X11Forwarding if enabled in an
SSH server will allow a connecting client to tunnel a graphical program executed on the server to be displayed on the client.
There could be some security risk associated with forwarding
X or display over
SSH but with proper mitigations the risk could be minimised.
Specifies whether X11 forwarding is permitted. The argument must be yes or no. The default is no.
When X11 forwarding is enabled, there may be additional exposure to the server and to client displays if the sshd(8) proxy display is configured to listen on the wildcard address (see X11UseLocalhost), though this is not the default. Additionally, the authentication spoofing and authentication data verification and substitution occur on the client side. The security risk of using X11 forwarding is that the client's X11 display server maybe exposed to attack when the SSH client requests forwarding(see the warnings for ForwardX11 in ssh_config(5)). A system administrator may have a stance in which they want to protect clients that may expose themselves to attack by unwittingly requesting X11 forwarding, which can warrant a no setting.
Note that disabling X11 forwarding does not prevent users from forwarding X11 traffic, as users can always install their own forwarders.
X display forwarding could be enabled or disabled by configuring
X11Forwarding directive in
SSHd configuration file on the
sshdconfiguration file using favourite text editor.
$ sudo vi /etc/ssh/sshd_config [sudo] password for user:
X11Forwardingdirective and set the option to
Add the line if it doesn't already exist and remove the
# at the beginning of the line if exists.
SSHserver service for the changes to take effect.
$ sudo systemctl restart sshd
Comment anonymously. Login not required.