|Home||Switchboard||Unix Administration||Red Hat||TCP/IP Networks||Neoliberalism||Toxic Managers|
May the source be with you, but remember the KISS principle ;-)
Skepticism and critical thinking is not panacea, but can help to understand the world better
|News||SSH||Recommended Links||Reference||SSH Forwarding Minitutorial||SSH Configuration||Private and Public key management||FAQs|
|VNC over SSH||X11 forwaring over ssh||SOCKS4 proxy||SSH is Pipes||Sysadmin Horror Stories||Tips||Humor||Etc|
X11 tunneling is important for access to servers in DMZ and other restricted segments where X11 might be blocked by firewall.
X uses port 6000+display number, so display :0 is port 6000, :1 is 6001, and so on. The beauty with SSH is that you don't have to open up any ports, since it forwards it over its own encrypted tunnel connection. SSH can transparently encrypt another application's data stream. This is called port forwarding.
One of SSH's major benefits is transparency. A terminal session secured by SSH behaves like an ordinary, insecure one (e.g., created by telnet or rsh) once it has been established. Behind the scenes, however, SSH keeps the session secure with strong authentication, encryption, and integrity checking.
SSH forwarding isn't completely transparent, since it occurs at the application level, not the network level. Applications must be configured to participate in forwarding, and a few protocols are problematic to forward (FTP data channels are a notable example). But in most common situations, once a secure tunnel is set up, the participating applications appear to the user to operate normally. For complete application-level transparency, you need a network-level technique, such as IPSEC or a Virtual Private Network (VPN) technology.
Forwarding is a type of interaction with another network application. SSH intercepts a service request from some other program on one side of an SSH connection, sends it across the encrypted connection, and delivers it to the intended recipient on the other side. This process is mostly transparent to both sides of the connection: each believes it is talking directly to its partner and has no knowledge that forwarding is taking place. Even more powerfully, SSH forwarding can achieve certain types of communication that are impossible without it.
Forwarding isn't a new concept. The basic operation of a terminal connection over a network (say, using telnet) is also a kind of forwarding. In a telnet connection, you sit on one end, your remote shell is on the other, and both sides operate as if directly connected by a serial cable.
There is also another type of SSH forwarding, agent forwarding. This let us create SSH connections from one computer, through a second computer, and onto a third using public-key authentication, but without installing our private key on the second machine. To accomplish this, an SSH server pretended to be an SSH agent, while transparently forwarding data to and from a remote agent. This paradigm holds true for TCP port forwarding and X forwarding, as the SSH server transparently masquerades as another network application.
security-wise make sure your local ~/.Xauthority file is mode 600
Be sure that these entries are in your local /etc/ssh/ssh_config file and any ~/ssh/ssh_config files on your system:Host * ForwardX11 yes ForwardAgent no
As I have explained earlier, using XDMCP to display X across Internet is basically a no-no, due to it's lack of encryption across the Internet. One way to enforce the traffic security is to use the SSH by the way of X11 tunnelling or port forwarding. SSH (Secure Shell) is developed in 1995 by Tatu Ylonen to replace the insecure telnet, ftp, scp, rcp, rlogin, rsh, etc. The first thing you need to know is that X11 forwarding using SSH is different from your regular, non-secure way of running X Window.
To start this setup, you need an additional piece of information. First, you must have your SSH package installed. In Linux, they are the OpenSSH packages. Check your distribution to decide what package you need to install (some installed it as standard packages). Secondly, you need a Windows SSH Client (other OS version, like MAC, are also available). I recommend PuTTY. It is a wonderful free SSH client and you can download them from this link. Remember to download the document and read them carefully. The other good free SSH clients are: Tera Term Pro + TTSSH: An SSH Extension to Tera Term, SSH Secure Shell Client by SSH.com (only free for non-commercial use). I will break down again into steps, so it is easy for you to follow.
- Open up the command putty.exe by double-click it. It will brings up the interface. First, setup the connection info in Host Name (or use IP) field and select SSH (SSH is using port 22). In Connection Category, find the Connection tree. In SSH, expand it and you will see Tunnels window. Click "Enable X11 forwarding". It is setting the default to X display at "localhost:0". Now, go back to Session and save this session with a name you like. I normally use the Host Name to make me easily remember where I am connecting to.
- In the example of Hummingbird Exceed, this is what you need to do. (For other X client, the setup is similar). Open up the Xconfig from your Exceed folder. In your "Screen Definition", change to "Multiple" Window mode and save it. Next, open up your "Communication" icon and set the Startup mode to "Passive".
- Now you are done. To test it, first using PuTTY (or other SSH client) to connect to your server. The first time connection, it will ask you whether you want to cache the Security Key or not. (Yes is normal choice). Once log in is done, fire up your Exceed. It will stay in the background. Now you can execute any of your X application and it should forward the X application via SSH to your local screen. For example:$ xclock &
We should now see the Xclock is running on your local screen.
Now you see the difference is that you do not see all your X Window. You are simply running X application one by one and forwarding via SSH to your local screen. Therefore, you need to know the command for running each X application. All the control are done via SSH client window. To me, the security is worthy than the slightly inconvenience!
