How To Route Graphics Output through SSH

When you run a graphics or visualization application on one of the NERSC platforms, you would like the output to appear on your desktop machine. This is easily done, but you must tell the application how to accomplish the routing. There are (at least) two ways to accomplish such a specification.

Insecure Method

This is a two-stage process that involves telling your workstation's X11 server to permit the NERSC machine to send Xlib commands to it, and to tell the NERSC machine to route Xlib commands (application output) to your remote desktop. This approach is viewed as being insecure because you are permitting Xlib commands from the network to be executed on your workstation without first requiring an authentication step. That you restrict the source of Xlib commands to a particular host limits the exposure, but the absence of the authentication step is really the problem.

If you want to use the insecure method, you need to perform the following two-stage process:

  1. On your workstation, in a shell on your workstation, tell your X-server to permit inbound connections from the NERSC resource. E.g.:
    	% xhost escher.nersc.gov
    
  2. At NERSC, set the $DISPLAY environment variable prior to running the application. E.g.:
    	% setenv DISPLAY myworkstation.com:0
    	% idl    // the name of the application
    
Set the $DISPLAY environment variable on the NERSC platform prior to running the application so that it points to your workstation. You'll need to permit

Secure method.

With the secure method, all Xlib commands are routed through ssh. This way, there is no explicit unauthenticated Xlib command stream being executed by your workstation, so it is more secure. Also, the Xlib commands themselves are encrypted by the ssh channel. The secure method is also less complex to set up as it involves only a single action on your part - to provide one additional argument when launching ssh on your workstation.

To use the secure method, use the -X argument when launching ssh on your workstation. The -X argument tells ssh to route all Xlib commands through the ssh back to your workstation. E.g.:

	% ssh -X escher.nersc.gov

Then, once the shell is opened on escher, any command you run from that shell that generates Xlib output will automagically be sent back to your workstation.

For more reading, check your local ssh manual pages.