
essdeeay 06-07-2008 04:02 PM

Can't get XDMCP to work through SSH tunnel
Basically, I can connect using RDP, from A-->C (using a port forward in ssh).

However, I can't connect from A-->D using XDMCP (ideally I'd like the connection between B/D secure as well). Is there a way to achieve this?

See here for Network topology diagram:
Network topology diagram

Many thanks,

MensaWater 06-07-2008 05:02 PM

Not sure what you mean by "using XDMCP". That puts a new desktop on your desktop. I don't really do that (I prefer to open specific X applications on my XP desktop rather than have to deal with a sub-desktop).

What you can do is open the tunnel from XP to A using PuTTY X11 tunneling. (Once you get the following working you can play with doing the full XDMCP setup if you really want that desktop on top of your XP desktop.)

Once logged into A it will set your DISPLAY variable there. (Assuming you haven't overwritten it with a value from /etc/profile, /etc/bashrc, $HOME/.profile, $HOME/.bashrc etc...). You can verify it works by typing "xterm" for a quick test. This should send an xterm X window back to your XP box. (Of course you already know you need to be running an X window emulator like Exceed or Xming on XP for this to work.)

Once you're sure that is working you can type "ssh -X D" (substituting name or IP of host D for D of course). This extends the tunnel to host D. You should be able to open xterm there and have it display back on your original PC.

Note that ssh tunnels require that you don't do su (switch user) after being established - the Xauthority is set only for the initial login user on each host. I've seen many who open the tunnel then do su to root and are confused why it doesn't work. There IS a way to make that work but I'll leave that out unless you ask for it later.

essdeeay 06-07-2008 09:01 PM

Thanks for the reply jlightner, it makes a lot of sense. However, I don't have X installed on B (Gateway server) though, which I suppose is the reason why $DISPLAY isn't set?

Incidentally, after ssh'ing to D, $DISPLAY isn't set there either.


jschiwal 06-07-2008 09:23 PM

Are these two hosts on the LAN? Can you log in via xdmcp without using the tunnel? You may have non-tunneling issues to deal with first.

If you use "ssh -X" you can run an individual program. The target host doesn't need X11 to be running. It could be using init level 3. The graphical program running on the target machine will still show up on your computer. There is an additional advantage that you can run different programs on different machines and have them show up on your remote X11 server. If you run a GUI program logged into a server, typically it is a config program such as system-config-* or YaST2. Having two instances from two servers can help you compare and use the first as a model.

I believe that for xdmcp you will need to have the target running in init level 5. KDM or GDM will handle the remote logging and traffic. For example, look in the kdmrc file if you use kdm. (At least in older versions) there is a configuration option whether to support xdmcp.


# Whether KDM should listen to incoming XDMCP requests.
# Default is false
# The UDP port on which KDM should listen for XDMCP requests. Do not change.
# Default is 177

I've found that often after a security upgrade the kdmrc file is replaced and the new version doesn't have a [Xdmcp] section at all. Also, note that udp port 177 is used. Does an ssh tunnel encapsulate udp ports?

IMHO, Xdmcp is used behind a secured firewall when ssh tunneling is too slow. Otherwise Xdmcp has too many security issues, and tunneling the traffic will lose the speed advantage anyway.

essdeeay 06-08-2008 07:57 AM

Thanks for your reply jschiwal...


Originally Posted by jschiwal (Post 3177934)
Are these two hosts on the LAN? Can you log in via xdmcp without using the tunnel? You may have non-tunneling issues to deal with first.

C (Windows XP running Xming) and D are on the same LAN, so if I create an SSH connection from C using PuTTY (with X11 forwarding ticked), I get a whole desktop of D. So I'm happy D is configured correctly.

I think the problem is how to extend the SSH tunnel from B-->D.

I can create a tunnel from A-->B and include port forwarding, something like "L 50022:D:22", then create another connection straight from A-->D but it's dog dog dog slow... I mean it takes 1 second to accept each keypress.


jschiwal 06-10-2008 06:14 AM

Xdmcp doesn't use port 22. Also port 22 is used for ssh itself so forwarding port for xdmcp may cause problems.

MensaWater 06-10-2008 09:19 AM

The point in a tunnel is that the traffic doesn't know it is going over the tunnel. The DISPLAY is set to something like localhost:10.0 and it opens the X to that - the tunnel then sends it across port 22 unbeknownst to the originating X app that thinks it is using port in the 6000 range. XDMCP shouldn't care about port 22 any more than other X apps.

In lsof of an xterm from my Linux workstation to my XP desktop I see:
xterm 28881 jlightner 3u IPv4 73036527 TCP> (ESTABLISHED)

Notice the xterm thinks it is connecting FROM the Linux workstation (atljcl02) TO the same Linux workstation. (x11-ssh-offset is port 6010).

The actual connection to the XP desktop was opened by my original sshd connection:
sshd 28745 jlightner 3u IPv6 73027119 TCP> (ESTABLISHED)
(nbjlightner being the XP desktop and being atljcl02 - notice ssh [port 22] is the port being used for the Linux workstation.)

Also since the above sshd was opened with a tunnel lsof displays:
sshd 28745 jlightner 8u IPv6 73027198 TCP [::1]:x11-ssh-offset (LISTEN)

It is the above LISTENing port that becomes ESTABLISHED once you open the X window.

MensaWater 06-10-2008 10:01 AM

This article may help.

It has a comment that XDMCP can't be done over ssh tunnel due to its use of UDP ports which apparently the tunnel can't handle.
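An added example, not part of any post in this thread: a per-hop check for the "$DISPLAY isn't set" symptom reported above after logging in to B and D. It assumes OpenSSH's sshd on each hop, where X11Forwarding defaults to "no" and the server needs xauth (but no X server) to set DISPLAY; the function names and the sample config are constructed for illustration.

```shell
#!/bin/sh
# Print the effective global X11Forwarding value from an sshd_config file.
# The first occurrence wins; settings inside Match blocks are not global.
x11_forwarding_setting() {
    awk '
        /^[ \t]*#/ { next }                      # skip comment lines
        { sub(/=/, " ") }                        # allow "Keyword=value"
        tolower($1) == "match" { exit }          # global section ends here
        tolower($1) == "x11forwarding" { print tolower($2); found = 1; exit }
        END { if (!found) print "no" }           # OpenSSH default
    ' "$1"
}

# diagnose_display CONFIG DISPLAY_VALUE XAUTH_PATH
# Returns 0 = forwarding active, 1 = sshd refuses it, 2 = xauth missing,
# 3 = server side is fine, so the client did not request forwarding.
diagnose_display() {
    cfg=$1 display=$2 xauth_bin=$3
    if [ -n "$display" ]; then
        echo "ok: DISPLAY=$display"; return 0
    fi
    if [ "$(x11_forwarding_setting "$cfg")" != "yes" ]; then
        echo "sshd on this hop has X11Forwarding disabled"; return 1
    fi
    if [ -z "$xauth_bin" ]; then
        echo "xauth is not installed on this hop"; return 2
    fi
    echo "server side ok: reconnect with ssh -X (or tick X11 forwarding in PuTTY)"
    return 3
}

# Demo on a constructed config (not taken from the thread).
sample=$(mktemp)
printf '%s\n' 'Port 22' '#X11Forwarding yes' 'X11Forwarding no' > "$sample"
diagnose_display "$sample" "" "$(command -v xauth || true)" || :
rm -f "$sample"
```

On a real hop, run it as `diagnose_display /etc/ssh/sshd_config "$DISPLAY" "$(command -v xauth)"` after logging in, once on B and once on D.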