Hummingbird Exceed's newer version now support the SSH connection. I am sure other X application may be able to do the same in their latest new version. Check the application web site you are using or the Resources belowfor for more details).
If you are using X-Win32 and you want to use SSH with Port Forwarding, you can use this reference to set it up.
X server and SSH client for Windows(r)Putty (SSH client)
- start xs.exe
- start Putty
- activate X11 forwarding in Putty
- activate SSH 2 protokoll
- configure SSH port, normally 22
- connect to server firstname.lastname@example.org
- enter password
On UNIX, BSD or Linux you can use any X server and SSH client you want.$ ssh -CX email@example.com firstname.lastname@example.org's password:Then check the variable $DISPLAY.$ echo $DISPLAY localhost:10.0
Starting the window managerThis will start the amiwm window manager in the background and display it on your X server window (xs.exe).
$ amiwm &
You can find amiwm here.
Google matched content
X over SSH - A Tutorial by Van Emery - May, 2003
How to tunnel X over ssh
X over ssh and vnc | Peter's Blog
Problems forwarding X over SSH - O'Reilly Linux DevCenter Blog
Digg - Tutorial- Forwarding GNOME over SSH
Remote X over SSH
http://www.vanemery.com/Linux/XoverSSH/X-over-SSH2.html -- huge tutorial 91K
http://www.marcelgagne.com/ -- excellent chapter on X11
http://www.strath.ac.uk/CC/Courses/oldXC/xc.html -- X tutirual
I have a question. I have been trying to find a replacement for VNC. So I decided to utilize the OpenSSH that came with the install of Slack 9. I have it working and I am able to ssh into my test server with my laptop. I can type "gedit, mozilla, nautilus, etc" and they all load fine.
Here is the question:
Can the desktop of the remote machine be displayed like it is in VNC with OpenSSH?
If so could someone please help me with the settings for ssh_config and sshd_config as well as what needs to be set in hosts.allow for it to work correctly. Thanks.NoryungiYes, it is possible to re-direct (through ssh) an X11 display to another machine, running an X11 client. I don't do this myself (ssh is fine for what I need to do), but here is a tutorial which may be useful for you:
abr@Those tutorials were very informative. However, they did not cover
"forwarding" of an Xsession. After playing around with the forwarding of local
and remote ports I was still unable to view the desktop of the remote machine
using OpenSSH. Any more input would be greatly appreciated. Thanks.NoryungiHere
is exporting X11 display:
Random Bits- HOWTO- Tunneling HTTP over SSH with DD-WRT, DynDNS ...
SSH FAQ Section 7- Troubleshooting Secure Shell
SSH Configuration and Troubleshooting in Debian
Advanced Network Configuration and Troubleshooting (2.205.2)
Remote X Apps mini-HOWTO
Secure Shell FAQ Section 7- Troubleshooting Secure Shell
Trying to tunnel X over SSH - LinuxQuestions.org
Remote Access Troubleshooting
O'Reilly - Safari Books Online - 0596006403 - Linux CookbookEncrypting X by SSH Tunneling
From Linux in a Windows World by Roderick W. Smith
X Tunneling with SSHFrom X Power Tools by Chris Tyler
Networking X Using the Secure ShellFrom SAMS Teach Yourself Red Hat® Fedora™ 4 Linux® All in One by
Invoking Remote ProgramsFrom Linux Security Cookbook by Daniel J. Barrett; Robert G. Byrnes; Richard Silverman
Understanding SSHFrom Apple Training Series: Mac OS X System Administration Reference, Volume 1 by Schoun Regan, - Ed.
