How to setup X11 forwarding using ssh and putty

Including how to use ssh to allow GUI apps to run on a "double hop" server

 

This document assumes you want to ssh from your PC onto a server then onto a second server where the X program resides. When this X program is run from the shell the connection to the X11 display will be automatically forwarded to the remote side through the encrypted channel, and the connection to the real X server will be made from the local computer.

 

Firstly we need to setup up putty to use X11 forwarding. Create a new session to the first server. Click on the X11 tab and ensure the details are the same as shown below so that X11 forwarding is enabled and we are displaying X on localhost:0.

 

putty1

 

We then need to add a source and destination port for our localhost connection as shown below and then click Add.

 

putty3

 

This will add an entry into forwarded ports as follows

 

putty2

 

When we connect to localhost:0 we connect ot port 5900 on the localhost (the last digit of 5900 referes to the 0 in localhost:0). This then forwards us to port 5900 on the server that this putty session is setup to connect to.

Login into the server vith this putty session and from the command line use ssh to create an X11 forwarding tunnel to the last server that has the X11 program on. To do this type

ssh username@server-L 5900:localhost:5901

(Change username and server to match your environment)

This will create a tunnel from source port 5900 which was the destination port of out PC connection to port 5901 on the server.

At the command line on the destination server start a vncserver session. (assuming vncserver is installed, if not install it). This server session should start on port :1 as long as another vncserver process is not running. The last digit in 5901 corresponds to vncserver port :1.

Now on your PC start up VNC client and connect to localhost:0. This should open up a session on the destination server. From the command line in the VNC session type xclock this should display a clock application. If so it is all configured correctly and the required X application can be run.

 

Running GUI applications on other servers from the VNC session

Imagine the VNC session is running on vncserver1 and we would like to run GUI apps on a server directly accessible from vncserver1 called server1.

From the xterm running in the VNC session type

xhost +

access control disabled, clients can connect from any host

Then ssh -X to the server you would like to run the GUI application on, in this case server1.

ssh -X user1@server1

If server1 is linux you can use the command sux to su to root whilst automatically transfering your X credentials as follows

sudo sux -

Or just

sux -

depending how the linux server has been configured.

To su to root on AIX without losing your X credentials type

su

without the hyphen

That's it, type

xclock

to check all is working correctly.

Double hop

If you only have access to a server via another server then the example above can be extended to allow the display of GUI apps from this double hop server.

i.e. imagine the VNC session is running on vncserver1 and we would like to run some GUI apps on server2 that is only accessible via server1.

Continuing where we left off above on server1 type

xhost +

Then ssh to the server2 as follows

ssh -X user1@server2

Again su to root if needed using sux or su (see above).

And type

xclock

to test