How to enable or disable X11Forwarding in SSH server
X11Forwarding if enabled in an SSH server will allow a connecting client to tunnel a graphical program executed on the server to be displayed on the client.
Related: How to run GUI application via SSH
There could be some security risk associated with forwarding X or display over SSH but with proper mitigations the risk could be minimised.
X11Forwarding
Specifies whether X11 forwarding is permitted. The argument must be yes or no. The default is no.
When X11 forwarding is enabled, there may be additional exposure to the server and to client displays if the sshd(8) proxy display is configured to listen on the wildcard address (see X11UseLocalhost), though this is not the default. Additionally, the authentication spoofing and authentication data verification and substitution occur on the client side. The security risk of using X11 forwarding is that the client's X11 display server maybe exposed to attack when the SSH client requests forwarding(see the warnings for ForwardX11 in ssh_config(5)). A system administrator may have a stance in which they want to protect clients that may expose themselves to attack by unwittingly requesting X11 forwarding, which can warrant a no setting.
Note that disabling X11 forwarding does not prevent users from forwarding X11 traffic, as users can always install their own forwarders.
X display forwarding could be enabled or disabled by configuring X11Forwarding directive in SSHd configuration file on the SSH server.
Steps to deny or allow X11 forwarding in SSH server:
- Launch your preferred terminal application.
- Open sshd configuration file using favourite text editor.
$ sudo vi /etc/ssh/sshd_config [sudo] password for user:
- Search for X11Forwarding directive and set the option to no to disallow X forwarding and yes to allow.
X11Forwarding no
Add the line if it doesn't already exist and remove the # at the beginning of the line if exists.
- Reload or restart SSH server service for the changes to take effect.
$ sudo systemctl restart sshd
Cloud architect by profession but always consider himself as a developer, entrepreneur and an opensource enthusiast.
Comment anonymously. Login not required.
