X11 Forwarding from Linux to Windows

We are discussing here how to set up SSH's X11 Forwarding to forward Linux systems X11's display to a X server on Windows, and discuss a few challenges. Just to be clear, our objective is to run X server on the Windows host, and forward Linux systems' display to the X server on the Window host.

1. On the Windows host, install a X server, such as, vcXsrv
2. On the Linux system, install xauth package, e.g., on Debian or Ubunbu, we run

       sudo apt-get install xauth    

   On Fedora Linux, we run

       sudo dnf install xorg-x11-xauth    

3. On the Linux system, check if SSH daemon (sshd)'s X11 Forwarding feature is enabled. To do this, we open /etc/ssh/sshd_config, and look for the following line,

     X11Forwarding yes  

   If we don't find this line, we must add it. If this is line is commented out, we must uncomment it. After that we reload SSH daemon's configuration, such as,

     sudo systemctl reload sshd
   

4. On Windows host, we run

   
       ssh -Y the_username@the_linux_system    

   or

       ssh -X the_username@the_linux_system
       

Remarks

If SSH's X11 Forwarding is successfully set up, there isn't a need to set the DISPLAY variable on the Linux system; otherwise, we aren't doing X11 Forwarding, instead, we just display to a display that isn't local.

The preconditions for X11 Forwarding to work is that we need xauth program on both client and server side, i.e., in our case, xauth must be present on both the Windows system and the Linux system. In fact, vcXsrv comes with a copy of xauth. 

Another problem is about access control. In the above set up, we run as a different user from the login user on the Linux system, we will see a "couldn't connect to display" error. For instance, after we log in we can run X11 program without any problem; however, when we run the same program with sudo, we will observe the error. This is actually an access control problem, and this cannot be resolved by running a command like "xhost +" as the login user, because the command like "xhost +" is only about controlling access to the "local" display. This linked post explains very well how we should resolve this, that is, we need to use xhost to add the X11 cookie associated with the remote display set up by the login user to the new user. We repeat the steps outline in the post below,

1. After we log in with via SSH with X11 Forwarding, e.g.,

   
       ssh -X the_username@the_linux_system
       

2. On the Linux system, query the X11 cookie using xauth,

   
       xauth list $DISPLAY 
       

   The output looks the following,

   
       the_linux/unix:10  MIT-MAGIC-COOKIE-1  123456989abcdef1000011
       

3. On the Linux system, show the value of the DISPLAY variable

   
       echo $DISPLAY
       

   The output may be,

   
       the_linux:10.0
       

4. On the Linux, become the user we wish to run a GUI program, e.g., to become the root user,

   
       sudo -s
       

5. As the new user, e.g., the root, set the X11 cookie to the one we show in the above, e.g.,

   
       xauth add the_linux/unix:10  MIT-MAGIC-COOKIE-1  123456989abcdef1000011
       

   Note that after "add", we simply copy and paste the X11 cookie value that we list before.
6. As the new user, check if the DISPLAY is set and if set, it has the same value as the old user. If not, set it, e.g.,

   
       export DISPLAY=the_linux:10.0
       

   It is often that this step isn't necessary because it is often set and the value is identical to the one listed under the older user.