Forwarding X11 over SSH if the server configuration doesn't allow it

Consider a situation where I'm logging in over SSH from machine A to machine B, I have an X session on machine A, and I want to run an X program on B.



ssh -X B makes this work transparently. But what if the server configuration lacks X11Forwarding yes, I don't have root permissions on the server, and the server administrator is indifferent?



It's obviously possible to forward the X11 connection, since I can transfer whatever I want over the SSH channel. In fact, if the local X server allows TCP connections, it's as easy as ssh -R 6010:localhost:6000 (to be adjusted for the display numbers). What about the common case where the local X server only allows socket connections? How do I do X forwarding conveniently and securely, with a minimum of installation requirements (especially on B)?










      ssh xorg xforwarding






      edited Apr 13 '17 at 12:36 by Community♦
      asked May 6 '11 at 22:52 by Gilles




















          2 Answers



                accepted






                1. Spin up an additional X server using Xephyr. This is for security — it prevents the remote system from compromising yours.


                2. Use SSH to forward a remote socket to the Xephyr socket. SSH supports forwarding Unix sockets, too.


                3. Set the environment variables on the remote server correctly.






                answered Sep 8 at 5:16 by Demi
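
The three steps of the answer above as one client-side script, added here as an example (it is not code from the answer's author). It assumes OpenSSH 6.7 or later on both ends, that B permits stream-local forwarding and lets you create a socket under /tmp/.X11-unix, and it uses hypothetical display numbers 1 (Xephyr on A) and 10 (on B).

```sh
#!/bin/sh
# Added example: run an X program on host B inside a nested Xephyr server on A,
# using SSH Unix-socket forwarding instead of the server's X11Forwarding.
# Display numbers 1 (local) and 10 (remote) are assumed defaults, not from the page.

# Map a display number to the filesystem socket an X server listens on.
x11_socket_path() {
    case "$1" in
        ''|*[!0-9]*) echo "display must be a number: $1" >&2; return 1 ;;
    esac
    printf '/tmp/.X11-unix/X%s\n' "$1"
}

# Build the argument for "ssh -R": remote socket on B -> Xephyr socket on A.
forward_spec() {
    remote_sock=$(x11_socket_path "$1") || return 1
    local_sock=$(x11_socket_path "$2") || return 1
    printf '%s:%s\n' "$remote_sock" "$local_sock"
}

# Step 3: the command line executed on B, with DISPLAY pointing at the
# forwarded socket.
remote_command() {
    printf 'DISPLAY=:%s exec %s\n' "$1" "$2"
}

# usage: run_forwarded HOST PROGRAM [LOCAL_DISPLAY] [REMOTE_DISPLAY]
run_forwarded() {
    host=$1; prog=$2; ldisp=${3:-1}; rdisp=${4:-10}
    spec=$(forward_spec "$rdisp" "$ldisp") || return 1

    # Step 1: nested X server. Remote clients only ever talk to this server,
    # never to the real session's X server and its other windows.
    Xephyr ":$ldisp" -screen 1280x800 -nolisten tcp &
    xephyr_pid=$!
    trap 'kill "$xephyr_pid" 2>/dev/null' EXIT INT TERM

    # Wait (up to 10 s) for Xephyr to create its listening socket.
    tries=0
    until [ -S "$(x11_socket_path "$ldisp")" ]; do
        tries=$((tries + 1))
        [ "$tries" -le 10 ] || { echo "Xephyr did not start" >&2; return 1; }
        sleep 1
    done

    # A stale socket left on B by an earlier session would make the bind fail.
    ssh "$host" "rm -f '$(x11_socket_path "$rdisp")'"

    # Step 2: forward the remote socket to the Xephyr socket, and
    # step 3: start the program on B with DISPLAY set accordingly.
    ssh -o ExitOnForwardFailure=yes -R "$spec" "$host" \
        "$(remote_command "$rdisp" "$prog")"
}

# Only act when asked to, e.g.:  sh xfwd.sh --run B xterm
if [ "${1:-}" = "--run" ]; then
    shift
    run_forwarded "$@"
fi
```

sshd creates the forwarded socket on B with its default StreamLocalBindMask of 0177, so only your own account on B can connect to it. Xephyr is started here without an -auth file, so other local users on A are not kept out of the nested display by a cookie.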































                    Is the protocol X11 speaks when talking to a tcp port any different when talking to a socket?



                    Perhaps you could combine your own suggested use of ssh -R 6010:localhost:6000 to bring the X11 data in over port forwarding, then bridge the local gap between the tcp port and the X11 socket listener with nc like:



                    nc -l -p 6000 > /tmp/.X11-unix/X0





                    edited May 7 '11 at 10:11
                    answered May 7 '11 at 10:02 by Caleb











                    • Yes, that's the idea. But I was hoping for an answer saying “put this in your .ssh/config client-side and that in your .profile server-side, and then just run ssh B”.
                      – Gilles
                      May 7 '11 at 10:13

                    • There is an easy "put this in your config" answer, the problem is you rule that out in your question qualifications because the option you need goes in the sshd_config side of things on B. You're trying to work around a block put in place to make it hard to inadvertently open up a security issue.
                      – Caleb
                      May 7 '11 at 10:21

                    • I'm targeting the (in my experience very common) case where the admin doesn't care and just left the default settings in place. X11 forwarding isn't banned by policy, it's just inconvenience by sysadmin indifference. Anyway X11 forwarding allows the server to attack the client, so banning it server-side doesn't make much sense.
                      – Gilles
                      May 7 '11 at 10:56

                    • @Gilles I agree the default doesn't really protect against anything useful. So should we lobby to get the default changed upstream?
                      – Caleb
                      May 7 '11 at 11:04

                    • For me, /tmp/.X11-unix/X0 is a unix domain socket, not a FIFO, so any redirection attempt ends with ENXIO: No such device.
                      – Samveen
                      Jun 5 '15 at 5:17















