X11 Forwarding over SSH

X11 tunneling is important for access to servers in DMZ and other restricted segments where X11 might be blocked by firewall.

X uses port 6000+display number, so display :0 is port 6000, :1 is 6001, and so on. The beauty with SSH is that you don't have to open up any ports, since it forwards it over its own encrypted tunnel connection. SSH can transparently encrypt another application's data stream. This is called port forwarding.

One of SSH's major benefits is transparency. A terminal session secured by SSH behaves like an ordinary, insecure one (e.g., created by telnet or rsh) once it has been established. Behind the scenes, however, SSH keeps the session secure with strong authentication, encryption, and integrity checking.

SSH forwarding isn't completely transparent, since it occurs at the application level, not the network level. Applications must be configured to participate in forwarding, and a few protocols are problematic to forward (FTP data channels are a notable example). But in most common situations, once a secure tunnel is set up, the participating applications appear to the user to operate normally. For complete application-level transparency, you need a network-level technique, such as IPSEC or a Virtual Private Network (VPN) technology.

Forwarding is a type of interaction with another network application. SSH intercepts a service request from some other program on one side of an SSH connection, sends it across the encrypted connection, and delivers it to the intended recipient on the other side. This process is mostly transparent to both sides of the connection: each believes it is talking directly to its partner and has no knowledge that forwarding is taking place. Even more powerfully, SSH forwarding can achieve certain types of communication that are impossible without it.

Forwarding isn't a new concept. The basic operation of a terminal connection over a network (say, using telnet) is also a kind of forwarding. In a telnet connection, you sit on one end, your remote shell is on the other, and both sides operate as if directly connected by a serial cable.

There is also another type of SSH forwarding, agent forwarding.  This let us create SSH connections from one computer, through a second computer, and onto a third using public-key authentication, but without installing our private key on the second machine. To accomplish this, an SSH server pretended to be an SSH agent, while transparently forwarding data to and from a remote agent. This paradigm holds true for TCP port forwarding and X forwarding, as the SSH server transparently masquerades as another network application.

Configuring X over SSH

1. Make sure that the remote server sshd_config file has the line

   X11Forwarding yes

2. On you  local machine you need to enable X11 forwarding in the SSH client. It is turned off by default.

   security-wise make sure your local ~/.Xauthority file is mode 600

   Be sure that these entries are in your local /etc/ssh/ssh_config file and any ~/ssh/ssh_config files on your system:

   Host *
   ForwardX11 yes
   ForwardAgent no

3. Type ssh -X [email protected] into the X11 terminal (xterm) on your local machine.
    
4. After your connected to the server via SSH type name of your windows manager  into the xterm terminal.

NEWS CONTENTS

• 190313 : X11 Forwarding using SSH ( X11 Forwarding using SSH, )
• 190313 : Remote X over SSH ( Remote X over SSH, )
• 190313 : Starting the window manager ( )

Old News ;-)

X11 Forwarding using SSH

As I have explained earlier, using XDMCP to display X across Internet is basically a no-no, due to it's lack of encryption across the Internet. One way to enforce the traffic security is to use the SSH by the way of X11 tunnelling or port forwarding. SSH (Secure Shell) is developed in 1995 by Tatu Ylonen to replace the insecure telnet, ftp, scp, rcp, rlogin, rsh, etc. The first thing you need to know is that X11 forwarding using SSH is different from your regular, non-secure way of running X Window.

To start this setup, you need an additional piece of information. First, you must have your SSH package installed. In Linux, they are the OpenSSH packages. Check your distribution to decide what package you need to install (some installed it as standard packages). Secondly, you need a Windows SSH Client (other OS version, like MAC, are also available). I recommend PuTTY. It is a wonderful free SSH client and you can download them from this link. Remember to download the document and read them carefully. The other good free SSH clients are: Tera Term Pro + TTSSH: An SSH Extension to Tera Term, SSH Secure Shell Client by SSH.com (only free for non-commercial use). I will break down again into steps, so it is easy for you to follow.

1. Open up the command putty.exe by double-click it. It will brings up the interface. First, setup the connection info in Host Name (or use IP) field and select SSH (SSH is using port 22). In Connection Category, find the Connection tree. In SSH, expand it and you will see Tunnels window. Click "Enable X11 forwarding". It is setting the default to X display at "localhost:0". Now, go back to Session and save this session with a name you like. I normally use the Host Name to make me easily remember where I am connecting to.
2. In the example of Hummingbird Exceed, this is what you need to do. (For other X client, the setup is similar). Open up the Xconfig from your Exceed folder. In your "Screen Definition", change to "Multiple" Window mode and save it. Next, open up your "Communication" icon and set the Startup mode to "Passive".
3. Now you are done. To test it, first using PuTTY (or other SSH client) to connect to your server. The first time connection, it will ask you whether you want to cache the Security Key or not. (Yes is normal choice). Once log in is done, fire up your Exceed. It will stay in the background. Now you can execute any of your X application and it should forward the X application via SSH to your local screen. For example:

   $ xclock &

   We should now see the Xclock is running on your local screen.

