X11 over the network

From Wikislax

Jump to: navigation, search


X can be executed over the network. The software presenting an X window on a terminal is called an X server, which is contrary to what we are used to, as the X server is not on the server but actually on the client ! Over the Internet, you will always encapsulate X11 in SSH (X11 forwarding, to configure in /etc/ssh/sshd_config) as the X protocols are not secure. However, X needs a significant bandwidth so it is not likely that you will use it over your ADSL connection as it will be too slow.

Xdm, Kdm, Gdm

The base daemon is Xdm, that affords getting a graphical login directly under X. It can be local on the computer console, but also from an X terminal or X emulated terminal accessing from the network.

The KDE and Gnome desktop environments Kdm and Gdm come with Xdm variants that have a different look and feel. It is possible to run one or several of the three, provided that they will not compete for management of the same terminals.

However it makes sense to use only one. Kdm is a good choice as it affords choosing the Session Window Manager (Kde, Xfce4, ...) from the connection dialog box.


For KDE to manage X terminals over the network, update /etc/kde/kdm/kdmrc specifying Enable=true for [Xdmcp].

In /etc/kde/kdm/Xaccess, uncomment line #* # any host can get a login window to authorize connection from any incoming IP address (or to restrict usage to your local network).

Another trick using KDM : to be able to connect as root, update /etc/kde/kdm/kdmrc, specifying AllowRootLogin=true for [X-*-Core].


In /etc/X11/xdm/xdm-config, comment out the last line to authorize X terminal access from the network. Else port 177 wont be listened, as can be verified using nmap -sU localhost, that lists the listening UDP ports. If checking with tcpdump, udp port xdmcp unreachable will be seen on the wire.

In /etc/X11/xdm/Xaccess, uncomment line #* # any host can get a login window to authorize connection from any incoming IP address (or to restrict usage to your local network). In /etc/X11/xdm/Xservers, comment out the line with :0 to avoid getting an X login screen on the console.

To automatically launch xdm during Slackware init, add the following lines to /etc/rc.d/rc.local :

# Xdm
if [ -x /usr/X11/bin/xdm ]; then

For more information on using remote X applications, check this mini-HOWTO.

X11 firewalling

At the firewall level, the X terminal must be able to contact the host using UDP 177 and the host must be able to callback the X terminal using TCP 6000:6063. Open the corresponding ports, but to avoid login information to be sent over the wire, restrict usage to the local network :

# SSH-tunnelled X-Window output appears as input on interface lo
iptables -A INPUT -p udp -j ACCEPT --dport 177 -s
iptables -A INPUT -p tcp -j ACCEPT --dport 6000:6063 -m state --state NEW -s
iptables -A INPUT -i lo -p tcp -j ACCEPT --dport 6000:6063 -m state --state NEW -s

For access from the Internet, il will be better to encapsulate X11 within an SSH session, using the X11 forwarding option. Due to encryption, this is however much slower. In this case, instead of KDE, prefer a less network-intensive window manager such as xfce4.

X11 server

The X terminal can be a Windows PC equipped with an X emulator such as WinAxe or X-Win32. These are try-before-you-buy and limit the duration of the session to 30 minutes or 1 hour until you purchase a (n expensive) licence. Note : Specifiy in the configuration that you will be using XDMCP. Note : it is also possible to emulate X from another Linux machine, using /usr/X11/sbin/X -query host.

Windows firewall

On Windows, use the firewall with «Allow exceptions» and create an entry in the firewall for the X11 protocol (port 6000), specifying in the scope the server IP address or the local network (not the Internet).

X11 configuration Main Page Compiling the Kernel
Personal tools