How to set up secure access to your X display

There are several ways to have X11 applications running on remote machines to display on your local desktop. These methods are described below in order from most secure to least secure. The methods described in this HOWTO are:

Any or all of these methods can be used simultaneously. In fact, we recommend using the most secure method (SSH tunnelling) by default, and using the less secure methods for particular applications only if display performance is a problem.

A note on terminology: In X land, the X "client" is the application, and the X "server" is the software managing your local display, even though in the context of running applications remotely we tend to call our local machine a "client" and the remote machine a "server". This document will use the accepted X terminology because it is precise (the X server is providing access to the local display as a service, the remote machine is providing a platform to run applications as a service), but additional descriptive information will be provided throughout to minimize confusion.

In this document, the remote machine is assumed to be a UNIX/Linux-based system.

SSH tunnelling (most secure)

This method works by tunnelling all X traffic through your SSH connection. As far as the X server (your display) is concerned, X traffic will appear on the local side of the SSH connection, looking like it is coming from the local (desktop) machine, even though the X traffic originated from an X application running on the remote machine. Moreover, this traffic will be encrypted, thereby protecting private info you might potentially send through the X interface (by typing passwords, for example). This has the further benefit of working through firewalls that are set up to allow only "trusted" ports through (ssh, for example). Windows systems running X display software may encounter a significant performance penalty when using the SSH tunnelling/encryption method. However, the penalty is minimal when your display machine is a Linux/UNIX system. If you encounter major performance degradation, consider the XAuth method below.

Do the following to set up SSH tunnelling:

Direct display using XAuth (partially secure)

The XAuth method of access control ensures that X applications have authorization before allowing them to connect to an X server. Authorization credentials take the form of a display-specific "magic cookie" that the X application must present to the X server. If the cookie matches the one held by the server, the server allows that application to connect. With this access method, X traffic can be sent without tunnelling, directly to the X display. Though X traffic is not encrypted, this is an acceptable solution if your network itself is reasonably secure (i.e. the switched network within BIAC), and if your "cookie" files are protected (not readable by anyone else).

Do the following to set up XAuth:

  1. Set up a display key on the remote machine

  2. Set up your display to recognize the new key
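The XAuth steps above depend on the display-specific cookie being stored in a file that only you can read. As an added example that is not part of this HOWTO, the following Python script decodes the binary ~/.Xauthority format, flags a cookie file that group/others can read or entries that are not 128-bit MIT-MAGIC-COOKIE-1 cookies, and exercises itself on a constructed entry for a display named "desktop:0" (the display name, cookie value and temporary file are constructed assumptions, not values from the page):

```python
import os
import struct
import tempfile

COOKIE_NAME = b"MIT-MAGIC-COOKIE-1"
FAMILY_LOCAL = 256  # hostname-addressed local display (X11/Xauth.h)

def build_entry(family, address, number, cookie):
    """Encode one entry as xauth stores it: 2-byte family, then length-prefixed address, display number, name, data."""
    fields = (address, number, COOKIE_NAME, cookie)
    return struct.pack(">H", family) + b"".join(struct.pack(">H", len(f)) + f for f in fields)

def parse_xauthority(data):
    """Decode the binary ~/.Xauthority format into a list of cookie entries."""
    entries, pos = [], 0
    while pos < len(data):
        (family,) = struct.unpack_from(">H", data, pos)
        pos, fields = pos + 2, []
        for _ in range(4):  # address, display number, auth name, auth data
            (n,) = struct.unpack_from(">H", data, pos)
            fields.append(data[pos + 2:pos + 2 + n])
            pos += 2 + n
        address, number, name, cookie = fields
        entries.append({"family": family, "display": f"{address.decode(errors='replace')}:{number.decode()}",
                        "name": name.decode(), "cookie_hex": cookie.hex()})
    return entries

def audit_xauthority(path):
    """Report a cookie file that group/others can read, and entries that are not 128-bit MIT cookies."""
    problems = []
    mode = os.stat(path).st_mode & 0o777
    if mode & 0o077:
        problems.append(f"{path}: mode {mode:04o} is readable by group/others")
    with open(path, "rb") as fh:
        entries = parse_xauthority(fh.read())
    for e in entries:
        if e["name"] != COOKIE_NAME.decode() or len(e["cookie_hex"]) != 32:
            problems.append(f"{e['display']}: unexpected authorization {e['name']!r}")
    return entries, problems

def demo():
    """Constructed sample: a cookie for desktop:0, audited at mode 0644 and then at 0600 (what xauth sets)."""
    with tempfile.NamedTemporaryFile(delete=False) as tmp:
        tmp.write(build_entry(FAMILY_LOCAL, b"desktop", b"0", os.urandom(16)))
    counts = []
    for mode in (0o644, 0o600):
        os.chmod(tmp.name, mode)
        counts.append(len(audit_xauthority(tmp.name)[1]))
    os.unlink(tmp.name)
    return tuple(counts)  # (1, 0): one problem while world-readable, none once private
```

Running audit_xauthority on your real ~/.Xauthority (or the file named by $XAUTHORITY) is the check to perform after step 2; the file permissions matter on the remote machine too, since the cookie added there grants the same access to your display.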

Direct display without access control (not secure, not recommended)

This method bypasses the authorization mechanisms provided by the X server. This method is not documented because it is highly insecure.