Now you see the difference is that you do not see all your X Window. You are simply running X application one by one and forwarding via SSH to your local screen. Therefore, you need to know the command for running each X application. All the control are done via SSH client window. To me, the security is worthy than the slightly inconvenience!

Hummingbird Exceed's newer version now support the SSH connection. I am sure other X application may be able to do the same in their latest new version. Check the application web site you are using or the Resources belowfor for more details).

If you are using X-Win32 and you want to use SSH with Port Forwarding, you can use this reference to set it up.

Remote X over SSH

X server and SSH client for Windows(r)

Putty (SSH client)
X server
X server

• start xs.exe
• start Putty
• activate X11 forwarding in Putty
• activate SSH 2 protokoll
• configure SSH port, normally 22
• connect to server [email protected]
• enter password

On UNIX, BSD or Linux you can use any X server and SSH client you want.

$ ssh -CX [email protected]
[email protected]'s password: 

Then check the variable $DISPLAY.

$ echo $DISPLAY
localhost:10.0

---

Starting the window manager

This will start the amiwm window manager in the background and display it on your X server window (xs.exe).

$ amiwm &

You can find amiwm here.

Recommended Links

Softpanorama Recommended

Top articles

Sites

X over SSH - A Tutorial by Van Emery - May, 2003

How to tunnel X over ssh

http://www.tldp.org/HOWTO/XDMCP-HOWTO/ssh.html

X over ssh and vnc | Peter's Blog

Problems forwarding X over SSH - O'Reilly Linux DevCenter Blog

Digg - Tutorial- Forwarding GNOME over SSH

X11 forwarding

Remote X over SSH

Etc

• Run X over SSH under Windows

• http://www.vanemery.com/Linux/XoverSSH/X-over-SSH2.html -- huge tutorial 91K
  http://www.linuxgazette.com/issue52/tag/19.html
  http://www.mandrakeuser.org/docs/xwin/xnet.html
  http://www.itc.virginia.edu/research/totalview/

  http://www.marcelgagne.com/ -- excellent chapter on X11

  http://www.math.uwaterloo.ca/mfcf/faq/customize.html#xwin/tutorial.faq

  http://www.strath.ac.uk/CC/Courses/oldXC/xc.html -- X tutirual

  http://www.csci.csusb.edu/dick/samples/remote.html

  http://www.hungry.com/~jamie/xexport.html

  All righty,
  I have a question. I have been trying to find a replacement for VNC. So I decided to utilize the OpenSSH that came with the install of Slack 9. I have it working and I am able to ssh into my test server with my laptop. I can type "gedit, mozilla, nautilus, etc" and they all load fine.

  Here is the question:
  Can the desktop of the remote machine be displayed like it is in VNC with OpenSSH?

  If so could someone please help me with the settings for ssh_config and sshd_config as well as what needs to be set in hosts.allow for it to work correctly. Thanks.NoryungiYes, it is possible to re-direct (through ssh) an X11 display to another machine, running an X11 client. I don't do this myself (ssh is fine for what I need to do), but here is a tutorial which may be useful for you:

  [url]http://www.hackinglinuxexposed.com/articles/20030228.html[/url]
  [url]http://www.hackinglinuxexposed.com/articles/20030309.html[/url]
  [url]http://www.hackinglinuxexposed.com/articles/20030316.html[/url]l

  abr@Those tutorials were very informative. However, they did not cover "forwarding" of an Xsession. After playing around with the forwarding of local and remote ports I was still unable to view the desktop of the remote machine using OpenSSH. Any more input would be greatly appreciated. Thanks.NoryungiHere is exporting X11 display:
  [url]http://www.slackware.com/book/index.php?source=x1659.html[/url]

Other types of forwarding

Random Bits- HOWTO- Tunneling HTTP over SSH with DD-WRT, DynDNS ...

Troubleshooting

SSH FAQ Section 7- Troubleshooting Secure Shell

SSH Configuration and Troubleshooting in Debian

Advanced Network Configuration and Troubleshooting (2.205.2)

Remote X Apps mini-HOWTO

Secure Shell FAQ Section 7- Troubleshooting Secure Shell

Trying to tunnel X over SSH - LinuxQuestions.org

Remote Access Troubleshooting

Troubleshooting

Additional reading via Safari (free trial available)

O'Reilly - Safari Books Online - 0596006403 - Linux Cookbook

From Linux in a Windows World by Roderick W. Smith

X Tunneling with SSH

Networking X Using the Secure Shell

Invoking Remote Programs

Understanding SSH

I Need to Run an X Application Remotely

The Secure Shell

Remote Login (SSH)

Starting SSH in OS X

Activating SSH

Etc

Society

Groupthink : Two Party System as Polyarchy : Corruption of Regulators : Bureaucracies : Understanding Micromanagers and Control Freaks : Toxic Managers :   Harvard Mafia : Diplomatic Communication : Surviving a Bad Performance Review : Insufficient Retirement Funds as Immanent Problem of Neoliberal Regime : PseudoScience : Who Rules America : Neoliberalism  : The Iron Law of Oligarchy : Libertarian Philosophy

