac OS X computer.

# ping cubietruck.local

If you want to connect your Cubietruck with Apple’s file service AFP “AppleTalk”, so that your Cubietruck automatically shows up in Finder, you need to install the open source version, Netatalk.

# apt-get install netatalk

You will find the Netatalk config files in /etc/netatalk.


It’s good practice to change the root password straight away.

NB! You should also remove the default user linaro and disable ssh for root.

# passwd

Create a new regular user:

# adduser newuser

Follow the prompts; use whatever username you’d like to log in. The next available UID is fine. Use the default users as the initial group.

Add the user to the Super User Do list.

Logout, and relogin as the regular user:

# logout
login: newuser
password: yourpassword
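
A way to check the two hardening steps named above (disable ssh for root, remove the default user linaro), as an added example that is not part of the original guide. The function names and the sample sshd_config and passwd contents are constructed for illustration; on the board you would point the audit at /etc/ssh/sshd_config and /etc/passwd.

```shell
#!/bin/sh
# Added example: audit SSH root login and the default account.
# All file contents below are constructed samples.

# sshd_effective FILE KEYWORD
#   Prints the global value sshd would use for KEYWORD, lower-cased.
#   sshd_config keywords are case-insensitive and the FIRST value wins.
#   Exit status 1 if the keyword is not set before any Match block.
#   Assumption: plain "Keyword value" lines; Include files are not followed.
sshd_effective() {
    awk -v want="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[ \t]*(#|$)/          { next }               # comments, blank lines
        tolower($1) == "match"  { exit }               # conditional section starts
        tolower($1) == want     { print tolower($2); found = 1; exit }
        END                     { if (!found) exit 1 }
    ' "$1"
}

# audit_login_hardening SSHD_CONFIG PASSWD_FILE
#   Prints one line per finding; exit status is the number of findings.
audit_login_hardening() {
    findings=0
    root_login=$(sshd_effective "$1" PermitRootLogin) || root_login="unset"
    if [ "$root_login" != "no" ]; then
        echo "FINDING: PermitRootLogin is '$root_login' (want 'no')"
        findings=$((findings + 1))
    fi
    if grep -q '^linaro:' "$2"; then
        echo "FINDING: default account 'linaro' is still present"
        findings=$((findings + 1))
    fi
    return "$findings"
}

# write_samples DIR: constructed "before" and "after" states.
write_samples() {
    cat > "$1/sshd_config.before" <<'EOF'
# constructed sample
Port 22
PermitRootLogin yes
# appended later, but never used: the first value wins
PermitRootLogin no
EOF
    cat > "$1/passwd.before" <<'EOF'
root:x:0:0:root:/root:/bin/bash
linaro:x:1000:1000:Linaro:/home/linaro:/bin/bash
EOF
    cat > "$1/sshd_config.after" <<'EOF'
# constructed sample
Port 22
PermitRootLogin no
EOF
    cat > "$1/passwd.after" <<'EOF'
root:x:0:0:root:/root:/bin/bash
newuser:x:1001:1001:,,,:/home/newuser:/bin/bash
EOF
}

demo_dir=$(mktemp -d)
write_samples "$demo_dir"
echo "before:"
audit_login_hardening "$demo_dir/sshd_config.before" "$demo_dir/passwd.before" || true
echo "after:"
audit_login_hardening "$demo_dir/sshd_config.after" "$demo_dir/passwd.after" \
    && echo "no findings"
rm -rf "$demo_dir"
```

The "before" sample shows why appending PermitRootLogin no to the end of the file is not enough when an earlier line already sets it.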

3. Moving Rootfs From Nandflash To Hard Drive


Prepare the drive for rootfs

The drive must have a primary partition formatted with the “ext4” filesystem. You can use the Linaro user interface DISK app, gparted or the following shell commands to partition your HDD.

List all available drives:

# fdisk -l

Choose the drive you want to make changes to (e.g. sda):

# fdisk /dev/sda

Use “p” (print the partitions of a drive), “d” (delete a partition) or “n” (create a new partition). The partition should be of type “83”.

Format the partition for rootfs with EXT4 filesystem:

# mkfs.ext4 /dev/sda1

Copying Rootfs

Assuming that /dev/sda is the hard drive we want to install.

$ sudo su - root
# dd if=/dev/nandb of=/dev/sda1 bs=1M

Changing Boot Parameters

$ sudo su - root
# mount /dev/nanda /mnt
# nano /mnt/uEnv.txt

extraargs=console=ttyS0,115200 disp.screen0_output_mode=EDID:1280x720p50 rootwait panic=10 rootfstype=ext4 rootflags=discard


Change the contents of uEnv.txt from “nand_root=/dev/nandb” to “nand_root=/dev/sda1”, and check the changes with the cat command.

# cat /mnt/uEnv.txt

Unmount the partition.

# umount /mnt

Flush the file system buffers with sync.

# sync
# reboot

That’s it!


Cubieboard3: Cubietruck is all ready with links software etc.
LiveSuit Guide
Moving Rootfs From Nandflash To Hard Drive
Tutorials for Cubietruck
FAQ specs and faq’s
A20-Cubietruck specs from SUNXI
Cubieforum for Q&A’s


The Debian Administrator’s Handbook by Raphaël Hertzog and Roland Mas
How to use Logical Volume Manager (LVM) to grow ext4 file systems online

InstallingANewHardDrive – Installing a new HDD


Hounding of Snowden must stop

Amnesty International meets US whistleblower Edward Snowden

Right of asylum


The right to Privacy for All

Open letter to the Police State and its supporters,

The right to privacy is a basic human need – as is the right to mingle with others freely. This is at the very foundation of human life – and maybe life itself. I believe we call it freedom in the human world.

Imagine a world where privacy is no longer possible. Whatever you do, whatever you say, wherever you go, with whom you are together, is recorded and stored centrally by a National Security Agency in a Police State.

It is no longer possible to have a private conversation with a friend without the Police State listening in, recording and storing your conversation. And you even have to worry about your friends’ backgrounds because your very association with them is on public record. It’s no longer possible to help a friend, talk to your neighbor, or do business in privacy because all is on public record.

Your hobbies, interests, readings, private life and political views are recorded, analyzed and stored. Your eating habits, your consumption of unhealthy foods, alcohol and drugs are recorded. Your childhood, adolescence, adult life and family history now also belong to the Police State. Even your sexual preference is on public record for safety reasons. Your medical record, health history and genetic make-up belong to the archives in the Police State. And all your private property and significant belongings are under constant surveillance by the National Security Agency.

For public safety reasons in the Police State the National Security Agency pieces every imaginable sort of information it can collect about you together and fits it into a complete and auto updated profile on you. The Police State will hold such records for themselves on all citizens of the world.

Just imagine this!

Now realize that this scenario is very close to the reality we currently live in, or at least realize that it is a likely near future of the world.

To be able to spy on all citizens in the world in all aspects without limitation of any kind is the aspiration, hope and dream of almost every National Security Agency all over the world!

How can this kind of surveillance power only exist for the safety of the public when it belongs to the few in power?

This is ‘not something I’m willing to live under’!

I would rather live with uncertainty, insecurity and fear in a fragile democracy, than live in a certain, secure and peaceful surveillance Police State. I object to the idea of a Police State. And I will work against the realization of a worldwide Police State.

Reference: Edward Snowden: US surveillance ‘not something I’m willing to live under’, interview by Glenn Greenwald in The Guardian, 8th of July 2013

The Universal Declaration of Human Rights United Nations ( UN )

Snowden made the right call when he fled the U.S. 8th. of July 2013 by Daniel Ellsberg
2011: A Brave New Dystopia by Chris Hedges 27. December 2010

Online Privacy:
Internet Privacy
The Tor Project – Web Online Anonymity
DuckDuckGo – Anonymous Searching of the Internet
Pretty Good Privacy – Protect your files and email with open source encryption

Support Online Privacy Organizations:
Electronic Frontier Foundation – Electronic Privacy Information Center
Internet Defense League

Nineteen Eighty-Four by George Orwell
Brave New World by Aldous Huxley


I support a free Internet

I support freedom of speech.

I support the right of privacy.

I support a free Internet.

Support the Electronic Frontier Foundation in its effort to make the US Government and the like aware of the digital rights of the people in this world!

And do join the Internet Defense League with the rest of us and defend the free internet!

Share this 4th. of July message with others!

Reference: The NSA Files


No need for more hot air in the cloud

Is Amazon’s new music cloud the real deal? This is what Amazon CEO and Founder, Jeff Bezos, is offering you:

“Dear Customers,

Managing a digital music collection can be a bit messy. You can buy music from your phone, but how do you transfer it to your home or work computer? Also, if you’re not regularly backing up your music collection, you can lose it with a disk drive crash.

Today, we’re introducing an important new service to give you a simple way to keep your music safe and have it with you, everywhere. It’s called Amazon Cloud Player. MP3 songs and albums you purchase from, even those you purchased in the past, will be available in Cloud Player, which means you’ll have a secure backup copy of the MP3s you buy at Amazon, free of charge. We’ve also made it easy to get the rest of the music that’s on your computer to Cloud Player, even music purchased from iTunes or uploaded from CDs. We’ll match the songs on your computer to’s catalogue of over 20 million songs. All songs we match are instantly made available in Cloud Player and upgraded to high-quality 256 kbps audio. Music we can’t match will be uploaded to Cloud Player, so your entire digital music collection will be available.”

Yes, managing a digital music collection can be a bit messy at times. So the security that Amazon offers your precious music collection might be sensible and practical. Just remember it’s only a backup solution for the music you purchased at Amazon. For Amazon there is no need for more hot air in the cloud. All Jeff Bezos is offering you is a link to a music file in the Amazon music archive.

Reference:  Amazon Cloud Player


Critical Thinking


The Story of Stuff

Reference: The Story of Stuff


We No Longer Trust Google

Who is lurking in the darkness? Google is lurking in the darkness as Gmonster if you ask me, friends of the Internet, as well as quite a few grand organizations, legislators and government officials around the world dealing with privacy, security and data protection issues.

Recently Google has been caught with their cute innocent Googli map cars sucking the data right out of private WiFi networks in big cities around the globe. Reluctantly Google has admitted to this infringement on people’s privacy and has come up with an apology to the citizens of the World Wide Web. Google did not tell the whole truth at first. Google softly claims it to be an error of some unknowing technician. Ha ha.. Is this a joke!?

This mishap might end up having devastating consequences for Google. And this is not the only report about dodgy Google behavior. Google is known to suppress and censor certain undesirable data. Google sniffs search keywords not yet submitted in search fields. Google does things to your gmail account you do not even wanna hear about. It all adds up. On behalf of the people of the Internet:


Google: Eric Schmidt hints at China ambitions

Google Data Admission Angers European Officials 15. May 2010
WiFi data collection: an update 14. May 2010
Data collected by Google cars 27. April 2010

Background (just a few):
Countries ask Google to drop “launch now, fix later” policy
Google Rethinks Privacy, Scales Back Data Collection


Understanding SSH

SSH lets you send secure, encrypted commands to a computer remotely, as if you were sitting at the computer. You use the ssh tool in Terminal to open a command-line connection to a remote computer. While the connection is open, commands you enter are performed on the remote computer.

Note: If the SSH service ( sshd daemon ) is enabled you can use any application that supports SSH to connect to a computer running Mac OS X or Mac OS X Server.

How SSH Works

SSH works by setting up encrypted tunnels using public and private keys. Here is a description of an SSH session:

  1. The local and remote computers exchange public keys. If the local computer has never encountered a given public key, SSH and your web browser prompt you whether to accept the unknown key.
  2. The two computers use the public keys to negotiate a session key used to encrypt subsequent session data.
  3. The remote computer attempts to authenticate the local computer using RSA or DSA certificates. If this is not possible, the local computer is prompted for a standard user-name/password combination.
  4. After successful authentication, the session begins and remote shell, a secure file transfer, a remote command, or other action is begun through the encrypted tunnel.

The following are SSH tools:

  • sshd—Daemon that acts as a server to all other commands
  • ssh—Primary user tool that includes a remote shell, remote command, and port-forwarding sessions
  • scp—Secure copy, a tool for automated file transfers
  • sftp—Secure FTP, a replacement for FTP

Generating Key Pairs for Key-Based SSH Connections

By default, SSH supports the use of password, key, and Kerberos authentication. The standard method of SSH authentication is to supply login credentials in the form of a user name and password. Identity key pair authentication enables you to log in to the server without supplying a password.

Key-based authentication is more secure than password authentication because it requires that you have the private key file and know the password that lets you access that key file. Password authentication can be compromised without a private key file.

This process works as follows:

  1. A private and a public key are generated, each associated with a user name to establish that user’s authenticity.
  2. When you attempt to log in as that user, the user name is sent to the remote computer.
  3. The remote computer looks in the user’s .ssh/ folder for the user’s public key. This folder is created after using SSH the first time.
  4. A challenge is sent to the user based on his or her public key.
  5. The user verifies his or her identity by using the private portion of the key pair to decode the challenge.
  6. After the key is decoded, the user is logged in without the need for a password. This is especially useful when automating remote scripts.

Note: If the server uses FileVault to encrypt the home folder of the user you want to use SSH to connect as, you must be logged in on the server to use SSH. Alternatively, you can store the keys for the user in a location that is not protected by FileVault, but this is not secure.

To generate the identity key pair:

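  1. Enter the following command on the local computer: $ ssh-keygen -t dsa (OpenSSH 7.0 and later disable DSA keys by default, so on current systems choose the RSA or Ed25519 key type instead.)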
  2. When prompted, enter a filename in the user’s folder to save the keys in; then enter a password followed by password verification (empty for no password). For example:
    Generating public/private dsa key pair.
    Enter file in which to save the key (/Users/anne/.ssh/id_dsa): frog
    Enter passphrase (empty for no passphrase):
    Enter same passphrase again:
    Your identification has been saved in frog.
    Your public key has been saved in
    The key fingerprint is:
    4a:5c:6e:9f:3e:35:8b:e5:c9:5a:ac:00:e6:b8:d7:96

    This creates two files. Your identification or private key is saved in one file (frog in our example) and your public key is saved in the other ( in our example).

    The key fingerprint, which is derived cryptographically from the public key value, also appears. This secures the public key, making it computationally infeasible for duplication.

  3. Copy the resulting public file, which contains the local computer’s public key, to the .ssh/authorized_keys file in the user’s home folder on the remote computer (~/.ssh/authorized_keys).
  4. The next time you log in to the remote computer from the local computer you won’t need to enter a password.

Note: If you are using an Open Directory user account and have logged in using the account, you do not need to supply a password for SSH login. On Mac OS X Server computers, SSH uses Kerberos for single sign-on authentication with any user account that has an Open Directory password. (Kerberos must be running on the Open Directory server.) For more information, see Open Directory Administration.

Updating SSH Key Fingerprints

The first time you connect to a remote computer using SSH, the local computer prompts for permission to add the remote computer’s fingerprint (or encrypted public key) to a list of known remote computers. You might see a message like this:

The authenticity of host "" can’t be established. RSA key fingerprint is a8:0d:27:63:74:f1:ad:bd:6a:e4:0d:a3:47:a8:f7. Are you sure you want to continue connecting (yes/no)?

The first time you connect, you have no way of knowing whether this is the correct host key. Most people respond “yes.” The host key is then inserted into the ~/.ssh/known_hosts file so it can be verified in later sessions.

Be sure this is the correct key before accepting it. If possible, provide users with the encryption key through FTP, mail, or a download from the web, so they can be sure of the identity of the server.

If you later see a warning message about a man-in-the-middle attack (see below) when you try to connect, it might be because the key on the remote computer no longer matches the key stored on the local computer. This can happen if you:

  • Change your SSH configuration on the local or remote computer.
  • Perform a clean installation of the server software on the computer you are attempting to log in to using SSH.
  • Start up from a Mac OS X Server CD on the computer you are attempting to log in to using SSH.
  • Attempt to use SSH to access a computer that has the same IP address as a computer that you used SSH with on another network.

To connect again, delete the entries corresponding to the remote computer (which can be stored by name and IP address) in the file ~/.ssh/known_hosts.

An SSH Man-in-the-Middle Attack

Sometimes an attacker can access your network and compromise routing information, so that packets intended for a remote computer are routed to the attacker, who then impersonates the remote computer to the local computer and the local computer to the remote computer.

Here’s a typical scenario: A user connects to the remote computer using SSH. By means of spoofing techniques, the attacker poses as the remote computer and receives information from the local computer. The attacker then relays the information to the intended remote computer, receives a response, and then relays the remote computer’s response to the local computer.

Throughout the process, the attacker is privy to all information that goes back and forth, and can modify it.

A sign that can indicate a man-in-the-middle attack is the following message that appears when connecting to the remote computer using SSH.


Protect against this type of attack by verifying that the host key sent back is the correct host key for the computer you are trying to reach. Be watchful for the warning message, and alert your users to its meaning.

Important: Removing an entry from the known_hosts file bypasses a security mechanism that would help you avoid imposters and man-in-the-middle attacks. Before you delete its entry from the known_hosts file, be sure you understand why the key on the remote computer has changed.
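
One way to make that verification concrete before touching known_hosts, as an added example that is not part of the quoted manual: compare the key stored for a host with the key the administrator published out of band. The function names, host names and key blobs are constructed sample values; the check assumes literal (unhashed, non-wildcard) host names.

```shell
#!/bin/sh
# Added example: compare the key recorded in known_hosts with a key obtained
# out of band, before deciding whether a changed-key warning is benign.
# All hosts and key blobs below are constructed sample values, not real keys.

KEY_ONE="AAAAC3NzaC1lZDI1NTE5AAAAIConstructedSampleKeyONE"
KEY_TWO="AAAAC3NzaC1lZDI1NTE5AAAAIConstructedSampleKeyTWO"
KEY_THREE="AAAAC3NzaC1lZDI1NTE5AAAAIConstructedSampleKeyTHREE"
KEY_BAD="AAAAC3NzaC1lZDI1NTE5AAAAIConstructedSampleKeyBAD"

# check_host_key KNOWN_HOSTS HOST KEYTYPE TRUSTED_BLOB
#   prints match | MISMATCH | unknown | revoked   (exit status 0 | 1 | 2 | 3)
# Assumption: only literal host names are matched. Wildcard patterns are not
# expanded, and hashed entries ("|1|salt|hash") are skipped.
check_host_key() {
    awk -v host="$2" -v ktype="$3" -v trusted="$4" '
        /^[ \t]*(#|$)/ { next }                       # comments, blank lines
        {
            i = 1; marker = ""
            if (substr($1, 1, 1) == "@") { marker = $1; i = 2 }
            hosts = $i; type = $(i + 1); blob = $(i + 2)

            # A revoked key must never be accepted, whatever host it names.
            if (marker == "@revoked") {
                if (type == ktype && blob == trusted) revoked = 1
                next
            }
            if (marker == "@cert-authority") next     # CA key, not a host key
            if (substr(hosts, 1, 3) == "|1|") next    # hashed host name

            n = split(hosts, name, ",")
            hit = 0
            for (j = 1; j <= n; j++) if (name[j] == host) hit = 1
            if (!hit || type != ktype) next

            seen = 1                                  # host has a stored key
            if (blob == trusted) ok = 1
        }
        END {
            if (revoked) { print "revoked";  exit 3 }
            if (ok)      { print "match";    exit 0 }
            if (seen)    { print "MISMATCH"; exit 1 }
            print "unknown"; exit 2
        }
    ' "$1"
}

# write_sample_known_hosts FILE: constructed known_hosts content.
write_sample_known_hosts() {
    cat > "$1" <<EOF
# constructed sample known_hosts
cubietruck.local,192.168.1.50 ssh-ed25519 $KEY_ONE
[build.example.net]:2222 ssh-ed25519 $KEY_TWO
|1|Y29uc3RydWN0ZWQ=|c2FtcGxlaGFzaA== ssh-ed25519 $KEY_THREE
@revoked * ssh-ed25519 $KEY_BAD
EOF
}

sample=$(mktemp)
write_sample_known_hosts "$sample"
# Stored key equals the published key: the entry is fine, keep it.
check_host_key "$sample" cubietruck.local ssh-ed25519 "$KEY_ONE" || true
# Published key differs from the stored one: find out why before deleting.
check_host_key "$sample" cubietruck.local ssh-ed25519 "$KEY_TWO" || true
rm -f "$sample"
```

For hashed entries, `ssh-keygen -F host` looks a host up in known_hosts; once a mismatch has been explained, `ssh-keygen -R host` removes the stale entry.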

Connecting to a remote computer using SSH

Use the ssh tool to create a secure shell connection to a remote computer. To access a remote computer using ssh:

  1. Open Terminal.
  2. Log in to the remote computer by entering the following command:
    $ ssh -l username server
    Replace username with the name of an administrator user on the remote computer.
    Replace server with the name or IP address of the remote computer. For example:
    $ ssh -l anne
    If this is the first time you’ve connected to the remote computer, you’re prompted to continue connecting after the remote computer’s RSA fingerprint appears.
  3. Enter yes.
  4. When prompted, enter the user’s password for the remote computer.
    The command prompt changes to show that you’re connected to the remote computer. In the case of the previous example, the prompt might look like this: anne$
  5. To send a command to the remote computer, enter the command.
  6. To close a remote connection, enter logout.
    You can authenticate and send a command using a single line by appending the command to execute to the basic ssh tool. For example, to delete a file you could use:
    $ ssh -l anne rm /Users/anne/Documents/report
    $ ssh -l "rm /Users/anne/Documents/report"
    You’re prompted for the user’s password.

Mac OS X Server (v10.3 or Later): CommandLine Administration (Manual) p. 31 – 35


Test the SMTP Service

To test the SMTP service, follow these steps:
1. Type Telnet at a command prompt (Terminal), and then press ENTER.
2. At the telnet prompt, type set LocalEcho, press ENTER, and then type open 25, and then press ENTER.
3. Type helo me, and then press ENTER.
The output resembles the following:
250 OK
4. Type mail, and then press ENTER.
The output resembles the following:
250 OK – mail from
5. Type rcpt, and then press ENTER.
The output resembles the following:
250 OK – Recipient
6. Type Data, and then press ENTER.
The output resembles the following:
354 Send data. End with CRLF.CRLF
7. Type Subject:This is a test, and then press ENTER two times.
8. Type Testing, and then press ENTER.
9. Press ENTER, type a period (.), and then press ENTER.
The output resembles the following:
250 OK
10. Type quit, and then press ENTER.
The output resembles the following:
221 Closing Port / Mail queued for delivery


How to enable X11 Forwarding with SSH on Mac OS X Leopard

Apple Remote Desktop (ARD) or VNC is a wonderful invention if you want full control over a remote desktop, but what if you only want to access the user display of one single X11 program on a remote machine?

This is possible on Mac OS X with X11 Forwarding.

THIS ARTICLE HAS BEEN REWRITTEN (Manually setting the $DISPLAY variable is insecure!)


X11 environments on both the local and remote machine (see man X). Ensure network access for X11. In X11 (Quartz) on Mac OS X, check the authorization and client access options in the Security pane under Preferences.

Enable X11 forwarding with the “X11Forwarding yes” option set in “/private/etc/sshd_config” for the SSH daemon on your own local X11 host, in order to receive X11 client requests back from the remote machine through ‘ssh’ with the -X option set.

Start or restart the Remote Login (SSH) service in the Sharing pane of System Preferences on Mac OS X. The SSH daemon should run on the remote machine as well!

See “man ssh”,  “man ssh_config” and “man sshd_config” for the complete explanation.

3 Simple Steps to X11 Forward on Mac OS X

1. Open  “Terminal” in Mac OS X Leopard.

2. Connect to your remote host with ssh -X to forward X11 (see “man ssh” for the use of the -X or -Y flag for X11 forwarding):

ssh -X johndoe@123.456.789

3. Start your remote X11 program and view the user display on your local machine:

xeyes &

Voila, it works! The X application will start up your X11 environment. It’s quite easy to do X11 forwarding once you get the hang of it.

Do elegant X11 stuff with ssh -X -f like:

ssh -X -f user@remotehost xcalc -bg black -fg green

Caveat Notes:

Have the latest and updated versions of Mac OS X, Developer and X11.

3 Clues to successful X11 forwarding:

A. When you make changes to /etc/sshd_config remember to restart the Remote Login Service (SSH).

B. Remember to allow incoming access to X11 in the X11 preferences and through your firewall(s) and router!

C. And you will of course have to be accurate about your local and remote machine naming convention i.e. John-Does-iMac.local or Check with “echo $HOSTNAME”. On the remote machine you could also do a check with $REMOTEHOST (if set) to check your own machine name on the remote host.

NOT! Sometimes it is necessary to use xhost +remotehost and set the $DISPLAY environment variable manually on Mac OS X (something the -X or -Y flag in ssh should normally do for you). Try “echo $DISPLAY” on the local and the remote machine to get hints about the $DISPLAY status. You can always check your environment with “env” and “$”. On Mac OS X Leopard you use export with the bash shell to set environment variables, as opposed to tcsh, which uses setenv. You should only set the $DISPLAY variable manually in a secure environment, i.e. a local network.

NEW! Do not set the DISPLAY variable on the client. You will most likely disable encryption. (X connections forwarded through Secure Shell use a special local display setting.)

If you have further problems try to use -v, -vv or even -vvv verbose flag with ssh to debug.
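
The point of the NEW! note above can be checked from inside the SSH session on the remote host. The following is an added example, not part of the original article: it classifies a DISPLAY value and flags the case where X traffic would bypass the SSH tunnel. The function names and sample values are constructed; it assumes sshd's default of binding the forwarded display to the loopback interface.

```shell
#!/bin/sh
# Added example: does DISPLAY point at the SSH tunnel or at a raw TCP X server?
# Sample values are constructed (192.0.2.x is a documentation address range).

# classify_display VALUE
#   prints unset | local-socket | loopback-tcp | remote-tcp | invalid
classify_display() {
    case "$1" in
        "")                                 echo unset ;;
        /*|:*|unix:*)                       echo local-socket ;;   # :0, socket path
        localhost:*|127.0.0.1:*|"[::1]":*)  echo loopback-tcp ;;   # e.g. localhost:10.0
        *:*)                                echo remote-tcp ;;     # e.g. host:0
        *)                                  echo invalid ;;
    esac
}

# check_forwarded_display DISPLAY_VALUE SSH_CONNECTION_VALUE
#   tunnelled      (0)  DISPLAY is the loopback proxy that sshd set up
#   UNENCRYPTED    (1)  DISPLAY names another host: X traffic skips the tunnel
#   no-forwarding  (2)  DISPLAY is empty: forwarding was not requested or granted
#   not-forwarded  (3)  DISPLAY is a display local to the remote machine
#   not-ssh-session(0)  SSH_CONNECTION is empty, nothing to check
check_forwarded_display() {
    if [ -z "$2" ]; then
        echo not-ssh-session
        return 0
    fi
    case "$(classify_display "$1")" in
        loopback-tcp) echo tunnelled;     return 0 ;;
        remote-tcp)   echo UNENCRYPTED;   return 1 ;;
        unset)        echo no-forwarding; return 2 ;;
        *)            echo not-forwarded; return 3 ;;
    esac
}

# Constructed SSH_CONNECTION value: client IP, client port, server IP, server port.
sample_conn="192.0.2.10 50000 192.0.2.20 22"
for d in "localhost:10.0" "192.0.2.10:0.0" "" ":0"; do
    printf '%-18s -> ' "DISPLAY='$d'"
    check_forwarded_display "$d" "$sample_conn" || true
done
```

On a real session, call it as check_forwarded_display "$DISPLAY" "$SSH_CONNECTION" on the remote host after logging in with ssh -X.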

X11 Forwarding:
X11 Forwarding
Configuring and running X11 Applications on Mac OS X
X11 FAQ  – Technical Q&A QA1232
Technical Q&A QA1383 Enabling X11 Forwarding
Forwarding X11 from a Remote Computer to the Mac
ssh X forwarding debugging
Display Names

X Window System
The X Window System (Introduction from FreeBSD Handbook)
XQuartz project (X11)

Command-Line Administration Version 10.5 Leopard (PDF) (Connecting to Remote Computers p. 31 – 37)
Introduction to Command-Line Administration Version 10.6 Snow Leopard (PDF) (Connecting to Remote Computers p. 27 – 33)


Open Source X11
UNIX & Open Source downloads