I Need to Run an X Application RemotelyFrom Linux Annoyances for Geeks by Michael Jang
The Secure ShellFrom Building Clustered Linux Systems by Robert W. Lucke
Remote Login (SSH)From Mac® OS X Security by Bruce Potter; Preston Norvell; Brian Wotring
Starting SSH in OS XFrom Mac® OS X Unleashed by John Ray; William Ray
Activating SSHFrom Mac OS® X Maximum Security by John Ray; Dr. William Ray
Groupthink : Two Party System as Polyarchy : Corruption of Regulators : Bureaucracies : Understanding Micromanagers and Control Freaks : Toxic Managers : Harvard Mafia : Diplomatic Communication : Surviving a Bad Performance Review : Insufficient Retirement Funds as Immanent Problem of Neoliberal Regime : PseudoScience : Who Rules America : Neoliberalism : The Iron Law of Oligarchy : Libertarian Philosophy
War and Peace : Skeptical Finance : John Kenneth Galbraith :Talleyrand : Oscar Wilde : Otto Von Bismarck : Keynes : George Carlin : Skeptics : Propaganda : SE quotes : Language Design and Programming Quotes : Random IT-related quotes : Somerset Maugham : Marcus Aurelius : Kurt Vonnegut : Eric Hoffer : Winston Churchill : Napoleon Bonaparte : Ambrose Bierce : Bernard Shaw : Mark Twain Quotes
Vol 25, No.12 (December, 2013) Rational Fools vs. Efficient Crooks The efficient markets hypothesis : Political Skeptic Bulletin, 2013 : Unemployment Bulletin, 2010 : Vol 23, No.10 (October, 2011) An observation about corporate security departments : Slightly Skeptical Euromaydan Chronicles, June 2014 : Greenspan legacy bulletin, 2008 : Vol 25, No.10 (October, 2013) Cryptolocker Trojan (Win32/Crilock.A) : Vol 25, No.08 (August, 2013) Cloud providers as intelligence collection hubs : Financial Humor Bulletin, 2010 : Inequality Bulletin, 2009 : Financial Humor Bulletin, 2008 : Copyleft Problems Bulletin, 2004 : Financial Humor Bulletin, 2011 : Energy Bulletin, 2010 : Malware Protection Bulletin, 2010 : Vol 26, No.1 (January, 2013) Object-Oriented Cult : Political Skeptic Bulletin, 2011 : Vol 23, No.11 (November, 2011) Softpanorama classification of sysadmin horror stories : Vol 25, No.05 (May, 2013) Corporate bullshit as a communication method : Vol 25, No.06 (June, 2013) A Note on the Relationship of Brooks Law and Conway Law
Fifty glorious years (1950-2000): the triumph of the US computer engineering : Donald Knuth : TAoCP and its Influence of Computer Science : Richard Stallman : Linus Torvalds : Larry Wall : John K. Ousterhout : CTSS : Multix OS Unix History : Unix shell history : VI editor : History of pipes concept : Solaris : MS DOS : Programming Languages History : PL/1 : Simula 67 : C : History of GCC development : Scripting Languages : Perl history : OS History : Mail : DNS : SSH : CPU Instruction Sets : SPARC systems 1987-2006 : Norton Commander : Norton Utilities : Norton Ghost : Frontpage history : Malware Defense History : GNU Screen : OSS early history
The Peter Principle : Parkinson Law : 1984 : The Mythical Man-Month : How to Solve It by George Polya : The Art of Computer Programming : The Elements of Programming Style : The Unix Hater’s Handbook : The Jargon file : The True Believer : Programming Pearls : The Good Soldier Svejk : The Power Elite
Most popular humor pages:
Manifest of the Softpanorama IT Slacker Society : Ten Commandments of the IT Slackers Society : Computer Humor Collection : BSD Logo Story : The Cuckoo's Egg : IT Slang : C++ Humor : ARE YOU A BBS ADDICT? : The Perl Purity Test : Object oriented programmers of all nations : Financial Humor : Financial Humor Bulletin, 2008 : Financial Humor Bulletin, 2010 : The Most Comprehensive Collection of Editor-related Humor : Programming Language Humor : Goldman Sachs related humor : Greenspan humor : C Humor : Scripting Humor : Real Programmers Humor : Web Humor : GPL-related Humor : OFM Humor : Politically Incorrect Humor : IDS Humor : "Linux Sucks" Humor : Russian Musical Humor : Best Russian Programmer Humor : Microsoft plans to buy Catholic Church : Richard Stallman Related Humor : Admin Humor : Perl-related Humor : Linus Torvalds Related humor : PseudoScience Related Humor : Networking Humor : Shell Humor : Financial Humor Bulletin, 2011 : Financial Humor Bulletin, 2012 : Financial Humor Bulletin, 2013 : Java Humor : Software Engineering Humor : Sun Solaris Related Humor : Education Humor : IBM Humor : Assembler-related Humor : VIM Humor : Computer Viruses Humor : Bright tomorrow is rescheduled to a day after tomorrow : Classic Computer Humor
The Last but not Least Technology is dominated by two types of people: those who understand what they do not manage and those who manage what they do not understand ~Archibald Putt. Ph.D
Copyright © 1996-2018 by Dr. Nikolai Bezroukov. www.softpanorama.org was initially created as a service to the (now defunct) UN Sustainable Development Networking Programme (SDNP) in the author free time and without any remuneration. This document is an industrial compilation designed and created exclusively for educational use and is distributed under the Softpanorama Content License. Original materials copyright belong to respective owners. Quotes are made for educational purposes only in compliance with the fair use doctrine.
FAIR USE NOTICE This site contains copyrighted material the use of which has not always been specifically authorized by the copyright owner. We are making such material available to advance understanding of computer science, IT technology, economic, scientific, and social issues. We believe this constitutes a 'fair use' of any such copyrighted material as provided by section 107 of the US Copyright Law according to which such material can be distributed without profit exclusively for research and educational purposes.
This is a Spartan WHYFF (We Help You For Free) site written by people for whom English is not a native language. Grammar and spelling errors should be expected. The site contain some broken links as it develops like a living tree...
|You can use PayPal to make a contribution, supporting development of this site and speed up access. In case softpanorama.org is down you can use the at softpanorama.info|
The statements, views and opinions presented on this web page are those of the author (or referenced source) and are not endorsed by, nor do they necessarily reflect, the opinions of the author present and former employers, SDNP or any other organization the author may be associated with. We do not warrant the correctness of the information provided or its fitness for any purpose.
Last modified: March 12, 2019