X11 forwarding over ssh applications very slow to start
Solution 1
Problem is that ssh does things on the loopback with IPv6 and I had ip6tables set up to drop all traffic. Just did the following and it works now:
ip6tables -A INPUT -i lo -j ACCEPT
ip6tables -A OUTPUT -o lo -j ACCEPT
ip6tables -A FORWARD -i lo -o lo -j ACCEPT
Thanks to ezakimak on #gentoo for pointing out the ipv6 angle.
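A check for the condition this answer describes, as an added example that is not part of the original answer: it classifies the text that `ip6tables -S` prints, per chain, as `blocked` (loopback traffic is dropped), `scoped` (default deny kept, unconditional `lo` accept present) or `open` (no default deny at all). The function names and the sample rulesets are constructed for illustration.

```sh
#!/bin/sh
# Added example, not from the original answer: audit `ip6tables -S` text
# for the loopback condition discussed above. All names are illustrative.

# chain_state RULES CHAIN FLAG  ->  prints open | scoped | blocked
chain_state() {
    cs_policy=ACCEPT cs_lo=no cs_deny=no
    while IFS= read -r cs_line; do
        case $cs_line in
            "-P $2 "*) cs_policy=${cs_line#"-P $2 "} ;;
            # Only the unconditional loopback rule counts, and only if no
            # catch-all DROP/REJECT earlier in the chain shadows it.
            "-A $2 $3 lo -j ACCEPT")
                if [ "$cs_deny" = no ]; then cs_lo=yes; fi ;;
            "-A $2 -j DROP"|"-A $2 -j REJECT"*) cs_deny=yes ;;
        esac
    done <<EOF
$1
EOF
    if [ "$cs_policy" != ACCEPT ]; then cs_deny=yes; fi
    if [ "$cs_deny" = no ]; then echo open        # nothing is filtered
    elif [ "$cs_lo" = yes ]; then echo scoped     # default deny + lo allowed
    else echo blocked; fi                         # loopback is dropped
}

# audit_ruleset RULES  ->  prints "INPUT=<state> OUTPUT=<state>"
audit_ruleset() {
    echo "INPUT=$(chain_state "$1" INPUT -i) OUTPUT=$(chain_state "$1" OUTPUT -o)"
}

# Constructed sample rulesets in `ip6tables -S` format.
BROKEN='-P INPUT DROP
-P FORWARD DROP
-P OUTPUT DROP'
FIXED="$BROKEN
-A INPUT -i lo -j ACCEPT
-A FORWARD -i lo -o lo -j ACCEPT
-A OUTPUT -o lo -j ACCEPT"
BROAD='-P INPUT ACCEPT
-P FORWARD DROP
-P OUTPUT ACCEPT'
SHADOWED='-P INPUT ACCEPT
-P OUTPUT ACCEPT
-A INPUT -j DROP
-A INPUT -i lo -j ACCEPT'

for name in BROKEN FIXED BROAD SHADOWED; do
    eval "rules=\$$name"
    printf '%-9s %s\n' "$name" "$(audit_ruleset "$rules")"
done
```

On a live host the input would be `"$(ip6tables -S)"`, run as root.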
Solution 2
What is the latency/RTT to the server (a simple ping would suffice)? What application are you trying to start?
X11 is a synchronous protocol, with serialized drawing calls. If the latency is high or the application executes many drawing calls, its load time will increase.
If you can, you should install freenx on the server and use an nx client (e.g. remmina or the nomachine.com client): they work by de-serializing X11 drawing calls, giving much improved performance.
CrazyCasta
Updated on September 18, 2022
Comments
-
CrazyCasta over 1 year
I have a server that is extremely slow (takes 3-5 minutes) at starting X11 applications over a forwarded X11 link. I have tried connecting to it with 2-3 different machines with different operating systems. After the applications start everything seems to be fine. I am connecting using trusted X11 forwarding (ssh -Y) and using cert based authentication (not that that should matter).
The operating system is Gentoo Linux on amd64. None of the applications give any messages related to the X environment (one shows nothing, another just a standard welcome message and the last an error message about a resource being in use, which the window that finally popped up told me about as well).
As per Bertera's suggestion I ran with the -v option. It doesn't print anything until the window shows up when it prints:
debug1: client_input_channel_open: ctype x11 rchan 3 win 87380 max 16384
debug1: client_request_x11: request from 127.0.0.1 43716
debug1: channel 1: new [x11]
debug1: confirm x11
Also, I have tested ssh port forwarding and it is extremely slow as well (and I'm guessing this could be the problem with the X11 forwarding).
-
Dom about 11 years
Check if your IP address is known in all the servers. Check the logs, you will maybe see an IP instead of a FQDN.
-
Bertera about 11 years
Maybe a DNS issue? Try to use the -v option to see where ssh gets stuck.
-
CrazyCasta about 11 years
I'm unclear how DNS could be related to this. In any case, if I connect to the IP instead of the FQDN it still takes a really long time. As for using the -v option, nothing is printed out at the point that it gets stuck.
-
CrazyCasta about 11 years
P.S. Just to be clear, it's not the ssh connection that is taking forever, it's the starting of an application after having connected.
-
MastaJeet about 11 years
To troubleshoot you could run tcpdump on the xserver, filtering for traffic from the client. If there is no traffic then something is happening on the client. If there is a large amount of traffic it may be the X protocol being chatty. I believe for modern apps the client renders the decorations and will have to be initially transmitted as bitmaps to the server, which caches them thereafter.
-
Michael Hampton about 11 years
Of course. localhost is an IPv6 address by default, and port forwards connect/bind to/from localhost on the remote system.
-
CrazyCasta about 11 years
No, it all depends on how the listener is listening. On my machine localhost is 127.0.0.1, but because ssh is listening on an IPv6 socket it uses the IPv6 version of that.
-
CrazyCasta about 9 years
As you see, I've already figured out the problem. Furthermore I have no interest in installing extra junk like nomachine.
-
Felix Frank over 8 years
@CrazyCasta ...and that's why you downvoted a seemingly legitimate answer?
-
CrazyCasta over 8 years
@FelixFrank Yes, when there's already an answer that completely fixes the problem I don't see the point in adding an answer that 1) asks questions, 2) provides an incorrect answer (has nothing to do with the X11 serialization) and 3) suggests that I try some other software for a problem that I've already fixed. It doesn't rise to the level of flagging the answer, but I don't see it as constructive.
-
Felix Frank over 8 years
@CrazyCasta I disagree completely. Yes, your particular issue was solved, but for future readers of your questions (e.g., yours truly), shodanshok's answer is actually more helpful because it offers general approaches that are valuable even in the general case when the reader does not happen to suffer from your exact issue.
-
Walter A about 4 years
My ip6tables -L INPUT showed policy DROP. Even a simple ssh localhost exit was very slow. After ip6tables -P INPUT ACCEPT it was fixed.
-
CrazyCasta about 4 years
@WalterA You really really don't want to do ip6tables -P INPUT ACCEPT. You should do like I did, or open other ports on a one-by-one basis so as not to compromise your firewall.
-
Walter A about 4 years
@CrazyCasta I never heard of ip6tables before I found your post. When I compared 2 sites where one was working and the other not, I found that the other had INPUT ACCEPT. Another option I found was changing sshd_config, which looked like a worse solution. Just now I understand that -i lo limits the ACCEPT rule to the loopback interface. Tx!