05-05-2019, 11:40 AM   #1
TheLexx (Member; Registered: Apr 2013; Distribution: Gentoo; Posts: 79)

Enable X11 forwarding with ssh & chroot

Is there a way that I can enable X11 forwarding via ssh's tunneling when I ssh into a shell that is chroot'ed? I have been messing around with chroot as a sort of "poor man's" virtual machine. I am able to access X based programs running in the chroot'ed environment across computers. I can do this now, but I can only do it using the unsecured "xhost +" method of sending naked X packets across computers.

I can accomplish the unsecured way only by starting a new X server with root permissions with a command like "X :2". My distro nullifies the effects of an "xhost +" when X is started in the normal way (most likely to avoid unwanted security concerns). Once this risky X server is started, I can set the DISPLAY environment variable to "IP_NUMBER:2", allowing graphics-enabled programs to appear in that X server.

To avoid having to run two X servers on my main computer, I would like to just send X over the secure ssh tunnel. Also I would like the proper security. When I ssh into a computer using "ssh -X ..." or "ssh -Y ...", $DISPLAY is set to "localhost:10.0" or a similar value. This makes the program think that it is being displayed on the local computer when it is actually going through the tunnel.

Looking through the ssh man page, I found that using the command "ssh -v -y -Y ssh user@server" to start ssh gives me more information pertaining to what is happening with the tunnel.

I can of course tunnel before issuing the chroot when DISPLAY is set to "localhost:10.0". But once I use the chroot command, I cannot tunnel to the X server, even when DISPLAY is set to "localhost:10.0". An attempt to do so results in the following error:

Code:
May  5 11:04:14 harrier ssh[30036]: debug1: client_input_channel_open: ctype x11 rchan 3 win 87380 max 16384
May  5 11:04:14 harrier ssh[30036]: debug1: client_request_x11: request from 127.0.0.1 47846
May  5 11:04:14 harrier ssh[30036]: debug1: channel 1: new [x11]
May  5 11:04:14 harrier ssh[30036]: debug1: confirm x11
May  5 11:04:14 harrier ssh[30036]: X11 connection rejected because of wrong authentication.
May  5 11:04:14 harrier ssh[30036]: debug1: channel 1: free: x11, nchannels 2
Looking into the log generated by ssh in debug mode I noticed that it makes an attempt to use the files id_rsa, id_dsa and id_ecdsa from the ~/.ssh directory for the private keys. I however don't have those files in my ~/.ssh directory. At this point, I am sort of guessing, but I am thinking, if I can get the properly generated files in my ~/.ssh directory, I can use those for the authentication. If my idea is correct, I could simply copy those files from the greater environment into the chroot'ed environment.

What do you think, am I on the right track? Thanks in advance for any advice.
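Added example, not code from the thread or from OpenSSH: the "X11 connection rejected because of wrong authentication." line in the log above is logged by the ssh client when the cookie an X application presents does not match the MIT-MAGIC-COOKIE-1 value that ssh installed (via xauth) on the remote side for the forwarded display. That cookie lives in the remote user's ~/.Xauthority (or the file named by $XAUTHORITY), not in ~/.ssh key files, so a chroot whose home directory lacks that file has nothing to present. The Python below parses the binary .Xauthority format, performs a simplified version of the lookup an X client does for a DISPLAY value, and models ssh's comparison. The hostname "remotebox", the display number and the cookie bytes are constructed sample data.

```python
import hmac
import struct
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Family codes as used by libXau (Xauth.h).
FAMILY_INTERNET = 0     # IPv4 address
FAMILY_LOCAL = 256      # local (unix-socket) display; address = hostname
FAMILY_WILD = 0xFFFF    # matches any address


@dataclass
class XauthEntry:
    family: int
    address: bytes
    number: bytes   # display number as ASCII digits, e.g. b"10"
    name: bytes     # authorization protocol, e.g. b"MIT-MAGIC-COOKIE-1"
    data: bytes     # the cookie itself


def _read_field(buf: bytes, off: int) -> Tuple[bytes, int]:
    (n,) = struct.unpack_from(">H", buf, off)
    off += 2
    if off + n > len(buf):
        raise ValueError("truncated Xauthority entry")
    return buf[off:off + n], off + n


def parse_xauthority(buf: bytes) -> List[XauthEntry]:
    """Decode the ~/.Xauthority format: a sequence of records, each a
    big-endian u16 family followed by four u16-length-prefixed fields
    (address, number, name, data)."""
    entries, off = [], 0
    while off < len(buf):
        (family,) = struct.unpack_from(">H", buf, off)
        off += 2
        address, off = _read_field(buf, off)
        number, off = _read_field(buf, off)
        name, off = _read_field(buf, off)
        data, off = _read_field(buf, off)
        entries.append(XauthEntry(family, address, number, name, data))
    return entries


def _field(b: bytes) -> bytes:
    return struct.pack(">H", len(b)) + b


def serialize_entry(e: XauthEntry) -> bytes:
    """Inverse of parse_xauthority for one record (the bytes that
    `xauth extract` writes for a single display)."""
    return (struct.pack(">H", e.family) + _field(e.address)
            + _field(e.number) + _field(e.name) + _field(e.data))


def find_cookie(entries: List[XauthEntry], hostname: str,
                display: str) -> Optional[XauthEntry]:
    """Simplified client-side lookup. 'localhost:10.0' or ':10' is a local
    display and matches a FamilyLocal record whose address is this host's
    name (the 'host/unix:10' line that `xauth list` prints) or a wildcard."""
    host, _, rest = display.rpartition(":")
    number = rest.split(".")[0].encode()
    for e in entries:
        if e.number != number:
            continue
        if e.family == FAMILY_WILD:
            return e
        if (host in ("", "localhost") and e.family == FAMILY_LOCAL
                and e.address == hostname.encode()):
            return e
    return None


def ssh_accepts(presented: Optional[XauthEntry], expected: XauthEntry) -> bool:
    """The check behind 'X11 connection rejected because of wrong
    authentication': protocol name and cookie must both equal what ssh
    installed with xauth when the forwarded display was set up."""
    if presented is None:          # no .Xauthority reachable: nothing to present
        return False
    return (presented.name == expected.name
            and hmac.compare_digest(presented.data, expected.data))


# Constructed sample: the record ssh -Y added to the remote user's
# ~/.Xauthority. Hostname and cookie value are made up for this example.
FORWARDED = XauthEntry(FAMILY_LOCAL, b"remotebox", b"10", b"MIT-MAGIC-COOKIE-1",
                       bytes.fromhex("0123456789abcdef0123456789abcdef"))
OUTSIDE_CHROOT = serialize_entry(FORWARDED)
INSIDE_CHROOT = b""   # the chroot's home directory has no .Xauthority at all


def demo() -> Tuple[bool, bool, bool]:
    """(outside chroot, inside chroot, inside chroot after copying the record)."""
    dpy = "localhost:10.0"
    outside = find_cookie(parse_xauthority(OUTSIDE_CHROOT), "remotebox", dpy)
    inside = find_cookie(parse_xauthority(INSIDE_CHROOT), "remotebox", dpy)
    # Placing just the matching record in the chroot user's home repairs it.
    repaired = find_cookie(parse_xauthority(serialize_entry(outside)), "remotebox", dpy)
    return (ssh_accepts(outside, FORWARDED), ssh_accepts(inside, FORWARDED),
            ssh_accepts(repaired, FORWARDED))


if __name__ == "__main__":
    print(demo())   # (True, False, True)
```

The middle value is the situation in the log: the client inside the chroot finds no cookie, sends none, and ssh rejects the channel. The record that fixes it is the one `xauth extract` / `xauth merge` move between authority files; it has to end up in a file the uid running the X client inside the chroot can read, and ssh private keys play no part in this check.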
 
05-06-2019, 06:26 AM   #2
dc.901 (Senior Member; Registered: Aug 2018; Location: Atlanta, GA - USA; Distribution: CentOS/RHEL, openSuSE/SLES, Ubuntu; Posts: 1,005)

I am trying to think: is this for fun?
Are the two machines on the same network, or going over a WAN?
Why not use VPN (if second machine is remote) and VNC? Big advantage of VNC will be you can disconnect and re-connect, and pickup where you left off.
 
05-07-2019, 12:45 PM   #3
TheLexx (Member; Original Poster; Registered: Apr 2013; Distribution: Gentoo; Posts: 79)

I'm using chroot to be lazy and not set up a virtual machine.

Quote (originally posted by dc.901):
Are the two machines on the same network, or going over a WAN?

Both computers are in the same room. They are on a small LAN that is not connected directly to the Internet. The computer usually connected to the keyboard and monitor I call MAIN. MAIN is occasionally connected via WiFi to the Internet (the routing table knows that IPs 192.168.13.XX are local and others are routed over WiFi).

Because of the local-ness of the setup I'm not all that worried about security. Part of it is that I would have to figure out how my distro is blocking the effectiveness of "xhost +". When I started using Linux in the late 90s, "xhost +" was the way to access two computers in the same room. But in the early 00s most distros dropped telnet servers and "did something" that stopped non-root users from using "xhost +". I suppose an alternate way of security could be to accept unverified connections via eth0 but block them if they come via WiFi. At this time I'm not thinking of pursuing that avenue.


Quote (originally posted by dc.901):
Big advantage of VNC will be you can disconnect and re-connect, and pickup where you left off.

I have been starting screen (on the "remote" computer) before running my chroot script. That way, if somehow the connection is lost or I have to reboot MAIN, I can just ssh into the "remote" computer and "ssh -x" back into the session.
 