In this post I want to show how you can enable X11 forwarding by using PuTTY and the Xming X Server for Windows.

To use X11 forwarding, an X11 server needs to be installed on the client (in my case Windows). Several X11 servers are available for Windows; here I will use the Xming X Server, which you can download from https://sourceforge.net/projects/xming/.

X11 forwarding is a feature of the SSH protocol that enables users to run graphical applications on a remote server and interact with them by using their local display and I/O devices.




Introduction

The X Window System (X11, or simply X) is a windowing system for bitmap displays, common on Unix-like operating systems.

X provides the basic framework for a GUI environment: drawing and moving windows on the display device and interacting with a mouse and keyboard. X does not mandate the user interface – this is handled by individual programs. As such, the visual styling of X-based environments varies greatly; different programs may present radically different interfaces.

X originated as part of Project Athena at Massachusetts Institute of Technology (MIT) in 1984. The X protocol has been at version 11 (hence “X11”) since September 1987. The X.Org Foundation leads the X project, with the current reference implementation, X.Org Server, available as free and open-source software under the MIT License and similar permissive licenses.

Source: https://en.wikipedia.org/wiki/X_Window_System





SSH Server Configuration

X11 forwarding is enabled by default on most SSH servers. Below, for example, is the default configuration on Linux Enterprise Server 15 under /etc/ssh/sshd_config.

X11Forwarding yes
Specifies whether X11 forwarding is permitted. The default is yes. Note that disabling X11 forwarding does not improve security in any way, as users can always install their own forwarders.

X11UseLocalhost yes
Specifies whether sshd should bind the X11 forwarding server to the loopback address or to the wildcard address. By default, sshd binds the forwarding server to the loopback address and sets the hostname part of the DISPLAY environment variable to localhost. This prevents remote hosts from connecting to the proxy display. However, some older X11 clients might not function with this configuration. X11UseLocalhost can be set to no to specify that the forwarding server should be bound to the wildcard address. The argument must be yes or no. The default is yes.


The X server is listening on the loopback address for incoming requests from X clients (GUI applications running on the server).




Prerequisites

If you try to use X11 forwarding before you have configured X11 forwarding in PuTTY and started an X11 server on Windows, you will run into the following error.

Gtk-Warning: cannot open display:


Enable X11 forwarding in PuTTY by checking Enable X11 forwarding under the session's SSH -> Auth -> X11 forwarding settings, as shown below. For the authentication protocol, leave MIT-MAGIC-COOKIE-1 selected, which is already the default.

The X display location is localhost:0 by default, so you normally don’t have to enter it here; if you run into issues, you can set it explicitly.

The MIT-MAGIC-COOKIE-1 authorization protocol was developed by the Massachusetts Institute of Technology (MIT). A magic cookie is a long, randomly generated binary password. At server startup, the magic cookie is created for the server and the user who started the system. On every connection attempt, the user’s client sends the magic cookie to the server as part of the connection packet. This magic cookie is compared with the server’s magic cookie. The connection is allowed if the magic cookies match, or denied if they do not match.

Source: https://docs.oracle.com/cd/E19620-01/805-3921/security-4/index.html


When you try again after enabling X11 forwarding in PuTTY, but without an X11 server running locally on your client computer, you will encounter the following additional error message.

PuTTY X11 proxy: unable to connect to forward X server: Network error: Connection refused

So we first need to install an X server on Windows as shown below.



Install Xming Server on Windows

Xming is the leading X Window System Server for Microsoft Windows. It is fully featured, small and fast, simple to install and because it is standalone native Microsoft Windows, easily made portable (not needing a machine-specific installation).

Source: https://sourceforge.net/projects/xming/


You can download the Xming server from the link above.


By default, Normal PuTTY Link SSH client is checked, which will also install the PuTTY client. Because I already had PuTTY installed, I will not install the SSH client here.







Display settings

After the installation you can adjust some settings by using the XLaunch tool as shown below.


Click through the wizard with Next.





Testing X11 Forwarding by using the GParted tool

Now it works: the application's GUI is forwarded (proxied) to the Xming X server running locally on Windows, which finally displays the GUI application on my Windows computer.





Understanding the X11 DISPLAY environment variable and how X11 Forwarding works

An X Display is generally made up of at least one screen, keyboard, and pointer device. In this context, a screen is not a physical monitor, rather a virtual canvas which can read raw graphical data. In practice a single screen can be made up of multiple monitors and other virtual displays.

The X Display is managed by the X server.


X Client Programs use the $DISPLAY environment variable, which looks like hostname:display_number.screen_number, to determine which X Display to connect to. An X Program can derive a tcp or unix socket from this value to form a connection to the display through the X Server. Once the connection is accepted, the X Server forwards the connection to the requested screen.

Source: https://goteleport.com/blog/x11-forwarding/


Below is the content of the DISPLAY environment variable when a user logs in remotely over SSH with PuTTY.

Xorg listens on port 6000+n, where n is the display number. This connection type can be disabled with the -nolisten option (see the Xserver(1) man page for details).

Source: https://www.x.org/archive/X11R6.8.0/doc/Xorg.1.html


Below is the content of the DISPLAY environment variable when a user logs in locally, directly at the console of the server.

On most platforms, the Local connection type is a UNIX-domain socket (also used below). On some System V platforms, the local connection types also include STREAMS pipes, named pipes, and some other mechanisms.

Source: https://www.x.org/archive/X11R6.8.0/doc/Xorg.1.html


To demonstrate the X server's use of TCP/IP sockets and UNIX-domain sockets, I will use the ss (socket statistics) tool below.

First I will list the DISPLAY environment variable and the TCP/IP sockets for the remote SSH connection (X11 forwarding) initiated by PuTTY:

echo $DISPLAY
ss -a -n -t


In the output you can see that, for this remote session, the X server is listening on port 6010 over both TCP/IP IPv4 and IPv6. The display number for this remote session is 10, as seen in the output of the DISPLAY environment variable.

Note!
Xorg listens on port 6000+n, where n is the display number.

Source: https://www.x.org/archive/X11R6.8.0/doc/Xorg.1.html


Then I will list the UNIX domain sockets (IPC) for the local console connection directly on the server itself by using:

ss -x -a | grep X11


Display All TCP Sockets
# ss -t -a

Display All UDP Sockets
# ss -u -a

Display All RAW Sockets
# ss -w -a

Display All UNIX Sockets
# ss -x -a


Processes on the same host can communicate via UNIX domain sockets (IPC).
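
The following script is an added example, not part of the original post. It ties together the hostname:display_number.screen_number format, the 6000+n port rule, and the X11UseLocalhost setting from the SSH server section: it resolves a DISPLAY value to its socket and then checks, from ss -a -n -t output, whether that TCP display is bound to loopback only. The function names, the sample ss lines and the conventional Linux socket path /tmp/.X11-unix/Xn are assumptions of this example.

```shell
#!/bin/sh
# Added example: resolve a DISPLAY value to its socket, then check from
# `ss -a -n -t` output whether that TCP display is reachable off-host.

# Print "tcp HOST PORT" or "unix PATH" for hostname:display_number.screen_number.
display_endpoint() {
    case $1 in *:*) ;; *) return 1 ;; esac        # a display needs a ':'
    host=${1%:*}                                  # text before the last ':'
    num=${1##*:}; num=${num%%.*}                  # drop optional .screen
    case $num in ''|*[!0-9]*) return 1 ;; esac    # display number must be numeric
    case $host in
        ''|unix) echo "unix /tmp/.X11-unix/X$num" ;;   # conventional Linux path
        *)       echo "tcp $host $((6000 + $num))" ;;  # port is 6000+n
    esac
}

# Read ss output on stdin; report how the listeners on PORT are bound.
x11_bind_scope() {
    awk -v port="$1" '
        $1 == "LISTEN" {
            n = split($4, part, ":")
            if (part[n] != port) next
            addr = substr($4, 1, length($4) - length(part[n]) - 1)
            if (addr ~ /^127\./ || addr == "[::1]" || addr == "::1") lo = 1
            else other = 1
        }
        END { print (other ? "exposed" : (lo ? "loopback" : "none")) }'
}

# usage: ss -a -n -t | check_display "$DISPLAY"
check_display() {
    ep=$(display_endpoint "$1") || { echo "invalid DISPLAY"; return 2; }
    case $ep in
        tcp*) echo "$ep $(x11_bind_scope "${ep##* }")" ;;
        *)    echo "$ep" ;;
    esac
}

# Constructed sample: display 10 as on the page (X11UseLocalhost yes) and a
# hypothetical display 11 as it would look with X11UseLocalhost no.
SAMPLE_SS='State  Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0      128    127.0.0.1:6010     0.0.0.0:*
LISTEN 0      128    [::1]:6010         [::]:*
LISTEN 0      128    0.0.0.0:6011       0.0.0.0:*
ESTAB  0      0      192.0.2.10:22      198.51.100.7:50514'

printf '%s\n' "$SAMPLE_SS" | check_display "localhost:10.0"
```

A result of "exposed" means the forwarded display accepts connections on a non-loopback address, which is the situation the X11UseLocalhost yes default is meant to prevent.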




How does X11 Forwarding work in detail?

X11 Forwarding follows the same model as X11, but the X Client to X Server connection gets tunneled through an SSH Channel. In order to achieve this flow, the SSH Server proxies the remote X Client connection to the SSH Client, and the SSH Client proxies it to the user’s X Server.

The article below digs deep and explains very well how X11 forwarding works in detail.

Source: https://goteleport.com/blog/x11-forwarding/




X.Org Server

X.Org Server is the free and open-source implementation of the X Window System (X11) display server stewarded by the X.Org Foundation.

The X.Org Server runs on many free-software Unix-like operating systems, including being adopted for use by most Linux distributions and BSD variants. It is also the X server for the Solaris operating system. X.Org is also available in the repositories of Minix 3.

Source: https://en.wikipedia.org/wiki/X.Org_Server




Links

PuTTY
https://www.putty.org/

Xming X Server for Windows
https://sourceforge.net/projects/xming/

X Window System Protocol
https://www.x.org/releases/X11R7.7/doc/xproto/x11protocol.html

X.Org project
https://www.x.org/wiki/

X.Org Server
https://en.wikipedia.org/wiki/X.Org_Server

X.Org Foundation
https://en.wikipedia.org/wiki/X.Org_Foundation

How does X11 Forwarding work?
https://goteleport.com/blog/x11-forwarding/