Graphical Access
SSH allows you to connect to UNIX machines via a command line. If you are
connecting from an OS that does not use an X11 window manager, you will
need to install an X server to run graphical applications. For example,
if you want to connect to your UNIX account from your Windows machine and
run XEmacs, you will receive an error unless you properly:
- Configure the UNIX host computer
- Configure the SSH client software
- Install an X server application for Windows
For security reasons, XDMCP connections are blocked from the Internet, and
many hosts have XDMCP disabled for the same reason. (XDMCP is the default
way X11 communicates.)
UNIX Host Computer Configuration
The UNIX side of SSH requires that the server be running sshd. This
enables the X11 client to securely access the machine and enable X11
forwarding. View the man page for sshd_config for more information.
If you are coming from a UNIX box and are running SSH already, you don’t
need to worry about X11 forwarding as it is already configured for you.
Please review the X Security Considerations section to ensure proper
configuration. The following SSH clients, which primarily pertain to
Windows, each have a different way of enabling X11 forwarding. Check out
our page on SSH Connection Tools for a partial list of available SSH
clients.
OpenSSH
- Edit /etc/ssh/ssh_config and make sure that “ForwardX11” is set to “yes.”
PuTTY
- If you already have a session saved, load it now. In the category
  menu click Tunnels, which is under the SSH heading.
- Under X11 Forwarding, check the box labeled “Allow X11 Forwarding.”
- In the category menu click on Session. Under Host Name enter the name
  of the UNIX computer you would like to connect to.
- Set the Protocol to SSH. Under Saved Sessions type a name for this
  connection and click Save. From now on you may double-click the name
  of this session and it will automatically begin connecting.
- Make sure you save your session settings so you can reload them easily.
Tera Term
- Run ttssh.exe.
- Cancel the new connection.
- On the Setup menu, select SSH Forwarding.
- Under X Forwarding, check the box labeled Display remote X application on local X server.
- Select OK.
- On the Setup menu, select Save setup, accept the default file name and select Save.
SecureCRT
- Run SecureCRT, select File > Quick Connect. Select SSH1 or SSH2
  as your Protocol. Most hosts will accept SSH1. If SSH1 doesn’t
  work, try SSH2. Enter the host name of the Unix machine you want
  to run applications from. Click the “Advanced” button.
- Under the “General” tab of “Advanced SSH Options” you will want to
  check “Use Compression” if you are connecting from an off-campus
  location (modem, DSL, Cable Modem, ISDN, etc.). This shouldn’t be an
  issue if you’re on the campus network, but it won’t hurt performance
  either.
- Under the “Port Forwarding” tab of the “Advanced SSH Options” check
  “Use Single SSH connection” and “Forward X11 Packets.” Click “OK.”
- If you want to save these settings for future use, you should
  check “Save Session.” If you’re using SSH2 you should select
  “Standard” as your SSH Server type. Click Connect and log in.
For All SSH Clients
Once you are logged in, you can type 'echo $DISPLAY' to
verify that X11 connections are being forwarded over SSH. It should
return something like: unix-hostname:10.0
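The check above can be scripted. The following is an added example, not part of the original page: it classifies a DISPLAY value as forwarded over SSH, local, or a direct (untunnelled) X connection. It assumes sshd's default X11DisplayOffset of 10, so any display number of 10 or higher is treated as an SSH tunnel; the function name classify_display is hypothetical.

```sh
#!/bin/sh
# classify_display VALUE
# Prints: forwarded | local | direct-tcp | unset | invalid
# Assumption: sshd allocates forwarded displays starting at 10 (the default
# X11DisplayOffset), so a display number >= 10 is treated as an SSH tunnel.
classify_display() {
    d=$1
    [ -n "$d" ] || { echo unset; return 0; }
    case $d in *:*) ;; *) echo invalid; return 0 ;; esac
    host=${d%:*}        # part before the last colon (may be empty)
    num=${d##*:}        # display[.screen]
    num=${num%%.*}      # drop the optional screen number
    case $num in ''|*[!0-9]*) echo invalid; return 0 ;; esac
    if [ "$num" -ge 10 ]; then
        echo forwarded      # e.g. unix-hostname:10.0 or localhost:10.0
    elif [ -z "$host" ] || [ "$host" = unix ]; then
        echo local          # :0 or unix:0, a local socket on this machine
    else
        echo direct-tcp     # host:N goes straight to TCP 6000+N, outside SSH
    fi
}

# Report on the current session.
case $(classify_display "${DISPLAY:-}") in
    forwarded)  echo "DISPLAY=$DISPLAY: X11 is being forwarded over SSH" ;;
    local)      echo "DISPLAY=$DISPLAY: local X server, no forwarding in use" ;;
    direct-tcp) echo "DISPLAY=$DISPLAY: direct X connection, not tunnelled through SSH" ;;
    unset)      echo "DISPLAY is not set: X11 forwarding is not active" ;;
    *)          echo "DISPLAY=$DISPLAY: unrecognised value" ;;
esac
```

A result of direct-tcp after logging in through SSH usually means DISPLAY was set by hand (for example in a shell startup file), which bypasses the tunnel.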
Setting up X11 on Windows
To use X window based applications on a Windows machine, you will need
an X server for Windows. Two free options are Xming (which we have found
to work with Windows Vista) and Cygwin. Xming is available for download
from SourceForge.net and the Cygwin setup.exe can be found at Cygwin.com.
Another X server option for Windows is X-Win32, which is available for
purchase from Starnet Communications.
Xming Installation and Configuration
- Download Xming from SourceForge.
- Install Xming by running the setup.exe file and selecting
  “Next” to all of the installer prompts.
- After the package is installed, run Xming by double clicking on
  the icon created by the installation program.
- Select your desired display settings and click “Next”.
- On the following screen select “Start no clients” and click “Next”.
- On the third screen do not change anything, just click “Next”.
- On the final screen you may want to save your configuration.
- After you click “Finish,” you can launch Xming normally and then
  launch your SSH client.
- Open your SSH client and verify that X11 forwarding is properly
  configured as outlined above under SSH Client Configuration.
- Now you can open a connection to the remote machine and run
  X11 applications from it.
Cygwin Installation and Configuration
- Click on the “Install or update now!” link on Cygwin’s home page
  to download the Cygwin setup.exe file.
- Run the setup.exe file. Keep pushing “Next” until you come to the
  download site selection.
- Choose a mirror that appears to be in your country and push “Next”.
  If the site is password-protected or disabled, you’ll have to go
  through the process again until you find a mirror that works.
- After the initial file downloads, you should be at the
  “Select Packages” screen. Scroll down and click on “X11” to expand
  its package list.
- Find “xorg-X11-base” and click “Skip” on that line to set that
  package and its dependencies to be installed. Click “Next” to
  complete the download and installation, then click “Finish”.
- Right click on “My Computer” and select “Properties”. Go to the
  “Advanced” tab and click “Environment Variables”.
- Highlight “Path” in the System variables section and click “Edit”.
  Add “;C:\cygwin\bin;C:\cygwin\usr\X11R6\bin” (without the quotes)
  to the end of the Variable value. Be sure not to delete any of the
  entries currently listed and remember that both semicolons are
  important. Click “OK” on all three open windows.
- Click Start → Run and enter “xwin.exe -multiwindow -clipboard”
  (without the quotes). Click “OK”.
- A black X should appear in the system tray indicating Cygwin has
  started. Now you can start your SSH client program normally, assuming
  it is properly configured for X11 Forwarding as outlined above under
  SSH Client Configuration.
X-Win32 Configuration
- Run X-config for X-Win32. You do not need to set up any sessions.
- Under the Window tab, select Multiple.
- Under security, add “localhost” to the X-Host list.
  Check “Access Control” and “Use XAuth.”
- Click OK to save this configuration and exit the X-Config utility.
- Now run X-Win32. The blue X should appear in your system tray.
X Security Considerations
Xhost +
With improperly configured X software, anyone anywhere in the world can do
anything they like to the display. This includes taking a snapshot of the
screen or grabbing all keystrokes on the keyboard.
Nature of the problem:
United States Computer Emergency Readiness Team: Vulnerability Note VU#704969
X, when run with access permissions disabled (e.g., in
“xhost +” mode) will happily provide access to
Xevent queues to anyone who requests it. Since X events include
keystrokes, window resizing and (re)drawing, mouse movements, etc.
(pretty much any user interaction that comes to mind), it’s
*TRIVIAL* to do things like take screen snapshots, move or resize
windows, grab keystrokes, etc. We have positive evidence from other
Universities that keystrokes *are* being captured.
eXceed and Xwin-32’s default permissions are wide open, and
others are fairly easy to configure that way. As the world of Windows
is somewhat different from Unix with respect to X, it is highly likely
that many users don’t realize the danger an open X server poses.
What we’ve found works well is using PuTTY with X11 Forwarding
enabled to connect to the remote system and then firing up X-Win32 in
a local-only mode (only accepting X connections from the localhost).
Purdue’s page on tunneling X over SSH
UIC’s pages on tunneling X over SSH with Exceed:
SSH Exceed
Exceed
Some hints on how to find open X servers in your address space:
nmap -sS -p6000 -oG output X.X.X.X/YY
The Nessus plugin that can scan for this vulnerability is 10407 (X.nasl).
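The nmap command above writes grepable results to a file named output. The following is an added example, not part of the original page: it lists the addresses in that file with TCP port 6000 open so they can be followed up, and it interprets the status line printed by the standard xhost client to tell whether a display is in the “xhost +” state. The function names and the sample scan data are constructed for illustration.

```sh
#!/bin/sh
# Constructed sample of nmap grepable (-oG) output. Addresses are from the
# documentation range; real output separates the fields with a tab.
sample_scan() {
cat <<'EOF'
# Nmap scan initiated (constructed sample)
Host: 192.0.2.10 (lab1.example.edu) Status: Up
Host: 192.0.2.10 (lab1.example.edu) Ports: 6000/open/tcp//X11///
Host: 192.0.2.11 () Ports: 6000/closed/tcp//X11///
Host: 192.0.2.12 () Ports: 6000/filtered/tcp//X11///
Host: 192.0.2.13 () Ports: 22/open/tcp//ssh///, 6000/open/tcp//X11///
Host: 192.0.2.14 () Ports: 16000/open/tcp/////
EOF
}

# open_x_hosts: read grepable output on stdin, print each address whose
# TCP port 6000 is open. The leading space keeps 16000 from matching.
open_x_hosts() {
    awk '/^Host:/ && index($0, " 6000/open/tcp") { print $2 }' | sort -u
}

# xhost_state: read the output of `xhost` on stdin. "open" means access
# control is disabled, i.e. the "xhost +" condition described above.
xhost_state() {
    if grep -q '^access control disabled'; then
        echo open
    else
        echo restricted
    fi
}

# Demo on the constructed sample; for a real audit run:
#   open_x_hosts < output
sample_scan | open_x_hosts
```

On a machine where the xhost client is installed, `xhost | xhost_state` reports the state of the display named in DISPLAY.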