Step 6.3 X11 Forwarding

Problem: Nearly every UNIX/Linux user will use X11, i.e. X-Windows, across a network for GUI-based applications. X11 is noted for its poor security and is a common target for attackers.

Action 6.3.1 Utilize the OpenSSH X11 Forwarding Feature to Run X Windows Applications Through a Secure Channel

OpenSSH provides X11 forwarding, which will automatically encrypt all X11 traffic, thereby reducing some of the security concerns with X. OpenSSH also improves the behind-the-scenes X-Windows authentication by encrypting the authentication process.

Another handy feature of X11 forwarding is that OpenSSH will automatically set the DISPLAY variable for you so that X applications are automatically displayed back to your local system.

There are a couple of SSH configuration options that are required in order for the remote OpenSSH server to enable X11 forwarding. Make sure these options are set in sshd_config:

X11Forwarding yes
X11UseLocalhost no

Once authentication has successfully taken place, the DISPLAY environment variable should be automatically set on the client, as shown below, to a display number that is higher than normal:

$ echo $DISPLAY
localhost:10.0

Tech-Tip  

To help better understand the X11 forwarding feature of OpenSSH, it is helpful to keep in mind that X-Windows uses a "reverse" client/server design. In the example presented here, the X-Windows "server" is located on the SSH "client" whereas the X-Windows "client" is the SSH "server".

Once again, note that the SSH client never had to set the DISPLAY variable manually after it connected to the OpenSSH server. Without OpenSSH, we would have had to do this before running xclock, otherwise we would get "Error: Can't open display" or a similar error message.
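
An added example, not from the original text: a shell check that reads the global section of an sshd_config and reports the effective X11Forwarding and X11UseLocalhost values together with X11DisplayOffset, the option (default 10, per sshd_config(5)) behind the higher-than-normal display number. The function names and the sample file are constructed for illustration; the defaults and the first-value-wins behaviour are taken from the sshd_config(5) manual.

```shell
#!/bin/sh
# Added example; x11_settings and x11_audit are hypothetical names.

# Print "X11Forwarding X11UseLocalhost X11DisplayOffset" for the global section.
# sshd keeps the first value it reads for a keyword; keywords are case-insensitive.
x11_settings() {
    awk '
        BEGIN { fwd = "no"; lh = "yes"; off = 10 }   # defaults from sshd_config(5)
        /^[ \t]*#/ || /^[ \t]*$/ { next }            # skip comments and blank lines
        tolower($1) == "match" { exit }              # stop at the first Match block
        {
            k = tolower($1); v = tolower($2)
            if (k == "x11forwarding"    && !seen[k]++) fwd = v
            if (k == "x11uselocalhost"  && !seen[k]++) lh  = v
            if (k == "x11displayoffset" && !seen[k]++) off = v
        }
        END { print fwd, lh, off }
    ' "$1"
}

# Say where sshd will listen for forwarded X11 and what DISPLAY a session gets.
x11_audit() {
    x11_settings "$1" | {
        read -r fwd lh off
        port=$((6000 + off))
        if [ "$fwd" != yes ]; then
            echo "X11Forwarding=$fwd: no proxy display, DISPLAY is not set"
        elif [ "$lh" = no ]; then
            echo "proxy display on all addresses, TCP $port upward," \
                 "DISPLAY=<server-hostname>:$off.0 or higher"
        else
            echo "proxy display on loopback only, TCP $port upward," \
                 "DISPLAY=localhost:$off.0 or higher"
        fi
    }
}

# Constructed sample: mixed case, a later duplicate, and a Match block.
sample=$(mktemp)
printf '%s\n' '# constructed sample' 'x11forwarding yes' 'X11UseLocalhost no' \
    'X11UseLocalhost yes' 'Match User guest' '    X11Forwarding no' > "$sample"
x11_audit "$sample"
```

Point `x11_audit` at the server's real configuration file to see which address the forwarded display binds to before relying on it; settings inside Match blocks are not evaluated.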

Action 6.3.2 Utilize the X11 forwarding feature in PuTTY to run X Windows applications through a secure channel

Running X11 applications over a public or unsecured network can be dangerous since the X11 connection is not encrypted and therefore sensitive information could potentially be compromised. Additionally, running X11 applications through firewalls usually involves opening up multiple ports, which firewall administrators typically do not like to open. To avoid these problems, X11 applications can be tunneled through SSH and onto a Windows computer:

Note  

In order for the following to work, an X11 server, such as Cygwin's XFree86 or Hummingbird's Exceed, must be running on the Windows machine. The remote OpenSSH server must also be configured to allow X11 Forwarding; this can be accomplished by setting the X11Forwarding option in sshd_config to "Yes".
