I'm actually using X11 over tcp(as described in the first post in excruciating detail). It is the same thing as "ssh with x11 forwarding" minus the ssh. I found some software (xterm) runs great, no perceptible delay at all. Some software (Chrome) is kinda usable. Some software (Firefox, alacritty) is 100% unusable. But I settled on xterm and chrome so this is my solution for now.


Seriously? I may as well set up a socks5 proxy with a reverse ssh tunnel,access my clients network like this, and do away with using the laptop altogether, until they fire my arse rightfully so for blatant disregard of their security policy.

Have you actually tried running modern openssh version as a non root user? If it does work I'm very interested how is non root sshd performing privilege separation on login. The config option I mention in my answer below doesn't exist anymore and it's default is set to run with privilege separation only. Making sshd bomb on first login attempt when run as a normal user.

But, hey, I accept I might be wrong. If that is the case I'm open to be told otherwise by someone who has actually done it (and successfully logged on through modern sshd running as a non root/normal user).

I'm not setting up any accounts on remote systems. This and the initial confusion about x11 forwarding makes me think you too haven't read more than the subject of my first post.

Have you tried it?

OpenSSH version 7.5 deprecated UsePrivilegeSeparation option that has to be set to "no" to be able to run sshd as a non root user. See this:
https://www.openssh.com/txt/release-7.5

Unless there is some change that happened since then I'm not aware of since then it has not been possible to run openssh server as a non root user. Of course I can be wrong about this, the only way to check this is to set it up and see if sshd still bombs when someone logs in when running as normal user like version 7.5 did after they deprecated this option or not.

First, this is not true, about port openings. No one said anything about firewalling the desktop. The laptop can have incoming connections 100% firewalled and X11 over tcp will work because when you run a program on a laptop and display it's output on a desktop using x11 over the net it is the laptop that connects to the desktop. No ssh required at all.

I never said I reject a hardware solution, but no one has shown one that actually works with 4K 60Hz over eDP with EDID emulation that support 4 machines (I have 2 now, I'll have one more soon). If you have such solution that doesn't cost >$2k please do share the make, model and firmware version of the kvm switch in question. If you're using dp to hdmi adapters these too have to be described in great detail (make, model, preferably a picture of the pcb), because there are lots of adapters on the market that share the same make/model, but have completely different innards and one works with a hdmi kvm switch, others don't.

I have asked on this and other forums for a tested "hardware solution". So far I only heard "ideas" (I have lots of these too) and descriptions of grief from people that actually tried to implement them and failed.

in summary, I'm not opposed to a hardware idea, I don't believe one exists yet

There are elements of simple X11 via tcp that are preferable to kvm. Namely having windows from multiple machines on the same screen at the same time, but the simplicity of hardware kvm would override this. Had it been available.

Out of curiosity, what kind of "openssh based solution" did you have in mind? I've clearly demonstrated modern unmodified versions of openssh deamon can't be run by a non root user.

So I have to assume your solution contains one of:
- running an ancient or patched version of openssh possibly listening only on 127.0.0.1
- doing a reverse port forward from the laptop to the desktop so I can ssh to a port on the desktop and have it forwarded to the laptop, from the point of view of a patched sshd coming from 127.0.0.1

Let's briefly disregard how this "solution" would look like to a security scan running on a laptop (hint. like a root kit), but let's ask a question is it worth it?

I can simply run xterm like this on the laptop:
DISPLAY=desktop:0 xterm
And I'm getting response that appears same or faster than ssh. But I have to live with some Unicode glyphs being cut because xterm is not great with Unicode.

Or I can: make my own patched version of openssh/run an ancient one, risking the relationship with a client by breaking their security policy, just to be able to run alacritty over ssh that doesn't mess these Unicode glyphs. I choose option A.





Yes me too, and I've used all of these too, I've explained few times why none of them is applicable in this scenario. However, let me repeat I'm very interested in learning about a hardware solution that works with eDP 4k 60hz with EDID emulation and costs less than $2k (that someone actually uses, not a baseless marketing claim).

Follow the instructions shown above in post #13 part 2 and you can launch OpenSSH-server as a non-root user.

Obviously, it cannot do privilege separation so all aspects of the daemon run under the account which launched the initial SSH daemon process. Using the instructions above, it'll look like this while idling, using -D option for the sake of convenience here and listening on port 2222:

Then when you have connected but not yet authenticated,

Then once you have logged in it will look like this:

That's with OpenSSH_8.9p1 Ubuntu-3ubuntu0.3, OpenSSL 3.0.2 15 Mar 2022 but it will work with more recent versions too.

https://www.ebay.com/sch/i.html?_fro...ba2ce943cf7a6a

One could look up the Triplite Item# TRL-B005-DPUA4 just as one example.

There are display port/USB KVM boxes for sale all OVER the place, if you care to look.

Watch yourself, some are IP switches meant to be accessed remotely. Those are perfect for my use in a server room, but not optimal for your desktop use. They also usually cost a lot more $$$.

Are you actually using one though (the Triplite Item# TRL-B005-DPUA4) or another (for example one from ebay/aliexpress) displayport unit with 4K 60Hz? If not, I said so 3 times already,but let me rephrase, there is a lot of trash on the market that pretends to work with displayport, but lacks essential features such as EDID emulation, or is extremely finnicky (barely works at all). Some of these switches are actually hdmi units with internal displayport to hdmi adapters. In these units it seems its a lottery if you'll be a lucky one it works for (usually for people that use resolutions towards the lower side) or not. If they cost around $100 I would buy 6 hoping one works, but when they all cost quite a lot (4 port versions) and every single one has many people that say its essentially trash... who would waste time on it unless you know for sure it works.

This particular unit specs don't even mention which version of displayport it supports and if it has EDID emulation or not.

Just look at the 1 star reviews on amazon for the device you mentioned: https://www.amazon.com/product-revie...r&pageNumber=1

Then have a look at 5 star ones and see the only people with 5 star reviews that give actual details of their setup use 2K or lower resolutions.

The fact "There is plenty of them online" means nothing if none of them work properly. As for IP/KVM, good luck sending 4K @60Hz over IP without significant quality degradation (perhaps over 10G).

Thanks. I might actually need that. Not for the purpose I started this thread, but other stuff. So it will be useful to me :-)