An Odd X Question

Home » CentOS » An Odd X Question
CentOS 7 Comments

I’ve got a headless server running CentOS 7. I’ve got a user who wants to run some graphical software on it, and view using x forwarding. What I
don’t have clear is how to set this up. I’ve just installed xorg-x11-server-[Xorg, common]. I assume I need to run X, but I don’t see running this in runlevel 5.


mark “and why is it called xorg-x11-server, when in X terminology,
it’s the client?”*

* Which I always thought was bass-ackward, but…

7 thoughts on - An Odd X Question

  • For (ssh based) X forwarding no X server needs to run on the server. I usually install the xorg-x11-xauth (necessary) and xterm (optional)
    rpms on all my servers in case X forwarding becomes necessary.

    Then from your desktop (assuming Linux already running X) in a local xterm do something like:

    SSH -Y remote-system

    Once logged into the remote system you should now have a DISPLAY
    environment variable set which will tell any client applications how to connect back to the X server on your desktop.

    For example, just run xterm on the remote server and a xterm window will pop up on your display. This is just an example. You could run xload or any other basic X application.

    You can also run more complex applications. Many will run fine. Other applications may perform poorly (due to the X protocol chattiness: Firefox, etc). Other applications will have other issues
    (some gnome/kde/gtk applications make other assumptions about being on the same system as the window manager and try to use dbus and local system things).

    Note about -X versus -Y with ssh:

    -X enables basic X forwarding, It disables some X functionality making it “safer” to allow. -X also stops working after about 20 minutes
    (this is by design but not well documented). I only recently learned why it would stop working after pulling out the last of my hair.

    -Y allows the full X protocol which might be a security risk. Some applications will only work with -Y. With this, remote X applications can grab keyboard interactions, grab passwords, put windows on top of other windows (obscuring security messages), etc.

    For my own choice I use -Y (although I only enable it occasionally to specific systems).


  • The easiest way to think of this is that the host on which you are going to watch the output needs a running X server, the source just needs the client application. Of course this also presumes that network and permissions are all in place.

    The test that I’ve always used is to run a simple xclient on the remote host, xclock, xeyes, xterminal and see if it show up, if it does you are good to go.


  • You should think of it this way: the program that wants something drawn on the screen is a client; the program that does the drawing is the server. The client asks the server to draw stuff on the screen, and server is, well… servicing those requests, from various clients.

    So the server is always the local Xorg process that draws your display, while any remote or local program that wants things drawn on it is the client.

    The fact that one of them is remote and the other local is of course completely irrelevant for the client/server terminology, contrary to common opinion.

    This last thing is what confuses people — they usually think of the word “server” as “the remote machine”, while “client” is “the local machine”. That is the wrong way to understand the words server and client.

    HTH, :-)

  • Hello Stuart,

    Do not use that because any user logged on the server can connect to your X server display and snoop what you are doing, open windows etc.

    -Y disables all the X server authentication mechanisms
    I have been using SSH X forwarding for current work use (local betwork) for more than 15
    years and never got into this kind of problem from RH 7 to CentOS 7, AIX and Solaris.

    Maybe it is some other issue that is closing your SSH connection (maybe you should use the KeepAlive options on the SSH server/client); just guessing.

    It is a security risk as I said above any user logged on the server can connect to your display X server without you knowing.


  • You misunderstand me: I understand the terminology, and why they chose it. I
    simply disagree with their choice, and have always found it confusing, esp. to anyone coming into it since, um, the mid/late 80’s, when *everything* else in the world used the terminology the other way, from d/b to three-tiered architecture.


  • Not authentication, only SECURITY.

    Any “root” user can connect to your X11 server, whether you use -X or
    -Y, since they can read your .Xauthority file. Users who cannot read your .Xauthority file cannot connect at all. The difference between trusted and untrusted is that trusted clients can snoop keyboard events or window contents. Untrusted clients cannot do that.

    However, on Fedora, ForwardX11Trusted is “yes” by default (see ssh_config), so -X and -Y do the same thing.

  • No, they didn’t. The server is the persistent process, the one that listens for network connections from clients, typically the one that authenticates clients, and the one that performs privileged actions on behalf of clients.

    That’s what the X11 display server does.

    The display server is a persistent process. Clients (such as xterm)
    connect to it. There is not a persistent xterm “server” running that the display “client” connects to. The display server authenticates clients. It manages the interface with the graphics card and HID devices.