SSH Notes

Harold L Hunt II huntharo@msu.edu
Thu Oct 3 16:16:00 GMT 2002


X11 tunnelling via SSH has always been somewhat of a mystery to me and 
to most other Cygwin/XFree86 users.  I knew that the instructions that I 
provided in the Cygwin/XFree86 User's Guide worked, but I did not know 
why most other methods of starting ssh and Cygwin/XFree86 did not work. 
  I have now found out what is going on, and I actually think that we 
may want to make a patch to openssh for Cygwin to make the system more 
fool-proof.  Below are my notes on what I found.

Notes on X11 Tunnelling
=======================

1) The key to X11 tunnelling via openssh is to have the ``DISPLAY'' 
environment variable defined in your Cygwin bash shell BEFORE you ssh 
into your remote host.  That is, you must run the following command 
before you run ssh:

export DISPLAY=127.0.0.1:0.0

2) You do not have to have your X Server (Cygwin/XFree86) running when 
you open your ssh session to your remote machine, but you have to have 
the DISPLAY variable set to a valid value.  Remember, you would open an 
ssh session with X11 forwarding like so:

ssh -X -C foo_user@foo_machine

3) The .Xauthority file is created on your remote host.  I always 
thought that the .Xauthority file was created on your Cygwin host, but I 
was wrong.  Thus, there are no problems with the .Xauthority file being 
stored in the wrong place in your Cygwin file system, as we have 
sometimes thought.

4) The instructions in the Cygwin/XFree86 User's Guide for ssh 
tunnelling work because you launch ssh from within an xterm, which has 
the DISPLAY variable set correctly already.

5) When ssh launches with the ``-X'' parameter (for X11 tunnelling) on 
Cygwin, it looks for the DISPLAY environment variable.  If DISPLAY is 
not defined, ssh assumes that you do not really want X11 tunnelling and 
it fails to set the DISPLAY environment variable on the remote host 
(which is the key step).

6) You cannot set the DISPLAY environment variable by hand on the remote 
host after connecting with ssh when the DISPLAY variable was not set on 
the Cygwin host when you launched.  You might have seen 
DISPLAY=localhost:10.0 in one of your previous sessions on your remote 
host and thought that you could just set the DISPLAY variable to that 
again, but you can't.  It appears that ssh just disables the X11 
tunnelling (silent failure, the worst kind) when the DISPLAY variable is 
not defined on your Cygwin host.


What to Fix
===========

ssh should assume ``DISPLAY=127.0.0.1:0.0'' when the DISPLAY variable is 
not set on the Cygwin host.  I am not sure why this is not currently the 
case.  I can only guess that the lack of this assumption is either due to 
1) a whiny security geek on the openssh project, or 2) that the assumed 
usage scenario for openssh is more like a Linux/X machine where you have 
probably got your X Server running when you connect to your remote 
machine with ssh, thus DISPLAY would already be set.

At the very least, we should patch the Cygwin release of openssh to 
assume that DISPLAY=127.0.0.1:0.0 when DISPLAY is not defined in the 
environment.  That would make X11 tunnelling much much easier for 95% of 
our users and I either can't see or I don't care about any 
pseudo-security hole that this might open up.  (Hey, if SSH Secure Shell 
makes this assumption, then we can too.)


Stupid Pet Tricks
+++++++++++++++++

NOTE: I can hardly advocate using either of the following commercial 
products.  But, users continually express interest in how to 
interoperate with these products, so I wanted to show that it is 
possible and I wanted to document how it is done.


Using SSH Secure Shell with Cygwin/XFree86
==========================================

NOTE: You do not, I repeat, NOT, need to run the xhost command on your 
Cygwin host.  In fact, that may break things.

1) Edit->Settings->Profile Settings->Tunnelling, check the ``Tunnel X11 
connections'' check box.

2) Edit->Settings->Profile Settings->Connection, select ``zlib'' from 
the Compression drop-down list box.  [optional, but recommended for slow 
network connections]

3) File->Save Settings

4) Open a connection to your remote host

5) Launch Cygwin/XFree86 using startxwin.bat, or your favorite method. 
[You can actually do this step at any of the steps up until now.]

6) Launch your X Client from your SSH Secure Shell, for example, ``xterm''.

7) Observe that your X Client has shown up in Cygwin/XFree86.


Using Cygwin's OpenSSH with XWin-32
===================================

1) Launch XWin-32

2) Open XWin-32's X-Config program (usually done by right-clicking on 
the blue X icon in the system tray and choosing X-Config from the pop-up 
menu)

3) Navigate to the Security tab

4) Check the ``Use XAuth'' check box

5) Click the ``Add'' button and in the ``Add X Host'' window type 
``127.0.0.1'', then press ``OK'' on both dialog boxes.

6) Reset XWin-32 (usually done by right-clicking on the blue X icon in 
the system tray and choosing Reset from the pop-up menu)

7) Open a Cygwin bash shell by clicking or double-clicking your Cygwin icon.

8) In your Cygwin bash shell, run:

export DISPLAY=127.0.0.1:0.0

9) In your Cygwin bash shell, open an ssh session to your remote host 
with X11 tunnelling enabled (and I recommend the -C for compression on 
slow network links):

ssh -X -C foo_user@foo_machine

10) Launch your X Client from your ssh session in your Cygwin bash 
shell, for example, ``xterm''.

11) Observe that your X Client has shown up in XWin-32.



Neat, eh?


Eventually some of this information will find its way to the 
Cygwin/XFree86 User's Guide.  Until then, just post a link to the 
mailing list archive of this message whenever a user has questions about 
ssh and X11 tunnelling.


I hope this helps someone out there,

Harold
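
Added example, not part of the original message and not OpenSSH or Cygwin code: shell helpers that turn the silent failure described in notes 5 and 6 into an explicit error on the Cygwin side, plus a check to run on the remote host. The function names are hypothetical, and the N >= 10 test assumes sshd's default X11DisplayOffset.

```shell
#!/bin/sh
# Added example, not from the original post: surface the silent "ssh -X" failure.

# check_local_display VALUE -> 0 usable, 1 empty/unset, 2 malformed.
# Empty is the case where ssh -X skips X11 forwarding without a message.
check_local_display() {
    [ -n "$1" ] || return 1
    printf '%s\n' "$1" | grep -Eq '^[A-Za-z0-9._-]*:[0-9]+(\.[0-9]+)?$' || return 2
    return 0
}

# is_forwarded_display VALUE -> 0 if VALUE looks like a display created by
# sshd, e.g. the post's localhost:10.0 (localhost:N[.S] with N >= 10).
# Assumption: sshd keeps its default X11DisplayOffset of 10.
is_forwarded_display() {
    num=$(printf '%s\n' "$1" |
        sed -n 's/^localhost:\([0-9][0-9]*\)\(\.[0-9][0-9]*\)\{0,1\}$/\1/p')
    [ -n "$num" ] && [ "$num" -ge 10 ]
}

# ssh_x ARGS...: run on the Cygwin side instead of "ssh -X -C ARGS...".
# Refuses to connect when forwarding could not be set up.
ssh_x() {
    rc=0
    check_local_display "${DISPLAY:-}" || rc=$?
    case $rc in
        1) echo "ssh_x: DISPLAY unset; ssh -X would silently skip X11 forwarding" >&2
           echo "ssh_x: run 'export DISPLAY=127.0.0.1:0.0' first" >&2
           return 1 ;;
        2) echo "ssh_x: DISPLAY='$DISPLAY' is not [host]:display[.screen]" >&2
           return 2 ;;
    esac
    ssh -X -C "$@"
}

# remote_x11_ok: run on the remote host after login. Succeeds only if sshd
# set a forwarded DISPLAY and a non-empty Xauthority file exists there.
remote_x11_ok() {
    is_forwarded_display "${DISPLAY:-}" &&
        [ -s "${XAUTHORITY:-$HOME/.Xauthority}" ]
}
```

Source the file in the Cygwin bash shell and call ssh_x foo_user@foo_machine; on the remote side, a failing remote_x11_ok means the session was opened without a tunnel and setting DISPLAY by hand will not help.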


