X11 Forwarding over SSH: run remote graphical app and display locally

In the modern networked environment, we often wish to run an application on a remote host while we are comfortably logged in on our local computer.

Assuming both machines are Linux-based, and the application runs on the graphical X desktop, the following approaches come to mind:

  • VNC
  • X11 forwarding over SSH

This article focuses only on X11 forwarding. X11 forwarding over SSH enables you to run a remote X app and display it locally, with traffic between the 2 hosts encrypted by SSH.

For X11 forwarding over SSH to work, both the SSH client and SSH server must be properly configured.

X11 forwarding must be enabled on The SSH server side. This is the machine where the application resides. To enable the feature, make sure the X11 configuration file /etc/ssh/sshd_config on the server contains this line:


X11Forwarding yes

If you edit the said file, you need to restart the sshd daemon for the change to take effect.

On Debian or Ubuntu systems, you restart the SSH daemon like this:


$ sudo service ssh restart
[ ok ] Restarting OpenBSD Secure Shell server: sshd.
$

On the ssh client side, you need to run SSH command with the proper parameters. For instance, suppose you want to run the xclock application on the remote SSH server and have it displayed back on the local client.


$ ssh -fX peter@192.168.1.112 xclock
peter@192.168.1.112's password:
$

The -X parameter allows an one-off X11 forwarding session.

The -f parameter instructs the SSH client to go to the background just before xclock is run.

If you want to permanently enable X11 forwarding for an user, insert this line in the user's own ~/.ssh/config file on the local host.


ForwardX11 yes

With X11 forwarding permanently enabled for the client, you can leave out the -X parameter:


$ ssh -f peter@192.168.1.112 xclock
peter@192.168.1.112's password:
$

If X11 forwarding is not enabled on the SSH server, any attempt to tunnel X11 will fail with the following error message:


$ ssh -X peter@192.168.1.112 xclock
peter@192.168.1.112's password:
X11 forwarding request failed on channel 0
Error: Can't open display:
$
If X11 forwarding is properly enabled on the server side, you will see a nice looking clock displayed on your local screen.