[NBLUG/talk] Tunneling X over ssh

sms at sonic.net sms at sonic.net
Sat Apr 10 19:06:06 PDT 2004


> On Sat, Apr 10, 2004 at 06:30:41PM -0700, sms at sonic.net wrote:
>>
>> > } Do you have "Xhost" & "$DISPLAY" set on the hosts?  I've never
>> done
>> >
>> > with X11 forwarding turned on do NOT set the $DISPLAY variable.
>> xhost doesn't matter.
>>
>> <blink>
>>
>> Does ssh put in a layer to intercept X calls?
>>
>> How does X know where to display (i.e. if both boxen are
>> running "X," which one displays the invocation of "xeyes"
>> (or whatever))?  Surely an ssh tunnel doesn't take over
>> ALL X & redirect it to the remote server?
>
> the X protocol is network-based.

<nod>  Yep.  This I know.

> ssh simply provides a "route", if you will,

<wince>  Will I?  Hrm... that particular word (route) has some very
specific connotations in computer networking...


> for that network traffic to flow from the client (the machine
> running the X application) to the server (the desktop that has the
> graphics head on it.)  people use ssh in this manner usually to get
> around having to open firewall holes for the X ports and to enhance
> security for those X applications.

Right.  ssh provides an encrypted "tunnel" that hides the actual data,
including even what app/service is on the tunnel & what tcp/ip protocols
(and port-numbers, if relevant) are traversing the tunnel.  Actually, I
haven't looked at everything it can (and can't) do, so I don't know if
(for example) you can send traceroutes via ssl tunnel.  You pinhole your
firewall for ssl and then you can put MANY kinds of traffic onto the one
hole (much better than many holes!  And, it's all encrypted).


> an X application has been linked with a set of libraries that know to
> look at an environment variable called DISPLAY.  in this variable is
> information about where to find an X server to connect to.  when
> tunneling X through ssh, this variable usually contains something along
> the lines of ":10.0".  this tells the X application to connect to
> display 10 and screen number 0 (look at 'man X' for more on this.)  it
> just so happens that ssh is listening on this port and simply forwards
> the traffic back over its existing connection and pumps it into your
> local X server for display.

Erm.  "DISPLAY" can be set to several different (valid) things (:0.0,
:1.0, etc).  Does ssh listen to all of 'em?  Just the "default" value?
Or...?


> so no - ssh doesn't take over all X traffic - only that on the remote
> machine you are logged into that has a properly set DISPLAY variable.

Above, it was asserted that we do NOT set $DISPLAY.  That was what led
me to ask wildly about "taking over all services" etc.

If you set "$DISPLAY" and X talks there / ssh listens there, then I'm
relatively happy with my understanding.


> this includes ssh'ing into a machine that has a graphics head and is
> running an X server at the time you are running your X client app.  if
> you are ssh'd into a machine that has an X server and want your client to
> display on that box, then you'll have to play with xhost and/or xauth
> and your display variable once you login.

OK.  This sounds about like what I expect (except that it _appears_ to me
that you're saying you play with $DISPLAY on the X server box...?)


- Steve S.
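The back-and-forth above turns on one mechanical question: given a DISPLAY value, where does an X client actually connect, and why does sshd's listener end up there? The following script is an added illustration, not code from the list post or from OpenSSH. It parses DISPLAY strings into host, display and screen and reports the endpoint an X client would open, using two facts about X11: an X server for display N listens on TCP port 6000+N, and with no hostname the client uses the local socket /tmp/.X11-unix/XN. sshd's X11 forwarding listener is just another "X server" at one of those addresses, numbered from 10 upward by default (its X11DisplayOffset), which is why a forwarded session sees ":10.0" or "localhost:10.0" rather than ":0.0". The `looks_ssh_forwarded` heuristic and the hostnames in the sample values are assumptions for the demonstration.

```python
"""Where does an X client go when it reads $DISPLAY?

Added example (not from the mailing-list post or OpenSSH): parse a
DISPLAY string and report the endpoint an X client would connect to.
"""
import re

X11_BASE_PORT = 6000        # display :N <-> TCP port 6000 + N
SSHD_DISPLAY_OFFSET = 10    # sshd default X11DisplayOffset: first forwarded display is :10
LOOPBACK_HOSTS = {"localhost", "127.0.0.1", "::1"}

# host is optional; display number is required; screen defaults to 0
DISPLAY_RE = re.compile(r"^(?P<host>[^:]*):(?P<display>\d+)(?:\.(?P<screen>\d+))?$")


def parse_display(value):
    """Return the endpoint an X client would connect to for DISPLAY=value.

    Raises ValueError for strings an X client would reject.
    """
    m = DISPLAY_RE.match(value)
    if not m:
        raise ValueError(f"malformed DISPLAY: {value!r}")
    host = m.group("host")
    display = int(m.group("display"))
    screen = int(m.group("screen") or 0)
    tcp_port = X11_BASE_PORT + display
    if host == "":
        # ":N.S" means the local transport: the unix socket is tried first,
        # with TCP to localhost as the fallback, which is how a bare ":10.0"
        # still reaches an sshd listener bound to 127.0.0.1:6010.
        transport, endpoint = "unix", f"/tmp/.X11-unix/X{display}"
    else:
        transport, endpoint = "tcp", f"{host}:{tcp_port}"
    return {
        "host": host, "display": display, "screen": screen,
        "transport": transport, "endpoint": endpoint, "tcp_port": tcp_port,
    }


def classify_display(value):
    """Defender's read of a DISPLAY value.

    'local'    - unix socket on this machine (no network traffic)
    'loopback' - TCP to localhost: the usual target of sshd's forwarding
                 listener; nothing leaves the box unencrypted
    'remote'   - TCP to another host: X protocol crosses the network in the
                 clear, gated only by xhost/xauth on that X server
    """
    info = parse_display(value)
    if info["transport"] == "unix":
        return "local"
    if info["host"] in LOOPBACK_HOSTS:
        return "loopback"
    return "remote"


def looks_ssh_forwarded(value):
    """Heuristic (an assumption, not a protocol rule): a local or loopback
    display numbered at or above sshd's offset is most likely an sshd
    listener rather than a real X server, which normally sits at :0 or :1."""
    info = parse_display(value)
    return (classify_display(value) in ("local", "loopback")
            and info["display"] >= SSHD_DISPLAY_OFFSET)


if __name__ == "__main__":
    # Constructed sample values; "desktop.example" is a placeholder hostname.
    for d in (":0.0", ":10.0", "localhost:10.0", "desktop.example:0.0"):
        i = parse_display(d)
        print(f"{d:22} -> {i['transport']}:{i['endpoint']:28} "
              f"{classify_display(d):9} ssh-forwarded? {looks_ssh_forwarded(d)}")
```

Run it as a script to see the four sample values side by side; the "remote" row is the one case where xhost/xauth on the displaying box is what stands between the network and your X server, which is the situation the last quoted paragraph describes.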