Remote X11 X Windows client forwarding over SSH to local X Server: The definitive guide

No more trying to remember "what did I do the last time" every time I deploy yet another real or virtual Unix/Linux system with X11 graphical gizmos! Here is how to enable X11 display forwarding over a SSH login session.

The local machine runs a SSH client and a X server. The remote machine runs a SSH server and a X client application (e.g. xeyes). From the local SSH client, we log on to the remote SSH server, and forward X11 graphics from clients running on the remote machine to the local X Windows server.

1) The remote machine needs to have xauth installed. This is accomplished with the usual package management commands. For remote systems running Linux, the package managers are invoked using "apt-get install xauth" on Debian-based systems (including ubuntu) or "yum install xauth" on Fedora/RedHat/CentOS based systems.

2) The remote machine needs to have IP forwarding enabled in the kernel. This is achieved by making sure /etc/sysctl.conf has the line "net.ipv4.ip_forward = 1". If not, add this line and execute "sysctl -p" for the kernel to re-read sysctl.conf without rebooting the remote system.

3) The remote machine needs to have the following lines in its SSH server daemon's configuration file /etc/ssh/sshd_config :

    AllowTcpForwarding yes
    X11Forwarding yes
    X11UseLocalhost no

Make sure these lines are there with the indicated parameters and not commented out. If not, edit /etc/ssh/sshd_config accordingly and restart the SSH server on the remote using "systemctl restart ssh", "/etc/init.d/sshd restart" or whatever restarts the sshd daemon on the remote system.

5) Open a terminal on the local machine and allow all remote X clients to connect to the local X server using "xhost +"

6) On the local machine running the X server, start a fresh SSH session and login to the remote system via SSH remembering to include the "-X" switch:
    ssh -X <remote-user>@<remote-host>

7) In the SSH session just established, make sure "X11 forwarding request failed on channel 0" is NOT displayed when you entered the password. Only the ssh banner, or motd, or whatever is configured to be shown when logging on to the remote system is displayed. Also, "Warning: No xauth data; using fake authentication data for X11 forwarding." should NOT be displayed since we installed xauth on the remote system. If either is displayed, something went wrong and you need to delve deeper.

That is all that should be needed. In the established ssh session to the remote system, type in "xclock" or "xeyes" or whatever command you want that needs an X11 windows server and the X Windows application should start up. If you get a "cannot open display", again something went wrong and you need to delve deeper. You should not need to export the DISPLAY environment variable containing <your local IP>:0.0 if X11 forwarding works correctly.

The xeyes X-windows application at the top of this post was captured on a Compaq CQ61 laptop running lubuntu 18 logged in over SSH to a virtual IBM S/390 mainframe also running ubuntu 18/s390x port. Here is a remote xclock X11 client displayed on the local laptop from a remote Raspberry Pi running Raspbian stretch.