Softpanorama
(slightly skeptical) Open Source Software Educational Society

May the source be with you, but remember the KISS principle ;-)

Softpanorama Search

X11 Forwarding over SSH

News SSH Recommended Links Mini-tutorial Humor Etc

X11 tunneling is important for access to servers in DMZ and other restricted segments where X11 might be blocked by firewall.

X uses port 6000+display number, so display :0 is port 6000, :1 is 6001, and so on. The beauty with SSH is that you don't have to open up any ports, since it forwards it over its own encrypted tunnel connection. SSH can transparently encrypt another application's data stream. This is called port forwarding.

One of SSH's major benefits is transparency. A terminal session secured by SSH behaves like an ordinary, insecure one (e.g., created by telnet or rsh) once it has been established. Behind the scenes, however, SSH keeps the session secure with strong authentication, encryption, and integrity checking.

SSH forwarding isn't completely transparent, since it occurs at the application level, not the network level. Applications must be configured to participate in forwarding, and a few protocols are problematic to forward (FTP data channels are a notable example). But in most common situations, once a secure tunnel is set up, the participating applications appear to the user to operate normally. For complete application-level transparency, you need a network-level technique, such as IPSEC or a Virtual Private Network (VPN) technology.

Forwarding is a type of interaction with another network application. SSH intercepts a service request from some other program on one side of an SSH connection, sends it across the encrypted connection, and delivers it to the intended recipient on the other side. This process is mostly transparent to both sides of the connection: each believes it is talking directly to its partner and has no knowledge that forwarding is taking place. Even more powerfully, SSH forwarding can achieve certain types of communication that are impossible without it.

Forwarding isn't a new concept. The basic operation of a terminal connection over a network (say, using telnet) is also a kind of forwarding. In a telnet connection, you sit on one end, your remote shell is on the other, and both sides operate as if directly connected by a serial cable.

There is also another type of SSH forwarding, agent forwarding.  This let us create SSH connections from one computer, through a second computer, and onto a third using public-key authentication, but without installing our private key on the second machine. To accomplish this, an SSH server pretended to be an SSH agent, while transparently forwarding data to and from a remote agent. This paradigm holds true for TCP port forwarding and X forwarding, as the SSH server transparently masquerades as another network application.

Configuring X over SSH

  1. Make sure that the remote server sshd_config file has the line

    X11Forwarding yes

  2. On you  local machine you need to enable X11 forwarding in the SSH client. It is turned off by default.

    security-wice make sure your local ~/.Xauthority file is mode 600

    Be sure that these entries are in your local /etc/ssh/ssh_config file and any ~/ ssh/ssh_config files on your system:

       Host *
   ForwardX11 yes
   ForwardAgent no
  3. Type ssh -X username@server.ip.address into the X11 terminal (xterm) on your local machine.
     
  4. After your connected to the server via SSH type name of your windows manager  into the xterm terminal.

Old News ;-)

X11 Forwarding using SSH

As I have explained earlier, using XDMCP to display X across Internet is basically a no-no, due to it's lack of encryption across the Internet. One way to enforce the traffic security is to use the SSH by the way of X11 tunnelling or port forwarding. SSH (Secure Shell) is developed in 1995 by Tatu Ylonen to replace the insecure telnet, ftp, scp, rcp, rlogin, rsh, etc. The first thing you need to know is that X11 forwarding using SSH is different from your regular, non-secure way of running X Window.

To start this setup, you need an additional piece of information. First, you must have your SSH package installed. In Linux, they are the OpenSSH packages. Check your distribution to decide what package you need to install (some installed it as standard packages). Secondly, you need a Windows SSH Client (other OS version, like MAC, are also available). I recommend PuTTY. It is a wonderful free SSH client and you can download them from this link. Remember to download the document and read them carefully. The other good free SSH clients are: Tera Term Pro + TTSSH: An SSH Extension to Tera Term, SSH Secure Shell Client by SSH.com (only free for non-commercial use). I will break down again into steps, so it is easy for you to follow.

