Your browser does not allow storing cookies. We recommend enabling them.

SSH

X11 Forwarding (Unix)

X11 forwarding is a special case of remote tunneling.

Tectia Server supports X11 forwarding on Unix platforms. Tectia Client and ConnectSecure support X11 forwarding on both Unix and Windows platforms.

X11 forwarding

Figure 8.6. X11 forwarding

By default, Tectia Server allows X11 forwarding for all users. To enable X11 forwarding only for the specified users, include an entry similar to the following in your ssh-server-config.xml file:

<services>
  <rule group="admins">
    <tunnel-x11 action="allow" />
    ...
  </rule>
  <rule>
    <tunnel-x11 action="deny" />
  </rule>
</services>

On Unix, you can define what type of X11 listener address will be used in X11 forwarding. The address type is configured with the settings element by adding attribute x11-listen-address that takes the following values:

  • localhost (default) - sets the DISPLAY environment variable to 127.0.0.1:<screen>, where <screen> is the tunneled screen number, typically 10.0. This means that the x11 listener is bound to a loopback address; this setting should be sufficient for most use cases.

  • any - sets the DISPLAY environment variable to <address:screen>, where <address> is the interface to which the SSH session is bound (typically the first network interface) and the <screen> is the tunneled screen number, typically 10.0. This setting will bind the X11 listener to the 0.0.0.0 (wildcard) interface thereby allowing connections to the proxy from other hosts. Use this setting on HPUX systems, if you need to tunnel older X11 applications (such as hpterm).

    When x11-listen-address=any, the SO_REUSEADDR socket option will be left non-set in order to prevent the possibility of session hijacking on some operating systems by other users binding to the same port with a more specific address.

For example:

<params>
  <settings
    x11-listen-address="any" />
</params>  


 

 
What to read next:

  • Reduce Secure Shell risk. Get to know the NIST 7966.



    The NISTIR 7966 guideline from the Computer Security Division of NIST is a direct call to action for organizations regardless of industry and is a mandate for the US Federal government.
    Download now
  • ISACA Practitioner Guide for SSH



    With contributions from practitioners, specialists and SSH.COM experts, the ISACA “SSH: Practitioner Considerations” guide is vital best practice from the compliance and audit community.
    Download now