Recipe 17.11. Tunneling X over SSH

17.11.1 Problem

You like running remote X sessions, but you know that they are completely insecure, so you want to run X over SSH.

17.11.2 Solution

Follow the previous recipes to get SSH configured and running, then enable X forwarding on the SSH server, in /etc/ssh/sshd_config. Then use the -X flag when you start your SSH session.

Put this line in /etc/ssh/sshd_config on the SSH server:

X11Forwarding yes

Then connect to the server with the -X flag:

$ ssh -X saturn.test.net

Run this command to test that X forwarding is working:

$ echo $DISPLAY

localhost:10.0

If it weren't, it would return a blank line. Now you can run any X program installed on the server as though it were local. Try this for a simple test:

$ xeyes

Or run glxgears, or any X program that is installed on the server.

17.11.3 Discussion

Using SSH for remote X sessions is both simpler and more secure than running a plain-vanilla X session without SSH, which is not secure at all. However, it still carries some risks. Use this to connect only to trusted hosts, because a snoopy admin can easily capture your keystrokes or logins, or even connect to your local desktop and snoop even more. Make sure your local ~/.Xauthority file is mode 600, to prevent unprivileged users on the remote host from also joining in the snooping.

Be sure that these entries are in your local /etc/ssh/ssh_config file and any per-user ~/.ssh/config files on your system:

   Host *
     ForwardX11 no
     ForwardAgent no

It's important to ensure that X forwarding is turned off, except when you absolutely need it.
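The checks described above can be scripted. The following is an added example, not part of the original recipe: it scans the client configuration files passed as arguments for any ForwardX11 or ForwardAgent line that is not set to no, and verifies that the Xauthority file is mode 600. The function names are hypothetical.

```shell
#!/bin/sh
# Added example (not from the original recipe): audit the client-side
# settings this recipe recommends. Function names are hypothetical.

# check_forwarding_off FILE
# Lists every ForwardX11/ForwardAgent line in an ssh_config-format file
# whose value is anything other than "no", with the Host/Match block it
# sits in. Returns 0 if nothing is enabled, 1 otherwise.
check_forwarding_off() {
    awk '
        BEGIN { ctx = "global"; bad = 0 }
        /^[ \t]*(#|$)/ { next }                 # comments and blank lines
        {
            line = $0
            sub(/^[ \t]+/, "", line)
            sub(/[ \t]*=[ \t]*/, " ", line)     # accept the "Key=value" form
            n = split(line, f, /[ \t]+/)
            key = tolower(f[1]); val = tolower(f[2])
            gsub(/"/, "", val)
            if (key == "host" || key == "match") { ctx = line; next }
            if ((key == "forwardx11" || key == "forwardagent") && n >= 2 && val != "no") {
                printf "%s:%d: [%s] %s %s\n", FILENAME, NR, ctx, f[1], f[2]
                bad = 1
            }
        }
        END { exit bad }
    ' "$1"
}

# xauthority_private FILE
# Returns 0 only if FILE is a regular file with mode 600 (-rw-------).
xauthority_private() {
    [ -f "$1" ] || return 2
    [ "$(ls -ld "$1" | cut -c1-10)" = "-rw-------" ]
}

# audit_client FILE... : check each config file, then the Xauthority file.
audit_client() {
    rc=0
    for cfg in "$@"; do
        [ -r "$cfg" ] || continue
        check_forwarding_off "$cfg" || rc=1
    done
    xauth="${XAUTHORITY:-$HOME/.Xauthority}"
    if [ -e "$xauth" ] && ! xauthority_private "$xauth"; then
        echo "$xauth: mode is not 600"; rc=1
    fi
    return $rc
}

# Runs the audit only when config files are given as arguments.
if [ "$#" -gt 0 ]; then audit_client "$@"; fi
```

A forwarding line reported inside a specific Host block may be a deliberate exception for a trusted server; a hit under Host * or at global scope means forwarding is on by default.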

Depending on your physical distance from the remote server and the speed of your network connection, you may notice some lag in your keystrokes or mouse movements, as the X protocol is a bit of a network hog.

17.11.4 See Also

  • ssh(1)

  • SSH, The Secure Shell: The Definitive Guide
