After `ssh` without `-X` to a machine, is it possible to change some settings (for example `$DISPLAY`) to make it work like `ssh -X`? If not, what is the reason? Thanks.

1 Answer
You can create a second connection with X11 forwarding enabled, and then you can also use the `DISPLAY` environment variable from the second connection in the first.

In the 1st window:

```
$ ssh user@host
user@host$ ...
```

In the 2nd window:

```
$ ssh -Y user@host 'echo $DISPLAY; while sleep 3600; do :; done'
localhost:10.0
```

Back to the 1st window:

```
user@host$ export DISPLAY=localhost:10.0
user@host$ xterm
```

Unfortunately, `ssh` does nothing to contain the X11 (or other) forwardings to the process/session it started or to the user it runs as on the remote machine (e.g. by using Unix sockets with/without checking credentials, or by using namespaces), and those forwardings are simple TCP listening sockets to which anybody on the remote machine can connect; all the security of the X11 forwarding relies on the X11 authentication.
X11 Forwarding By Hand
The `sshd_config(5)` manpage mentions that:

> disabling X11 forwarding does not prevent users from forwarding X11 traffic, as users can always install their own forwarders.

Here is how you can do that by hand.

First of all, be sure to disable any host- or user-based access control that bypasses the X11 auth mechanism [1]:

```
$ xhost $(xhost | sed -n /:/s/^/-/p)
access control enabled, only authorized clients can connect
```

Then show the auth info for `DISPLAY=:0` on the local machine:

```
$ xauth list :0
ohzd/unix:0 MIT-MAGIC-COOKIE-1 a86982ddce0c1e1c1a8c5e8b2846e43b
```

Connect to the remote machine without any X11 forwarding:

```
$ ssh user@hzy64
user@hzy64's password:
[motd snipped]
```

Open the command line via `~C` and add a remote forwarding from port 6000+43 to the Unix socket corresponding to display `:0`:

```
hzy64$~C
ssh> -R 6043:/tmp/.X11-unix/X0
Forwarding port.
```

Set the `$DISPLAY` envvar and add the auth info from the local to the remote machine:

```
hzy64$ export DISPLAY=localhost:43
hzy64$ xauth add $DISPLAY . a86982ddce0c1e1c1a8c5e8b2846e43b
xauth: file /home/user/.Xauthority does not exist
```

Now you're ready to go:

```
hzy64$ xterm
```

[1] Because of a misguided bugfix, the user-based access control is turned on by default in Debian via `/etc/X11/Xsession.d/35x11-common_xhost-local`. Worse, it's the only one available by default in XWayland, where it also cannot be turned off. Any program that proxies the X11 protocol (e.g. `xscope`) will have to do its own X11 auth cookie checking (the way ssh does), unless it wants to open a gaping hole to the X11 server.
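The following is an added example, not part of the answer above and not OpenSSH code: it wraps the answer's manual steps (check that `xhost` grants nothing beyond cookie auth, read the cookie from `xauth list`, compute the 6000+N port and the `-R` spec, and prepare the remote `export`/`xauth add` lines) in small POSIX sh functions. The functions operate on captured command output rather than calling `xhost`/`xauth` themselves, so they run offline; the sample outputs are constructed, with the cookie value and the display numbers (`:0` local, `43` remote) taken from the answer.

```shell
#!/bin/sh
# Added example, not from the answer or from OpenSSH: helper functions that
# carry out the answer's manual X11-forwarding steps on captured command
# output, so the cleanup check, the cookie extraction and the port arithmetic
# can be exercised offline. Sample outputs are constructed; the cookie value
# and the display numbers (:0 local, 43 remote) are the ones the answer uses.

# Constructed `xhost` output before the cleanup step: the status line plus two
# entries that would let clients connect without presenting the cookie.
XHOST_OUTPUT='access control enabled, only authorized clients can connect
SI:localuser:user
INET:somehost'

# Constructed `xauth list :0` output, cookie as shown in the answer.
XAUTH_OUTPUT='ohzd/unix:0  MIT-MAGIC-COOKIE-1  a86982ddce0c1e1c1a8c5e8b2846e43b'

# xhost_removal_args OUTPUT: every xhost entry (lines containing ':'), prefixed
# with '-' so the result can be passed straight to xhost to remove them. This
# is the answer's sed expression applied to captured text instead of a pipe.
xhost_removal_args() {
    printf '%s\n' "$1" | sed -n '/:/s/^/-/p'
}

# xhost_is_clean OUTPUT: succeed only when no entry bypasses cookie auth.
xhost_is_clean() {
    [ -z "$(xhost_removal_args "$1")" ]
}

# xauth_cookie KEY OUTPUT: the MIT-MAGIC-COOKIE-1 value recorded for KEY
# (e.g. ohzd/unix:0) in `xauth list` output; prints nothing if absent.
xauth_cookie() {
    printf '%s\n' "$2" | awk -v key="$1" \
        '$1 == key && $2 == "MIT-MAGIC-COOKIE-1" { print $3 }'
}

# x11_port N: X display N accepts TCP connections on port 6000+N.
x11_port() {
    echo $((6000 + $1))
}

# forward_spec N M: the argument for `-R` at the ssh> prompt, mapping remote
# TCP port 6000+N to the local Unix socket of display :M.
forward_spec() {
    echo "$(x11_port "$1"):/tmp/.X11-unix/X$2"
}

# remote_setup N COOKIE: the two lines to run on the remote host once the
# forwarding is in place. $DISPLAY is left literal for the remote shell.
remote_setup() {
    printf 'export DISPLAY=localhost:%s\nxauth add $DISPLAY . %s\n' "$1" "$2"
}

# Walk through the procedure on the constructed samples.
if xhost_is_clean "$XHOST_OUTPUT"; then
    echo "xhost: access control relies on cookies only"
else
    echo "xhost: remove bypass entries first with: xhost $(xhost_removal_args "$XHOST_OUTPUT" | tr '\n' ' ')"
fi
echo "ssh> -R $(forward_spec 43 0)"
remote_setup 43 "$(xauth_cookie ohzd/unix:0 "$XAUTH_OUTPUT")"
```

The `xhost_is_clean` check is the part worth keeping around: because the forwarded port is an ordinary loopback TCP listener on the remote host, the cookie is the only thing standing between other local users there and your X server, so any `xhost` entry that waives the cookie should be removed before the forwarding is created.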
- (+1) If you care about security, `-X` would be slightly better than `-Y`, wouldn't it? – Stephen Kitt Mar 10 '19 at 17:22
- (+13) Many (most?) X11 programs don't work with `-X`, only with `-Y`. People don't notice that because on many systems (e.g. Debian) `ForwardX11Trusted` is set to `yes` by default, and the `-X` and `-Y` options are equivalent ;-) – Mar 10 '19 at 17:25
- change `$DISPLAY` to . The current question title cannot be displayed in full in search results, and changing `$DISPLAY` is really part of the answer, not part of the question. – Dmitry Grigoryev Sep 13 '19 at 06:48