Tunneling X11

From ScorecWiki


To run remote X11 (graphical) applications under Unix, you need two things:

  • an X11 server on your local computer.
  • a means for the application to send the graphical information to your local computer.


X11 server

X11 servers are usually pre-installed on Unix computers (such as Solaris, Linux, etc.). If you see any graphics, you have an X11 server.

Apple provides an X11 application with OS X. Starting with version 10.4, it is on the installation media but usually not installed by default. X11 is available as a free download for previous versions.

A free X11 server for Windows is available through the Cygwin software distribution, which creates a Unix-like work environment for Windows.

X11 client-server communication

All that is needed is that the client be able to exchange UDP packets with the X11 server. If the two are on a local network without firewalls, it is enough to set the DISPLAY environment variable before starting the graphical application. For example, if the X11 server runs on the computer whose IP address is, the following would work:

export DISPLAY=

If the situation is more complicated and the above does not work, the SSH protocol can tunnel (that is, forward) X11 connections at a slight computational cost. As most SSH clients do not tunnel X11 by default, either a command line switch (-X) must be used or a configuration file must be changed.

Command line switch

A command line switch will enable X11 forwarding for the duration of a single SSH session. The command line to use depends on the specific SSH client in use. OpenSSH uses -X. For example:

ssh -X user@jumpgate.scorec.rpi.edu

Configuration file

X11 forwarding can be enabled permanently by making a change to the default configuration file. Two files are used to configure the OpenSSH client:

  • Per-user configuration file $HOME/.ssh/ssh_config
  • System-wide configuration /etc/ssh/ssh_config or /etc/ssh_config

In both cases, the format of the file is the same. To enable X11 forwarding, the file should look like the following:

Host *
 ForwardX11 yes
 Compression yes

While enabling compression is not mandatory, it is recommended due to the bandwidth requirements of X11.

Trusted vs Untrusted forwarding

The X11 security model makes a distinction between trusted and untrusted clients. Without going into much detail, untrusted clients cannot interact with windows and resources owned by trusted clients.

Starting with version 3.8, OpenSSH understands X11 security and does untrusted forwarding by default. While this is more secure, most applications assume they are running as trusted clients and will either not work or crash unexpectedly when run in untrusted mode. It is therefore recommended at this time to configure OpenSSH to do trusted X11 forwarding. This is done in one of two ways:

  • Use the -Y command line switch instead of -X; or
  • Add the following directive to the ssh_config file:
    ForwardX11Trusted yes
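
To check which forwarding mode a host entry actually resolves to once the configuration files are combined, the effective client settings can be read with `ssh -G`. The script below is an added example, not part of the original wiki page; the function names and sample lines are constructed for illustration, and it assumes an OpenSSH client that supports the -G option.

```shell
#!/bin/sh
# Added example (not from the original page).

# x11_mode: read `ssh -G` style "keyword value" lines on stdin and print
# the resulting X11 forwarding mode: off, untrusted or trusted.
# Intended for `ssh -G` output, where each keyword appears exactly once.
x11_mode() {
    awk '
        tolower($1) == "forwardx11"        { fwd = tolower($2) }
        tolower($1) == "forwardx11trusted" { trusted = tolower($2) }
        END {
            if (fwd != "yes")          print "off"
            else if (trusted == "yes") print "trusted"
            else                       print "untrusted"
        }'
}

# audit_hosts: print "<host> <mode>" for every host name or alias given.
# `ssh -G` only evaluates the client configuration; it does not connect.
# A host whose configuration cannot be evaluated is reported as "error"
# instead of being silently counted as "off".
audit_hosts() {
    for h in "$@"; do
        if cfg=$(ssh -G "$h" 2>/dev/null); then
            printf '%s %s\n' "$h" "$(printf '%s\n' "$cfg" | x11_mode)"
        else
            printf '%s error\n' "$h"
        fi
    done
}

# Constructed samples of `ssh -G` output, trimmed to the relevant lines.
sample_off()       { printf '%s\n' 'forwardx11 no'  'forwardx11trusted no'  'compression no'; }
sample_untrusted() { printf '%s\n' 'forwardx11 yes' 'forwardx11trusted no'  'compression yes'; }
sample_trusted()   { printf '%s\n' 'forwardx11 yes' 'forwardx11trusted yes' 'compression yes'; }

# Classify the three constructed samples.
sample_off       | x11_mode
sample_untrusted | x11_mode
sample_trusted   | x11_mode
```

Running `audit_hosts` with the host names you normally connect to shows which entries end up with trusted forwarding.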