Using the PuTTY plink command and OpenSSH
Launching X applications from Windows with Kerberos credentials
The SSH protocol provides a very rich set of capabilities for securing network traffic for various kinds of connections aside from the familiar terminal login. For Windows desktop users, SSH is available using PuTTY, an open-source terminal emulation program which can use SSH to establish a secure terminal session. The PuTTY tool suite also includes the command line utilities plink and pscp.
plink allows access to most of the command-line features of the Unix ssh client, including X11 forwarding. X11 forwarding allows X Windows sessions to be relayed through a display proxy on the application host or through a secure SSH channel to a local, desktop X server. A number of X servers are available for Windows: commercial products like Hummingbird Xceed, Starnet X-Win32, and WRQ Reflection X, as well as the open source Cygwin/X.
These allow you to display existing X applications running on a Linux or Unix server on the Windows desktop. Using Unix-enabled OpenSSH on the remote server, its X11 forwarding capabilities, and the SSPI-aware PuTTY tools, it is possible to create a secure connection between the Windows desktop and the server and at the same time, automatically authenticate the X application session using the Kerberos credentials provided by Active Directory when the user first logs onto their workstation.
The PuTTY plink program uses the user's Kerberos credentials acquired from Active Directory when they first log on to their network to authenticate to the Kerberos-aware OpenSSH server. When the secure channel is established, the X session traffic is forwarded through automatically.
A typical application where this would be useful might be a retail or other transaction-oriented workstation running on Windows but using a centralized Unix or Linux server to provide the actual X application.
Once Quest OpenSSH has been installed, it is necessary to modify the default configuration. The sshd_config file (found in /etc/opt/vintela/rc/ssh), needs to have the line
included. (The default file ships with a commented line "#X11Forwarding no", indicating that X11Forwarding is disabled by default). The sshd daemon should then be restarted by typing:
# /etc/init.d/vintela-sshd restart
The SSH daemon will now be running with X11 forwarding turned on. See the manual page for sshd_config for more details.
You must have an X server for Windows installed and running. Information regarding installation of Cygwin/X can be found at http://x.cygwin.com.
It is not necessary to create a connection configuration in the X Server; it is only necessary to start the X server in "multiwindow" mode, which causes the X Server to run in the background. An X application session is initiated by the remote X client. That is, on the unix system that is running the X application.
In the Cygwin/X environment, the display server is started
by creating a copy of the
startxwin batch script found in the \usr\X11R6\bin
the Cygwin install directory (e.g., C:\Cygwin).
The startxwin script
first starts the X server and then launches a local Xterm window.
To suppress the local Xterm window, simply comment out
REM statements) the line in startxwin that reads
If desired, you can copy your new startxwin file to the Windows Startup folder so the X server will always launch when you log in. Procedures for commercial X servers vary, but the essential step is simply to start the X server in its passive mode, rather than launching a specific, active connection.
Having established the server and client side prerequisites, the next step in this process is simply to invoke an X application on the unix server via plink. The path to the X application may need to be given explicitly. In this example, we'll use the kmahjongg game found in the KDE distribution for Linux as an example of an arbitrary X application. In the SuSE 9.2 distribution, the path to this program is: /opt/kde3/bin/kmahjongg
Open a command window on the Windows desktop, and enter the following:
C:\>plink -X -ssh targetmachine /opt/kde3/bin/kmahjongg
The options used with plink are explained as follows:
- use X11 forwarding
- use SSH protocol
See the PuTTY documentation on Resource Central for further details about plink options.
Instead of using plink, you may also use the PuTTY graphical
interface. With this, you can create a PuTTY
session and reference
the named session (for example
mysession) that you save with
instead of needing a hostname.
C:\>plink -load mysession /opt/kde3/bin/kmahjongg
A simple way to make a clickable desktop icon for remote X applications
is to create a shortcut to the plink.exe application,
edit its properties. and extend its
Target field to contain the plink command as above.
Also set the
Minimized option from the
on the Properties panel (this will allow your X application to launch
without displaying a Windows command window first). When you click on
the shortcut, the plink command will be invoked with these options,
and your X application will launch after a few seconds.
— David Eyes, 2005