# ssh X11 forwarding

## ptitzef

Hi everybody,

I'm having trouble trying to export DISPLAY in an ssh tunnel... :Crying or Very sad: 

local 

```
ssh -X user@computer
```

I get the error: 

```
Gtk-WARNING **: cannot open display
```

ps -eaf | grep X gives:

```
/usr/X11R6/bin/X -nolisten tcp -auth /var/run/xauth/A:0-kpNWic vt7
```

I think the problem comes from -nolisten but I don't know where I configure it  :Exclamation: 

So if anyone has an idea it would be great.

Thanks

----------

## shadow255

 *ptitzef wrote:*   

> Hi everybody,
> 
> I have troubles while trying to export DISPLAY in a ssh tunnel...
> 
> local 
> ...

 

The X server's -nolisten option is not your problem.  Are you tunneling to a computer that you set up and can configure?  If so, then on the remote computer you need to ensure that X11 forwarding is configured as allowed.  If it is already configured that way, you could have issues with configuration of pam.  Look at this thread for help if /etc/ssh/sshd_config is set to permit X11 forwarding already.

On the other hand, if you're not the admin of the remote computer it's quite possible that X11 forwarding is deliberately not permitted.

----------

## ptitzef

/etc/ssh/ssh_config :

```
# Host *
#   ForwardAgent no
   ForwardX11 yes
#   RhostsRSAAuthentication no
#   RSAAuthentication yes
#   PasswordAuthentication yes
#   HostbasedAuthentication no
#   BatchMode no
#   CheckHostIP yes
#   AddressFamily any
#   ConnectTimeout 0
#   StrictHostKeyChecking ask
#   IdentityFile ~/.ssh/identity
#   IdentityFile ~/.ssh/id_rsa
#   IdentityFile ~/.ssh/id_dsa
#   Port 22
#   Protocol 2,1
#   Cipher 3des
#   Ciphers aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc
#   EscapeChar ~
```

/etc/security/pam_env.conf.

```
REMOTEHOST      DEFAULT= OVERRIDE=@{PAM_RHOST}
DISPLAY         DEFAULT=${REMOTEHOST}:0.0 OVERRIDE=${DISPLAY}
```

This is my configuration on both computers: I'm root on both...

but the problem persists... :Shocked: 

SERVER side (ssh session)

If I export DISPLAY and start an application I get the following message

```
Gtk-WARNING **: cannot open display: 192.168.0.2:0
```

The log in /var/log/ssh is

```
Mar 18 18:11:20 [sshd] Accepted keyboard-interactive/pam for root from 192.168.0.2 port 32768 ssh2
```

CLIENT SIDE (X)

I start another X session with the command startx -- :1 to see STDOUT and I get:

X log on STDOUT 

```
AUDIT: Fri Mar 18 18:28:56 2005: 8561 X: client 3 rejected from IP 192.168.0.1
```

So it's an X server problem  :Exclamation: 

----------

## shadow255

 *ptitzef wrote:*   

> /etc/ssh/ssh_config :

 

How about /etc/ssh/sshd_config?  There is a difference, and it's important.  Please note that this is the file I asked about in my original reply!

 *ptitzef wrote:*   

> 
> 
> # Host *
> 
> #   ForwardAgent no
> ...

 

This only tells ssh that X11 forwarding is a default when you make client connections to a remote host.  It does not configure the host to permit X11 forwarding.

----------

## mr_ed

Are you running 

```
xhost +<IP ADDRESS>
```

 on the client machine before running ssh?

----------

## shadow255

 *mr_ed wrote:*   

> Are you running 
> 
> ```
> xhost +<IP ADDRESS>
> ```
> ...

 

Absolutely not necessary.  The original poster did not reply back, but I suspect that it was a question of modifying the correct configuration file.

----------

## mr_ed

I was just reading here

http://www.gentoo.org/doc/en/gentoo-security.xml

and it says in a big red warning box "Do not ever use the xhost + feature!"

Oops.   :Embarassed: 

----------

## zeek

 *mr_ed wrote:*   

> I was just reading here
> 
> http://www.gentoo.org/doc/en/gentoo-security.xml
> 
> and it says in a big red warning box "Do not ever use the xhost + feature!"
> ...

 

Nothing wrong with xhost+, just be sure to let your cow-orkers know that you're doing this so they can pop up random windows on your desktop.  I've had a ton of fun with people using xhost+!

----------

## mr_ed

lol  I'm sure you have.   :Smile: 

Nobody here except for me knows anything about UNIX.  Well... there's our sysadmin who logs into our Linux server as root -- but only locally or through VNC.

I'm in a Windows shop.   :Crying or Very sad: 

And as I've demonstrated, there's still more to learn.   :Wink: 

----------

## toralf

@ptitzef:

remove 'nolisten tcp' from Xservers:

```
/etc/ssh/ssh_config
```

BTW:

```
nhh221 ~ # grep X11 /etc/ssh/ssh_config
#   ForwardX11 no
```

----------

## outspoken

Here is my setup, and I'm able to use X through my ssh connection.

```
vi /etc/security/pam_env.conf
```

 *Quote:*   

> Everything in here should be commented out

```
vi /etc/ssh/sshd_config
```

 *Quote:*   

> X11Forwarding yes
> 
> Everything else in there is personal preference
> ...

```
ssh -X -p port user@server
```

and that is all I have configured on a brand new installation of Gentoo 2005.0 to get my X forwarding working through ssh.

----------

## lbrtuk

I don't see how nolisten tcp would make any difference here. When you use ssh to tunnel X, it usurps the xserver's network layer. The ssh client acts as a standard X client to your local server, not using tcp, but unix domain sockets, much like any other local app you're running on your local desktop. It's functionally equivalent to running

```
$ gaim
```

on your local machine. (Using gaim as an example of course)

I have nolisten tcp set and I run remote apps over ssh just fine.

----------

## outspoken

I just wanted to post on the fact that everyone in this thread with an avatar is one of a robot. That is creepy cool.  :Razz: 

----------

## pcardout

This was a great thread.  I am chiming in here because I didn't see it come to a conclusion, exactly.  

I personally found the best advice came from "outspoken". For me ALL I had to do was to ssh into the remote machine whose X applications I want to see at my local client.

Then, on that remote machine:

```
vi /etc/ssh/sshd_config
```

and add the line

```
X11Forwarding yes
```

Then

```
ssh -X joe@joesremotemachine.joebiz.com
```

You probably need to restart sshd on the remote machine.  

Anyway --

You're done!  No messing with export or $DISPLAY, or xhost or PAM.

----------

## Vlad

Just wanted to chime in my two cents here.

I found this post while trying to figure out how to run X applications on my Gentoo box remotely.  I read through all the posts here and was frustrated when I couldn't figure out what I was doing wrong; I kept receiving:

```
vlad@gnode13 ~ $ xterm
xterm Xt error: Can't open display:
xterm:  DISPLAY is not set
```

And was baffled as earlier posts said the DISPLAY variable did not have to be set.

Well, silly me.  After doing a little investigation (namely ssh -v -X user@host), I found this tidbit of information:

```
debug1: Requesting X11 forwarding with authentication spoofing.
debug1: Remote: X11 forwarding disabled; not compatible with UseLogin=yes.
Last login: Thu Aug 11 18:33:54 2005 from 192.168.1.11 on pts/0
vlad@gnode13 ~ $ logout
```

AHA!  After commenting out (effectively setting UseLogin=no) in my /etc/ssh/sshd_config file, and restarting sshd, I was able to use X forwarding just fine.

So, if you see this error

```
xterm Xt error: Can't open display:
xterm:  DISPLAY is not set
```

Be sure UseLogin=no is set in your sshd_config file!

I hope this post helps someone else in the future :)

----------
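The two server-side conditions reported in the posts above (sshd_config must say `X11Forwarding yes`, and `UseLogin yes` disables forwarding), written as a check over sshd_config text. This is an added example, not part of any post in the thread; the function names and sample configs are constructed, and `Match` blocks are not evaluated.

```python
import re

# Values used when a keyword is absent or commented out, per sshd_config(5).
DEFAULTS = {"x11forwarding": "no", "uselogin": "no"}

def effective_settings(text):
    """Return the global sshd_config values; the first occurrence of a keyword wins."""
    seen = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # a commented-out keyword leaves the default in force
        # Accept both "Keyword value" and "Keyword=value".
        parts = re.split(r"\s*=\s*|\s+", line, maxsplit=1)
        key = parts[0].lower()  # keywords are case-insensitive
        if key == "match":
            break  # simplification: conditional blocks are not evaluated
        value = parts[1].strip().lower() if len(parts) > 1 else ""
        seen.setdefault(key, value)
    return {**DEFAULTS, **seen}

def diagnose(text):
    """List the reasons sshd would not set up X11 forwarding (empty list = none found)."""
    cfg = effective_settings(text)
    problems = []
    if cfg["x11forwarding"] != "yes":
        problems.append("X11Forwarding is not 'yes': the forwarding request is refused")
    if cfg["uselogin"] == "yes":
        problems.append("UseLogin=yes: X11 forwarding is disabled, not compatible")
    return problems

# Constructed samples, not taken from any poster's machine.
COMMENTED = "#X11Forwarding yes\n#UseLogin no\n"   # everything commented out
USELOGIN = "X11Forwarding yes\nUseLogin yes\n"     # the case Vlad ran into
WORKING = "X11Forwarding yes\n"

if __name__ == "__main__":
    for name, sample in [("commented", COMMENTED), ("uselogin", USELOGIN),
                         ("working", WORKING)]:
        print(name, diagnose(sample) or "no problems found")
```

When neither condition is reported, `ssh -v -X user@host` remains the direct way to see what the server answered, as in Vlad's post.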

## dritan

I just came across this thread and I think this should be in the wiki if it's not already there!

Thanks to you guys I can now remotely fix my dad's computer! But I have a small problem, however... when I run gdmsetup on the remote machine I get this:

```
(gdmsetup:14127): Gdk-WARNING **: Connection to display localhost:10.0 appears to be untrusted. Pointer and keyboard grabs and inter-client communication may not work as expected.
```

And a blank grey window pops up with nothing in it... so how do I make my connection secure enough for gdm or any gtk+ apps to trust?

----------

## Hu

First, please do not resurrect such old threads just because they appear to have a similar subject line.

Second, the error tells you what you need.  The forwarded connection is untrusted.  See man ssh about the -Y option and man ssh_config about the ForwardX11Trusted option.  Let us know if you have problems after enabling trusted forwarding.

----------

## dritan

Sorry I thought it was better than opening a new thread and being pointed back to this one =) and thanks!! adding -Y does fix the problem!!! My bad on not reading the man pages first!!

----------
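On the client side, ssh_config(5) says X11 forwarding should be enabled with caution, because a remote user who can read your X authorization data on the server can reach your local display through the tunnel. The check below is an added example, not part of any post: it reports where a client ssh_config enables `ForwardX11` or `ForwardX11Trusted` for hosts that are not named explicitly. The function names and the host name `dads-box` are hypothetical, and `Match all` is not recognised.

```python
X11_KEYS = ("forwardx11", "forwardx11trusted")
GLOBAL = "(before any Host line)"

def x11_by_scope(text):
    """Return {scope: {option: value}} for the X11 options in an ssh_config."""
    scope, found = GLOBAL, {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # commented lines have no effect
        parts = line.replace("=", " ", 1).split(None, 1)
        if not parts:
            continue
        key = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        if key in ("host", "match"):
            scope = f"{parts[0]} {value}"  # a new block starts here
        elif key in X11_KEYS:
            # the first value obtained for an option is the one ssh uses
            found.setdefault(scope, {}).setdefault(key, value.lower())
    return found

def broad_x11(text):
    """List (scope, option) pairs that enable X11 forwarding for unnamed hosts."""
    hits = []
    for scope, opts in x11_by_scope(text).items():
        broad = scope == GLOBAL or "*" in scope or "?" in scope
        hits += [(scope, k) for k, v in opts.items() if broad and v == "yes"]
    return hits

# Constructed from the client file quoted in the thread: "Host *" is commented
# out, so the uncommented ForwardX11 line applies to every host.
THREAD_CLIENT = "# Host *\n#   ForwardAgent no\n   ForwardX11 yes\n#   Port 22\n"

# Constructed alternative: forwarding only for one named host.
SCOPED = """Host dads-box
    ForwardX11 yes
    ForwardX11Trusted yes
Host *
    ForwardX11 no
"""

if __name__ == "__main__":
    print(broad_x11(THREAD_CLIENT))  # one finding: global ForwardX11
    print(broad_x11(SCOPED))         # no findings
```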

