====== X Windows security ======

The X window system poses a serious security risk if it is not properly secured. If your X11 server (the screen, keyboard and mouse of any Unix system) is insecure, it will allow any other program on the internet to copy your screen's contents, capture your keystrokes, and sometimes forge keystrokes as if you typed them yourself.

**Never use the command "xhost +"; this completely disables your display security!**

Network access is blocked from outside our building to our X displays - X11 applications running offsite cannot send the display //directly// to a desktop at Tate Lab. In order to run such programs, it's neccessary to //tunnel// the X11 traffic through a secure shell session.

===== Using X windows with ssh =====

    * Log in to a system which has ssh (with support for tunnelling) installed, and if required, set the ''DISPLAY'' environment variable to open windows on your screen -- if working from a graphical environment it should be set for you.
    * Use ssh to log in to the remote system.
    * Now open X windows as usual (it may be easiest to test with a small, quick program such as xclock). Don't set the ''DISPLAY'' variable at the remote system; ssh will have set it for you. 

If you have problems, start by checking the value of ''DISPLAY'' at the remote system (using "''printenv DISPLAY''" or similar). Some servers don't switch on X11 tunnelling by default, in which case you have to use the "''-Y''" flag when connecting to them (eg "''ssh -Y hostname''").

   * If you don't have ssh installed on your system, check out our [[:computing:software:ssh|Secure Shell page]] for information on where to get it.