在SSH会话中如何实现 X11 Forwarding

云中有一台Linux主机，只允许SSH登录。有时我需要在SSH会话时执行一些有图形界面的程序，如何才可以将显示投射到客户端呢?

传统的方法有：

• 通过VNC，如TigerVNC，但需要额外安装包和配置
• 通过云平台的控制台，并非所有公有云都提供
• 通过SSH X Forwarding

本文讲述最后一种方法。

1. 首先在VirtualBox中启动一个Linux VM到图形界面，因为我们需要使用它的X Server。
2. 确认服务器端（云主机）中已允许X11 Forwarding

[root@mbshost1 .ssh]# grep X11 /etc/ssh/sshd_config
X11Forwarding yes
#X11DisplayOffset 10
#X11UseLocalhost yes
#       X11Forwarding no

修改后需重启sshd服务，在Linux 6上：

service sshd restart

3. 确认xauth程序已安装

[root@mbshost1 ~]# which xauth
/bin/xauth

如果没有安装，则安装以下包，这些包在Linux安装光盘中都可以找到：

rpm -UvH libICE-1.0.6-1.el6.x86_64.rpm
rpm -UvH libSM-1.2.1-2.el6.x86_64.rpm
rpm -UvH libXt-1.1.4-6.1.el6.x86_64.rpm
rpm -UvH libXmu-1.1.1-2.el6.x86_64.rpm
rpm -UvH xorg-x11-xauth-1.0.9-1.el6.x86_64.rpm 

4. 客户端连接时指定-X选项，可以附加-v选项以调试

[timesten@localhost .ssh]$ ssh  -v -X [email protected] -p 22
OpenSSH_7.4p1, OpenSSL 1.0.2k-fips  26 Jan 2017
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: /etc/ssh/ssh_config line 58: Applying options for *
debug1: Connecting to mbshost1-timestenscaleout18-uiqb7xbl.srv.ravcloud.com [129.213.143.133] port 22.
debug1: Connection established.
debug1: key_load_public: No such file or directory
debug1: identity file /home/timesten/.ssh/id_rsa type -1
debug1: key_load_public: No such file or directory
debug1: identity file /home/timesten/.ssh/id_rsa-cert type -1
debug1: key_load_public: No such file or directory
debug1: identity file /home/timesten/.ssh/id_dsa type -1
debug1: key_load_public: No such file or directory
debug1: identity file /home/timesten/.ssh/id_dsa-cert type -1
debug1: key_load_public: No such file or directory
debug1: identity file /home/timesten/.ssh/id_ecdsa type -1
debug1: key_load_public: No such file or directory
debug1: identity file /home/timesten/.ssh/id_ecdsa-cert type -1
debug1: key_load_public: No such file or directory
debug1: identity file /home/timesten/.ssh/id_ed25519 type -1
debug1: key_load_public: No such file or directory
debug1: identity file /home/timesten/.ssh/id_ed25519-cert type -1
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_7.4
debug1: Remote protocol version 2.0, remote software version OpenSSH_6.6.1
debug1: match: OpenSSH_6.6.1 pat OpenSSH_6.6.1* compat 0x04000000
debug1: Authenticating to mbshost1-timestenscaleout18-uiqb7xbl.srv.ravcloud.com:22 as 'oracle'
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: algorithm: [email protected]
debug1: kex: host key algorithm: ecdsa-sha2-nistp256
debug1: kex: server->client cipher: [email protected] MAC:  compression: none
debug1: kex: client->server cipher: [email protected] MAC:  compression: none
debug1: kex: [email protected] need=64 dh_need=64
debug1: kex: [email protected] need=64 dh_need=64
debug1: expecting SSH2_MSG_KEX_ECDH_REPLY
debug1: Server host key: ecdsa-sha2-nistp256 SHA256:Cvt7VNgtloIM8NRrJMcNmEffJCF1JTVmb9PwZ3udQ8k
debug1: Host 'mbshost1-timestenscaleout18-uiqb7xbl.srv.ravcloud.com' is known and matches the ECDSA host key.
debug1: Found key in /home/timesten/.ssh/known_hosts:3
debug1: rekey after 134217728 blocks
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: rekey after 134217728 blocks
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic
debug1: Next authentication method: gssapi-keyex
debug1: No valid Key exchange context
debug1: Next authentication method: gssapi-with-mic
debug1: Unspecified GSS failure.  Minor code may provide more information
No Kerberos credentials available (default cache: KEYRING:persistent:1004)

debug1: Unspecified GSS failure.  Minor code may provide more information
No Kerberos credentials available (default cache: KEYRING:persistent:1004)

debug1: Next authentication method: publickey
debug1: Trying private key: /home/timesten/.ssh/id_rsa
debug1: Authentication succeeded (publickey).
Authenticated to mbshost1-timestenscaleout18-uiqb7xbl.srv.ravcloud.com ([129.213.143.133]:22).
debug1: channel 0: new [client-session]
debug1: Requesting [email protected]
debug1: Entering interactive session.
debug1: pledge: exec
debug1: Requesting X11 forwarding with authentication spoofing.
debug1: Sending environment.
debug1: Sending env XMODIFIERS = @im=none
debug1: Sending env LANG = en_US.UTF-8
Last login: Sun Dec  9 18:54:57 2018 from 202.45.129.203
/usr/bin/xauth:  file /home/oracle/.Xauthority does not exist

5. 确认X11 Forwarding生效
   运行带图形界面的程序如jconsole，因为网络延迟，看到界面会有点慢：

[oracle@mbshost1 ~]$ jconsole
debug1: client_input_channel_open: ctype x11 rchan 3 win 65536 max 16384
debug1: client_request_x11: request from ::1 47165
debug1: channel 1: new [x11]
debug1: confirm x11
debug1: client_input_channel_open: ctype x11 rchan 4 win 65536 max 16384
debug1: client_request_x11: request from ::1 47166
debug1: channel 2: new [x11]
debug1: confirm x11
debug1: channel 1: FORCE input drain
debug1: channel 2: FORCE input drain

界面出来了：

参考

1. How to forward X over SSH to run graphics applications remotely?