--- /dev/null
+[[!meta title="mxconns"]]
+
+[Lionel Cons][LC]'s [mxconns][] is an X Windows monitor and proxy.
+The author suggests you use it to enhance the security of your X
+server by monitoring for connection attempts and dangerous requests
+(e.g. keylogging).
+
+I ran into it while trying to get X forwarding working with my
+[[cluster|Abax]]. Ususally if you [[SSH]] into a remote computer and
+want to run X applications, you use `ssh -Y` to forward your X
+connection to the remote host, and everything works as expected.
+However, I could not figure out how to expose the forwarded server so
+it could except connections from other nodes in the cluster. For
+example, if a job I had running on `n1` wanted to talk to my X server
+(e.g. via [[MPE]]), it would need to connect to `n0`:
+
+ home <--(ssh -Y)----> n0 <--(???)----> n
+
+`mxconns` fills the gap by providing a proxy between the local socket
+provided by `ssh -Y` and a new publicly exposed X socket available to
+`n*`:
+
+ home <--(ssh -Y)----> n0 <--(mxconns)----> n1
+
+`mxconns` needs a configuration file telling it to trust all the
+computers on the cluster, which should look something like:
+
+ n0$ cat ~/.mxconns
+ 192.168.2.* allow
+
+After you've set that up, a full connection will look like
+
+ home$ ssh -Y n0
+ n0$ export DISPLAY=`mxconns -config ~/.mxconns -fork -hunt -verbose`
+ n0$ echo $DISPLAY
+ n0.*.edu:5
+
+after which you can do things like
+
+ n0$ ssh n1
+ n1$ export DISPLAY=n0:5 xeyes
+
+You can explicitly kill `mxconns` when you're done:
+
+ n0$ killall mxconns
+
+or just wait and it will die naturally when you close your initial X
+connection to `n0`.
+
+Packaging
+---------
+
+`mxconns` is enough of a niche app that it's not widely packaged at
+the moment. However, building and installing it is really easy, and
+is well explained in the `README` file. I've added an ebuild to my
+[[Gentoo overlay]] if you're running Gentoo.
+
+Messy details
+-------------
+
+`ssh -Y` sets up an X proxy on `n0` on 127.0.0.1:6010 and sets my
+`DISPLAY` to `localhost:10.0`:
+
+ n0$ netstat -an | grep 6010
+ tcp 0 0 127.0.0.1:6010 0.0.0.0:* LISTEN
+ tcp6 0 0 ::1:6010 :::* LISTEN
+
+However, I *want* the X proxy to bind to `eth0` (192.168.2.100) not
+localhost (127.0.0.1), so other nodes can connect. If you're using
+[OpenSSH][]'s `sshd` on `n0`, you can set `X11UseLocalhost no` in your
+`sshd_config`. However, this binds the `ssh -Y` X connection to the
+wildcard address, exposing it to the world through eth1 (which is bad)
+as well as to the cluster through eth0 (which is good).
+
+X authentication is handled with cookies, and getting cookie detection
+working in `mxconns` turned out to be a key part of patching `mxconns`
+to work in this situation. The `ssh -Y` connection stores its X
+authority cookie under `hostname/unix:dpynum`:
+
+ n0$ xauth list
+ n0/unix:10 MIT-MAGIC-COOKIE-1 ...
+
+as described under the `DISPLAY NAMES` section of [xauth(1)][xauth].
+
+[LC]: http://cons.web.cern.ch/cons/
+[mxconns]: http://mxconns.web.cern.ch/mxconns/
+[OpenSSH]: http://www.openssh.com/
+[xauth]: http://www.x.org/archive/X11R6.8.1/doc/xauth.1.html#sect5