External access to X Windows

For security reasons, the PPE linux systems do not permit direct external access. Users are expected to login in first to the Departmental login server, login.physics.gla.ac.uk, and thence to connect to their intended PPE system, or cluster name (e.g ppelx.physics.gla.ac.uk).

The recommended - and only supported - method of using X Windows in this situation is to establish the ssh sessions with what is called "trusted X11 forwarding". On login.physics this would be requested explicitly by using the -Y option on the ssh command, but for convenience it has actually been made the default on that system.

External access from MS Windows to PPE X Windows

Please review the principles of X Window tunnelling as set out in RemoteXWindows first.

Two suggestions are given here, first a step by step approach to make the connection, and then method to wrap it up into a recipe. The examples are worded as for ppelx.physics.gla.ac.uk but can be adapted to other PPE hosts. In each case it's assumed that the user name is the same on both systems, but the steps are easily adapted if a different user name is needed.

Step by step

1. Follow the procedure indicated in RemoteXWindows, using putty to establish a call to login.physics.gla.ac.uk with X forwarding enabled.

1. Make an onward call to your intended destination,

   ssh -Y ppelx.physics.gla.ac.uk

At each step (unless you are using ssh keys) you will be prompted for your password for that system. If you use different passwords on each system (and this is recommended good practice), keep a clear head as to which is which.

Recipe

You can configure a putty recipe which will drive the whole procedure described above. Call the configuration login+ppelx, or whatever you please.

Start by configuring the session as for login.physics along the lines set out on the RemoteXWindows page. Additionally, in the "PuTTY Configuration" menu, go to the "SSH Category", and note the field which is marked:

  Data to send to the server
  Remote command

Into this field, enter the command

  ssh -Y ppelx.physics.gla.ac.uk

Then return to the "Session" category, and save the completed configuration.

You should now be able to use the saved configuration for establishing the complete path via login.physics to ppelx.physics with X forwarding enabled. Unless you are using ssh keys, you will be prompted for each password in turn as the procedure steps are carried out.

Troubleshooting

Basically the same as with RemoteXWindows. On both login.physics and the PPE linux host, your $DISPLAY enviroment should resemble localhost:13.0 "for some value of 13". Execute xlogo or xclock at the remote host as simple tests of the mechanism.

Optimisation

X Windows passes relatively large numbers of relatively small packets, which can result in poor responsiveness. However, there may be some steps which one can take to minimise overheads. As you will recall from the above discussion, there are actually two legs involved in external access, and each of them can be treated on their own merits.

Cipher algorithm

Prefer a relatively lightweight cipher algorithm, e.g Blowfish

Compression

Compression is useless on short hops or on high bandwidth links, as it will only introduce additional latency without bringing any benefit. Evidently it's inadvisable to apply it to the hop from login.physics to the PPE destination host.

If the external link is likely to be bandwidth-constrained, however, it may be beneficial to enable the ssh compression option for that part of the connection. In putty, compression is enabled by a checkbox on the "SSH Category" configuration menu.

-- AndrewPickford - 13 Feb 2009