Securing X11 Connections with SSH (Secure Shell)

  • 7021802
  • 20-Apr-2007
  • 25-Mar-2018


Reflection X version 14.x


Reflection X is difficult to secure because it is a server, and it typically needs to be available for connection by X11 client applications running remotely on a UNIX host. This means leaving the X11 protocol standard TCP port 6000 open in your Windows and/or network firewall, and possibly other ports as well (for example, when using the Multiple X Display feature in Reflection X). How can access be restricted to only authorized X11 clients? Traditionally, this has been attempted with security settings such as "Host-based security," "User-based security," and "XDM-Authorization-1." Yet all of these measures have vulnerabilities, one being that they send the X11 protocol in the clear. This means that the packets are vulnerable to unwanted and unauthorized capture by those with the right trace tools.


Using SSH (Secure Shell) not only addresses all of the traditional security concerns listed above, but also provides other advantages as well.

Security advantages:

  • TCP port 6000 and other X11-related ports no longer need to be left open on the Windows workstation, or in the network firewalls. Note: The port configured for use by the SSH server, typically TCP port 22, must be open from the Windows workstation(s) running an SSH client and Reflection X, to the host running the SSH server and X11 client applications.
  • All X11 protocol is encrypted.
  • The level of encryption can be set as needed.
  • User authentication is encrypted.
  • Multiple authentication methods are available, including Username and Password, Public Key (length and type can set as needed), Keyboard Interactive, and Kerberos.
  • Reflection X can be set to disallow all remote TCP/IP connections. This can be used to back up a misconfigured firewall or to provide primary defense in the event that no firewall exists.
  • Host-based security can also be used in conjunction with SSH.

Other advantages:

  • Compression can be used to help in low bandwidth environments.
  • Various protocols other than X11 can be sent through the encrypted SSH tunnel by using port forwarding.
  • The SSH server sets the display variable required for use with X11 protocol. This can be helpful when used in environments that include one or more firewalls and/or NAT, and when using SSH connections not established from Reflection X.

The list of advantages is long, however, one disadvantage is that SSH does not support UDP packet forwarding, which means that you can't create the full UNIX desktop with XDMCP (X Display Manager Control Protocol). There is, however, a workaround for this SSH limitation that is outlined in KB 7021257.

Using Reflection X with SSH

To use Reflection X with SSH, both the SSH client and server must be configured to allow X11 protocol forwarding through the SSH tunnel. While this setting is enabled by default in the Reflection SSH client when using Reflection X, the setting on most SSH servers is disabled by default and will need to be enabled. Information about how to modify an SSH server to enable this setting is available in KB 7021841.

For those who work primarily in remote emulation sessions, such as with Reflection for UNIX and OpenVMS, it is important to note that you can use the SSH tunnel created with either of these applications for tunneling any X11 protocol back to Reflection X. In these cases, X11 protocol tunneling is not enabled by default, but is easily enabled through the user interface.

Additional Information

Legacy KB ID

This document was originally published as Attachmate Technical Note 2196.