Don’t call me DOM

14 September 2005

Setting up a secure remote X session with gdm


After the video card in my desktop computer fried last week for reasons unknown to me, I moved to using my laptop as the basis of my daily work environment for a few days. And now that my desktop is back in service, I’m thinking of moving to a laptop-only mode. But this move is pending some hardware complements (e.g. a port replicator), and I decided that I should start using my laptop system right now rather than later; I’d rather not plug all my existing devices into the laptop since I would have to unplug them too frequently, so I’ve decided to transform my desktop, at least temporarily, into a simple X Terminal.

I toyed with the idea of using a solution based on VNC, which allows one to share a unique X Session on two or more computers, especially as Gnome includes a server (vino) easily configurable; but my tests with various clients (xtightvncserver, xvncserver, svncviewer) were quite inconclusive, the resulting experience being always very sluggish (limited by CPU, I think, which on a 1.60 GHz computer would be disappointing), and sometimes buggy (e.g. key press being repeated too many times). I probably should investigate further whether this is to be expected or due to some failure on my part…

Meanwhile, I decided to take the traditional X-over-the-network approach; the default and well-deployed solution is to use XDMCP, which is really easy to set up when using the Gnome login manager (gdm); the only problem is that XDMCP is really insecure (transmitting passwords in the clear), and although this would mainly run on my local wired network, I don’t want to rely on security through obscurity.

Unfortunately, it appears one cannot run XDMCP through ssh, since it relies on UDP traffic, which apparently ssh can’t tunnel. So securing XDMCP directly is not easy.

I then found out about sdm, which basically does what I want: it acts as a graphical login manager which, instead of running a traditional X session, starts an ssh connection to your target host and launches your traditional X session manager there.

The only problem with that solution is that I don’t want to rely on another login manager but gdm, since it’s well integrated with Gnome; so instead, I quickly reimplemented the equivalent solution for GDM, which proved to be quite easy: I only had to add (in Debian) the two following files to get a new session type available from the GDM session menu under the name “SSH”.

The most important file is a simple shell script that will act as the X session manager: it asks graphically which host to connect to, asks the passphrase, connects through ssh and invokes the local x-session-manager. I placed it under /usr/local/bin/ssh-session:


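#!/bin/bash

# Ask graphically for the target host; zenity prints the entry on stdout
TARGETHOST=$(zenity --title "Host to connect to" --entry --text "Enter the name of the host you want to log in to")
# End the session if the dialog was cancelled or left empty
[ -n "$TARGETHOST" ] || exit 1
#@@@ should probably get a user name too; I don't need it so didn't set it up that way
#@@@ should it do an ssh-add so the user doesn't have to enter its passphrase again?
# -A forwards the agent, -X forwards X11; "--" keeps a host name starting with "-" from being read as an ssh option
SSH_ASKPASS=/etc/alternatives/ssh-askpass /usr/bin/ssh -A -X -T -n -- "$TARGETHOST" /usr/bin/x-session-manager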

(Ideally, the zenity call should include a list of servers, either taken from .ssh/known_hosts, or from a zeroconf list of local servers that provide an ssh connection; too bad Zeroconf is still so little implemented on Linux, but hopefully Avahi should fix that in the near future.)
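As an added example (not part of the original post or of GDM), here is one way to build that host list from known_hosts and vet the selection before it reaches ssh. The function names and the sample entries are hypothetical; hashed entries (HashKnownHosts) are skipped because their names cannot be recovered.

```shell
#!/bin/bash
# Added example, not the author's script; all function names are hypothetical.

# Print unique plain host names from a known_hosts file.
known_hosts_names() {
    local file="${1:-$HOME/.ssh/known_hosts}"
    [ -r "$file" ] || return 0
    awk '
        NF == 0 || $1 ~ /^#/ { next }             # blank lines and comments
        { c = substr($1, 1, 1) }
        c == "@" || c == "|" { next }             # CA/revoked markers, hashed names
        {
            n = split($1, names, ",")
            for (i = 1; i <= n; i++) {
                h = names[i]
                if (h ~ /[*?!]/) continue         # wildcard or negated patterns
                # [host]:port form: keep the host, the port is dropped
                if (substr(h, 1, 1) == "[") { sub(/^\[/, "", h); sub(/\]:[0-9]+$/, "", h) }
                print h
            }
        }' "$file" | LC_ALL=C sort -u
}

# Reject empty input, anything ssh would parse as an option, and shell metacharacters.
valid_target() {
    case "$1" in
        ''|-*) return 1 ;;
        *[!A-Za-z0-9._:-]*) return 1 ;;
    esac
}

# Show the list in zenity (rows are read from stdin) and print the vetted choice.
pick_host() {
    local choice
    choice=$(known_hosts_names "$1" | zenity --list --title "Host to connect to" \
        --text "Select the host you want to log in to" --column "Host") || return 1
    valid_target "$choice" || return 1
    printf '%s\n' "$choice"
}

# Constructed sample input, for trying known_hosts_names without a real file.
sample_known_hosts() {
cat <<'EOF'
laptop.example.net,192.0.2.10 ssh-ed25519 AAAAconstructed1
[gitbox.example.net]:2222 ssh-rsa AAAAconstructed2
|1|Y29uc3RydWN0ZWQ=|Y29uc3RydWN0ZWQ= ssh-ed25519 AAAAconstructed3
@cert-authority *.example.net ssh-ed25519 AAAAconstructed4
*.lab.example.net,!bad.lab.example.net ssh-rsa AAAAconstructed5
EOF
}
```

In ssh-session, TARGETHOST would then be set from pick_host instead of the free-text zenity entry; a host listed with a non-default port still needs that port passed to ssh separately.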

The other file is the one responsible for linking that session manager from GDM; it’s a simple .desktop file, which I placed at /etc/dm/Sessions/ssh.desktop:


[Desktop Entry]
Encoding=UTF-8
Name=SSH
Comment=This session logs you into a remote host using ssh
Exec=/usr/local/bin/ssh-session
Type=Application

(Given that it relies on the existing Debian conventions, this should also work to start a remote KDE session through kdm.)

So now I can connect from my desktop directly into my laptop system, and the resulting experience is impressively good with a 100Mbs ethernet connection (on the 11 Mbs wireless connection, the result is much less pleasing); it doesn’t seem to take much CPU at all on the laptop either.

Update (17 Jan 2006): As part of Bug 322155, and with lots of helpful comments from Brian Cameron, I have produced a patch to make such a session a built-in in GDM; that patch has been committed to the CVS server.

15 Responses to “Setting up a secure remote X session with gdm”

  1. Danigo Ludovic Says:

    Nice solution. Might even be worth proposing for inclusion in gdm with some polish.
    Go ahead ! ;)

  2. dom Says:

    I’ve added a bug to mention this to GDM Bugzilla:
    http://bugzilla.gnome.org/show_bug.cgi?id=322155

    If they get interested, good; in the worst case, it may help other people find this solution…

  3. Piotr Sniady Says:

    Three small remarks:

    1. Don’t forget to make the file /usr/local/bin/ssh-session executable ( chmod a+x /usr/local/bin/ssh-session )

    2. Maybe it is a typo: in my distribution (Ubuntu) “/etc/alternative/ssh-askpass” should be replaced by “/etc/alternatives/ssh-askpass”

    3. Great help, congratulations. Do you know how to make the same work for a remote KDE session?

  4. Jagdish Says:

    I am using RHEL 4, in which the path /etc/dm/Sessions does not exist. I don’t have any idea about Debian. So kindly help me: how can I do this?

  5. James Ponza Says:

    In Ubuntu (I’m using 7.04), we put ssh.desktop in the following location:
    /usr/share/xsessions

    thanks for the howto!

  6. Anonymous Says:

    And for Red Hat Enterprise Linux AS release 4 you’d create:
    /usr/share/xsessions/ssh-session
    and
    /etc/X11/gdm/Sessions/ssh-session

    I just tried this – I can’t believe it – it’s so amazing, just like sitting in front of the computer!! (I’m on a gigabit network, but still – I’ve always found VNC to totally get in the way of it feeling like you’re really on the computer – but this is amazing – so I’ve just set it up as a session on our SunRay2 Server – now I can use my desktop that’s in a completely different room from the tiny noiseless SunRay thin client :)

  7. James Ponza Says:

    Oh and if you had problems finding your sessions directory then you might also like to know that your ssh-askpass is located in:

    /usr/libexec/openssh/ssh-askpass

    in RHEL4 :)

    This is such a useful page and such a simple technique that maybe we should cook up one script each for the default RHEL4/5, debian and ubuntu… then everyone can share the love ;)

  8. Wahoo Says:

    Thank you for sharing!

  9. John Says:

    How does this work on Mac OS X 10.5 “Leopard”.. ? 10.4 this worked excellent, but it seems apple has broken the fullscreen X support :(

  10. John Curtis Says:

    A success for my Fedora 8, Gnome. I tried KDE too, which used ksmserver.

    I don’t explicitly use ssh-askpass in my script, but fedora 8 somehow gives me the dialog for ssh passphrase out of the ssh command! Strange, but works. Maybe this is the magic of the -n option ? I am going back to my studying of MCSE, which is the whole reason I am looking at these issues. By the way, I learned how to setup ssh public key authentication.

    My 2 files follow,

    [john@demo1 ~]$ cat /etc/X11/gdm/Sessions/gdm-ssh-session
    #!/bin/bash
    TARGETHOST=`zenity --title "Host to connect to" --entry --text "Enter the name of the host you want to log in to"`
    /usr/bin/ssh -A -X -T -n "$TARGETHOST" /usr/bin/gnome-session
    [john@demo1 ~]$ cat /usr/share/xsessions/gdm-ssh.desktop
    [Desktop Entry]
    Encoding=UTF-8
    Name=GDM-SSH
    Comment=This session logs you into GDM-SSH
    Exec=/etc/X11/gdm/Sessions/gdm-ssh-session
    TryExec=gnome-session
    Icon=
    Type=Application
    [john@demo1 ~]$

  11. John Curtis Says:

    Sorry, ignore fedora 8. I used Fedora 7.

  12. doez Says:

    Thanks

  13. Javor Says:

    I’m trying to do that in order to access my desktop from internet. But this includes traversing a firewall.

    Has anyone tried that?
    And has anyone experience on how fast is it running X over internet?

    When I have managed how to do it I will publish it here :)

    Thanks

  14. dasher Says:

    Some handy tips :)

    If you want to have a remote connection without it taking over your existing desktop, replace “x-session-manager” in ssh-session with “/usr/bin/gdmflexiserver --xnest” and you’ll have a window that contains the desktop of the remote machine.

  15. mercutio22 Says:

    I logged from my netbook into my desktop but the screen is upside down and text is mirrored!!

    Since you submitted this method to gnome in 2005 and the bug is closed, how come I still don’t see this feature in Debian Squeeze, Gnome 2.30.2?

Dominique Hazaël-Massieux (dom@w3.org) is part of the World Wide Web Consortium (W3C) Staff; his interests cover a number of Web technologies, as well as the usage of open source software in a distributed work environment.