We are discussing here how to set up SSH's X11 Forwarding to forward Linux systems X11's display to a X server on Windows, and discuss a few challenges. Just to be clear, our objective is to run X server on the Windows host, and forward Linux systems' display to the X server on the Window host.
- On the Windows host, install a X server, such as, vcXsrv
- On the Linux system, install xauth package, e.g., on Debian or Ubunbu, we run
On Fedora Linux, we runsudo apt-get install xauth
sudo dnf install xorg-x11-xauth
- On the Linux system, check if SSH daemon (sshd)'s X11 Forwarding feature is enabled. To do this, we open /etc/ssh/sshd_config, and look for the following line,
If we don't find this line, we must add it. If this is line is commented out, we must uncomment it. After that we reload SSH daemon's configuration, such as,X11Forwarding yes
sudo systemctl reload sshd
- On Windows host, we run
orssh -Y the_username@the_linux_system
ssh -X the_username@the_linux_system
Remarks
If SSH's X11 Forwarding is successfully set up, there isn't a need to set the DISPLAY variable on the Linux system; otherwise, we aren't doing X11 Forwarding, instead, we just display to a display that isn't local.
The preconditions for X11 Forwarding to work is that we need xauth program on both client and server side, i.e., in our case, xauth must be present on both the Windows system and the Linux system. In fact, vcXsrv comes with a copy of xauth.
Another problem is about access control. In the above set up, we run as a different user from the login user on the Linux system, we will see a "couldn't connect to display" error. For instance, after we log in we can run X11 program without any problem; however, when we run the same program with sudo, we will observe the error. This is actually an access control problem, and this cannot be resolved by running a command like "xhost +" as the login user, because the command like "xhost +" is only about controlling access to the "local" display. This linked post explains very well how we should resolve this, that is, we need to use xhost to add the X11 cookie associated with the remote display set up by the login user to the new user. We repeat the steps outline in the post below,
- After we log in with via SSH with X11 Forwarding, e.g.,
ssh -X the_username@the_linux_system
-
On the Linux system, query the X11 cookie using xauth,
The output looks the following,xauth list $DISPLAY
the_linux/unix:10 MIT-MAGIC-COOKIE-1 123456989abcdef1000011
-
On the Linux system, show the value of the DISPLAY variable
The output may be,echo $DISPLAY
the_linux:10.0
-
On the Linux, become the user we wish to run a GUI program, e.g., to become the root user,
sudo -s
- As the new user, e.g., the root, set the X11 cookie to the one we show in the above, e.g.,
Note that after "add", we simply copy and paste the X11 cookie value that we list before.xauth add the_linux/unix:10 MIT-MAGIC-COOKIE-1 123456989abcdef1000011
-
As the new user, check if the DISPLAY is set and if set, it has the same value as the old user. If not, set it, e.g.,
It is often that this step isn't necessary because it is often set and the value is identical to the one listed under the older user.export DISPLAY=the_linux:10.0