ssh (Secure SHell login) is a client program that allows a user to log onto a remote machine and execute commands on it. In other words, ssh provides a secure way of allowing for encrypted communication between two untrusted hosts over an insecure network. See the man page for the nitty-gritty details. Along with scp (Secure CoPy), it is one of my most used programs — especially when working away from the office.
One of the huge advantages of ssh is that it allows encrypted X11 connections to be forwarded over the channel (once secured) if the host computer has its ssh daemon (sshd) set up correctly and the ssh configuration file is set up correctly on the client. In layman's terms, this means that I can execute a program on a remote host (even if it is halfway around the world) and have it launch a graphical window on the client, or local computer. The only drawback to this is that because all of the data is encrypted, you need a fast internet connection, as data encryption chews up bandwidth like no tomorrow. However, in a pinch, it works great, especially if you are on a local area network. Although I will not discuss it here, you can even launch X applications on a Windows machine if Cygwin is installed — perfect for working at home on the family computer when the wife will not allow you to boot over to "poopy" Linux. :(
To set up X11 forwarding, edit /etc/ssh/ssh_config with your favorite editor using sudo, since the file can only be read/written by root.
~> sudo nano /etc/ssh/ssh_config
Hit enter and type in the root password. Scroll down to the very bottom of the file and look for the line:
ForwardX11Trusted yes
Just under it, add the following:
ForwardX11 yes
Save and exit (^o, ^x). Now X11 forwarding is set up on the client. If your local computer is running sshd (to allow others such as yourself to log in to it), you might as well verify that X11 forwarding is enabled in /etc/ssh/sshd_config. Pop open the file with your editor using sudo:
~> sudo nano /etc/ssh/sshd_config
Perform a search to verify that the option has been set (use ^w), which is standard for Fedora Core these days. Lines starting with "#" have been commented out, and are the default values for sshd. Notice that in F8, the configuration file overrides the defaults to allow for X11 forwarding. Specifically, you should see the following:
#X11Forwarding no
X11Forwarding yes
While in /etc/ssh/sshd_config, also do a search for "PermitRootLogin". Notice that the default value is set to "yes". This is a huge security hole, because it allows remote users to attempt to log in to your computer directly as root from a remote location (I have no idea why Fedora allows this). Script kiddies abound nowadays, so we might as well deny them an easy access point when they decide to attack your computer. (I'll discuss other methods of hardening the system a bit by using rkhunter and blockhosts in the HOWTOs.) Add the following line just under the "PermitRootLogin" option:
PermitRootLogin no
Save and exit. Finally, restart sshd.
~> sudo service sshd restart
You should see the daemon successfully stop and restart:
Stopping sshd: [ OK ]
Starting sshd: [ OK ]
If you get a "Permission denied" message, it is because you are using a faulty selinux-targeted-policy, which can be fixed by updating to the latest policy file:
~> sudo yum -y update selinux-policy-targeted
Once updated, try to restart the daemon once again. It should now work properly. For additional information, see the Fedora 8 Common Bugs page regarding sshd.
That's it! X11 forwarding is now set up, and a fairly large security hole has just been plugged.
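The manual search of sshd_config described above can be scripted. The following is an added example, not part of the original page: it reports the value sshd would use for PermitRootLogin and X11Forwarding, skipping commented-out defaults and taking the first uncommented occurrence of a keyword, which is the one sshd uses. The function names and the sample files are constructed for illustration, and it assumes whitespace-separated "keyword value" lines.

```shell
#!/bin/sh
# Added example: audit an sshd_config-style file for the two options above.

# Print the value sshd would use for KEYWORD in FILE (nothing if unset).
effective_value() {  # usage: effective_value FILE KEYWORD
    awk -v want="$2" '
        BEGIN { want = tolower(want) }       # keywords are case-insensitive
        /^[ \t]*#/ { next }                  # commented-out default, ignored
        /^[ \t]*$/ { next }                  # blank line
        tolower($1) == "match" { exit }      # global section ends at Match
        tolower($1) == want { print tolower($2); exit }  # first value wins
    ' "$1"
}

# Return 0 only when root login is explicitly disabled in FILE.
audit_sshd_config() {  # usage: audit_sshd_config FILE
    root=$(effective_value "$1" PermitRootLogin)
    x11=$(effective_value "$1" X11Forwarding)
    echo "PermitRootLogin: ${root:-unset, built-in default applies}"
    echo "X11Forwarding:   ${x11:-unset, built-in default applies}"
    [ "$root" = "no" ]
}

# Constructed sample files (not real system configuration).
sample_dir=$(mktemp -d)
trap 'rm -rf "$sample_dir"' EXIT
printf '%s\n' '#X11Forwarding no' 'X11Forwarding yes' \
    '#PermitRootLogin yes' > "$sample_dir/before"
printf '%s\n' '#X11Forwarding no' 'X11Forwarding yes' \
    '#PermitRootLogin yes' 'PermitRootLogin no' > "$sample_dir/after"
# An earlier uncommented line shadows a later one with the same keyword.
printf '%s\n' 'PermitRootLogin yes' 'permitrootlogin no' \
    > "$sample_dir/shadowed"

for f in before after shadowed; do
    echo "== $f"
    audit_sshd_config "$sample_dir/$f" ||
        echo "FINDING: root login is not explicitly disabled"
done
```

To check the real file, call audit_sshd_config /etc/ssh/sshd_config with sudo. The "shadowed" case shows why a new PermitRootLogin line must not be placed below an existing uncommented one.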


