[TriLUG] X sessions through SSH

Jeremy Portzer jeremyp at pobox.com
Wed Nov 6 11:51:13 EST 2002 

On Wed, 2002-11-06 at 10:48, Henryk M. Kowalski wrote:
> I'm confused about a couple of points re: secure tunneling.
> 
> Scenario 1:
> I'm running X locally.
> I start xterm locally and SSH to remote host.
> - So far the connection should be secure, i.e. everything typed in that 
> xterm window is encrypted.
> 
> What happens if I start a detached terminal FROM the _original_ SSH 
> terminal, i.e. I run 'xterm &' _on_ the remote host with the display 
> automatically showing up on my _local_ X server?

Yes, all X communication should be forwarded by SSH.  

For example, say you run "ssh -X remotehost" from a local xterm.  You
will now be typing in a shell on the remote server.
Then you run xterm& in that shell.  A new xterm will be spawned, and
show up on your desktop -- this xterm is running on the remote host, and
all its traffic is encrypted through the original ssh channel.

If you were to logout of the original ssh-connected shell, but leave the
second xterm running, you'll notice that ssh will not completely exit. 
It's waiting for the other, forwarded connections to go away before it
exits.  (It may even give you a message informing you of this, or it may
just appear to "hang".)

The important thing to remember here is NEVER set the DISPLAY variable
manually!  When you log into "remotehost" with the -X option (or turned
on by configuration, or whatever), the DISPLAY variable is set
automatically to "localhost" -- usually display number 10 or higher. 
This causes the secondary X applications to connect to this special high
display on the local computer (in this case, "remotehost").  Ssh is
"listening" on this special port, and automatically forwards the traffic
securely to your local X server.  Never put your local computer's IP
address in $DISPLAY!  If you do that, traffic will be unencrypted
because it doesn't go through the SSH tunnel.
   
> Scenario 2: (Very similar)
> I'm running a plain-vanilla X session locally and I just want this local 
> machine to be a display (terminal) for a remote session, so I leave off 
> any window manager.
> 
> I have xterm up (locally), and SSH to remote, then run 'startx' or 
> equivalent _on the remote machine_ to get my window manager.
> 
> Am I correct in assuming that all of the traffic from this point on is NOT 
> encrypted?  If so, is there a workaround?

As already replied, you don't run startx (which is for starting a
session on a local monitor), but instead run the startup script for your
desktop environment.  This SHOULD work, although I haven't done this
personally.  Check the DISPLAY variable ("echo $DISPLAY" at a shell
prompt) and make sure that apps are being displayed to localhost, which
represents the SSH tunnel.

Hope this helps,

Jeremy

More information about the TriLUG mailing list