Step 6.3 X11 Forwarding
Problem: Almost every UNIX/Linux user will use X11, i.e. X-Windows, across a network for GUI-based applications. X11 is noted for its poor security and is a common target for attackers.
Action 6.3.1 Utilize the OpenSSH X11 Forwarding Feature to Run X Windows Applications Through a Secure Channel
OpenSSH provides X11 forwarding, which will automatically encrypt all X11 traffic, thereby reducing some of the security concerns with X. OpenSSH also improves the behind-the-scenes X-Windows authentication by encrypting the authentication process.
Another handy feature of X11 forwarding is that OpenSSH will automatically set the DISPLAY variable for you so that X applications are automatically displayed back to your local system.
There are a couple of SSH configuration options that are required in order for the remote OpenSSH server to enable X11 forwarding. Make sure these options are set in sshd_config:
X11Forwarding yes
X11UseLocalhost no
- To enable X11 forwarding for the SSH client, the -X parameter should be supplied at the command line to the SSH executable:
$ ssh -X -l sshuser server.example.com
sshuser@server.example.com's password: *********
Last login: Fri Dec 20 15:45:12 2002 from client.example.com
Sun Microsystems Inc. SunOS 5.8 Generic February 2000
Once authentication has successfully taken place, the DISPLAY environment variable should be automatically set on the client, as shown below, to a display number that is higher than normal:
$ echo $DISPLAY
localhost:10.0
- Just as with normal X-Windows functionality, once you verify that the DISPLAY variable is set, you can launch an X application and the output of the application should appear on your local display:
$ xclock &
[1] 7324
$
Tech-Tip: To help better understand the X11 forwarding feature of OpenSSH, it is helpful to keep in mind that X-Windows uses a "reverse" client/server design. In the example presented here, the X-Windows "server" is located on the SSH "client", whereas the X-Windows "client" is the SSH "server".
Once again, note that the SSH client never had to set the DISPLAY variable manually after it connected to the OpenSSH server. Without OpenSSH, we would have had to do this before running xclock; otherwise we would get "Error: Can't open display" or a similar error message.
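The server-side sshd_config options and the client-side DISPLAY check above, as an added shell example that is not part of the original guide: it reads an sshd_config the way sshd does for these keywords (comments stripped, the first value obtained for a keyword wins, Match blocks not evaluated), reports the effective X11 settings using the defaults documented in sshd_config(5), and checks whether a DISPLAY value falls in the range sshd hands out (the display offset, 10 by default, or higher). The sample configuration file is constructed for the example, and the function names are this example's own.

```shell
#!/bin/sh
# Added example, not from the guide: audit sshd_config for the X11 forwarding
# options used in Action 6.3.1 and sanity-check a forwarded DISPLAY value.

# Print the effective value of <keyword> in <file>, or nothing if unset.
# sshd_config(5) semantics applied: keywords are case-insensitive, '#' starts
# a comment, the FIRST value obtained is used. Parsing stops at the first
# Match block; the optional "keyword=value" form is not handled.
effective_option() {
    kw=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
    awk -v kw="$kw" '
        { sub(/#.*/, "") }                                 # strip comments
        tolower($1) == "match" { exit }                    # stop at Match
        NF >= 2 && tolower($1) == kw { print $2; exit }    # first match wins
    ' "$2"
}

# Report the X11-related settings of <file>; return 0 when X11Forwarding is on.
# Defaults are those of sshd_config(5): X11Forwarding no, X11UseLocalhost yes,
# X11DisplayOffset 10.
audit_x11_forwarding() {
    fwd=$(effective_option X11Forwarding "$1" | tr 'A-Z' 'a-z')
    uselocal=$(effective_option X11UseLocalhost "$1" | tr 'A-Z' 'a-z')
    offset=$(effective_option X11DisplayOffset "$1")
    : "${fwd:=no}" "${uselocal:=yes}" "${offset:=10}"
    echo "X11Forwarding=$fwd X11UseLocalhost=$uselocal X11DisplayOffset=$offset"
    if [ "$uselocal" = "no" ]; then
        # Documented in sshd_config(5): with "no", the proxy display is bound
        # to the wildcard address rather than the loopback address.
        echo "note: X11UseLocalhost no binds the proxy display to the wildcard address"
    fi
    [ "$fwd" = "yes" ]
}

# Return 0 if <display> looks like an sshd-assigned forwarded display,
# i.e. host:N[.S] with N >= <offset> (default 10), such as "localhost:10.0".
# A local display like ":0" or "localhost:0.0" returns 1.
is_forwarded_display() {
    display=$1; offset=${2:-10}
    case $display in
        *:*) ;;
        *) return 1 ;;
    esac
    num=${display##*:}      # drop the host part
    num=${num%%.*}          # drop the screen number
    case $num in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$num" -ge "$offset" ]
}

# Constructed sample sshd_config (not taken from any real host).
SAMPLE_CFG=$(mktemp)
trap 'rm -f "$SAMPLE_CFG"' EXIT
cat > "$SAMPLE_CFG" <<'EOF'
# constructed sshd_config for the example
Port 22
X11Forwarding yes    # as set in Action 6.3.1
X11UseLocalhost no
x11forwarding no     # ignored: the first value obtained wins
Match User guest
    X11Forwarding no
EOF

audit_x11_forwarding "$SAMPLE_CFG"
if is_forwarded_display "${DISPLAY:-}"; then
    echo "DISPLAY=$DISPLAY looks like an SSH-forwarded display"
else
    echo "DISPLAY=${DISPLAY:-unset} is not an SSH-forwarded display"
fi
```

Run it on a real server as `sh audit.sh` after pointing audit_x11_forwarding at /etc/ssh/sshd_config, and inside a forwarded session to confirm that the DISPLAY sshd set is the one being checked rather than a local display.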
Action 6.3.2 Utilize the X11 Forwarding Feature in PuTTY to Run X Windows Applications Through a Secure Channel
Running X11 applications over a public or unsecured network can be dangerous, since the X11 connection is not encrypted and therefore sensitive information could potentially be compromised. Additionally, running X11 applications through firewalls usually involves opening up multiple ports, which firewall administrators typically do not like to open. To avoid these problems, X11 applications can be tunneled through SSH and onto a Windows computer:
Note: In order for the following to work, an X11 server, such as Cygwin's XFree86 or Hummingbird's Exceed, must be running on the Windows machine. The remote OpenSSH server must also be configured to allow X11 forwarding; this can be accomplished by setting the X11Forwarding option in sshd_config to "Yes".
- Double-click on the icon that was created for PuTTY or select it from the Start Menu.
- In the Session category, enter the hostname or IP address of the machine to which you will connect and run X11 applications.
- Make sure SSH is selected below the Protocol field by clicking on the SSH radio button.
- On the left hand window of the PuTTY configuration screen, select the Connection->SSH->Tunnels category.
- In the section labeled X11 forwarding, check the box marked Enable X11 forwarding and make sure the X display location box contains localhost:0, as shown below. The number after the colon in the X display location box, in this case 0, is known as the "X display number" and by default should be set to 0. However, if your local X11 server is not running on display number 0, set the appropriate display number in the X display location box.
- Next, click on the Open button to open the connection to the remote machine. Enter your authentication information as prompted.
- After you have authenticated successfully to the remote machine, you should see a shell prompt. The DISPLAY environment variable should now be set to localhost with the display number specified by the X11DisplayOffset option in the remote machine's sshd_config file. Verify your DISPLAY environment variable, as shown below:
[sshuser@server.example.com]$ echo $DISPLAY
localhost:10.0
- Run a small X11 application, such as xclock, to verify that X11 forwarding is working correctly, as shown below.
[sshuser@server.example.com]$ xclock &