X11 forwarding
2022-07-17 05:20:00 【阿卡基YUAN】
-X Enables X11 forwarding. This can also be specified on a per-host basis in a configuration file.
X11 forwarding should be enabled with caution. Users with the ability to bypass file permissions on the remote host (for the user's X authorization database) can access the local X11 display through the forwarded connection. An attacker may then be able to perform activities such as keystroke monitoring.
For this reason, X11 forwarding is subjected to X11 SECURITY extension restrictions by default. Please refer to the ssh -Y option and the ForwardX11Trusted directive in ssh_config(5) for more information.
(Debian-specific: X11 forwarding is not subjected to X11 SECURITY extension restrictions by default, because too many programs currently crash in this mode. Set the ForwardX11Trusted option to “no” to restore the upstream behaviour. This may change in future depending on client-side improvements.)
-x Disables X11 forwarding.
-Y Enables trusted X11 forwarding. Trusted X11 forwardings are not subjected to the X11 SECURITY extension controls.
(Debian-specific: This option does nothing in the default configuration: it is equivalent to “ForwardX11Trusted yes”, which is the default as described above. Set the ForwardX11Trusted option to “no” to restore the upstream behaviour. This may change in future depending on client-side improvements.)
X11 forwarding is a mechanism that allows graphical interfaces of X11 programs running on a remote system to be displayed on a local client machine.
For X11 forwarding, the remote host does not need to have a full X11 system installed, but it needs at least to have xauth installed. xauth is a utility that maintains the Xauthority configuration used by server and client to authenticate X11 sessions.
Warning: X11 forwarding has important security implications which should be at least acknowledged by reading relevant sections of ssh(1), sshd_config(5), and ssh_config(5) manual pages. See also this StackExchange question.
Setup
Remote
- install the xorg-xauth and xorg-xhost packages
- in /etc/ssh/sshd_config:
  - set X11Forwarding to yes
  - verify that the AllowTcpForwarding and X11UseLocalhost options are set to yes, and that X11DisplayOffset is set to 10 (those are the default values if nothing has been changed, see sshd_config(5))
- then restart the sshd daemon.
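One way to verify the server-side values from the steps above, as an added example that is not part of the original page: the function reads `sshd -T` style output (lowercase "keyword value" lines) on stdin. The function name and both sample inputs are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original page): compare the server's effective
# sshd settings with the values listed in the Remote steps above.
# Input: `sshd -T` style output on stdin (lowercase "keyword value" lines).

check_sshd_x11() {
    awk '
        BEGIN {
            bad = 0
            want["x11forwarding"]      = "yes"
            want["allowtcpforwarding"] = "yes"
            want["x11uselocalhost"]    = "yes"  # proxy display bound to loopback
            want["x11displayoffset"]   = "10"
        }
        ($1 in want) {
            seen[$1] = 1
            if ($2 != want[$1]) {
                printf "%s=%s (want %s)\n", $1, $2, want[$1]
                bad = 1
            }
        }
        END {
            for (k in want)
                if (!(k in seen)) { printf "%s not reported\n", k; bad = 1 }
            exit bad
        }'
}

# Constructed sample inputs (assumptions, not captured from a real server).
sample_expected() {
    printf '%s\n' 'port 22' 'x11forwarding yes' 'allowtcpforwarding yes' \
        'x11uselocalhost yes' 'x11displayoffset 10'
}
sample_exposed() {
    printf '%s\n' 'port 22' 'x11forwarding yes' 'allowtcpforwarding yes' \
        'x11uselocalhost no' 'x11displayoffset 10'
}

sample_expected | check_sshd_x11 && echo "expected sample: OK"
sample_exposed  | check_sshd_x11 || echo "exposed sample: differs"
# On a real server (as root): sshd -T | check_sshd_x11
```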
Client
- install the xorg-xauth package
- enable the ForwardX11 option by either specifying the -X switch on the command line for opportunistic connections, or by setting ForwardX11 to yes in the client's configuration.
Tip: You can enable the ForwardX11Trusted option (-Y switch on the command line) if GUI is drawing badly or you receive errors; this will prevent X11 forwardings from being subjected to the X11 SECURITY extension controls. Be sure you have read the warning at the beginning of this section if you do so.
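To see whether a client configuration resolves to trusted or untrusted forwarding (on a Debian-style default, -X alone already behaves like -Y), here is an added example that is not part of the original page. It reads `ssh -G <host>` style output on stdin; the function name, host name and sample inputs are constructed assumptions.

```shell
#!/bin/sh
# Added example (not from the original page): report which X11 forwarding
# mode a client configuration resolves to.
# Input: `ssh -G <host>` style output on stdin (lowercase "keyword value").

x11_mode() {
    awk '
        $1 == "forwardx11"        { fwd = $2 }
        $1 == "forwardx11trusted" { trusted = $2 }
        END {
            if (fwd != "yes")          print "disabled"
            else if (trusted == "yes") print "trusted"    # as with -Y: no SECURITY extension controls
            else                       print "untrusted"  # SECURITY extension restrictions apply
        }'
}

# Constructed sample inputs (assumptions, not captured from a real client).
sample_debian_style() {    # ForwardX11 on, ForwardX11Trusted yes
    printf '%s\n' 'hostname gui.example' 'forwardx11 yes' 'forwardx11trusted yes'
}
sample_upstream_style() {  # ForwardX11 on, ForwardX11Trusted no
    printf '%s\n' 'hostname gui.example' 'forwardx11 yes' 'forwardx11trusted no'
}
sample_off() {             # the trusted flag alone does not enable forwarding
    printf '%s\n' 'hostname gui.example' 'forwardx11 no' 'forwardx11trusted yes'
}

for s in sample_debian_style sample_upstream_style sample_off; do
    printf '%s: %s\n' "$s" "$($s | x11_mode)"
done
# On a real client: ssh -G <host> | x11_mode
```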
Usage
The factual accuracy of this article or section is disputed.
Reason: xhost is generally not needed (Discuss in Talk:OpenSSH#X11 forwarding)
Log on to the remote machine normally, specifying the -X switch if ForwardX11 was not enabled in the client's configuration file:
$ ssh -X user@host
If you receive errors trying to run graphical applications, try ForwardX11Trusted instead:
$ ssh -Y user@host
You can now start any X program on the remote server; the output will be forwarded to your local session:
$ xclock
If you get "Cannot open display" errors, try the following command as the non-root user:
$ xhost +
The above command turns off X access control for the display, so it will allow anybody to forward X11 applications. To restrict forwarding to a particular host, type:
$ xhost +hostname
where hostname is the name of the particular host you want to forward to. See xhost(1) for more details.
Be careful with some applications as they check for a running instance on the local machine. Firefox is an example: either close the running Firefox instance or use the following start parameter to start a remote instance on the local machine:
$ firefox --no-remote
If you get "X11 forwarding request failed on channel 0" when you connect (and the server /var/log/errors.log shows "Failed to allocate internet-domain X11 display socket"), make sure package xorg-xauth is installed. If its installation is not working, try to either:
- enable the AddressFamily any option in sshd_config on the server, or
- set the AddressFamily option in sshd_config on the server to inet.
Setting it to inet may fix problems with Ubuntu clients on IPv4.
To run X applications as another user on the SSH server, you need to xauth add the authentication line taken from the xauth list output of the user who logged in over SSH.
Tip: Here are some useful links for troubleshooting X11 Forwarding issues.