47

I have hosts A, B and C. From host A I can access only B through ssh. From B I can access C. I want to be able to run X11 programs on C and forward the display to A.

I tried this:

A$ ssh -X B
B$ ssh -X C
C$ xclock
Error: Can't open display:

But it doesn't work.

lexsys
  • 2,993

8 Answers

34

There are several ways to do this; the one I prefer is to forward the ssh port:

First, connect to machine B and forward [localPort] to C:22 through B.

A$ ssh -L [localPort]:C:22 B

Next, connect to C from A through this newly created tunnel using [localPort], forwarding X11.

A$ ssh -X -p [localPort] localhost

Now we can run X11 programs on C and have them display on A.

C$ xclock

[localPort] can be any port that you are not already listening to on A; I often use 2222 for simplicity.

dave
  • 494
8

Have you tried with

A$ ssh -Y B
B$ ssh -Y C
C$ xclock

The -Y flag "Enables trusted X11 forwarding."

pyhimys
  • 1,297
8

This can easily be accomplished using port forwarding:

A$ ssh -NL 2022:C:22 B &
A$ ssh -X -p 2022 localhost
C$ xclock

Port localhost:2022 is forwarded to C:22 via B. SSH to C via localhost:2022. Use X as normal.

slm
  • 8,010
AgentK
  • 411
5

For newer versions of opensshd, you have to disable X11UseLocalhost for this to work.

You need to do this on Host C's /etc/ssh/sshd_config and restart sshd for this to work:

X11Forwarding yes
X11UseLocalhost no
Michael Hampton
  • 252,907
4

Assuming the problem is that the middle machine doesn't have X, but is otherwise configured to allow forwarding X11, just install xauth.

On a yum-based system (fedora, redhat, centos):

B$ sudo yum install xauth

On an apt-based system (debian, ubuntu):

B$ sudo apt-get install xauth
Jayen
  • 1,907
3

If you often go from A to C, you can configure B as a proxy:

A:~/.ssh/config:

Host C
  ForwardX11   yes
  ProxyCommand ssh -W %h:%p B

then it's just:

A$ ssh C xclock
Jayen
  • 1,907
2

You could combine -Y/-X command with the -J command line option:

A$ ssh -Y user@C -J user@B
C$ xclock

If you have more hosts to hop, then just do the following:

A$ ssh -Y user@C -J user@B,user@D,...,user@Z
C$ xclock

From man ssh:

-J [user@]host[:port]
     Connect to the target host by first making a ssh connection to
     the jump host and then establishing a TCP forwarding to the
     ultimate destination from there.  Multiple jump hops may be
     specified separated by comma characters.  This is a shortcut to
     specify a ProxyJump configuration directive.

It was introduced in OpenSSH version 7.3 (released in August 2016).

hamnur
  • 21
1

You can't forward an X11 display if you have X11Forwarding disabled in any sshd you are using.

man sshd_config:

X11Forwarding
  Specifies whether X11 forwarding is permitted. The argument must be “yes”
  or “no”.  The default is “no”.

You have to make sure X11Forwarding is enabled on destination and all intermediate sshds you are using.

Just a small hint: you should try to use VNC; X11 display forwarding is quite bandwidth consuming.

asdmin
  • 2,080
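
A check for the sshd settings named in the answers above (X11Forwarding, X11UseLocalhost), as an added example that is not part of any answer on this page. The function names and both sample configurations are constructed for illustration; it assumes whitespace-separated "Keyword value" lines, reads only the global section, and does not follow Include files.

```shell
#!/bin/sh
# Added example: report the effective global X11 settings in sshd_config text.
# sshd_config keywords are case-insensitive and the first value found wins.
# Assumptions: whitespace-separated "Keyword value" lines; Include files are
# not followed; parsing stops at the first Match block.

# effective_value KEYWORD DEFAULT   (config text on stdin)
effective_value() {
    awk -v key="$1" -v def="$2" '
        BEGIN { k = tolower(key) }
        /^[ \t]*#/ { next }                      # comment line
        tolower($1) == "match" { exit }          # end of global section
        tolower($1) == k { print tolower($2); found = 1; exit }
        END { if (!found) print def }
    '
}

# check_x11 LABEL   (config text on stdin); returns 0 only if forwarding is on
check_x11() {
    cfg=$(cat)
    fwd=$(printf '%s\n' "$cfg" | effective_value X11Forwarding no)
    loc=$(printf '%s\n' "$cfg" | effective_value X11UseLocalhost yes)
    echo "$1: X11Forwarding=$fwd X11UseLocalhost=$loc"
    if [ "$loc" = no ]; then
        echo "$1: X11 proxy display listens on the wildcard address, not loopback"
    fi
    [ "$fwd" = yes ]
}

# Constructed sample for host C: the first X11Forwarding line is the one used.
SAMPLE_C='# constructed sample
Port 22
x11forwarding yes
X11UseLocalhost no
X11Forwarding no
'
# Constructed sample for host B: the only active setting is inside a Match block.
SAMPLE_B='# constructed sample
#X11Forwarding yes
Match User dev
    X11Forwarding yes
'

printf '%s' "$SAMPLE_C" | check_x11 C || echo "C: X11 forwarding is off"
printf '%s' "$SAMPLE_B" | check_x11 B || echo "B: X11 forwarding is off globally"
```

On a live host, `sshd -T` run as root prints the effective configuration in the same "keyword value" form, so its output can be piped into `check_x11` in place of the sample text.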