
ssh-ecurity — Part 5: The X11 Files

I'm a luddite and I'm an erudite command line user. Most of the time I spend on the computer is spent at the command line because I've been doing it that way for decades. I'm quite comfortable at the command line because of the knowledge I've gained and used almost daily for decades. My text editor of choice is EDT on OpenVMS but I do escape from time to time to TPU with EDT keypad. On linux, vi works fine for most of my needs, especially when I'm sudoing to edit system configuration files. However, there are some things which simply cannot be accomplished at the command line.

I'm not talking about the silly and often times more onerous GUI applications built around much simpler command line utilities. I'm speaking about applications which strictly and truly require graphical presentation such as photographic/image processing and manipulation programs -- i.e., GIMP. Yes, I do use ImageMagick, a wonderful, free, command line image manipulation suite, but there are things that require more than I can easily accomplish from the command line. In these cases, it's typically some X11 application that I'll utilize.

Another thing I have been avoiding of late is powering up my venerable old DEC VRC21-HA monitor. It still works perfectly fine but its resolution at 1280×1024 across 21" of Trinitron tube pales in comparison with 1920x1200 across the 17" of flat-panel LCD display on my MacBookPro. The DEC VRC21-HA also consumes significant electrical power and generates considerable heat; something I try to avoid during the height of the hot and humid summer days along the New Jersey shore. Even when it's not so hot outside, I already have enough heat in the office with two HP rx2600s running. So, I have been doing most of my OpenVMS work on either the 17" MacBookPro or the 17" Toshiba Satellite running Ubuntu Linux. Both run X11 server natively; therefore, I simply need to redirect the DECW$DISPLAY to one of these two laptops and I can work as if I was using the DEC VRC21-HA connected to the system's graphics card. I can even do this when I am on-the-road. Internet access is, as I said in another blogging, ubiquitous and, when it's not, my Sprint EVDO card usually comes to the rescue.

So now, if you are an astute X11 user and network savvy too, you are thinking, "How does that work when you have a dynamically assigned IP address and/or the connections from the outside are blocked to your laptop when you're on-the-road?" Well, it doesn't! At least, not in the traditional sense of logging in and issuing:

$ SET DISPLAY/CREATE/EXECUTIVE_MODE/TRANSPORT=TCPIP/NODE=aa.bb.cc.dd

or, for those linux and Mac users following along at home:

$ export DISPLAY=aa.bb.cc.dd:0.0

where the aa.bb.cc.dd represents the dynamically assigned IP address issued when on-the-road.

OK, so now you are scratching your head and thinking, "There must be some way to do X11 using ssh because, after all, this article is one in a series of blogs about ssh." Well, you're right! Surprised?

ssh implementations have a feature known as X11 Forwarding. X11 Forwarding allows the remote X11 client to run on your local X11 server sharing the same encrypted channel established by your ssh login. In fact, it's almost brainlessly simple to use. By simply telling ssh — with a command line switch or qualifier — that you want to forward X11 to your local machine, the mechanics of exporting the display are all handled by the ssh client and server. There's no need to fiddle with either of the aforementioned display commands.

In addition to simplifying the X11 client-server communications and setup, the X11 data that is sent to and fro is also encrypted. That's right, your X11 session and anything you run, enter or display is securely encrypted over the network.

So, let's take a closer look at how to work this using ssh and some examples.

The first thing to know is that this is implemented with a switch. On linux and Mac OS X, the switches for X11 port forwarding are:




Switch  Description
-X      Enables X11 forwarding.
-Y      Enables trusted X11 forwarding.
-x      Disables X11 forwarding.

On OpenVMS TCPIP Services, these switches are:




Switch  Description
+x      Enables X11 forwarding.
+X      Enables trusted X11 forwarding.
-x      Disables X11 forwarding.

On OpenVMS, you must put double quotes around the uppercase -X option to make it pass the switch as uppercase.

Let's take a look at this in action.

ssh -X from Ubuntu Linux to OpenVMS


ubuntu$ #################################################################
ubuntu$ # use 'xhost +' to allow X11 clients to connect to this host
ubuntu$ #################################################################
ubuntu$ xhost +
ubuntu$ #################################################################
ubuntu$ # use ssh X11 forwarding to connect to OpenVMS and run X11 apps
ubuntu$ #################################################################
ubuntu$ ssh -X username@openvms
username@openvms's password:
Welcome to OpenVMS (TM) Alpha Operating System, Version V8.3 on node OPNVMS
Last interactive login on Wednesday, 29-JUL-2009 18:10:15.85
Last non-interactive login on Tuesday, 28-JUL-2009 16:58:24.84
OPENVMS$ !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
OPENVMS$ ! SHOW DISPLAY to see how ssh-server has configured the display
OPENVMS$ !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
OPENVMS$ SHOW DISPLAY

Device: WSA145: [user]
Node: OPENVMS.MYDOMAIN.COM
Transport: TCPIP
Server: 12
Screen: 0

OPENVMS$ !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
OPENVMS$ ! run a vitally important X11 application
OPENVMS$ !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
OPENVMS$ MCR DECW$PUZZLE

Below is the result of running the DECW$PUZZLE displayed on Ubuntu Linux. Of course, I had to solve it first before taking this snapshot.
DECWindows Puzzle Application

ssh -X from Ubuntu Linux to Mac OS X


ubuntu$ #################################################################
ubuntu$ # use 'xhost +' to allow X11 clients to connect to this host
ubuntu$ #################################################################
ubuntu$ xhost +
ubuntu$ #################################################################
ubuntu$ # use ssh X11 forwarding to connect to Mac OS X and run X11 apps
ubuntu$ #################################################################
ubuntu$ ssh -X username@macosx
username@macosx's password:
Last login: Thu Jul 30 17:11:39 2009 from 192.168.2.235
macosx% #################################################################
macosx% # echo $DISPLAY to see how ssh-server has configured the display
macosx% #################################################################
macosx% echo $DISPLAY
localhost:10.0
macosx% #################################################################
macosx% # run some vitally important X11 application
macosx% #################################################################
macosx% xcalc

Mac OSX X11 xcalc Application
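
The two DISPLAY forms shown in this post, `aa.bb.cc.dd:0.0` set by hand and `localhost:10.0` set by the ssh server, can be told apart mechanically, which is a quick way to confirm that X11 traffic really is riding inside the ssh session. The following is an added example, not part of the original post: one shell function classifies a Unix-style DISPLAY value and a second reads the output of `xhost`; it assumes OpenSSH sshd defaults (loopback proxy displays numbered from 10), and the sample values are constructed.

```sh
#!/bin/sh
# Added example, not from the original post. Sample values are constructed.
# Assumes OpenSSH sshd defaults: proxy displays bound to loopback and
# numbered from 10 (X11UseLocalhost yes, X11DisplayOffset 10).

# display_kind VALUE prints one of:
#   local          unix socket or loopback display on this machine
#   ssh-forwarded  proxy display set up by sshd, carried inside ssh
#   tcp-direct:P   X11 straight to TCP port P, not carried inside ssh
#   invalid        not a host:display[.screen] value
display_kind() {
    case $1 in
        *:*) ;;
        *) echo invalid; return 1 ;;
    esac
    host=${1%:*}      # text before the last ':'
    num=${1##*:}      # "display" or "display.screen"
    num=${num%%.*}    # drop the screen number
    case $num in
        ''|*[!0-9]*|0?*) echo invalid; return 1 ;;  # also rejects "08"
    esac
    case $host in
        ''|unix|/*) echo local ;;
        localhost|127.0.0.1)
            if [ "$num" -ge 10 ]; then echo ssh-forwarded; else echo local; fi ;;
        *) echo "tcp-direct:$((6000 + num))" ;;      # X11 listens on 6000+display
    esac
}

# xhost_open TEXT succeeds when the output of `xhost` (no arguments) reports
# that host-based access control is off, which is the state `xhost +` leaves.
xhost_open() {
    case $1 in
        *"access control disabled"*) return 0 ;;
        *) return 1 ;;
    esac
}

for d in localhost:10.0 203.0.113.7:0.0 :0 unix:0.0; do
    printf '%-18s %s\n' "$d" "$(display_kind "$d")"
done
```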

If you are an X11 consumer and use X11 applications on remote clients, you may find that it is so much simpler to set up your display using ssh X11 Forwarding. It's not something I tend to do often when I'm on-the-road because the bandwidth of hotel wireless networks is often times significantly less, due to other hotel guests sharing it, than running off of my Sprint EVDO card and that too often provides inadequate bandwidth for X11 applications. However, isn't it great to know that you can, when needed, do this?

