Tunneling X over SSH

You like running remote X sessions, but you know that they are completely insecure, so you want to run X over SSH.

Enable X forwarding on the SSH server, in /etc/ssh/sshd_config. Then use the -X flag when you start your SSH session.

Put this line in /etc/ssh/sshd_config on the SSH server:

X11Forwarding yes

Then connect to the server with the -X flag:

$ ssh -X saturn.test.net

Run this command to test that X forwarding is working:

$ echo $DISPLAY
localhost:10.0

If X forwarding were not working, the command would return a blank line. Now you can run any X program installed on the server as though it were local. Try this for a simple test:

$ xeyes

Or run glxgears, or any X program that is installed on the server.

Using SSH for remote X sessions is both simpler and more secure than running a plain-vanilla X session without SSH, which is not secure at all. However, it still carries some risks. Use this to connect only to trusted hosts, because a snoopy admin can easily capture your keystrokes or logins, or even connect to your local desktop and snoop even more. Make sure your local ~/.Xauthority file is mode 600, to prevent unprivileged users on the remote host from also joining in the snooping.

Be sure that these entries are in your local /etc/ssh/ssh_config file and any ~/.ssh/ssh_config files on your system:

Host *
ForwardX11 no
ForwardAgent no

It’s important to ensure that X forwarding is turned off, except when you absolutely need it.
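One way to confirm that these client defaults are really in effect, and that your local ~/.Xauthority has the mode recommended above (an added example, not part of the original recipe). It reads the output of ssh -G, which OpenSSH 6.8 and later use to print the effective client configuration for a host whichever file a setting came from. The function names are hypothetical, and stat -c assumes GNU coreutils on Linux.

```shell
#!/bin/sh
# Added example: audit the client-side settings this recipe recommends.
# Function names are hypothetical; stat -c assumes GNU coreutils (Linux).

# Read `ssh -G <host>` output on stdin. Print every forwarding option whose
# value is not "no". Returns 0 if both are off, 1 if either is on, and 2 if
# the options were not present at all (e.g. ssh failed or is too old for -G).
audit_forwarding() {
    awk '
        $1 == "forwardx11"   { seen_x = 1 }
        $1 == "forwardagent" { seen_a = 1 }
        ($1 == "forwardx11" || $1 == "forwardagent") && $2 != "no" {
            print $1 " " $2
            bad = 1
        }
        END {
            if (!seen_x || !seen_a) exit 2
            exit (bad ? 1 : 0)
        }
    '
}

# Return 0 only if the given Xauthority file exists and is exactly mode 600.
xauth_mode_ok() {
    [ -f "$1" ] && [ "$(stat -c %a "$1")" = "600" ]
}

# Usage: audit_host saturn.test.net
# Checks the defaults that apply when you connect WITHOUT the -X flag.
audit_host() {
    rc=0
    ssh -G "$1" | audit_forwarding || rc=$?
    case $rc in
        0) echo "ok: X11 and agent forwarding are off by default for $1" ;;
        1) echo "warning: forwarding is on by default for $1 (listed above)" ;;
        *) echo "error: could not read effective config (ssh -G failed?)" ;;
    esac
    xauth="${XAUTHORITY:-$HOME/.Xauthority}"
    xauth_mode_ok "$xauth" || echo "warning: $xauth is missing or not mode 600"
}
```

Run audit_host against each host you connect to; a Host block earlier in your configuration can override the Host * defaults, and this reports the result after all files are merged.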

Depending on your physical distance from the remote server and the speed of your network connection, you may notice some lag in your keystrokes or mouse movements, as the X protocol is a bit of a network hog.