[TriLUG] X sessions through SSH

Henryk M. Kowalski kowalski at easternrad.com
Wed Nov 6 12:13:38 EST 2002


On 6 Nov 2002, Jeremy Portzer wrote:

> On Wed, 2002-11-06 at 10:48, Henryk M. Kowalski wrote:
> > I'm confused about a couple of points re: secure tunneling.
> > 
> > Scenario 1:
> > I'm running X locally.
> > I start xterm locally and SSH to remote host.
> > - So far the connection should be secure, i.e. everything typed in that 
> > xterm window is encrypted.
> > 
> > What happens if I start a detached terminal FROM the _original_ SSH 
> > terminal, i.e. I run 'xterm &' _on_ the remote host with the display 
> > automatically showing up on my _local_ X server?
> 
> Yes, all X communication should be forwarded by SSH.  
> 
> For example, say you run "ssh -X remotehost" from a local xterm.  You
> will now be typing in a shell on the remote server.
> Then you run xterm& in that shell.  A new xterm will be spawned, and
> show up on your desktop -- this xterm is running on the remote host, and
> all its traffic is encrypted through the original ssh channel.
> 
> If you were to logout of the original ssh-connected shell, but leave the
> second xterm running, you'll notice that ssh will not completely exit. 
> It's waiting for the other, forwarded connections to go away before it
> exits.  (It may even give you a message informing you of this, or it may
> just appear to "hang".)
> 
> The important thing to remember here is NEVER set the DISPLAY variable
> manually!  When you log into "remotehost" with the -X option (or turned
> on by configuration, or whatever), the DISPLAY variable is set
> automatically to "localhost" -- usually display number 10 or higher. 
> This causes the secondary X applications to connect to this special high
> display on the local computer (in this case, "remotehost").  Ssh is
> "listening" on this special port, and automatically forwards the traffic
> securely to your local X server.  Never put your local computer's IP
> address in $DISPLAY!  If you do that, traffic will be unencrypted
> because it doesn't go through the SSH tunnel.

Thanks. That clears up the last of the 'dark spots'.  :)

> 
> > Scenario 2: (Very similar)
> > I'm running a plain-vanilla X session locally and I just want this local 
> > machine to be a display (terminal) for a remote session, so I leave off 
> > any window manager.
> > 
> > I have xterm up (locally), and SSH to remote, then run 'startx' or 
> > equivalent _on the remote machine_ to get my window manager.
> > 
> > Am I correct in assuming that all of the traffic from this point on is NOT 
> > encrypted?  If so, is there a workaround?
> 
> As already replied, you don't run startx (which is for starting a
> session on a local monitor), but instead run the startup script for your
> desktop environment.  This SHOULD work, although I haven't done this
> personally.  Check the DISPLAY variable ("echo $DISPLAY" at a shell
> prompt) and make sure that apps are being displayed to localhost, which
> represents the SSH tunnel.
> 

It does and... it does! ;)
Running wmaker (for example) on remote sends (nice window manager session) 
back to local.

$>echo $DISPLAY (from within the new wm session)
returns: 'localhost:10.0'

Which, according to the above discussion means that the session IS 
encrypted.  Excellent.

Thanks again, Jeremy and Chris.

--Henry
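The check Jeremy describes (look at $DISPLAY on the remote host and make sure it points at localhost, i.e. the SSH tunnel, rather than at your own machine's address) can be scripted. The following is an added example, not code from the thread or from OpenSSH; it assumes the OpenSSH convention that a forwarded display is named "localhost:N" with N at 10 or above, and classifies a DISPLAY value as "tunneled" (goes through SSH), "local" (the host's own X server, no network at all) or "direct" (a hostname or IP, so X traffic crosses the network unencrypted).

```shell
#!/bin/sh
# Added example (not part of the original thread): classify a DISPLAY value
# the way the advice above does. Assumes the OpenSSH convention that an
# X-forwarded display is "localhost:N" with N >= 10.
#
# display_is_tunneled VALUE  -> prints tunneled | local | direct | unset
#                               returns 0 only for "tunneled"
display_is_tunneled() {
    display="$1"
    if [ -z "$display" ]; then
        echo "unset"; return 1
    fi
    host="${display%%:*}"      # text before the first ':' ("" for ":0")
    rest="${display#*:}"       # "10.0", "10" or "0"
    num="${rest%%.*}"          # display number without the ".screen" suffix

    # A hostname or IP address means the X protocol leaves the machine
    # outside the SSH channel: exactly what the thread warns against.
    case "$host" in
        ""|localhost|127.0.0.1) ;;
        *) echo "direct"; return 1 ;;
    esac

    # Anything that is not a plain number cannot be a valid display.
    case "$num" in
        ''|*[!0-9]*) echo "direct"; return 1 ;;
    esac

    # localhost:10 and up is the range sshd hands out for forwarding;
    # localhost:0 (or :0) is the machine's own X server via local socket.
    if [ "$num" -ge 10 ]; then
        echo "tunneled"; return 0
    fi
    echo "local"; return 1
}

# Stand-alone use: run this in the shell you get after "ssh -X remotehost".
# Expect "tunneled"; anything else means X apps are not using the tunnel.
display_is_tunneled "${DISPLAY:-}" || true
```

Run it in the remote shell after connecting with `ssh -X`; "tunneled" is the outcome the thread reaches with `localhost:10.0`. A result of "direct" is the case Jeremy warns about, where someone has exported DISPLAY by hand with a real address and the X traffic bypasses SSH entirely.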
