X11forwarding

Running GUI Programs

SSH can be used to tunnel graphical applications over a network as well as text-based ones. GUIs are more complicated than text, and therefore harder to set up and more likely to require extra software.

Check Your SSH Server Settings

By default, Ubuntu's SSH server has everything you need enabled. If you have disabled features for security reasons, you might not be able to start GUI programs. To make sure, look in your /etc/ssh/sshd_config for this line:

AllowTcpForwarding No

This disables forwarding of TCP connections over SSH. You should delete this line if you want to use VNC for GUI programs (discussed below).

Next, look for this line:

X11Forwarding yes

This enables Unix-style GUI forwarding over SSH. If you don't see it, open the file in your favourite text editor and add that line.

You will need superuser privileges to save changes to /etc/ssh/sshd_config.
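The check described in this section, written as a shell script. This is an added example, not part of the original wiki page: the function names and the sample file are made up for illustration, and it assumes whitespace-separated "Keyword value" lines with no Include files.

```shell
#!/bin/sh
# Added example (not from the original page): audit the two sshd_config
# settings discussed above. Assumes whitespace-separated "Keyword value"
# lines; Include files and Match blocks are not evaluated.

# sshd_effective FILE KEYWORD DEFAULT -> effective global value, lower-cased
sshd_effective() {
    awk -v want="$2" -v def="$3" '
        BEGIN { want = tolower(want) }
        /^[ \t]*#/ || NF == 0 { next }        # comments and blank lines
        tolower($1) == "match" { exit }        # global section ends here
        tolower($1) == want {                  # keywords are case-insensitive
            print tolower($2); found = 1; exit # sshd keeps the first value
        }
        END { if (!found) print def }
    ' "$1"
}

# gui_forwarding_problems FILE -> one line per blocking setting; 0 if none
gui_forwarding_problems() {
    rc=0
    # OpenSSH built-in defaults: AllowTcpForwarding yes, X11Forwarding no
    tcp=$(sshd_effective "$1" AllowTcpForwarding yes)
    x11=$(sshd_effective "$1" X11Forwarding no)
    case $tcp in
        yes|all|local) ;;                      # local forwarding is permitted
        *) echo "AllowTcpForwarding is '$tcp': SSH tunnels will be refused"; rc=1 ;;
    esac
    if [ "$x11" != yes ]; then
        echo "X11Forwarding is '$x11': ssh -X cannot forward GUI programs"; rc=1
    fi
    return $rc
}

# Constructed sample: the later "X11Forwarding yes" is ignored because an
# earlier line already set the keyword.
sample=$(mktemp)
cat > "$sample" <<'EOF'
# AllowTcpForwarding yes
allowtcpforwarding No
X11Forwarding no
X11Forwarding yes
EOF
gui_forwarding_problems "$sample" || echo "sshd_config needs changes"
rm -f "$sample"
```

On a live server, running sshd -T as root prints the configuration the daemon actually uses, including built-in defaults.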

Single Applications

If you are logging in from a Unix-like operating system, you can forward single applications over SSH very easily, because all Unix-like systems share a common graphics layer called X11. This even works under Mac OS X, although you will need to install and start the X11 server before using SSH.

To forward single applications, connect to your system using the command-line, but add the -X option to forward X11 connections:

ssh -X joe@laptop

Once the connection is made, type the name of your GUI program on the command-line:

firefox &

Your program will start as normal, although you might find it's a little slower than it would be if it were running locally. The trailing & means that the program should run in "background mode", so you can start typing new commands in straight away, rather than waiting for your program to finish.

If you only want to run a single command, you can log in like this:

ssh -f -T -X joe@laptop firefox

That will run Firefox, then exit when it finishes. See the SSH manual page for information about -f and -T.

If you start an application and it complains that it cannot find the display, try installing the xauth package from the Main repository. Xauth is installed by default with desktop installations but not server installations.

If you suspect that programs are running slowly because of a lack of bandwidth, you can turn SSH compression on with the -C option:

ssh -fTXC joe@laptop firefox

Using -fTXC here is identical to -f -T -X -C.

Nested windows

Xephyr is a program that gives you an X server within your current server. It's available in the xserver-xephyr package in the Main repository.

[Screenshot: two SSH-forwarded desktops on dual monitors]

Setting up Xephyr was explained briefly in the Ubuntu forums.

Tunneling VNC connections through ssh

Virtual Network Computing ("VNC") is a cross-platform way of sharing a desktop. Once you've set your SSH server up, see VNC for more information.

Breaking out of a controlled network

Sometimes it's useful to tunnel all web traffic over SSH without having to start Firefox on a remote computer, for example to work around network monitoring or snooping, or to avoid badly configured routers on the Internet. If you can change the settings on your web browser, you can probably use SSH to circumvent these filters.

Warning: Filtering and monitoring is usually implemented for a reason. Even if you don't agree with that reason, your IT department might not take kindly to you flouting their rules.

SOCKS is a protocol used by some proxy servers. The SOCKS protocol allows a client (such as a web browser) to ask a server to download a file for it, rather than downloading the file directly. Most SSH clients can act as a SOCKS proxy server, securely tunnelling requests through your SSH session and then making an ordinary (insecure) web request from your Ubuntu computer.

Using the command-line SSH client, you should activate SOCKS by doing:

ssh -C -D 1080 user@host

-D refers to Dynamic port forwarding, and 1080 is the standard SOCKS port. You can use a different port if you prefer, but you should choose a port in the range 1024 to 49151, inclusive.

-C enables Compression, which speeds the tunnel up when proxying mainly text-based information (like web browsing), but can slow it down when proxying binary information (like downloading files).

There is also a brief discussion in the PuTTY manual page about how to get PuTTY to act as a SOCKS proxy server.

Once you have set your SOCKS proxy up, your applications can use a SOCKS proxy on the computer you are connecting from. For example, in Firefox:

  • go to Edit -> Preferences -> Advanced -> Network -> Connection -> Settings...
  • check "Manual proxy configuration"
  • make sure "Use this proxy server for all protocols" is cleared
  • clear "HTTP Proxy", "SSL Proxy", "FTP Proxy", and "Gopher Proxy" fields
  • enter "127.0.0.1" for "SOCKS Host", and "1080" (or whatever port you chose) for Port.

You can also set Firefox to use the DNS through that proxy, so even your DNS lookups are secure:

  • Type in about:config in the Firefox address bar
  • Find the key called "network.proxy.socks_remote_dns" and set it to true

The SOCKS proxy will stop working when you close your SSH session. You will need to change these settings back to normal in order for your browser to work again.

marckaplan/ssh/X11forwarding (last edited 2009-03-23 23:14:21 by crlspr-69)