Quotes

War and Peace : Skeptical Finance : John Kenneth Galbraith :Talleyrand : Oscar Wilde : Otto Von Bismarck : Keynes : George Carlin : Skeptics : Propaganda  : SE quotes : Language Design and Programming Quotes : Random IT-related quotes :  Somerset Maugham : Marcus Aurelius : Kurt Vonnegut : Eric Hoffer : Winston Churchill : Napoleon Bonaparte : Ambrose Bierce :  Bernard Shaw : Mark Twain Quotes

Bulletin:

Vol 25, No.12 (December, 2013) Rational Fools vs. Efficient Crooks The efficient markets hypothesis : Political Skeptic Bulletin, 2013 : Unemployment Bulletin, 2010 :  Vol 23, No.10 (October, 2011) An observation about corporate security departments : Slightly Skeptical Euromaydan Chronicles, June 2014 : Greenspan legacy bulletin, 2008 : Vol 25, No.10 (October, 2013) Cryptolocker Trojan (Win32/Crilock.A) : Vol 25, No.08 (August, 2013) Cloud providers as intelligence collection hubs : Financial Humor Bulletin, 2010 : Inequality Bulletin, 2009 : Financial Humor Bulletin, 2008 : Copyleft Problems Bulletin, 2004 : Financial Humor Bulletin, 2011 : Energy Bulletin, 2010 : Malware Protection Bulletin, 2010 : Vol 26, No.1 (January, 2013) Object-Oriented Cult : Political Skeptic Bulletin, 2011 : Vol 23, No.11 (November, 2011) Softpanorama classification of sysadmin horror stories : Vol 25, No.05 (May, 2013) Corporate bullshit as a communication method  : Vol 25, No.06 (June, 2013) A Note on the Relationship of Brooks Law and Conway Law

History:

Fifty glorious years (1950-2000): the triumph of the US computer engineering : Donald Knuth : TAoCP and its Influence of Computer Science : Richard Stallman : Linus Torvalds  : Larry Wall  : John K. Ousterhout : CTSS : Multix OS Unix History : Unix shell history : VI editor : History of pipes concept : Solaris : MS DOS :  Programming Languages History : PL/1 : Simula 67 : C : History of GCC development :  Scripting Languages : Perl history   : OS History : Mail : DNS : SSH : CPU Instruction Sets : SPARC systems 1987-2006 : Norton Commander : Norton Utilities : Norton Ghost : Frontpage history : Malware Defense History : GNU Screen : OSS early history

Classic books:

The Peter Principle : Parkinson Law : 1984 : The Mythical Man-Month :  How to Solve It by George Polya : The Art of Computer Programming : The Elements of Programming Style : The Unix Hater’s Handbook : The Jargon file : The True Believer : Programming Pearls : The Good Soldier Svejk : The Power Elite

Most popular humor pages:

Manifest of the Softpanorama IT Slacker Society : Ten Commandments of the IT Slackers Society : Computer Humor Collection : BSD Logo Story : The Cuckoo's Egg : IT Slang : C++ Humor : ARE YOU A BBS ADDICT? : The Perl Purity Test : Object oriented programmers of all nations : Financial Humor : Financial Humor Bulletin, 2008 : Financial Humor Bulletin, 2010 : The Most Comprehensive Collection of Editor-related Humor : Programming Language Humor : Goldman Sachs related humor : Greenspan humor : C Humor : Scripting Humor : Real Programmers Humor : Web Humor : GPL-related Humor : OFM Humor : Politically Incorrect Humor : IDS Humor : "Linux Sucks" Humor : Russian Musical Humor : Best Russian Programmer Humor : Microsoft plans to buy Catholic Church : Richard Stallman Related Humor : Admin Humor : Perl-related Humor : Linus Torvalds Related humor : PseudoScience Related Humor : Networking Humor : Shell Humor : Financial Humor Bulletin, 2011 : Financial Humor Bulletin, 2012 : Financial Humor Bulletin, 2013 : Java Humor : Software Engineering Humor : Sun Solaris Related Humor : Education Humor : IBM Humor : Assembler-related Humor : VIM Humor : Computer Viruses Humor : Bright tomorrow is rescheduled to a day after tomorrow : Classic Computer Humor

The Last but not Least Technology is dominated by two types of people: those who understand what they do not manage and those who manage what they do not understand ~Archibald Putt. Ph.D

The statements, views and opinions presented on this web page are those of the author (or referenced source) and are not endorsed by, nor do they necessarily reflect, the opinions of the Softpanorama society. We do not warrant the correctness of the information provided or its fitness for any purpose. The site uses AdSense so you need to be aware of Google privacy policy. You you do not want to be tracked by Google please disable Javascript for this site. This site is perfectly usable without Javascript.

Last modified: March 12, 2019