How-To Docs

Using the PuTTY plink command and OpenSSH
Launching X applications from Windows with Kerberos credentials

The SSH protocol provides a very rich set of capabilities for securing network traffic for various kinds of connections aside from the familiar terminal login. For Windows desktop users, SSH is available using PuTTY, an open-source terminal emulation program which can use SSH to establish a secure terminal session. The PuTTY tool suite also includes the command line utilities plink and pscp.

plink allows access to most of the command-line features of the Unix ssh client, including X11 forwarding. X11 forwarding allows X Windows sessions to be relayed through a display proxy on the application host or through a secure SSH channel to a local, desktop X server. A number of X servers are available for Windows: commercial products like Hummingbird Exceed, Starnet X-Win32, and WRQ Reflection X, as well as the open-source Cygwin/X.

These allow you to display existing X applications running on a Linux or Unix server on the Windows desktop. Using Unix-enabled OpenSSH on the remote server, its X11 forwarding capabilities, and the SSPI-aware PuTTY tools, it is possible to create a secure connection between the Windows desktop and the server and, at the same time, automatically authenticate the X application session using the Kerberos credentials provided by Active Directory when the user first logs on to their workstation.

The PuTTY plink program uses the user's Kerberos credentials acquired from Active Directory when they first log on to their network to authenticate to the Kerberos-aware OpenSSH server. When the secure channel is established, the X session traffic is forwarded through automatically.

A typical application where this would be useful might be a retail or other transaction-oriented workstation running on Windows but using a centralized Unix or Linux server to provide the actual X application.

Server Configuration

Once Quest OpenSSH has been installed, it is necessary to modify the default configuration. The sshd_config file (found in /etc/opt/vintela/rc/ssh) needs to have the line

X11Forwarding yes

included. (The default file ships with a commented line "#X11Forwarding no", indicating that X11Forwarding is disabled by default.) The sshd daemon should then be restarted by typing:

# /etc/init.d/vintela-sshd restart

The SSH daemon will now be running with X11 forwarding turned on. See the manual page for sshd_config for more details.
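To confirm which X11Forwarding value sshd will actually use after the edit, the following added example (not part of the original how-to or of the Quest tooling) reads an sshd_config and reports the effective global setting. It assumes standard OpenSSH parsing rules (case-insensitive keywords, # comments ignored, the first value obtained for a keyword wins, directives after a Match line are conditional); the function names and the sample file are constructed for illustration.

```shell
#!/bin/sh
# Added example: report the X11Forwarding value sshd will use globally.
# Usage on the server described above:
#   effective_x11_forwarding /etc/opt/vintela/rc/ssh/sshd_config
effective_x11_forwarding() {
    awk '
        # Skip blank lines and comments such as the shipped "#X11Forwarding no".
        /^[ \t]*(#|$)/ { next }
        {
            line = $0
            sub(/\r$/, "", line)        # tolerate files saved with CRLF
            sub(/^[ \t]+/, "", line)
            # Keyword and argument are separated by whitespace or "=".
            split(line, f, /[ \t=]+/)
            kw = tolower(f[1])          # keywords are case-insensitive
        }
        # Directives after a Match line are conditional, so stop there.
        kw == "match" { exit }
        # The first value obtained for a keyword is the one sshd keeps.
        kw == "x11forwarding" { print f[2]; found = 1; exit }
        END { if (!found) print "no" }  # OpenSSH default when unset
    ' "${1:--}"
}

# Constructed sample: the shipped commented default, the line this how-to
# adds, and a conditional override that must not affect the global answer.
sample_config() {
    cat <<'EOF'
# Constructed sample sshd_config
Port 22
#X11Forwarding no
x11forwarding yes
Match User kiosk
    X11Forwarding no
EOF
}

sample_config | effective_x11_forwarding
```

With no argument the function reads the configuration from standard input, as in the last line.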

Client Example

You must have an X server for Windows installed and running. Information regarding installation of Cygwin/X can be found at

It is not necessary to create a connection configuration in the X server; it is only necessary to start the X server in "multiwindow" mode, which causes the X server to run in the background. An X application session is initiated by the remote X client, that is, on the Unix system that is running the X application.

In the Cygwin/X environment, the display server is started by creating a copy of the startxwin batch script found in the \usr\X11R6\bin sub-directory within the Cygwin install directory (e.g., C:\Cygwin). The startxwin script first starts the X server and then launches a local Xterm window. To suppress the local Xterm window, simply comment out (using REM statements) the line in startxwin that reads

run xterm

If desired, you can copy your new startxwin file to the Windows Startup folder so the X server will always launch when you log in. Procedures for commercial X servers vary, but the essential step is simply to start the X server in its passive mode, rather than launching a specific, active connection.

Having established the server and client side prerequisites, the next step in this process is simply to invoke an X application on the Unix server via plink. The path to the X application may need to be given explicitly. Here we'll use the kmahjongg game found in the KDE distribution for Linux as an example of an arbitrary X application. In the SuSE 9.2 distribution, the path to this program is: /opt/kde3/bin/kmahjongg

Open a command window on the Windows desktop, and enter the following:

C:\>plink -X -ssh targetmachine /opt/kde3/bin/kmahjongg

The options used with plink are explained as follows:

-X      use X11 forwarding
-ssh    use SSH protocol

See the PuTTY documentation on Resource Central for further details about plink options.

Instead of giving plink a hostname, you may also use the PuTTY graphical interface to create and save a named PuTTY session (for example, mysession), and then reference that saved session with -load:

C:\>plink -load mysession /opt/kde3/bin/kmahjongg

A simple way to make a clickable desktop icon for remote X applications is to create a shortcut to the plink.exe application, edit its properties, and extend its Target field to contain the plink command as above. Also set the Minimized option from the Run pull-down on the Properties panel (this will allow your X application to launch without displaying a Windows command window first). When you click on the shortcut, the plink command will be invoked with these options, and your X application will launch after a few seconds.

— David Eyes, 2005