# Howto: Remote X (X11 Forwarding) with SSH (not VNC, etc!)

## YsndHalf

Hi people,

After battling with my Gentoo boxes, testing and testing, and peeking at many, many of these forums, I finally achieved forwarding X11 from my Linux box to a remote box via SSH.

I'd like to share my small experience with you. I hope this helps other noobs like me  :Wink: 

Objective: To SSH from a computer to your Linux box and be able to execute X11 things (xterm, Konqueror, Kate, whatever).

Example situation: You are at work on a Linux computer (or a Windows one with an adequate X Server such as X-Win32, etc. I suppose that this would also work), and you want to connect to your home computer (a Gentoo Linux  :Cool:  ) and, furthermore, execute graphical things.

Clarification: This is NOT an explanation for connecting via VNC, etc. This is not a remote desktop, it "only" makes possible executing X11 apps remotely.

Convention: The computer running the apps on its CPU (the one offering X11 graphs to the remote one) will be called "Gentoo Server", and the remote computer used to connect to the Gentoo Server will be called "Remote Workstation".

ON THE GENTOO SERVER:

These are the files that you should take into account for this to work:

/etc/ssh/sshd_config: These are the only things that must be active on this file (the rest must be commented); at least this is how it works on mine:

```
# OK, optional, but this will offer much more security
Protocol 2
UsePAM yes
X11Forwarding yes
# I'm not sure if this affects the X11 forwarding
UseDNS yes
Subsystem sftp /usr/lib/misc/sftp-server
```

By the way, I discovered that with the "PasswordAuthentication no" option active, you can SSH to the Gentoo Server from a Linux but not from a Windows  :Confused: 

/etc/security/pam_env.conf: This is the only thing that must be active here, nothing else about 'remotehost' or 'display'!

```
XAUTHORITY DEFAULT= OVERRIDE=@{XAUTHORITY}
```

/usr/X11R6/bin/startx: You don't have to comment out anything like "nolisten tcp", etc! I think that I read somewhere that the "nolisten tcp" option adds more security, while the X11 forwarding keeps working since it listens to sockets (which is more secure). If I understood right...  :Embarassed: 

Therefore, for example, I have (among others):

```
defaultserverargs="-nolisten tcp -br"
```

/usr/kde/3.3/share/config/kdm/Xservers: This is the only uncommented line in my server:

```
:0 local@tty1 /usr/X11R6/bin/X -nolisten tcp
```

Note: If you change parameters in the sshd_config file you'll have to restart the sshd service before it works, of course! And similar for X, etc.

ON THE REMOTE WORKSTATION:

I recommend the following command line:

```
ssh -2 -X -C user@server.address.com
```

"-2" forces protocol 2, which is more secure, "-X" forces the X11 forwarding, and "-C" enables compression, which may be useful especially when using X Forwarding.

All of these options can be set by default in /etc/ssh/ssh_config (note the difference with the server! This is "ssh_config", while the relevant file on the server is "sshd_config").

A note about security: I read somewhere that there's a security problem with this. There's a file on the Remote Workstation, ".Xauthority", in your home directory. You must be sure that this file has the correct permissions, that is, "-rw-------" (i.e. only YOU can read and write it). Otherwise, if you connect to an untrusted server with X11 forwarding enabled, it seems that they can peek at your keystrokes, etc.

Good luck!

                    Jordi   :Cool: 
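The two checks from the post above (X11Forwarding active in sshd_config, and ".Xauthority" at "-rw-------") as a small script. This is an added example, not part of the original post; the function names are made up here, and it assumes plain "Keyword value" lines in sshd_config.

```bash
#!/bin/sh
# Added example, not from the original post. File paths are arguments, so the
# checks can be run against copies. Assumes "Keyword value" lines (the optional
# "Keyword=value" form is not handled).

# Print the value sshd uses for a keyword in the global section.
# sshd keeps the first value it reads for a keyword, keywords are
# case-insensitive, and parsing stops at the first conditional Match block.
sshd_global_value() {   # usage: sshd_global_value <keyword> <sshd_config>
    awk -v key="$1" '
        { sub(/^[ \t]+/, "") }
        /^#/ || /^$/ { next }
        tolower($1) == "match" { exit }
        tolower($1) == tolower(key) { print tolower($2); exit }
    ' "$2"
}

# Succeed only if group and other have no access, i.e. "-rw-------" or stricter.
xauthority_is_private() {   # usage: xauthority_is_private <file>
    perms=$(ls -ld -- "$1" 2>/dev/null | cut -c5-10)
    [ "$perms" = "------" ]
}

# Optional command-line use:  script server /etc/ssh/sshd_config
#                             script client "$HOME/.Xauthority"
case "${1:-}" in
    server)
        v=$(sshd_global_value X11Forwarding "$2")
        echo "X11Forwarding (global): ${v:-not set, sshd default applies}" ;;
    client)
        if xauthority_is_private "$2"; then
            echo "$2: private"
        else
            echo "$2: readable by group/other or missing; fix with: chmod 600 $2"
        fi ;;
esac
```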

----------

## solomonHk

Good Example!

I have tried explaining this a couple of times last week. Now I have a How-To to send people to!

Good Job.

Also, if anyone is wondering, PuTTY does have an option for X11 Forwarding: go to the connections area in configuration, then go to SSH, and it is under Tunnels.

----------

## leosgb

Hi,

I read your how-to here and checked all my files against yours. I have the same settings. Nothing changed. I even restarted sshd and reconnected to it. I also tried "ssh -X -Y username@remoteserver" and it didn't work. I tried with an "export DISPLAY=laptop_IP:0.0" on the server side after issuing an "xhost +" on the laptop. I run Gentoo on both systems and this is one of my last steps to have my server run exactly as I want it to run.

I need the Xforwarding to work. I also read:

http://gentoo-wiki.com/HOWTO_X-forwarding

And no help with that  :Sad: 

```
username@remoteserver ~ $ export DISPLAY=192.168.1.109:0.0
username@remoteserver ~ $ xterm &
[1] 23657
username@remoteserver ~ $ xterm Xt error: Can't open display: 192.168.1.109:0.0
[1]+  Exit 1                  xterm
```

I am trying it from my GNOME session. I have GNOME installed on both systems too. I would appreciate any help. Can anyone help me?

----------

## Octavious

Hey!

Setting your DISPLAY variable manually is NOT a good idea, because it completely bypasses SSH!

When an X client wants to connect to a server, it will check the DISPLAY environment variable and try to connect.  When it is set manually, it will bypass the SSH tunnel.

When checking your DISPLAY variable on the remote machine, it should be something to the effect of "localhost:10.0".

Assuming everything is configured, your SSH client will set up the correct DISPLAY environment variable.

Octavious
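A way to tell the two cases in this reply apart from the DISPLAY value alone, written as an added example that is not part of the thread. The function names are made up here, and the classification is a heuristic that assumes sshd's defaults (X11DisplayOffset 10, X11UseLocalhost yes).

```bash
#!/bin/sh
# Added example, not code from the thread. Classifies a DISPLAY value by how an
# X client would reach the X server. Heuristic: assumes sshd's defaults
# X11DisplayOffset 10 and X11UseLocalhost yes.
classify_display() {   # usage: classify_display <DISPLAY value>
    case "$1" in
        *:*) ;;
        *) echo "invalid"; return 1 ;;
    esac
    host=${1%:*}        # text before the last colon
    num=${1##*:}        # display[.screen]
    num=${num%%.*}      # display number only
    case "$num" in
        ''|*[!0-9]*) echo "invalid"; return 1 ;;
    esac
    case "$host" in
        ''|unix)
            echo "local-socket" ;;               # Unix socket, no network
        localhost|127.0.0.1|::1)
            if [ "$num" -ge 10 ]; then
                echo "ssh-forwarded"             # sshd proxy listener on loopback
            else
                echo "loopback-tcp"              # direct TCP to an X server on this host
            fi ;;
        *)
            echo "direct-tcp:$((6000 + num))" ;; # plain X11 over TCP, no SSH tunnel
    esac
}

# Report whether an SSH login is actually using the forwarded display.
check_session() {   # usage: check_session "$DISPLAY" "$SSH_CONNECTION"
    kind=$(classify_display "$1") || { echo "DISPLAY is unset or malformed"; return 2; }
    if [ -n "$2" ] && [ "$kind" != "ssh-forwarded" ]; then
        echo "SSH session, but DISPLAY=$1 is $kind: X traffic is not using the tunnel"
        return 1
    fi
    echo "DISPLAY=$1 is $kind"
}

# Run with --check inside the SSH session on the remote machine.
if [ "${1:-}" = "--check" ]; then
    check_session "${DISPLAY:-}" "${SSH_CONNECTION:-}"
fi
```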

----------

