Thursday, March 3, 2011

SSH, X11, and You

SSH Encrypted Network Connections


Recently I read an article where the author went through great pains to launch an application on a remote system and display it locally, over an encrypted session.


Doing this is actually far, far easier than ggarron makes it out to be: it takes no more than a single option to SSH. But first, what is SSH to you?


Right off the bat, please, don't fear the command line. If you're new to UNIX style systems, like Linux, the command line can seem daunting. It just sits there waiting for you to type something. Don't let it bother you, as long as you're not root you can't do much harm.


Secure Shell is a command line application that replaces telnet, ftp and xhost with a secure link to a remote system, with serious protection for the data you transfer.


SSH uses passwords, or can be configured to use public key cryptography, as GnuPG or PGP do. A password will get you into a system the first time; public key authentication has to be set up ahead of time.


For a good SSH primer, if you don't have a "Unix Power Utilities" volume sitting around, this article on WikiHow.com seems quite straightforward. There are lots of results if you use Google to look for "ssh howto", and I've noticed that the Ubuntu forums tend to cater well to "first time users". The OpenSSH.com Frequently Asked Questions list gets rather technical.



First, Secure FTP.

$ sftp random
The authenticity of host 'random (10.1.2.3)' can't be established.
RSA key fingerprint is 2d:00:7c:cd:0e:00:34.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added 'random,10.1.2.3' (RSA) to the list of known hosts.
curt@random's password:
Connected to random.
sftp> pwd
Remote working directory: /home/curt
sftp> 

As you can see, the authentication may be by a simple password, but far more is going on than a password alone would imply. The RSA host key of the remote system is checked and recorded (that is the fingerprint you were asked to accept; ideally you compare it against one obtained from the machine's administrator before typing 'yes'), and from then on anything you do is encrypted. Secure FTP works just like regular command line FTP, and typing 'help' will give you plenty of commands to fiddle with.


Second, Secure Copy


$ scp random:I_Want_It_To_Be_Just_A_Lake.pdf .
curt@random's password:
I_Want_It_To_Be_Just_A_Lake.pdf      100%  108KB 108.5KB/s   00:00

scp, as above, works with most of the same options as cp, but make sure to check the man page before you try anything complex. There are differences in how symlinks are handled, for example.

Third, Secure Shell.

$ ssh random
curt@random's password:
Linux random 2.6.38-rc6-curt0.1 #1 SMP Wed Feb 23 16:32:32 EST 2011 i686

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
No mail.
Last login: Sat Feb 26 18:06:41 2011
He draweth out the thread of his verbosity finer than the staple of his
argument.
                -- William Shakespeare, "Love's Labour's Lost"
~
random$

ssh, which logs you into a remote machine over a secure, encrypted session, takes the place of the ancient and venerable telnet. But ssh has an additional function that can make all the difference.

From the page 'man ssh':

ssh -Y Enables trusted X11 forwarding. Trusted X11 forwardings are not subjected to the X11 SECURITY extension controls.

What does that mean to you and me? That by logging into a remote machine using 'ssh -Y random', any X program you launch there is automatically forwarded to your local X server. Because this is "trusted" forwarding, those remote programs get the same access to your local display as a program running locally would; the -X option requests untrusted forwarding instead, which keeps the SECURITY extension restrictions in place (unless your ssh_config sets ForwardX11Trusted yes, as some distributions do).

So, let's do this.

$ glxgears
2770 frames in 5.0 seconds = 553.924 FPS
2792 frames in 5.0 seconds = 558.242 FPS
2789 frames in 5.0 seconds = 557.759 FPS
2789 frames in 5.0 seconds = 557.627 FPS
2788 frames in 5.0 seconds = 557.461 FPS
2788 frames in 5.0 seconds = 557.428 FPS
2788 frames in 5.0 seconds = 557.413 FPS
2087 frames in 5.0 seconds = 417.258 FPS
2630 frames in 5.0 seconds = 525.911 FPS
XIO:  fatal IO error 11 (Resource temporarily unavailable) on X server "10.1.2.3:10.0"
      after 42 requests (42 known processed) with 0 events remaining.
~
random$ 

Because the only difference between a remote program and a local program opening windows on your screen is the response time of your network connection, they don't look any different. They don't function any differently either; copy and paste work just fine. You just have to keep in mind that any file operations are performed on the system where the process is running!

So when you launch that remote session of K3B, you are not only working with the files on that remote system, you're also using that remote system's CD/DVD drive. Yes, I made that mistake once. I put a blank CD in my local machine and wondered why the K3B session on the remote machine didn't see it. I didn't wonder long, but for just a moment I thought something was broken. Yes, indeed, there was a short circuit between keyboard and chair.

And Now: Quick Launch of Remote Processes with One Command!

This was shown to me by Gus3 over at LXer.com. I'd always logged in first, then typed the command on the remote system. But no, it's even easier than that:

$ ssh -Y curt@random "glxgears"

...which launches the program 'glxgears' on the remote machine, the "client", and displays it on your local machine, the "server", in the parlance of X.

Running that command, sure enough, launched 'glxgears' and displayed it locally, and when I closed the application the command line returned to my local machine. Very convenient for running those one-off commands, but it does NOT work as a background process because of the need to enter a password or passphrase.

ssh can be configured for password-less login, but if you're going to do that you can look up how to do it yourself.
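As an added example (not code from the original post or from OpenSSH), here is the one-command remote launch above as a small POSIX shell helper, together with the server-side check that comment 14 below alludes to: whether an sshd_config actually enables X11Forwarding. The user 'curt', host 'random' and 'glxgears' come from the post; the config text is constructed; the -f option is a real ssh flag the post does not mention, which backgrounds ssh only after the password prompt has been answered.

```shell
#!/bin/sh
# Added example, not code from the original post or from OpenSSH.
# Builds the one-command remote X launch and checks an sshd_config for
# X11Forwarding (comment 14 on this post: forwarding was off in sshd_config).

# Effective X11Forwarding value from an sshd_config read on stdin.
# sshd honours the first occurrence of a keyword; OpenSSH's default is "no".
# Caveat: directives inside Match blocks are conditional and not handled here.
x11_forwarding_enabled() {
    val=$(sed -e 's/#.*//' -e '/^[[:space:]]*$/d' \
          | awk 'tolower($1) == "x11forwarding" { print tolower($2); exit }')
    [ -n "$val" ] || val=no
    echo "$val"
}

# Command line for launching one remote X program, as in the post's
#   ssh -Y curt@random "glxgears"
# mode "untrusted" uses -X (the X11 SECURITY extension still applies),
# mode "trusted" uses -Y (it does not, per the man page excerpt above).
# -f is a real ssh option the post does not mention: ssh goes to the
# background just before running the command, i.e. after the password prompt.
remote_x_cmd() {
    user=$1 host=$2 prog=$3 mode=${4:-untrusted}
    case $mode in
        trusted)   flag=-Y ;;
        untrusted) flag=-X ;;
        *) echo "remote_x_cmd: unknown mode '$mode'" >&2; return 1 ;;
    esac
    printf 'ssh -f %s %s@%s %s\n' "$flag" "$user" "$host" "$prog"
}

# Constructed sample configs (not real files from the post).
SSHD_CONF_ENABLED='# X11Forwarding no   <- commented out, ignored
X11Forwarding yes
X11Forwarding no     # later duplicate; sshd keeps the first value'
SSHD_CONF_DEFAULT='PermitRootLogin no'

check_conf() {
    printf '%s\n' "$1" | x11_forwarding_enabled
}

echo "enabled config -> X11Forwarding $(check_conf "$SSHD_CONF_ENABLED")"   # yes
echo "default config -> X11Forwarding $(check_conf "$SSHD_CONF_DEFAULT")"   # no
remote_x_cmd curt random glxgears            # ssh -f -X curt@random glxgears
remote_x_cmd curt random glxgears trusted    # ssh -f -Y curt@random glxgears
```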

Fourth: But I HATE THE COMMAND LINE!

Ok. For the unabashedly pro-GUI types who don't ever want to get into the command line, there is Konqueror on Linux and WinSCP. I saw reference to Midnight Commander using ssh/sftp, but since I haven't used MC, I'm not going to get into it.

One of the reasons I stick with KDE, even though I prefer KDE3 to KDE4 in terms of ... well, most anything, is Konqueror. Being able to type sftp:// or fish:// or any of the other "i-o slaves" that Konqueror boasts into the URL line and have it just plain work... If I'm going to have the bloat of a GUI function just to do ftp, it's darn well going to do it with style.

If I just want something done, the command line is the fastest and most accurate user interface there is. I always have a Konsole window open with upwards of 5 tabs going at the same time, often one logged in as "root" for speedy access without having to type "sudo" first.

15 comments:

  1. Nice little overview! I'm going to send it in to work for my colleagues who might be interested in expanding their knowledge.

    BTW, PCManFM plays well with sftp:// much like Konqueror does/did. Dolphin does it, um, differently... :-/

  2. Richard, you are too kind. Thank you, very much.

  3. Nice post. X11 over SSH is fine for Local Area Networks. But due to the excessive bandwidth almost unusable for remote connections over the internet.

  4. Anonymous, 3/3/11 14:57

    Great post! Since you mentioned multiple tabs in the last paragraph, I wanted to mention byobu for your readers. byobu makes screen great(er).

  5. Anonymous, 3/3/11 15:55

    use NX if you're not on the same local network, or just want more speed

  6. Thanks for this I tried it and it works

  7. Don't forget rsync over SSH! I'm in the process of building a backup system at the moment based on that, by using hard links can have a revision history too with minimal disk usage.

  8. Don't enjoy this functionality too much. Ubuntu and Fedora are going to take this away soon when they drop Xorg X11 in favor of Wayland. Wayland does not support network graphics. Initially you'll be able to select another distro or even force Xorg to be installed, but eventually it will be moot as applications start dropping X11 support since Ubuntu and Fedora pretty much influence everyone. Personally, I think this is a fabulous feature and one that I use daily. I'm sad that Wayland without network support seems to be the future. Too many people seem to want Linux to be a drop in replacement for Windows.

  9. Tad - I think you are overstating the woes of Wayland. It is highly likely that there will be an X11 shim for Wayland to allow remote X11 apps to connect to a Wayland display. There are other tricks around to provide the same functionality too - I've been using xpra successfully for a few years as a better-performing X11 display over SSH links with higher latency.

  10. Mick,

    I just finished implementing an rsync over ssh backup solution for my linux servers here at work, and it is brilliant!

    I used to backup using tar/scp, but it was time consuming and didn't provide easy iterative backups.

    rsync over ssh with hard links provides an unbelievable increase in speed, and as you mentioned, the minimal disk usage for subsequent backups is just the icing on the cake.

  11. Toby: I hope so, but once network graphics aren't inherently in the desktop, the functionality will suffer. VNC and such have been touted as a solution, but it's certainly not an equivalent solution. The real problem, even with the shim (with whatever inconvenient configuration it requires), is that eventually, the apps you want to run remotely probably won't support X any more.

  12. Yes, this part is fairly easy (there even exist X11 displays for Windows from which you can do remote ssh -X). However the problem will be when the remote server has Wayland. However I feel after a few painful years someone will develop a native network protocol for Wayland too (I don't mean the bitmap transfer protocols like vnc/nx).

  13. Tad points out a very important point that has been made many times, it's even mentioned in Ludwig von Mises' "Human Action".

    Not all progress is forward. Not all change is always considered positive.

    History has had innumerable instances where progress has reversed, knowledge lost. The Romans had concrete, not rediscovered for 1100 years. The European trading ships that reached China were puny next to the giant trading ships that Zeng He used 200 years earlier.

    And of course, Windows Vista.

  14. Hey, I liked your post, and thanks for pointing out mine.

    I did not mean to make it appear so difficult, but that was needed (maybe except for the xhost part) on my Slackware PC.

    X11 forwarding was disabled in my sshd config file.

    Once again, thanks for this great post.

    Post a link to it in the comments of Go2Linux.

  15. Hi Curt, could you please contact me?

    You can find me @ggarron on twitter, or using my page.

    thanks.
