X11Forwarding, when enabled in an SSH server, will allow a connecting client to tunnel a graphical program executed on the server to be displayed on the client.
Related: How to run GUI application via SSH
There could be some security risk associated with forwarding X or display over SSH, but proper mitigations could minimize the risk.
Specifies whether X11 forwarding is permitted. The argument must be yes or no. The default is no.
When X11 forwarding is enabled, there may be additional exposure to the server and to client displays if the sshd(8) proxy display is configured to listen on the wildcard address (see X11UseLocalhost), though this is not the default. Additionally, the authentication spoofing and authentication data verification and substitution occur on the client side. The security risk of using X11 forwarding is that the client's X11 display server maybe exposed to attack when the SSH client requests forwarding(see the warnings for ForwardX11 in ssh_config(5)). A system administrator may have a stance in which they want to protect clients that may expose themselves to attack by unwittingly requesting X11 forwarding, which can warrant a no setting.
Note that disabling X11 forwarding does not prevent users from forwarding X11 traffic, as users can always install their own forwarders.
X display forwarding could be enabled or disabled by configuring X11Forwarding directive in SSHd configuration file on the SSH server.
$ sudo vi /etc/ssh/sshd_config [sudo] password for user:
Add the line if it doesn't already exist and remove the # at the beginning of the line if exists.
$ sudo systemctl restart sshd
Comment anonymously. Login not required.