Gentoo Forums
Howto: Remote X (X11 Forwarding) with SSH (not VNC, etc!)
YsndHalf
n00b


Joined: 14 May 2003
Posts: 53
Location: Barcelona

Posted: Fri Mar 11, 2005 6:55 pm    Post subject: Howto: Remote X (X11 Forwarding) with SSH (not VNC, etc!)

Hi people,

After battling with my Gentoo boxes, testing and testing, and peeking at many, many of these forums, I finally achieved forwarding X11 from my Linux box to a remote box via SSH.
I'd like to share my small experience with you; I hope this helps other noobs like me ;-)

Objective: To do a SSH from a computer to your Linux box and be able to execute X11 things (xterm, Konqueror, Kate, whatever).
Example situation: You are at work on a Linux computer (or a Windows one with an adequate X Server such as X-Win32, etc. I suppose that this would also work), and you want to connect to your home computer (a Gentoo Linux 8) ) and, furthermore, execute graphical things.
Clarification: This is NOT an explanation for connecting via VNC, etc. This is not a remote desktop, it "only" makes possible executing X11 apps remotely.
Convention: The computer running the apps on its CPU (the one offering X11 graphs to the remote one) will be called "Gentoo Server", and the remote computer used to connect to the Gentoo Server will be called "Remote Workstation".

ON THE GENTOO SERVER:
These are the files that you should take into account for this to work:

/etc/ssh/sshd_config: These are the only things that must be active in this file (the rest must be commented); at least this is how it works on mine:
Code:
      # Optional, but this will offer much more security
      Protocol          2
      UsePAM           yes
      X11Forwarding   yes
      # I'm not sure if this affects the X11 forwarding
      UseDNS           yes
      Subsystem     sftp  /usr/lib/misc/sftp-server

By the way, I discovered that with the "PasswordAuthentication no" option active, you can SSH to the Gentoo Server from a Linux but not from a Windows :?

/etc/security/pam_env.conf: This is the only thing that must be active here, nothing else about 'remotehost' or 'display'!
Code:
XAUTHORITY DEFAULT= OVERRIDE=@{XAUTHORITY}


/usr/X11R6/bin/startx: You don't have to comment out anything like "nolisten tcp", etc! I think that I read somewhere that the "nolisten tcp" option adds more security, while the X11 forwarding keeps working since it listens to sockets (which is more secure). If I understood right... :oops:
Therefore, for example, I have (among others):
Code:
defaultserverargs="-nolisten tcp -br"


/usr/kde/3.3/share/config/kdm/Xservers: This is the only uncommented line in my server:
Code:
:0 local@tty1 /usr/X11R6/bin/X -nolisten tcp


Note: If you change parameters in the sshd_config file you'll have to restart the sshd service before it works, of course! And similar for X, etc.


ON THE REMOTE WORKSTATION:

I recommend the following command line:

Code:
ssh -2 -X -C user@server.address.com


"-2" forces protocol 2, which is more secure, "-X" forces the X11 forwarding, and "-C" enables compression, which may be useful especially when using X forwarding.
All of these options can be set by default in /etc/ssh/ssh_config (note the difference with the server! This is "ssh_config", while the relevant file on the server is "sshd_config").

A note about security: I read somewhere that there's a security problem with this. There's a file on the Remote Workstation, ".Xauthority", in your home directory. You must be sure that this file has the correct permissions, that is, "-rw-------" (i.e. only YOU can read and write it). Otherwise, if you connect to an untrusted server with X11 forwarding enabled, it seems that they can peek at your keystrokes, etc.

Good luck!
Jordi 8)
_________________
Did you know that we typically make use of only 5% of the power of our personal computers?
Check http://setiathome.berkeley.edu or http://www.seti.cat to use 100%!
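
The two settings this howto depends on, checked by script. This is an added example, not part of the original post: `sshd_effective` and `xauth_private` are hypothetical helper names, the sample files are constructed, and Match blocks and Include files in sshd_config are not evaluated.

```shell
#!/bin/sh
# Added example, not from the original post. Sample files are constructed.

# Print the value sshd would use for a keyword in the global section of an
# sshd_config-style file: keywords are case-insensitive and the first
# occurrence wins. Match blocks and Include files are not evaluated here.
sshd_effective() {  # usage: sshd_effective <file> <keyword>
    awk -v key="$2" '
        $1 ~ /^#/ || NF == 0   { next }
        tolower($1) == "match" { exit }
        tolower($1) == tolower(key) { print tolower($2); found = 1; exit }
        END { if (!found) print "unset" }
    ' "$1"
}

# Succeed only if the cookie file grants nothing to group or others,
# e.g. "-rw-------" as the post recommends.
xauth_private() {  # usage: xauth_private <file>
    [ -f "$1" ] || return 2
    [ "$(ls -ld "$1" | cut -c5-10)" = "------" ]
}

# Constructed demo: the post's sshd_config plus a cookie file with loose mode.
demo() {
    dir=$(mktemp -d) || return 1
    printf '%s\n' '# constructed sample' 'Protocol 2' 'UsePAM yes' \
        'X11Forwarding yes' 'UseDNS yes' > "$dir/sshd_config"
    : > "$dir/Xauthority"; chmod 644 "$dir/Xauthority"
    echo "X11Forwarding: $(sshd_effective "$dir/sshd_config" X11Forwarding)"
    echo "X11UseLocalhost: $(sshd_effective "$dir/sshd_config" X11UseLocalhost)"
    if xauth_private "$dir/Xauthority"; then echo "cookie: private"
    else echo "cookie: readable by others, run chmod 600"; fi
    rm -rf "$dir"
}
demo
```

A result of `unset` means the file does not set the keyword and sshd's built-in default applies.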
solomonHk
Apprentice


Joined: 28 Mar 2004
Posts: 226
Location: int main(void) { };

Posted: Fri Mar 11, 2005 7:15 pm    Post subject:

Good Example!

I have tried explaining this a couple of times last week. Now I have a How-To to send people to!


Good Job.


Also, if anyone is wondering, PuTTY does have an option for X11 forwarding: go to the connections area in the configuration, then go to SSH, ... and it is under Tunnels.
leosgb
Apprentice


Joined: 07 Mar 2006
Posts: 272
Location: Rio de Janeiro, Brazil

Posted: Thu Mar 23, 2006 11:46 pm    Post subject: No success...

Hi,

I read your howto here and checked all my files against yours. I have the same settings. Nothing changed. I even restarted sshd and reconnected to it. I also tried "ssh -X -Y username@remoteserver" and it didn't work. I tried with an "export DISPLAY=laptop_IP:0.0" on the server side after issuing an "xhost +" on the laptop. I run Gentoo on both systems and this is one of my last steps to have my server run exactly as I want it to run.

I need the Xforwarding to work. I also read:
http://gentoo-wiki.com/HOWTO_X-forwarding

And no help with that :(

username@remoteserver ~ $ export DISPLAY=192.168.1.109:0.0
username@remoteserver ~ $ xterm &
[1] 23657
username@remoteserver ~ $ xterm Xt error: Can't open display: 192.168.1.109:0.0

[1]+ Exit 1 xterm

I am trying it from my gnome session. I have gnome installed on both systems too. I would appreciate any help. Can anyone help me?
Octavious
n00b


Joined: 01 Aug 2005
Posts: 19

Posted: Fri Mar 24, 2006 1:37 pm    Post subject:

Hey!
Setting your DISPLAY variable manually is NOT a good idea, because it completely bypasses SSH!
When an X client wants to connect to a server, it will check the DISPLAY environment variable and try to connect. When it is set manually, it will bypass the SSH tunnel.

When checking your DISPLAY variable on the remote machine, it should be something to the effect of "localhost:10.0".

Assuming everything is configured, your SSH client will set up the correct DISPLAY environment variable.

Octavious
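
The distinction drawn in the reply above, as a check that can be run in the remote shell. This is an added example, not part of the thread: `classify_display` is a hypothetical helper, and the threshold of 10 assumes sshd's defaults of `X11DisplayOffset 10` and `X11UseLocalhost yes`.

```shell
#!/bin/sh
# Added example, not from the thread. classify_display is a hypothetical helper.
# Assumes sshd defaults: X11DisplayOffset 10 and X11UseLocalhost yes, so a
# forwarded display looks like "localhost:10.0".

classify_display() {  # usage: classify_display "$DISPLAY"
    d=${1-}
    case $d in
        '')  echo unset;   return ;;
        *:*) ;;
        *)   echo invalid; return ;;
    esac
    host=${d%:*}                      # text before the last colon
    num=${d##*:}; num=${num%%.*}      # display number without ".screen"
    case $host in
        ''|unix)
            echo local ;;             # Unix socket of an X server on this host
        localhost|127.0.0.1|::1)
            if [ "$num" -ge 10 ] 2>/dev/null; then
                echo ssh-tunnel       # sshd's proxy listener on loopback
            else
                echo loopback-tcp     # loopback, but below sshd's offset
            fi ;;
        *)
            echo direct-tcp ;;        # plain X11 over the network, no SSH
    esac
}

# Values quoted in the thread, plus a local display for comparison.
for sample in 'localhost:10.0' '192.168.1.109:0.0' ':0'; do
    printf '%-20s %s\n' "$sample" "$(classify_display "$sample")"
done
```

A `direct-tcp` result means the client will try an unencrypted X11 connection to that host, which also requires the X server there to accept TCP connections; the `-nolisten tcp` setting shown in the first post disables that.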