X Login via XDMCP over an SSH tunnel

Nov 19, '04 09:39:00AM

Contributed by: cynikal

If you ever wanted to log into a Unix system via X11 as if you were sitting in front of it with a monitor connected to it, you aren't out of luck. Unfortunately X11, the protocol used for this, wasn't designed to be the most secure of environments. But that's where SSH tunneling comes in.

Many people know you can tunnel insecure traffic over a secure SSH connection, and some people even know you can do this with X-Windows traffic as well. But in case anyone out there doesn't know, you can actually create an entire X11 session, with everything from login to using your favorite window manager, securely over SSH as well.

Here's the procedure I use to start an X Login session remotely to a system over an SSH tunnel:

  1. Make sure X11 forwarding is enabled on the remote system's sshd configuration -- see note #1.

  2. Run ssh -X remote.host -- you would run this in Terminal.app; the -X enables X11 forwarding.

  3. Once logged in, at the remote host's prompt, type Xnest :1 -geometry 1280x810 -query localhost -- this starts an empty nested X server (display :1) in a window on your forwarded display ($DISPLAY), sized per -geometry, and fills it with the XDMCP login session obtained by querying the remote host's own display manager on localhost.

Notes:
  1. If X11 forwarding is working properly, then once you're logged into the remote system, typing echo $DISPLAY should show a display variable that points back at your workstation's X server (the connection goes over the SSH tunnel). If $DISPLAY is empty, X11 forwarding isn't working properly.

  2. The 1280x810 dimensions are appropriate to (almost) fill up a 15" PowerBook's screen. Adjust as necessary if you don't have the same resolution screen.

  3. If the login window fonts are screwy (e.g., the login box is cut off by the logo) or if your login session is reset (you're kicked back to the login window), you may not have the appropriate fonts set up on your (workstation's) X server. To fix this, run this before running Xnest:
    xset +fp tcp/ip.of.the.srv:7100
    This assumes that the X font server is running on port 7100 on the remote system, and that the remote system has an IP address reachable from your workstation (i.e., no NAT between the server and you in that direction; NAT from you to the server is OK). The workstation's X server opens this font connection itself, so it is separate from the SSH session. It is necessary on some workstations' X servers so they can fetch the fonts they are missing and render the login screen and session properly.

  4. For the really clever, you can just run one ssh command by passing the entire Xnest command along to be executed when you log in. But you may need to specify the absolute path to Xnest if it's not in the system's default search $PATH.
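Here, as an added example that is not part of the original hint, is a small POSIX shell script that wraps the procedure above into checkable functions: it reads an sshd_config and reports whether X11Forwarding is enabled (step 1 / note 1), recognizes a forwarded $DISPLAY as set by ssh -X (note 1), builds the Xnest command with a configurable geometry and an optional absolute path (step 3, notes 2 and 4), and assembles the single ssh invocation from note 4. The host name, the Xnest path and the font-server port number are assumptions; the port-forward variant (ssh -L 7100:localhost:7100, then xset +fp tcp/localhost:7100 on the workstation) is my addition, so that the font-server connection from note 3 can also ride inside the SSH tunnel instead of going directly to the server's IP.

```shell
#!/bin/sh
# Added example (not from the original hint). Host names, the Xnest path
# and the font-server port are assumptions; adjust for your systems.

# Step 1 / note 1: check sshd_config text (on stdin) for "X11Forwarding yes".
# Comment lines are skipped and, as in sshd, the last directive wins.
# Returns 0 when forwarding is enabled, 1 otherwise.
sshd_x11_enabled() {
    awk '
        /^[[:space:]]*#/ { next }
        tolower($1) == "x11forwarding" { val = tolower($2) }
        END { exit ((val == "yes") ? 0 : 1) }
    '
}

# Note 1: a DISPLAY set by "ssh -X" names a forwarded display on the remote
# side (localhost plus a display number of 10 or more, e.g. localhost:10.0),
# not a local screen such as :0.
is_forwarded_display() {
    case "$1" in
        localhost:[1-9][0-9]*) return 0 ;;
        *) return 1 ;;
    esac
}

# Step 3: build the Xnest command line. Note 2: geometry is per-screen
# (1280x810 fits a 15" PowerBook). Note 4: pass an absolute path when
# Xnest is not in the remote system's default $PATH.
xnest_cmd() {
    _geom="${1:-1280x810}"
    _xnest="${2:-Xnest}"
    printf '%s :1 -geometry %s -query localhost\n' "$_xnest" "$_geom"
}

# Note 4: one ssh invocation that enables X11 forwarding and runs Xnest on
# login. With the fourth argument set to "yes" it also forwards the
# remote font server's port 7100 (assumed port), so the note 3 font path
# can be "xset +fp tcp/localhost:7100" on the workstation and the font
# traffic stays inside the tunnel.
ssh_cmd() {
    _host="$1"; _geom="$2"; _xnest="$3"; _fonts="$4"
    _opts="-X"
    [ "$_fonts" = "yes" ] && _opts="$_opts -L 7100:localhost:7100"
    printf 'ssh %s %s %s\n' "$_opts" "$_host" "$(xnest_cmd "$_geom" "$_xnest")"
}

# Usage: print the command this would run, then pipe it to sh to run it:
#   ssh_cmd remote.host 1280x810 /usr/X11R6/bin/Xnest yes
```

The sshd_x11_enabled check is meant to be run on the remote system against its sshd_config (for example, piped in from cat); is_forwarded_display is meant to be fed "$DISPLAY" after logging in, which is the same test as note 1's echo $DISPLAY.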
Lastly, I want to thank the people in a previous hint who helped me discover Xnest on OS X and its plethora of options. When I realized Xnest was on other Unixes, that's when I knew I could really "go to town" with it over ssh tunnels.

Mac OS X Hints
http://hints.macworld.com/article.php?story=20041117115414383