X Window Remote Access Concepts

Version 2



    This document was written in the hope of providing useful information.


    Copyright © 2018 Dude! @ Oracle Communities. Please do not re-distribute or plagiarize.


    The document is presented under the terms of using the Oracle Web sites at:






    Remote desktop access and running remote GUI applications under X Window are complex topics with a long history in computing. There are several methods available, some of which rely on different concepts along with different software and configuration requirements. Choosing the right option and finding the necessary know-how can be difficult, and choices are often based on misconceptions. This document tries to explain the available options. It does not provide instructions or reference information, but should be useful for anyone who is not familiar with the topic.



    X Window System


    The X Window System, also known as X or X11, is a cross-platform windowing system designed to operate across networks. It is standard under Linux and Unix and provides the basic software and framework to build a graphical user interface (GUI). Unlike other popular systems such as Microsoft Windows, however, X is not a graphical desktop environment unless optional software, such as Gnome or KDE, is installed.


    X is based on a client-server architecture with interchangeable components. The X server and X client do not necessarily have to run on the same computer and can even run on different operating systems. The X application, also referred to as the X client, connects to the X server and can run on a local or remote system. Screen output and user input are managed by the X server, which provides the hardware support for your mouse, keyboard and video graphics adapter.




    X can use the X Display Manager Control Protocol (XDMCP) to connect to the X Display Manager (XDM) of another X Window system. This allows users to remotely log in to another X Window system via the network, as if they were using the local console. After successful user authentication, the remote X Window starts an X session, which is displayed on your local PC. Thus, this method requires X Window on both computers.


    XDMCP does not meet modern networking and security standards and may not work with your existing network infrastructure. It requires special network Firewall configurations to work with Network Address Translation (NAT), which is common for virtual or private networks. Since XDMCP uses TCP and UDP streams, it cannot simply be tunneled through Secure Shell (SSH), which does not support UDP transmissions.



    X11 And X11 Forwarding


    X11 is the current version of the X Window System core protocol. It defines the framework for X client and X server communication. When the X client starts, it reads the DISPLAY environment variable to determine the location of the X server display, which can be the local host or another computer in your network, depending on what needs to be accomplished. The advantages are ease of use and close integration with your host OS desktop, but it requires a fast and reliable network connection.


    A remote system does not require X Window to start an X client. When not using X11 forwarding, however, the DISPLAY variable on the remote system needs to be set to point to the X server display running on your PC, hence requiring X Window on your PC. It is also necessary to configure your network Firewall accordingly and to allow access to the X server using the xhost utility or the Xn.hosts file.


    X11 forwarding is a built-in feature of Secure Shell (SSH). It shifts the TCP listening port of the X server running on your PC to the remote system using a secure and encrypted SSH tunnel. This greatly simplifies the requirements, since X11 forwarding automatically configures the DISPLAY variable and does not require modifying your network Firewall configuration. If you can access a remote host via SSH, you can also use X11 forwarding. X server access control with X11 forwarding does not rely on xhost and is done automatically using an xauth magic cookie. Older server installations do not support xauth and user switching, such as su or sudo commands. Later installations, however, usually include the pam_xauth module for PAM (Linux Pluggable Authentication Modules) that automatically forwards xauth keys for non-root users.
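
    An added example, not part of the original document: a shell function that classifies a DISPLAY value according to the cases described above (local X server, SSH X11 forwarding, or a direct TCP connection to an X server). The function name and labels are assumptions of this example; the threshold of 10 assumes sshd's default X11DisplayOffset.

```shell
#!/bin/sh
# Added example: classify where a DISPLAY value sends X11 traffic.
# Labels are this example's own; ">= 10" assumes sshd's default X11DisplayOffset.
classify_display() {
    value=$1
    case $value in
        *:*) ;;
        *) echo "invalid"; return 2 ;;
    esac
    host=${value%:*}      # part before the last colon (may be empty)
    rest=${value##*:}     # display[.screen]
    num=${rest%%.*}       # display number without the screen suffix
    case $num in
        ''|*[!0-9]*|0[0-9]*) echo "invalid"; return 2 ;;
    esac
    port=$((6000 + num))  # X11 over TCP uses port 6000 + display number
    case $host in
        ''|unix)
            # Local X server reached over a Unix socket, no TCP involved
            echo "local-socket" ;;
        localhost|127.0.0.1)
            if [ "$num" -ge 10 ]; then
                # Typical of the proxy display sshd creates for X11 forwarding
                echo "ssh-forwarded $port"
            else
                echo "loopback-tcp $port"
            fi ;;
        *)
            # Unencrypted X11 to another host: needs xhost/Xn.hosts and Firewall rules
            echo "direct-tcp $port" ;;
    esac
}

# Constructed sample values
for d in ":0" "localhost:10.0" "localhost:0" "192.0.2.15:0.0"; do
    printf '%-16s -> %s\n' "$d" "$(classify_display "$d")"
done
```

    A "direct-tcp" result in a login session is the case worth reviewing, since that traffic bypasses the SSH tunnel and relies on xhost or Xn.hosts access control.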





    Virtual Network Computing (VNC) is a cross-platform client-server screen sharing technology. It allows one or more clients to view and control the windowing system on another computer using the TCP/IP network. The VNC server captures a real-time picture of the desktop and transmits it to the VNC viewer or client, while also managing client connections and processing mouse and keyboard input. VNC is a common and often preferred method, since client connections can be disconnected or may even fail without disrupting the remote task or process in progress.


    TigerVNC server is the standard VNC server for Enterprise Linux. It incorporates a VNC and X server (Xvnc) and can be used with or without running an X Window desktop. The VNC server can operate in user and server mode. In server mode, the VNC server runs as a system service and starts automatically during system startup. In user mode, a user starts the VNC server manually. Unlike vino, which is the VNC server for the Linux Gnome desktop (Remote Desktop), TigerVNC creates a virtual desktop that can only be seen and used by a connected VNC client.


    VNC security can be complex and depends on the VNC server product and its configuration. Remote access is usually protected by a VNC password and network Firewall only. It is recommended to configure the VNC server to accept connections only from localhost, so that remote desktop connections must be tunneled using Secure Shell (SSH) and use SSH authentication.
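
    An added example, not part of the original document: a check that reads `ss -tln` style output and reports VNC or X11 listeners bound to anything other than loopback, which is the exposure the localhost-only recommendation above is meant to prevent. The sample output is constructed, and the port ranges (5900+n for VNC, 6000+n for X11) are the conventional ones, assumed here.

```shell
#!/bin/sh
# Added example: report VNC/X11 TCP listeners reachable from the network.
# Assumes conventional ports: VNC display n on 5900+n, X11 display n on 6000+n.
exposed_gui_listeners() {
    awk '
    $1 == "LISTEN" {
        la = $4                                   # local address:port column
        n = split(la, parts, ":")
        port = parts[n] + 0
        addr = substr(la, 1, length(la) - length(parts[n]) - 1)
        if (addr ~ /^127\./ || addr == "[::1]") next   # loopback only
        if (port >= 5900 && port <= 5999) { kind = "VNC display :" (port - 5900) }
        else if (port >= 6000 && port <= 6063) { kind = "X11 display :" (port - 6000) }
        else { next }
        printf "%s:%s %s\n", addr, port, kind
    }'
}

# Constructed sample of `ss -tln` output
sample_ss_output() {
    cat <<'EOF'
State   Recv-Q  Send-Q  Local Address:Port  Peer Address:Port
LISTEN  0       128     0.0.0.0:22          0.0.0.0:*
LISTEN  0       5       127.0.0.1:5901      0.0.0.0:*
LISTEN  0       5       0.0.0.0:5902        0.0.0.0:*
LISTEN  0       128     0.0.0.0:6000        0.0.0.0:*
LISTEN  0       128     127.0.0.1:6010      0.0.0.0:*
LISTEN  0       5       [::]:5902           [::]:*
LISTEN  0       128     [::1]:6010          [::]:*
EOF
}

sample_ss_output | exposed_gui_listeners
```

    On a live system, pipe the output of `ss -tln` into exposed_gui_listeners in place of the sample; an empty result means every VNC and X11 listener is loopback-only and reachable remotely only through an SSH tunnel.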






    Using Xnest and XDMCP to display the graphical login of a remote system (60.3.




    Using Xnest to start another X server on the same machine and X11 forwarding to redirect the remote gnome-session.