wiki / xorg / x11-forwarding
Edited () at 2020-06-10 by Michael Czigler
X11-FORWARDING [0]
________________________________________________________________________________
X11-Forwarding is a secure shell feature, which allows one to forward/tunnel
X11 connections through an existing SSH session. This is used to run X11
programs on a server while the ssh-client displays the graphical window through
the user's X11-server.
Dependencies
________________________________________________________________________________
In most cases, you will already have the required dependencies. At minimum,
ensure that you have the following installed:
+------------------------------------------------------------------------------+
| |
| $ kiss b xorg-server && kiss i xorg-server |
| $ kiss b xauth && kiss i xauth |
| |
+------------------------------------------------------------------------------+
Remote Server Configuration
________________________________________________________________________________
Configuring X11-Forwarding for a remote server is straightfoward and, once
completed, a viable alternative to most opensource VNC and RDP server options.
All that is required are a few modifications to configuration files that exist
on your remote X server:
+------------------------------------------------------------------------------+
| |
| $ echo "XauthLocation /usr/bin/xauth" >> /etc/ssh/sshd_config |
| $ echo "X11Fordwarding yes" >> /etc/ssh/sshd_config |
| |
+------------------------------------------------------------------------------+
At this point you are ready to test your server!
Client Configuration
________________________________________________________________________________
In order to connect to your remote server, you will need an SSH client that
supports X11-Forwarding, as well as an X server running on the same client. Some
popular cross-platform options include the following:
* vcxsrv (recommended, server only) [1]
* MobaXterm (both SSH client and X server, for Windows only) [2]
* Xming (server only) [3]
* X410 (server only) [4]
From the client side, connect to the server via SSH through your favorite
terminal application while passing the "-X" switch. Pay attention to any
errors that may occur on connection. More verbose output can be achieved by
passing the "-v" switch:
+------------------------------------------------------------------------------+
| |
| $ ssh -X -v user@localhost |
| |
+------------------------------------------------------------------------------+
You can now start any X program on the remote server, the output will be
forwarded to your local session:
+------------------------------------------------------------------------------+
| |
| $ xclock |
| |
+------------------------------------------------------------------------------+
This should create a new window with the xclock application on your client side
X server.
Use an "&" at the end of the command to prevent tying up the terminal in
question:
+------------------------------------------------------------------------------+
| |
| $ xclock & |
| |
+------------------------------------------------------------------------------+
Tips and Tricks
________________________________________________________________________________
* If your connection is slow, try enabling SSH compression by passing the "-C"
switch.
+----------------------------------------------------------------------------+
| |
| $ ssh -X -C user@localhost |
| |
+----------------------------------------------------------------------------+
* You can further improve your connection speed by using a cypher to connect to
the remove server. This can be passed as an argument using the "-c" switch
at the initialization of a new SSH connection. [5]
+----------------------------------------------------------------------------+
| |
| $ ssh -X -C -c aes256-ctr user@localhost |
| |
+----------------------------------------------------------------------------+
* Your remote system most likely has many cypher options already available for
you to choose from (es128-ctr, aes192-ctr, aes256-ctr, arcfour256, arcfour128,
aes128-cbc, 3des-cbc, blowfish-cbc, cast128-cbc, aes192-cbc, aes256-cbc,
arcfour, etc.) and each will vary in performance and security. Check out
websites that benchmark the various security cyphers and choose the one that
works best for you. [6]
* Can you forward an entire desktop session? Why yes, you can! Instructions for
doing so vary per client, server configuration, and platform [7]. If you chose
vcxsrv as your client on a Windows host, then I would recommend checking out
the following youtube video:
"Linux and Windows | X11 Forwarding with SSH | VNC Alternative" by knary
References
________________________________________________________________________________
[0] https://wiki.archlinux.org/index.php/OpenSSH#X11_forwarding
[1] https://sourceforge.net/projects/vcxsrv/
[2] https://mobaxterm.mobatek.net/
[3] http://straightrunning.com/XmingNotes/
[4] https://x410.dev
[5]
[6] https://blog.famzah.net/2010/06/11/openssh-ciphers-performance-benchmark/
[7] https://blog.warbel.net/index.php/2018/02/21/using-xnest-or-putty-vcxsrv-to-start-a-full-remote-session/
________________________________________________________________________________
Dylan Araps (C) 2019-2020
Linux(R) is the registered trademark of Linus Torvalds in the U.S. and
other countries.