X11 forwarding is a special case of remote tunneling.
SSH Tectia Server supports X11 forwarding on Unix platforms. SSH Tectia Client and ConnectSecure support X11 forwarding on both Unix and Windows platforms.
By default, SSH Tectia Server allows X11 forwarding for all users. To enable X11 forwarding only for the specified users, include an entry similar to the following in your ssh-server-config.xml file:
<services>
  <rule group="admins">
    <tunnel-x11 action="allow" />
    ...
  </rule>
  <rule>
    <tunnel-x11 action="deny" />
  </rule>
</services>
On Unix, you can define what type of X11 listener address will be used in X11 forwarding. The address type is configured with the settings element by adding the attribute x11-listen-address, which takes the following values:
localhost (default) - sets the DISPLAY environment variable to 127.0.0.1:<screen>, where <screen> is the tunneled screen number, typically 10.0. This means that the X11 listener is bound to a loopback address; this setting should be sufficient for most use cases.
any - sets the DISPLAY environment variable to <address>:<screen>, where <address> is the interface to which the SSH session is bound (typically the first network interface) and <screen> is the tunneled screen number, typically 10.0. This setting binds the X11 listener to the 0.0.0.0 (wildcard) interface, thereby allowing connections to the proxy from other hosts. Use this setting on HP-UX systems if you need to tunnel older X11 applications (such as hpterm).
When x11-listen-address=any, the SO_REUSEADDR socket option is left unset in order to prevent the possibility of session hijacking on some operating systems by other users binding to the same port with a more specific address.
For example:
<params>
  <settings x11-listen-address="any" />
</params>
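An added example (not SSH Tectia code or tooling): a Python check that reads the two settings described above from an ssh-server-config.xml and reports where the X11 listener is bound to the wildcard address or forwarding is allowed without a group restriction. The function name audit_x11, the <secsh-server> root element in the constructed sample, and treating a rule with no <tunnel-x11> element as "allow" are assumptions.

```python
import xml.etree.ElementTree as ET

# Constructed sample (not from a real server). The <secsh-server> root name is
# an assumption; the other elements and attributes are the ones on this page.
SAMPLE_CONFIG = """\
<secsh-server>
  <params> <settings x11-listen-address="any" /> </params>
  <services>
    <rule group="admins"> <tunnel-x11 action="allow" /> </rule>
    <rule> <tunnel-x11 action="deny" /> </rule>
  </services>
</secsh-server>
"""

def audit_x11(xml_text):
    """Return (severity, message) findings about X11 forwarding exposure."""
    root = ET.fromstring(xml_text)
    findings = []

    # A missing element or attribute means the documented default, "localhost".
    settings = root.find(".//settings")
    listen = "localhost" if settings is None else settings.get(
        "x11-listen-address", "localhost")
    if listen == "any":
        findings.append(("warn", "x11-listen-address=any: the X11 listener binds "
                         "to 0.0.0.0 and accepts connections from other hosts"))
    elif listen != "localhost":
        findings.append(("error", f"undocumented x11-listen-address {listen!r}"))

    rules = root.findall(".//services/rule")
    if not rules:
        findings.append(("warn", "no <rule> found: X11 forwarding is allowed "
                         "for all users by default"))
    for number, rule in enumerate(rules, start=1):
        x11 = rule.find("tunnel-x11")
        # Assumption: a rule without <tunnel-x11> keeps the default, allow.
        action = "allow" if x11 is None else x11.get("action", "allow")
        group = rule.get("group")
        if action == "allow" and group is None:
            findings.append(("warn", f"rule {number} allows X11 forwarding "
                             "without a group restriction"))
        elif action == "allow":
            findings.append(("info", f"rule {number} allows X11 forwarding "
                             f"for group {group!r}"))
    return findings

if __name__ == "__main__":
    for severity, message in audit_x11(SAMPLE_CONFIG):
        print(f"{severity:5} {message}")
```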