[NBLUG/talk] Tunneling X over ssh

Dustin Mollo dustin at sonic.net
Sat Apr 10 18:43:08 PDT 2004


On Sat, Apr 10, 2004 at 06:30:41PM -0700, sms at sonic.net wrote:
> 
> > } Do you have "Xhost" & "$DISPLAY" set on the hosts?  I've never done
> >
> > with X11 forwarding turned on do NOT set the $DISPLAY variable.
> > xhost doesn't matter.
> 
> <blink>
> 
> Does ssh put in a layer to intercept X calls?
> 
> How does X know where to display (i.e. if both boxen are
> running "X," which one displays the invocation of "xeyes"
> (or whatever))?  Surely an ssh tunnel doesn't take over
> ALL X & redirect it to the remote server?

the X protocol is network-based.  ssh simply provides a "route", if you
will, for that network traffic to flow from the client (the machine running
the X application) to the server (the desktop that has the graphics head on
it.)  people use ssh in this manner usually to get around having to open
firewall holes for the X ports and to enhance security for those X
applications.

an X application has been linked with a set of libraries that know to look
at an environment variable called DISPLAY.  in this variable is information
about where to find an X server to connect to.  when tunneling X through ssh,
this variable usually contains something along the lines of ":10.0".  this
tells the X application to connect to display 10 and screen number 0 (look
at 'man X' for more on this.)  it just so happens that ssh is listening on
this port and simply forwards the traffic back over its existing connection
and pumps it into your local X server for display.

so no - ssh doesn't take over all X traffic - only that on the remote
machine you are logged into that has a properly set DISPLAY variable.  this
includes ssh'ing into a machine that has a graphics head and is running an X
server at the time you are running your X client app.  if you are ssh'd into
a machine that has an X server and want your client to display on that box,
then you'll have to play with xhost and/or xauth and your display variable once
you login.

> > X only needs to be running on your display.  The host running the
> > process doesn't have to have X running.
> 
> True enough; any X11-displaying program merely needs *some* X server
> to display onto.  It doesn't care if that's local or via the net.

correct.

-dustin
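
Added example, not part of the original message: a small Python parser for the DISPLAY value discussed above, showing which TCP port a display number maps to and whether the value points at a local endpoint (as with an ssh-forwarded display) or at a remote host over plain TCP. The function name, the verdict labels and the "display 10 or higher suggests ssh" heuristic are assumptions of this example; the heuristic relies on OpenSSH's default X11DisplayOffset of 10.

```python
import ipaddress
from typing import NamedTuple

X_TCP_BASE = 6000         # X11 convention: display N corresponds to TCP port 6000+N
SSHD_DISPLAY_OFFSET = 10  # OpenSSH sshd default X11DisplayOffset (assumed unchanged)


class XTarget(NamedTuple):
    host: str       # "" means "this machine"
    display: int
    screen: int
    tcp_port: int   # TCP port that belongs to this display number
    verdict: str    # label invented for this example


def _is_loopback(host: str) -> bool:
    if host.lower() == "localhost":
        return True
    try:
        return ipaddress.ip_address(host.strip("[]")).is_loopback
    except ValueError:
        return False  # a non-loopback hostname


def resolve_display(value: str) -> XTarget:
    """Parse [host]:display[.screen] and classify where X traffic would go."""
    host, sep, rest = value.rpartition(":")
    disp_s, _, screen_s = rest.partition(".")
    if not sep or not disp_s.isdigit() or (screen_s and not screen_s.isdigit()):
        raise ValueError(f"not a DISPLAY value: {value!r}")
    display, screen = int(disp_s), int(screen_s or 0)
    local = host in ("", "unix") or _is_loopback(host)
    if not local:
        # Straight to a remote X server: needs the X port open, no encryption.
        verdict = "direct-tcp-unencrypted"
    elif display >= SSHD_DISPLAY_OFFSET:
        # Heuristic only: sshd hands out display numbers starting at the offset.
        verdict = "local-likely-ssh-forward"
    else:
        verdict = "local-x-server"
    return XTarget(host, display, screen, X_TCP_BASE + display, verdict)


if __name__ == "__main__":
    # Constructed sample values, not taken from any real session.
    for sample in (":10.0", "localhost:10.0", ":0", "desktop.example:0.0"):
        print(sample, "->", resolve_display(sample))
```
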



