# tunneling X over SSH

## tba

here's what I've done so far:

enable XDMCP on both computers (I don't know why but delta told me to)

build 1st option "packet" into kernel under networking (don't know why but XDMCP howto said I needed UCP and irc said UCP is in packet)

edited ssh_config and sshd_config to allow X forwarding

here's the problem:

I log on as my user in ssh and try to run xterm and it tells me:

```
_X11TransSocketINETConnect:  cant get address for localhost
xterm Xt error:  cant open display:  localhost: 10.0
```

and it cuts off right there.  Same thing as root and user.  Anyone know why?

----------

## ElCondor

once you use "export" you are not tunneling X anymore! 

be sure client and server have both X11 forwarding enabled!

* ElCondor pasa *

----------

## Ferdy

You will have to allow the host with the xhost program as follows:

```
[bash]$ xhost +hostname
```

Just my 2 cents

----------

## ElCondor

again: with X11-tunneling via ssh there is no need to "export DISPLAY" or "xhost +hostname" anymore! that's what the tunnel is for! just be sure you have ssh configured correctly:

```
/etc/ssh/sshd_config (where you are logging in to):

X11Forwarding yes
X11DisplayOffset 10
```

and

```
/etc/ssh/ssh_config (from where you are coming):

Host *
  ForwardX11 yes
```

replace the asterisk with the IP or hostname, or leave it (which will typically do fine)

There should be no need to tune anything else to get X11-forwarding working, once ssh itself works properly.

Hint: to work on a remote machine just 

```
ssh user@remote.host.com /path/to/xterm
```

any program started in this xterm will use the existing tunnel without doing any further configuration.

* ElCondor pasa *

----------

## tba

el condor pasa,

I didn't uncomment the "X11DisplayOffset 10" line originally, but trying to run an xterm gives me the same error (eventually I plan on being able to start KDM remotely).

errr, forgive my ignorance, but I have a feeling there are a bunch of other lines I need to uncomment.  Late last night when I wrote the original post I failed to notice that just about every line in sshd_config and ssh_config is commented....

```
#Port 22
#Protocol 2,1
#ListenAddress 0.0.0.0
#ListenAddress ::
# HostKey for protocol version 1
#HostKey /etc/ssh/ssh_host_key
# HostKeys for protocol version 2
#HostKey /etc/ssh/ssh_host_rsa_key
#HostKey /etc/ssh/ssh_host_dsa_key
# Lifetime and size of ephemeral version 1 server key
#KeyRegenerationInterval 3600
#ServerKeyBits 768
# Logging
#obsoletes QuietMode and FascistLogging
#SyslogFacility AUTH
#LogLevel INFO
# Authentication:
#LoginGraceTime 600
#PermitRootLogin yes
#StrictModes yes
#RSAAuthentication yes
#PubkeyAuthentication yes
#AuthorizedKeysFile     .ssh/authorized_keys
# rhosts authentication should not be used
#RhostsAuthentication no
# Don't read the user's ~/.rhosts and ~/.shosts files
#IgnoreRhosts yes
# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
#RhostsRSAAuthentication no
# similar for protocol version 2
#HostbasedAuthentication no
# Change to yes if you don't trust ~/.ssh/known_hosts for
# RhostsRSAAuthentication and HostbasedAuthentication
#IgnoreUserKnownHosts no
# To disable tunneled clear text passwords, change to no here!
#PasswordAuthentication yes
#PasswordAuthentication yes
#PermitEmptyPasswords no
# Change to no to disable s/key passwords
#ChallengeResponseAuthentication yes
# Kerberos options
#KerberosAuthentication no
#KerberosOrLocalPasswd yes
#KerberosTicketCleanup yes
#AFSTokenPassing no
# Kerberos TGT Passing only works with the AFS kaserver
#KerberosTgtPassing no
# Set this to 'yes' to enable PAM keyboard-interactive authentication
# Warning: enabling this may bypass the setting of 'PasswordAuthentication'
#PAMAuthenticationViaKbdInt yes
X11Forwarding yes
X11DisplayOffset 10
#X11UseLocalhost yes
#PrintMotd yes
#PrintLastLog yes
#KeepAlive yes
#UseLogin no
#UsePrivilegeSeparation yes
#Compression yes
#MaxStartups 10
# no default banner path
#Banner /some/path
#VerifyReverseMapping no
# override default of no subsystems
Subsystem       sftp    /usr/lib/misc/sftp-server
```

the same goes for ssh_config.  Having never worked with ssh (or anything like it beyond a telnet client) I don't know what to do.

p.s.  I would also rather be a sparrow than a snail!

----------

## delta407

Okay, using X apps remotely and using kdm (or similar) remotely are different games. Display managers use XDMCP, which can be displayed by X -query [host-with-xdmcp]. I believe the ssh X forwarding simply forwards X packets, in which case you can use X apps but not display managers by using export DISPLAY="localhost:0.0", I believe.

I haven't done Linux->Linux tunneling, so I'm not totally sure of this, but this is what I have gathered while running X apps on Windows.

----------

## ElCondor

Okay, here are the complete configs without comments:

Server, where I log in to:

```
FOGELNEST root # grep -v ^# /etc/ssh/sshd_config
Protocol 2
X11Forwarding yes
X11DisplayOffset 10
Subsystem   sftp   /usr/lib/misc/sftp-server
```

Client, where I come from:

```
PHIEPS root # grep -v ^# /etc/ssh/ssh_config
Host *
  ForwardX11 yes
```

(I stripped the empty newlines). There is nothing else configured. I did the grep as shown above to be sure to get everything, and not keep back some necessary information due to thinking without looking anyway ;)

If you want to log in on a remote X you will have to turn on XDMCP on that server, that's something completely different!

Edit: Since delta was faster with typing, here is some addition: XDMCP is not secure! It's nearly as secure as letting someone sit at your desk, just screwdriver attacks are impossible ;) but every X based traffic is not encrypted, so using XDMCP is nice when you have a trusted network and a diskless client for example. In such a network there is also no need to use ssh at all, telnet and "export DISPLAY/xhost+" will do fine here as well.

What you could try is using a virtual X session like VNC to log in via xdm and then send the output via ssh to a remote client - never tried this, but something like this should be possible. VNC is not the thing to use, but I forgot the name of the program I really needed to name here, sorry.

* ElCondor pasa *
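The two listings above (tba's fully commented-out sshd_config and the `grep -v ^#` check) are the usual trap: sshd only honours uncommented lines, keywords are case-insensitive, and for each keyword the first value it meets wins, so a later duplicate is silently ignored. The following shell helper is an added example, not from the thread, that reads an sshd_config the way sshd does and reports the effective X11 settings; it assumes POSIX sh, awk and mktemp, and the sample file is constructed.

```shell
#!/bin/sh
# Added example, not part of the thread: report how sshd will actually read the
# X11 options of an sshd_config, so a "still commented out" file is caught
# before restarting the daemon. sshd rules applied here: lines whose first
# token starts with '#' are comments, keywords are case-insensitive, and the
# FIRST value seen for a keyword wins (later duplicates are ignored). Only the
# global section is read: anything after a "Match" line is conditional.
# The "Keyword=value" spelling sshd also accepts is not handled here.

# effective_value FILE KEYWORD DEFAULT : print the value sshd will use
effective_value() {
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" -v def="$3" '
        NF == 0 || $1 ~ /^#/   { next }                      # blank or comment
        tolower($1) == "match" { exit }                      # conditional section
        tolower($1) == key     { print $2; found = 1; exit } # first hit wins
        END                    { if (!found) print def }
    ' "$1"
}

# x11_check FILE : print the three relevant settings, return 0 if forwarding is on
x11_check() {
    fwd=$(effective_value "$1" X11Forwarding no)      # sshd default: no
    off=$(effective_value "$1" X11DisplayOffset 10)   # sshd default: 10
    loc=$(effective_value "$1" X11UseLocalhost yes)   # sshd default: yes
    printf 'X11Forwarding=%s X11DisplayOffset=%s X11UseLocalhost=%s\n' \
        "$fwd" "$off" "$loc"
    [ "$fwd" = yes ]
}

# Constructed sample: the commented-out default, a lowercase live setting and a
# contradicting later line. Only "x11forwarding yes" counts.
SAMPLE=$(mktemp)
cat > "$SAMPLE" <<'EOF'
#X11Forwarding yes
Protocol 2
x11forwarding yes
X11Forwarding no
X11DisplayOffset 10
EOF

x11_check "$SAMPLE"   # X11Forwarding=yes X11DisplayOffset=10 X11UseLocalhost=yes
```

Point it at the real file (`x11_check /etc/ssh/sshd_config`) on the machine you log in to; a non-zero exit means the daemon will refuse to forward no matter what the client sends.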

----------

## tba

delta and el condor,

I think I'm beginning to understand this...  I asked a buddy and he told me I shouldn't have to worry too much about security as I am behind a router which keeps connections away from individual computers.

so ssh won't tunnel a display manager.  I made sure to enable XDMCP in kdmrc (and add the line port=177).  When I type "X -query servermachinesIP", from ssh or just from bash on client, I get "fatal error.  display is already active for display 0."  The same thing happens when I use the putty ssh client for windows.  I've tried, from ssh, exporting DISPLAY=clientsip:1 (which works fine) and xhost +clientsip, but that tells me "cant open display 10.0.0.2:1."

in case I confused you:  server=10.0.0.3 client=10.0.0.2

I've been trying to read the XDMCP howto but it seems like linux is built for Red Hat and I don't know how much applies.

http://www.tldp.org/HOWTO/XDMCP-HOWTO/procedure.html#AEN45

I built af_packet into my kernel cuz I read that XDMCP doesn't use TCP so that can't be the prob. (unless it doesn't use whatever af_packet is either)

----------

## delta407

Check your /usr/kde/3/share/config/kdm/kdmrc file to make sure XDMCP is enabled:

```
[Xdmcp]
Enable=true
KeyFile=/usr/kde/3/share/config/kdm/xdm-keys
Willing=su nobody -c /usr/X11R6/lib/X11/xdm/Xwilling
Xaccess=/usr/X11R6/lib/X11/xdm/Xaccess
```

Then, set your Xaccess file to allow connections from every host (uncomment that line, you'll see it)... then, go to the remote box, and:

```
# X -query [server]
```

Voilà! Your terminal server environment should be complete.

----------

## ElCondor

*tba wrote:*

> I asked a buddy and he told me i shouldnt have to worry too much about security as i am behind a router which keeps connections away from individual computers.

Some notes on security:

- XDMCP may pass a router - what you need is a firewall!
- a secure network implies that everything and everyone inside this network are secure - XDMCP reveals every keystroke to a simple network sniffer
- there is no secure network :)
- use encryption wherever you send private data over a network (or save it to disk). It's nearly no (or mostly only once some) work, but it helps you save your thoughts to bother about something else - and there is always enough to bother!

I know, this is going off-topic, but since the thread started with an SSH question .. ;) Sorry for my missionary behaviour!

(Concerning XDMCP configuration with kdm I cannot help you, only used xdm and gdm so far)

* ElCondor pasa *

----------

## delta407

*elcondor wrote:*

> there is no secure network

Correct, but a standard wired network is infinitely more secure than something wireless and reasonably secure overall. If you're running wireless, definitely tunnel over SSH, but if you're wired and it's just a home network, don't bother. It'll add CPU overhead without adding any protection (since physical access isn't a real threat unless you host LAN parties or something).

Remember, the only way they can sniff keystrokes between computers on the same subnet is by connecting to a hub (a switch won't let 'em) or by hijacking either end. So, if it's a standard home LAN, don't worry about it.

----------

## tba

kdmrc looks just like yours....  I also read that I should add port=177 but I removed that as I guess it doesn't apply to gentoo

at the time I posted last I had neglected to edit my Xaccess file because I thought that it only concerned people logging in using xdm not kdm.  So I went back and uncommented the "accept all host" line, but I still get the same error.  It doesn't even think for a second.

I also tried uncommenting the chooser line below "because it said it was the nicest way of doing it" but that didn't work either.

----------

## tba

for anyone else who has the same problem as me (and I doubt anyone will :) ) this is how I got it working:

run "X -query" on client WITHOUT X already running.  Ironically, I had trouble getting VNC working earlier this week because I assumed X could not be running on the client computer.  Just when I thought I'd taught myself something the opposite proves true.

this will serve as a lesson next time I consider thinking for myself.

----------

## cyc

can't you just tunnel xdmcp like all other connections? irc even is also possible?

----------

## tba

I don't know the answer to that but one of the guys that helped me probably would.  Apparently there is a difference between tunneling and exporting, but now that I got it working I don't want to screw around.

----------

## ElCondor

*cyc wrote:*

> cant you just tunnel xdmcp like all other connections? irc even is also possible?

Of course, you can tunnel everything, but you will have to set up a real tunnel. What you also might try is to forward special ports via ssh, that should make this possible for XDMCP also ... I will post it later when I'm back in the office

* ElCondor pasa *

----------

## mlybarger

*ElCondor wrote:*

> again: with X11-tunneling via ssh there is no need to "export DISPLAY" or "xhost +hostname" anymore! that's what the tunnel is for! just be sure you have ssh configured correctly:
>
> ```
> /etc/ssh/sshd_config (where you are logging in to):
>
> X11Forwarding yes
> X11DisplayOffset 10
> ```
>
> and
>
> ```
> /etc/ssh/ssh_config (from where you are coming):
>
> Host *
>   ForwardX11 yes
> ```

I'm not quite there yet on this.  I seem to be able to tunnel X via ssh using ssh -X hostname, and it sets the display all up.  I still have to type xhost <hostname> on the local box to allow connections.  I even have to do that to allow root on the local box to run X applications.  Is there a way to make these xhosts persistent?  Should I not have to type that when going via ssh?

----------

