Home / server / Questions / 53080
Accepted
lexsys
Asked: 2009-08-12 21:37:44 +0800 CST

How to enable SSH X11 forwarding through additional server?

  • 772

I have hosts A,B and C. From host A I can access through ssh only B. From B I can access C. I want to be able to run X11 programs on C and forward display to A.

I tried this:

A$ ssh -X B
B$ ssh -X C
C$ xclock
Error: Can't open display:

But it doesn't work.

linux ssh x11

8 Answers

  1. Best Answer

    There are several ways to do this, the one I prefer is to forward the ssh port:

    First, connect to machine B and forward [localPort] to C:22 through B

    A$ ssh -L [localPort]:C:22 B

    Next, connect to C from A through this newly-created tunnel using [localPort], forwarding X11

    A$ ssh -X -p [localPort] localhost

    Now we can run X11 programs on C and have them display on A

    C$ xclock

    [localPort] can be any port that you are not already listening to on A, I often use 2222 for simplicity.

    • 33

  2. This can easily be accomplished using port forwarding:

    A$ ssh -NL 2022:C:22 B &
A$ ssh -X -p 2022 localhost
C$ xclock

    Port localhost:2022 is forwarded to C:22 via B SSH to C via localhost:2022 Use X as normal

    • 8

  3. Have you tried with

    A$ ssh -Y B
B$ ssh -Y C
C$ xlclock

    The -Y flag "Enables trusted X11 forwarding."

    • 7

  4. For newer versions opensshd you have to disable X11UseLocalhost for this to work.

    You need to do this on Host C's /etc/ssh/sshd_config and restart sshd for this to work:

    X11Forwarding yes
X11UseLocalhost no
    • 5

  5. Assuming the problem is that the middle machine doesn't have X, but it otherwise configured to allow forwarding X11, just install xauth.

    on a yum-based system (fedora, redhat, centos):

    B$ sudo yum install xauth

    on an apt-based system (debian, ubuntu):

    B$ sudo apt-get install xauth
    • 4

  6. If you often go from A to C, you can configure B as a proxy:

    A:~/.ssh/config:

    Host C
  ForwardX11   yes
  ProxyCommand ssh -W %h:%p B

    then it's just:

    A$ ssh C xclock
    • 3

  7. You could combine -Y/-X command with the -J command line option:

    A$ ssh -Y user@C -J user@B
C$ xclock

    If you have more Hosts to hop than just do the following:

    A$ ssh -Y user@C -J user@B,user@D,...,user@Z
C$ xclock

    From man ssh:

    -J [user@]host[:port]
     Connect to the target host by first making a ssh connection to
     the jump host and then establishing a TCP forwarding to the
     ultimate destination from there.  Multiple jump hops may be
     specified separated by comma characters.  This is a shortcut to
     specify a ProxyJump configuration directive.

    It was introduced in OpenSSH version 7.3 (released in August 2016).

    • 2

  8. You can't forward X11 display if you have X11Forwarding disabled in any sshd you are using.

    man sshd_config:

    X11Forwarding
  Specifies whether X11 forwarding is permitted. The argument must be “yes”
  or “no”.  The default is “no”.

    You have to make sure X11Forwarding is enabled on destination and all intermediate sshds you are using.

    Just a small hint: you should try to use VNC, X11 display forwarding is quite bandwidth consuming.

    • 1