This post was written by Sivasamy Subramaniam, AWS Database Consultant.

In this post, I discuss enabling X11 forwarding from Red Hat Enterprise Linux (RHEL), Amazon Linux, SUSE Linux, and Ubuntu servers running on Amazon EC2. This is helpful for system and database administrators, and for application teams that want to perform software installations on Amazon EC2 using a GUI. The post provides detailed steps covering SSH and X11 tools, network and operating system (OS) level settings, and best practices for X11 forwarding on Amazon EC2 when installing databases such as Oracle through a GUI.

There are several ways to connect to Amazon EC2 instances to manage OS-level configuration. You typically use an SSH client (such as PuTTY) from a Windows or Mac laptop, a bastion host, or a jump server to connect to the EC2 instance. During application installation or configuration, you might need to install software such as an Oracle database or a third-party database using GUI methods. This article covers the steps needed to forward the X11 display to your highly secure Windows-based bastion host.

 

Prerequisites

To complete this walkthrough the following is required:

 

  • Ensure that you have a bastion host running on Amazon EC2 with Windows OS. This host must have access to the EC2 machines running Linux such as RHEL, Amazon Linux, SUSE Linux, and Ubuntu servers. If not, configure a Windows bastion host with the needed SSH access via port 22 to the EC2 instances running Linux-based operating systems.
  • I recommend having Windows-based hosts in the same Availability Zone or Region as the EC2 Linux hosts that you plan to connect and forward X11 to. This is to avoid any high latency in X11 forwarding during your application installations.
  • Install tools such as PuTTY and Xming on the Windows-based bastion host from which you want to SSH to the Linux EC2 host and receive the forwarded X11 display.
  • Install Quartz if you want to redirect X11 to macOS. Quartz is a package used on the Mac for display management. To start using X11 forwarding to your Mac, use the -X switch. In other words, the SSH command looks like this: ssh -X -i "<ssh private key file name>" <user_name>@<ip-address>. You must log out and log back in after installing Quartz for it to work properly.
  • To securely configure or install PuTTY, refer to the section Configuring ssh-agent on Windows in the blog post Securely Connect to Linux Instances Running in a Private Amazon VPC.
  • I don’t recommend forwarding X11 to a laptop because it’s not secure, and you must resolve latency issues if the user is located in a different Region than the one hosting the EC2 instance.
  • You may need sudo permission to run X11 forwarding commands as a root user in order to complete the setup.

 

Solution

Connect to your EC2 instance using an SSH client, and perform the following setup as needed.

Step 1: Verify or install required X11 packages.

Find the OS information and release, then install the required X11 packages and xclock or xterm. Installing xclock or xterm is optional; they are installed in this post only to test the X11 forwarding.

  • List OS information and release with the following command:

sudo cat /etc/os-release

  • List and install X11 packages with the following commands, based on your operating system release and version:

Amazon Linux:

sudo yum list installed '*X11*'

sudo yum install xclock xterm

sudo yum install xorg-x11-xauth.x86_64 -y

sudo yum list installed '*X11*'

Red Hat Enterprise Linux:

sudo yum list installed '*X11*'

sudo yum install xterm

sudo yum install xorg-x11-xauth

sudo yum list installed '*X11*'

Note: The xorg-x11-apps package has been provided in the CodeReady Linux Builder Repository for RHEL8. So, I skipped installing this package, which has xclock, and I used only xterm to test the X11 forwarding.

SUSE:

sudo zypper install xclock

sudo zypper install xauth

Ubuntu:

sudo apt list --installed '*x11*'

sudo apt install x11-apps

sudo apt list --installed '*x11*'

 

Step 2: Verify and configure X11 forwarding

  • On the Linux server, check the current value of the X11Forwarding parameter in the sshd_config file:

sudo cat /etc/ssh/sshd_config | grep -i X11Forwarding

  • If it is set to “no”, edit the file to set “X11Forwarding yes”, then confirm the change:

sudo vi /etc/ssh/sshd_config

sudo cat /etc/ssh/sshd_config | grep -i X11Forwarding

  • The output should include this line:

X11Forwarding yes

  • Restart sshd so the change takes effect, then check its status:

sudo service sshd restart

sudo service sshd status
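The grep check in this step also prints commented-out lines, and sshd applies only the first value it reads for a keyword. The following added example (not part of the original post) parses a config on stdin and reports the effective global X11Forwarding value plus any Match blocks that enable it. The function name and both sample configs are constructed for illustration, and Include files are not followed.

```shell
#!/bin/sh
# Added example (hypothetical helper): report where an sshd_config enables
# X11 forwarding. Reads the config on stdin. sshd keeps the first value it
# obtains for a keyword and ignores "#" lines, which a plain grep still prints.
x11_forwarding_scope() {
    awk '
        /^[ \t]*(#|$)/ { next }                     # comments and blank lines
        { key = tolower($1) }                       # keywords are case-insensitive
        key == "match" {                            # a Match block starts here
            in_match = 1; crit = $0
            sub(/^[ \t]*[^ \t]+[ \t]+/, "", crit)   # keep only the criteria
            next
        }
        key == "x11forwarding" && !in_match && gval == "" { gval = tolower($2) }
        key == "x11forwarding" && in_match && tolower($2) == "yes" { scoped[++n] = crit }
        END {
            # OpenSSH documents "no" as the default when the keyword is absent.
            print "global=" (gval == "" ? "no" : gval)
            for (i = 1; i <= n; i++) print "match=" scoped[i]
        }
    '
}

# Constructed sample: forwarding on for every account, plus a commented-out
# line that grep -i would also show.
sample_global() {
    cat <<'EOF'
#X11Forwarding no
X11Forwarding yes
X11UseLocalhost yes
EOF
}

# Constructed sample: off globally (first value wins over the second line),
# on only for ec2-user, the login account used in this post.
sample_scoped() {
    cat <<'EOF'
x11forwarding no
X11Forwarding yes
Match User ec2-user
    X11Forwarding yes
EOF
}

sample_global | x11_forwarding_scope
sample_scoped | x11_forwarding_scope
```

On a live host, `sudo sshd -T | grep -i x11forwarding` prints the value that sshd itself resolved.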

 

Step 3: Configure PuTTY and Xming to perform X11 forwarding, then connect and verify X11 forwarding

Log in to your Windows bastion host. Then, open a fresh PuTTY session, and use private key or password-based authentication per your organization setup. Then, test the xclock or xterm command to see X11 forwarding in action.

  • Start the Xming utility you installed on the Windows bastion host and keep it running.

  • Select Session from the Category pane on the left. Set Host Name to your private IP, Port to 22, and Connection type to SSH. Note that you use the private IP of the EC2 instance when you connect from inside the VPC/network.

  • Go to Connection, and click Data. Then, set Auto-login username to ec2-user, ubuntu, or whichever user you are allowed to log in as.
  • Go to Connection, select SSH, and then click Auth. Then, click Browse to select the private key generated earlier if you are using key-based authentication.
  • Go to Connection, select SSH, and then click X11. Then, select Enable X11 forwarding.
  • Set X display location to localhost:0.0

  • Go back to Session and click on Save after creating a session name in Saved session.

Now that you have set up PuTTY and Xming and configured the X11 settings, you can click the Load button and then the Open button. This opens a new SSH terminal with X11 forwarding enabled. Now, I move on to testing X11 forwarding.

  • Test X11 from the user you logged in as:

Example:

xauth list

export DISPLAY=localhost:10.0

xclock   # or: xterm

X11 forwarding on Mac

  • It is simple to start using X11 forwarding to your Mac: use the -X switch.

Example:

ssh -X -i "<ssh private key file name>" <user_name>@<ip-address>

xclock   # or: xterm

 

You see an xclock or xterm window open, similar to the one following. This means your X11 forwarding setup is working as expected, and you can start using GUI-based application installation or configuration by running the installer or configuration tools.

[Screenshot: xclock window shown through X11 forwarding]

Step 4: Configure the EC2 Linux session to forward X11 if you switch to a different user after login to run GUI-based installations or commands

In this example, ec2-user is the user logged in with SSH, who then switches to the oracle user.

  • As the logged-in user, identify the xauth details:

xauth list

env|grep DISPLAY

xauth list | grep unix`echo $DISPLAY | cut -c10-12` > /tmp/xauth

ll /tmp/xauth ; cat /tmp/xauth

  • Switch to the user where you want to run GUI-based installation or tools:

sudo su - oracle

xauth add `cat /tmp/xauth`

xauth list

env|grep DISPLAY

export DISPLAY=localhost:10.0

xclock

You see an xclock or xterm window open, similar to the one following. This means your X11 forwarding setup is working as expected even after switching to a different user. You can start using GUI-based application installation or configuration by running the installer or configuration tools.

[Screenshot: xclock window shown after switching user]
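The fixed /tmp/xauth file in Step 4 is created with the login user's umask, so with a typical default every local account can read the cookie, and the cut -c10-12 pattern can match more than one display. The following added example (not part of the original post) selects the exact entry for the display and stages it in a private mktemp file. All function names and the sample xauth output are constructed for illustration, and the sudo chown handoff assumes the login user has sudo as stated in the prerequisites.

```shell
#!/bin/sh
# Added example (hypothetical helpers, constructed sample data): stage only the
# current display's cookie in a file that other local accounts cannot read.

# display_number "localhost:10.0" prints 10; no fixed character positions.
display_number() {
    d=${1##*:}; d=${d%%.*}                  # drop host part, then .screen
    case $d in ''|*[!0-9]*) return 1 ;; esac
    printf '%s\n' "$d"
}

# select_cookie DISPLAY: read `xauth list` output on stdin, print the single
# unix entry whose display number matches exactly (10 does not match 100).
select_cookie() {
    n=$(display_number "$1") || return 1
    awk -v n="$n" '
        $1 ~ /\/unix:[0-9]+$/ {
            split($1, a, ":")
            if (a[2] == n) { print; found = 1; exit }
        }
        END { exit !found }'
}

# stage_cookie DISPLAY [OWNER]: write that entry to a new mktemp file (mode
# 600, unpredictable name) and print the path. With OWNER, sudo chown hands
# the file to that account, which can then read it and delete it.
stage_cookie() {
    entry=$(select_cookie "$1") || return 1
    f=$(mktemp /tmp/xauth.XXXXXX) || return 1
    printf '%s\n' "$entry" > "$f"
    if [ -n "${2:-}" ]; then sudo chown "$2" "$f" || return 1; fi
    printf '%s\n' "$f"
}

# Constructed `xauth list` output; the cookie values are placeholders.
sample_xauth_list() {
    cat <<'EOF'
ip-10-0-0-5/unix:100  MIT-MAGIC-COOKIE-1  00000000000000000000000000000100
ip-10-0-0-5/unix:10  MIT-MAGIC-COOKIE-1  00000000000000000000000000000010
EOF
}

staged=$(sample_xauth_list | stage_cookie "localhost:10.0") &&
    ls -l "$staged" && cat "$staged" && rm -f "$staged"
```

On the instance, the login user runs `xauth list | stage_cookie "$DISPLAY" oracle`; after switching to oracle, pass the contents of the printed file to `xauth add` and then delete the file.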

Conclusion

In this blog, I demonstrated how to configure Amazon EC2 instances running on various Linux-based operating systems to forward X11 to the Windows bastion host. This is helpful for any application installation that requires GUI-based installation methods. It is also helpful for bastion hosts that provide highly secure and low-latency environments for SSH-related operations, including GUI-based installations, as this does not require any additional network configuration other than opening port 22 for standard SSH authentication. Please try this walkthrough for yourself, and leave any comments following!