Red Hat Enterprise Linux 5 Administration Unleashed

364CHAPTER 17Securing Remote Logins with OpenSSHAfter you enter the correct passphrase, it will be remembered for that session or terminalwindow.X11 ForwardingX11 forwarding means that graphical programs can be executed on a remote system anddisplayed on the local client system. Even though the interface appears on the client, it isrunning on the remote server. For example, if you want to enable Kdump on a remotesystem, you can log in to it remotely using ssh, execute the system-config-kdumpcommand on the remote system, and the graphical program appears on your localcomputer. Configure the Kdump settings for the remote system, save the settings, andyou are done without having to physically move to the remote system to get a graphicaldesktop. X11 forwarding must be enabled on both the client and server system for it towork.By default, X11 forwarding is not enabled on the client. If the server supports X11forwarding, the user can enable it with the -Y command-line option:ssh -Y TIPWhen you execute a graphical program from a remote login session, the program isdisplayed on the client, but while the graphical program is being used, the sessioncannot be used to run other commands. To prevent this, add an ampersand character(&) after the command such as system-config-kdump&.To always enable X11 forwarding on the client system, a user can create the file$HOME/.ssh/config with permissions 0600 and add the following line:ForwardX11 yesAn administrator can enable X11 forwarding on a client system for all users on thesystem by modifying the /etc/ssh/ssh_config file and changing the default value ofForwardX11 from no to yes. After modifying this global client configuration file, theservice must be restarted for the changes to take effect with the service sshd restartcommand. Settings in this global file apply to all users unless the values are overridden inthe $HOME/.ssh/config user file.NOTEThe OpenSSH client tools check the file permission for the $HOME/.ssh/config file ifit exists. If the file has write permissions for the group or other category, the programwill exit instead of connecting to the server. It is recommended that the file have thepermissions 0600, which can be modified with the chmod command.