 

  1. Open up the command putty.exe by double-click it. It will brings up the interface. First, setup the connection info in Host Name (or use IP) field and select SSH (SSH is using port 22). In Connection Category, find the Connection tree. In SSH, expand it and you will see Tunnels window. Click "Enable X11 forwarding". It is setting the default to X display at "localhost:0". Now, go back to Session and save this session with a name you like. I normally use the Host Name to make me easily remember where I am connecting to.
  2. In the example of Hummingbird Exceed, this is what you need to do. (For other X client, the setup is similar). Open up the Xconfig from your Exceed folder. In your "Screen Definition", change to "Multiple" Window mode and save it. Next, open up your "Communication" icon and set the Startup mode to "Passive".
  3. Now you are done. To test it, first using PuTTY (or other SSH client) to connect to your server. The first time connection, it will ask you whether you want to cache the Security Key or not. (Yes is normal choice). Once log in is done, fire up your Exceed. It will stay in the background. Now you can execute any of your X application and it should forward the X application via SSH to your local screen. For example: 
    $ xclock &
     

    We should now see the Xclock is running on your local screen.

Now you see the difference is that you do not see all your X Window. You are simply running X application one by one and forwarding via SSH to your local screen. Therefore, you need to know the command for running each X application. All the control are done via SSH client window. To me, the security is worthy than the slightly inconvenience!

Hummingbird Exceed's newer version now support the SSH connection. I am sure other X application may be able to do the same in their latest new version. Check the application web site you are using or the Resources belowfor for more details).

If you are using X-Win32 and you want to use SSH with Port Forwarding, you can use this reference to set it up.

 

Remote X over SSH

X server and SSH client for Windows(r)

Putty (SSH client)
X server
X server

On UNIX, BSD or Linux you can use any X server and SSH client you want. 

$ ssh -CX user@1.2.3.4
user@1.2.3.4's password:
Then check the variable $DISPLAY. 
$ echo $DISPLAY
localhost:10.0

Starting the window manager

This will start the amiwm window manager in the background and display it on your X server window (xs.exe).
 
$ amiwm &

You can find amiwm here.

Recommended Links

In case of broken links please try to use Google search. If you find the page please notify us about new location
Google     

X over SSH - A Tutorial by Van Emery - May, 2003

How to tunnel X over ssh

http://www.tldp.org/HOWTO/XDMCP-HOWTO/ssh.html

X over ssh and vnc | Peter's Blog

Problems forwarding X over SSH - O'Reilly Linux DevCenter Blog

Digg - Tutorial- Forwarding GNOME over SSH

X11 forwarding

Remote X over SSH

Etc

Other types of forwarding

Random Bits- HOWTO- Tunneling HTTP over SSH with DD-WRT, DynDNS ...

Troubleshooting

SSH FAQ Section 7- Troubleshooting Secure Shell

SSH Configuration and Troubleshooting in Debian

Advanced Network Configuration and Troubleshooting (2.205.2)

Remote X Apps mini-HOWTO

Secure Shell FAQ Section 7- Troubleshooting Secure Shell

Trying to tunnel X over SSH - LinuxQuestions.org

Remote Access Troubleshooting

Troubleshooting

Additional reading via Safari (free trial available)

O'Reilly - Safari Books Online - 0596006403 - Linux Cookbook

Encrypting X by SSH Tunneling

From Linux in a Windows World by Roderick W. Smith

X Tunneling with SSH

From X Power Tools by Chris Tyler

Networking X Using the Secure Shell

From SAMS Teach Yourself Red Hat® Fedora™ 4 Linux® All in One by

Invoking Remote Programs

From Linux Security Cookbook by Daniel J. Barrett; Robert G. Byrnes; Richard Silverman

Understanding SSH

From Apple Training Series: Mac OS X System Administration Reference, Volume 1 by Schoun Regan, - Ed.

I Need to Run an X Application Remotely

From Linux Annoyances for Geeks by Michael Jang

The Secure Shell

From Building Clustered Linux Systems by Robert W. Lucke

Remote Login (SSH)

From Mac® OS X Security by Bruce Potter; Preston Norvell; Brian Wotring

Starting SSH in OS X

From Mac® OS X Unleashed by John Ray; William Ray

Activating SSH

From Mac OS® X Maximum Security by John Ray; Dr. William Ray

Copyright © 1996-2009 by Dr. Nikolai Bezroukov. www.softpanorama.org was created as a service to the UN Sustainable Development Networking Programme (SDNP) in the author free time. Submit comments This document is an industrial compilation designed and created exclusively for educational use and is placed under the copyright of the Open Content License(OPL). Site uses AdSense so you need to be aware of Google privacy policy. Original materials copyright belong to respective owners. Quotes are made for educational purposes only in compliance with the fair use doctrine.

Disclaimer:

Last modified: August 12, 2009