5. Secure X Sessions via SSH
Given an encrypted connection via SSH, one can launch X-clients back to the local desktop in the usual way, i.e., by ensuring the DISPLAY environment variable is correctly set and, if necessary, executing an xhost command on the local machine, so starting a new connection between the remote and local machine (via port 6000). However, such connections are not encrypted and are strongly discouraged as a rule. This section describes how to ensure all X-clients are displayed via "tunnelled", secure connections. (Connections which are not tunnelled via SSH can be noticeably faster for graphics-intensive applications, so one might wish to use this route on occasion.)
A separate document describes in detail how to download and install the SSH Communications client on a MS Windows machine.
The SSH Communications client can be configured to automatically enable secure tunnelling for X11 graphic connections --- that is, to have the X11 connections encrypted. To do this, make sure that the "Tunnel X11 connections" box is ticked on the "Tunneling" tab of your Cosmos SSH Profile. (Details of how to set up an SSH profile for Cosmos or Eric are available here.)
Having set up a SSH profile to automatically enable secure X11 tunnelling, X-clients may be launched back to the local desktop by starting the Exceed Xserver in passive mode before accessing Cosmos (using the).
To check that the eXceed Xserver is configured to start in passive mode, for Exceed v6.2 and below,
Start -> Programs -> Exceed -> Xconfig -> Communication
and ensure that "Startup Mode" is set to "Passive".
For Exceed v7 and above:
Start -> Programs -> Hummingbird Connectivity x.y -> Exceed -> Xconfig -> Communication
and ensure that "Startup Mode" is set to "Passive".
To start the eXceed Xserver in passive mode, for Exceed v6.2 and below, go to
Start -> Programs -> Exceed -> Exceed
and for Exceed v7 and above,
Start -> Programs -> Hummingbird Connectivity x.y -> Exceed -> Exceed
See the CygWin/XFree86 user guides for how to use this software on a MS Windows machine to access Cosmos and Eric.
The usual (unencrypted) method of launching an X11 session from a remote host back to a local one is:
local_host> telnet remote.host
Trying <ipaddress>
Connected to <remote_host>.
Escape character is '^]'.
Welcome to the UMIST General Purpose Unix Service
login: <username>
Password:
Last login: Tue Dec 10 09:50:53 from talby.csu.umist.
...
remote_host> export DISPLAY=<localhost>:0
remote_host> xterm &
remote_host>
This kind of X11 session connects, unencrypted, to port 6000 on the local host:
[mpciish2@cosmos:~]$ netstat | grep powell
cosmos.umist.ac.uk.telnet powell.csu.umist.ac.uk.36404 6610 0 10136 0 ESTABLISHED
cosmos.umist.ac.uk.42630 powell.csu.umist.ac.uk.6000 11424 0 8760 0 ESTABLISHED
One can instead have ssh handle the X11 session for you via port-forwarding. To achieve this you must either start your SSH connections with the +x or +X option, e.g., ssh mpciish2@cosmos.umist.ac.uk +X (see the SSH man page for details), or ensure your client's default configuration is set up for this, for example (SSH Communications, /etc/ssh2/ssh2_config),
Tunneling
ForwardX11 yes
or (OpenSSH, /etc/ssh/ssh_config),
Host *
ForwardX11 yes
Then connect as usual, but do not manually set the DISPLAY environment variable --- echoing its value should now show something slightly different from usual, for example cosmos:10.0.
After starting a new X11 session (e.g., launching Emacs back from Cosmos to your local screen) we can confirm that Emacs is running through the ssh connection on port 22 (not the usual X11 port, 6000):
cosmos> echo $DISPLAY
cosmos:10.0
cosmos> emacs &
cosmos> netstat | grep talby
cosmos.umist.ac.uk.22 talby.csu.umist.ac.uk.36236 63360 0 10136 0 ESTABLISHED
cosmos>
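As an added example (not part of the original guide, and not code from UMIST or any SSH vendor), the following POSIX shell functions apply the two checks the text describes: classify a DISPLAY value as pointing at an sshd-forwarded display, at a local Xserver, or directly at a remote host on port 6000+n, and filter netstat output of the Solaris-style form shown above for connections that go to an X11 port rather than through the ssh session on port 22. The script assumes the SSH server uses a display offset of 10 for forwarded displays (the default OpenSSH X11DisplayOffset, and consistent with the cosmos:10.0 value above); the sample netstat lines embedded in it are taken from this page's output and are constructed data for the demonstration.

```sh
#!/bin/sh
# Added example, not from the original guide. Assumption: forwarded X11
# displays are numbered 10 or higher (sshd's default X11DisplayOffset).

# x11_display_port DISPLAY -> TCP port an X client uses for that display
# (X display number n listens on TCP port 6000+n).
x11_display_port() {
    n=${1#*:}          # drop the "host:" prefix
    n=${n%%.*}         # drop the ".screen" suffix
    echo $((6000 + n))
}

# x11_classify DISPLAY -> one of: none, tunnelled, local, direct, unknown
x11_classify() {
    disp=$1
    if [ -z "$disp" ]; then
        echo none; return          # no X display configured at all
    fi
    host=${disp%%:*}               # text before ':' (empty for ":0")
    n=${disp#*:}; n=${n%%.*}       # display number without ".screen"
    case "$n" in ''|*[!0-9]*) echo unknown; return ;; esac
    if [ "$n" -ge 10 ]; then
        echo tunnelled             # sshd's forwarded display (assumption above)
    elif [ -z "$host" ] || [ "$host" = localhost ] || [ "$host" = 127.0.0.1 ]; then
        echo local                 # Xserver on this machine, no network hop
    else
        echo direct                # unencrypted TCP to host, port 6000+n
    fi
}

# x11_unencrypted_connections  (reads netstat lines on stdin) -> lines whose
# remote end (column 2, "host.port" as printed by Solaris netstat) is an X11
# port in the 6000-6099 range, i.e. X traffic not carried by ssh on port 22.
x11_unencrypted_connections() {
    awk '$2 ~ /\.60[0-9][0-9]$/ { print }'
}

# Constructed sample input, copied from the netstat output shown on this page.
SAMPLE_NETSTAT='cosmos.umist.ac.uk.telnet powell.csu.umist.ac.uk.36404 6610 0 10136 0 ESTABLISHED
cosmos.umist.ac.uk.42630 powell.csu.umist.ac.uk.6000 11424 0 8760 0 ESTABLISHED
cosmos.umist.ac.uk.22 talby.csu.umist.ac.uk.36236 63360 0 10136 0 ESTABLISHED'

# Demonstration: check this shell's own session, then scan the sample lines.
echo "DISPLAY='$DISPLAY' -> $(x11_classify "$DISPLAY")"
echo "Unencrypted X11 connections in sample netstat output:"
printf '%s\n' "$SAMPLE_NETSTAT" | x11_unencrypted_connections
```

The display-to-port arithmetic is the reason the forwarded display :10 corresponds to sshd listening on port 6010 on the remote host while the only traffic on the wire is the ssh session on port 22. To run the scan against a live Solaris-style host, pipe the real netstat output into x11_unencrypted_connections instead of the sample variable. On OpenSSH clients, X11 forwarding is enabled per connection with ssh -X rather than +X, and setting ForwardX11Trusted no in ssh_config limits what a forwarded client may do to the local Xserver.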
Of course, one can start an unencrypted X11 session after initially connecting via ssh by manually setting DISPLAY, should one wish!