Controlling Linux Remotely With X11

    Author: 2007-09-08 13:41:32 From:

    A few years ago Linux systems were difficult to use and administer because everything was set up via editing files and typing commands at a prompt. While this is still a convenient method for the experienced Linux user, many people have found that the current crop of X-based tools is far better. X11 offers an extensive range of other user-friendly application programs, too. However, if you are not physically using your Linux box locally, then these tools seem out of reach. Access via a shell is then seen as the way to go, but this need not be the case. One possibility is a Web-based interface such as that provided by webmin, but there is another older, more mature and sophisticated method.

    X11 is perhaps most widely seen now as a graphical system for Linux, but rendering graphical user interfaces is not X Window's primary talent. Where it shines and has some amazing facilities is as a truly network-aware environment for applications.

    So, if you are using Linux remotely you don't have to miss out on your X programs.

    Server, Client, Window Manager

    The main components of X Window are the X Server, the Window Manager and the client programs. If we ignore the networked aspect of X11, then these components run locally. If you only use X11 like this, though, you are missing out, as any X components can run anywhere on the Internet! The client server architecture of X makes this not only possible but quite easy.

    It is worth mentioning in passing that the terminology of the client-server part of the X11 equation can often seem tricky to grasp. Part of the reason that this terminology may seem odd is that X11 was one of the earliest systems to be implemented as client-server. Its old age (it recently had its fifteenth birthday) means that most of the problems of X have been ironed out. Normally the part of a client-server system nearest to you will be the client. However, in X11 the part that interacts with the user is known as the X Server! The clients can run anywhere and in practice this means that they often are remote, as we will see below. This is the opposite way round to other client-server systems like the WWW, where Web browsers are usually called clients and are local in relation to you, the user. With WWW systems the server part is remote. Try to bear this in mind when reading about X11: the server is the user interface hardware, but the clients can be distributed.

    The Window Manager is a special type of client that controls window placement. Like all clients, though, it can run anyplace. There are many different Window Managers available for X; see elsewhere on Linuxplanet for a run-down of the pros and cons of different window managers.

    Let's look at a very basic server setup. Most X11 systems come with the remote X facilities turned on in the default setup. You may need to edit the /etc/hosts.allow and /etc/hosts.deny files. See the article on Linux Network Security here on Linuxplanet for more on this basic Linux security mechanism.

    X Windows Security

    Basic security is enabled via the use of the xhost command. More security options are discussed below. Initially you should say

    xhost -

    to disable all client access, then turn it on selectively for each remote host name to be allowed. For instance, if you were on an X11 server mypc1.mydesktop.com, then issuing the command

    xhost +freebase

    would allow clients from the system 'freebase' to connect.

    This will allow and disallow connections based on host names and is susceptible to IP spoofing and DNS attacks. The link itself is transmitted in plain text and can be intercepted by anyone on your local network. To bypass these security worries use ssh or some of the more advanced features of XDM (see below for details).
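
    A way to check what the xhost list on a display currently permits, given the weaknesses of host-based access described above. This is an added example, not part of the original article; the function name audit_xhost and the sample output (including the user 'alice') are constructed for illustration.

```shell
#!/bin/sh
# Added example: classify each line of `xhost` output read from stdin.
# Returns 1 if access is open to every host or granted per host name/address,
# which is the spoofable mechanism the article warns about; otherwise 0.
audit_xhost() {
    _rc=0
    while IFS= read -r line; do
        case "$line" in
            "access control disabled"*)
                echo "OPEN: any host may connect"; _rc=1 ;;
            "access control enabled"*)
                echo "OK: access control list is enforced" ;;
            SI:localuser:*)
                echo "OK: local user entry ${line#SI:localuser:}" ;;
            INET:*|INET6:*)
                echo "HOST: ${line#*:} trusted by name/address only"; _rc=1 ;;
            "")
                ;;
            *)
                echo "REVIEW: $line" ;;
        esac
    done
    return $_rc
}

# Constructed sample of what `xhost` prints after `xhost -` and `xhost +freebase`.
SAMPLE_XHOST='access control enabled, only authorized clients can connect
INET:freebase
SI:localuser:alice'

# On a live display this would be: xhost | audit_xhost
printf '%s\n' "$SAMPLE_XHOST" | audit_xhost || echo "-> host-based access present"
```

    Entries reported as HOST are candidates for removal with xhost -name once the connection has been moved to ssh.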

    Configuring the Client

    The client will usually know to which X Server (or display, as it is usually referred to) to send your user interface. This is because most clients are launched by another X client. Under normal circumstances the clients inherit the location of the X display from the clients before them. It is sometimes necessary to manually set the display to which the client's user interface is sent. Reasons for doing this include wanting to run a program on a display entirely different from the default. This can be done via environment variables or options in programs. Let's look at these concepts one by one:

    Environment variable: This is set by the user's shell with a command like export DISPLAY=fish:0
    Option: most programs take -display fish:0 as an option, a few take -d fish:0

    X11 does try its best to be efficient with the amount of network bandwidth it uses. But there is always room for improvement. X protocol compressors like dxpc attempt to improve use of bandwidth over slow links. dxpc runs on the client and server ends. It is configured to appear to the clients as an ordinary server and to the server as an ordinary client. The compression takes place over the link by matching commonly occurring patterns. See http://ccwf.cc.utexas.edu/~zvonler/dxpc/README for more details.

    XDM login or ssh?

    As well as the methods mentioned above there are two other techniques for bringing up the link between client and server, XDM and ssh. They are quite different in concept so let's look at them separately.


    XDM is a method of allowing a login just like the login prompt you see on your Linux box at boot up. The difference is that it can work over the network if necessary. If you have installed your Linux system so that you go straight into X you are almost certainly already using XDM to log in! The XDM system picks up connection requests from X Displays and then gives them a "Login: Password:" challenge screen. If the user at the other end of the link types in the correct password then login is allowed. The login starts a new Xsession. To connect to an XDM you will need a working X Windows setup at the other end. There are some X Windows programs for MS Windows like Exceed or for the Mac like MacX. But what we are interested in is Linux! To connect to a remote XDM server from a Linux machine with an X11 Server installed, type in

    X -query pants.internet.com

    Where pants.internet.com is the domain name or IP address of the remote host that XDM is running on. After a few moments a login screen should appear. In testing this happened within 30 seconds on a 14.4k modem link. You may wish to use other options like 'timeout' or 'terminate'; see man Xserver for many more details.


    XDM as a system is designed to work primarily on LANs, but as it uses Internet protocols, it will also work over long distances as well. Over public networks another networking problem becomes more of a headache: security. X windows does have some interesting security features. There is the 'xhost' system that keeps a list of domain names allowed to connect to a display. We saw an example of this above. In addition there are various authorization schemes that work with 'magic cookies' or 'tickets'. With these schemes XDM issues the magic cookies to the remote end, where the user is at login time. Each time a connection is set up, the cookie is checked to see if it is allowed. Some of these systems use public key encryption to make your 'magic cookies' more secure, but none of them encrypt the data passed; they only make setting up new connections safer. I will not examine these schemes in detail here; take a look at man Xsecurity if you think they sound interesting.


    The program I most often recommend for overcoming networking security problems has to be ssh. X11 can also have its networking problems solved with ssh. In case you haven't come across it before, ssh is a system for allowing shell based communications between hosts over an authenticated and encrypted link. The authentication is similar in intent to the 'magic cookie' schemes that use public key encryption. This authentication means that it is very difficult for ssh communications to be faked. The encryption means that no one can eavesdrop on what you are saying. Encrypting all the data on the link is a big improvement on what XDM has to offer.

    Like dxpc (described above) ssh works by impersonating an Xserver that is in turn acting as a proxy for the real X Server. What happens in practice, though, is quite transparent to the user. The DISPLAY variable is set automatically to the correct value to point to the proxy on the client end.

    For instance to run the comical 'xeyes' program remotely you could type

    ssh -X pants.internet.com 'xeyes'
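
    To confirm that a session's DISPLAY really points at the ssh proxy rather than at a plain-text TCP connection of the kind set up with export DISPLAY=fish:0, the value can be inspected as below. This is an added example, not part of the original article; classify_display is a hypothetical helper, and the "likely ssh proxy" verdict assumes OpenSSH's default settings (X11UseLocalhost yes, X11DisplayOffset 10).

```shell
#!/bin/sh
# Added example: report how a DISPLAY value reaches the X server.
# Exit status: 0 local or loopback, 1 unencrypted TCP to another host, 2 invalid.
classify_display() {
    d=$1
    case "$d" in
        *:[0-9]*) ;;
        *) echo "invalid"; return 2 ;;
    esac
    host=${d%:*}      # text before the last colon (may be empty)
    num=${d##*:}      # display[.screen]
    num=${num%%.*}    # drop the optional screen number
    case "$num" in
        ''|*[!0-9]*) echo "invalid"; return 2 ;;
    esac
    case "$host" in
        ''|unix)
            echo "local socket, display $num" ;;
        localhost|127.0.0.1)
            # Assumption: sshd places its proxy displays at 10 and above.
            if [ "$num" -ge 10 ]; then
                echo "loopback tcp/$((6000 + num)), likely ssh proxy"
            else
                echo "loopback tcp/$((6000 + num)), local X server"
            fi ;;
        *)
            # X over TCP listens on port 6000 + display number.
            echo "plaintext tcp/$((6000 + num)) to $host"
            return 1 ;;
    esac
}

# Constructed sample values; the first is the article's own example.
for v in fish:0 localhost:10.0 :0 "${DISPLAY:-unset}"; do
    printf '%-16s ' "$v"
    classify_display "$v" || true
done
```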

    X Windows may be an old system, but it has some amazing and flexible features. In particular, its networking abilities are often breathtaking, particularly on fast networks that can handle the graphics it uses. By adding ssh, secure use over wide area networks becomes possible. By using a compressor like dxpc it is possible to use it over links with less bandwidth. Just remember: X11 is not really a system for graphics! They are just a part of a complete system for allowing use of distributed programs.
