X11Forwarding, when enabled in an SSH server, will allow a connecting client to run a graphical program on the server and forward the display to the client's machine.

It's a handy feature, but some administrators choose to disable it because of the associated security risk. Proper mitigations can minimize the risk, so whether to enable X11 forwarding over SSH comes down to a cost-benefit analysis.

X11Forwarding
Specifies whether X11 forwarding is permitted. The argument must be yes or no. The default is no.

When X11 forwarding is enabled, there may be additional exposure to the server and to client displays if the sshd(8) proxy display is configured to listen on the wildcard address (see X11UseLocalhost), though this is not the default. Additionally, the authentication spoofing and authentication data verification and substitution occur on the client side. The security risk of using X11 forwarding is that the client's X11 display server may be exposed to attack when the SSH client requests forwarding (see the warnings for ForwardX11 in ssh_config(5)). A system administrator may have a stance in which they want to protect clients that may expose themselves to attack by unwittingly requesting X11 forwarding, which can warrant a no setting.

Note that disabling X11 forwarding does not prevent users from forwarding X11 traffic, as users can always install their own forwarders.

X display forwarding can be enabled or disabled by setting the X11Forwarding directive in the sshd configuration file on the SSH server.

Steps to deny or allow X11 forwarding in SSH server:

  1. Launch your preferred terminal application.
  2. Open the sshd configuration file using your favourite text editor.
    $ sudo vi /etc/ssh/sshd_config
    [sudo] password for user:
  3. Search for the X11Forwarding directive and set it to no to disallow X forwarding or yes to allow it.
    X11Forwarding no

    Add the line if it doesn't already exist, and remove the # at the beginning of the line if it is commented out.

  4. Reload or restart the SSH server service for the changes to take effect.
    $ sudo systemctl restart sshd
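
A check worth running after the steps above, because sshd uses the first value it obtains for each keyword: an X11Forwarding no added below an existing X11Forwarding yes has no effect, and a Match block can switch forwarding back on for some connections. The script below is an added example, not part of the original article; the function names and the sample file are constructed for illustration, and it reads a single file without following Include directives.

```shell
#!/bin/sh
# Added example: report the X11Forwarding value sshd would take from ONE config file.
# Assumption/limitation: Include directives are not followed.

# Shared awk prologue: strip indentation, turn "Keyword=value" into "Keyword value",
# and skip comments and blank lines.
NORM='{ sub(/^[ \t]+/, "")
        if (match($0, /^[A-Za-z0-9]+[ \t]*=/)) sub(/[ \t]*=[ \t]*/, " ") }
      /^#/ || /^$/ { next }'

# Global value: the first X11Forwarding before any Match block wins; default is no.
effective_x11forwarding() {
    awk "$NORM"'
        tolower($1) == "match" { exit }
        tolower($1) == "x11forwarding" { print $2; found = 1; exit }
        END { if (!found) print "no" }' "$1"
}

# Match blocks that re-enable forwarding for a subset of connections.
x11_match_overrides() {
    awk "$NORM"'
        tolower($1) == "match" { block = $0; next }
        block != "" && tolower($1) == "x11forwarding" && $2 == "yes" { print block }' "$1"
}

# Constructed sample: the later "no" is ignored because "yes" comes first,
# and the commented-out line at the top counts for nothing.
sample=$(mktemp)
cat > "$sample" <<'EOF'
#X11Forwarding no
Port 22
X11Forwarding yes
x11forwarding no
Match User alice
    X11Forwarding yes
EOF
echo "global:    $(effective_x11forwarding "$sample")"
echo "overrides: $(x11_match_overrides "$sample")"
```

On the server itself, sudo sshd -t validates the file before the restart, and sudo sshd -T prints the configuration sshd will actually use, including the x11forwarding line.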