ssh tunnelling

I always thought that doing X11 tunnelling with ssh would be a hard thing to setup and understand but it turns out to be quite easy.

First of all on the machine being connected to (remotehost) change the sshd_config file to include:
X11Forwarding yes
then kill -HUP the sshd client.

Next when connecting from linux use the following syntax:
ssh -X remotehost
login as usual.

Now try a simple xterm & to see if it works. It went first time for me.

The extended entry contains the html from the page I found this. If it is still working you can reach it here. I copied the source over since this is being hosted on a .edu site and it will likely disappear once the student leaves school.

How to tunnel X over ssh

So I am sure this exists somewhere else on the web, but here is my two cents for what you need to do to get automatic X tunneling.

For instructive purposes, we will use a small scenario to explain what needs to be done. There are two machines names my_local_machine and far_away_machine. my_local_machine is the machine whose local X server that you want to display to and far_away_machine is the machine that you want to run a program on and have it displayed to my_local_machine.

Steps that you need to do:

  1. Make sure that the machine that you are connecting to, far_away_machine, has the following line in its sshd_config file. This file usually lives in either ‘/etc/’ or ‘/etc/ssh’.

    X11Forwarding yes (THIS IS THE LINE THAT YOU NEED)

    If this is not there contact the owner/sysadmin for the far_away_machine and have this line added.

    • If you are using Windows on my_local_machine:

      Get a ssh agent which supports ssh tunneling. I use a nice free open source one which is an extension to Tera Term. It is called TTSSH. So go and get Tera Term and the TTSSH extension and install them. Now turn on the X tunneling. This is done by going into the Setup->SSH Forwarding menu and make sure that the Display remote X applications in local X server is checked. Now save Setup->Save Setup your configuration, use the default name, so that the next time that you run TTSSH you don’t have to recheck that box. There is an equivalent check box for most other windows programs like FSecure, etc.
    • If you are using UNIX/Linux on my_local_machine:

      So for this to work you need to either pass a flag to ssh, notably the -X flag, or set up your systems global ssh_config file to contain:

      ForwardX11 yes

      ssh_config lives in either ‘/etc/’ or ‘/etc/ssh’ on most machines. Also this may not even be needed based on how your ssh client was compiled.

  2. Log into far_away_machine and type ‘xterm &’ or something like that and see the ssh tunneled window appear on my_local_machine‘s screen.

Frequently Asked Questions

  • Q: Does this work through a firewall?

    A: Yes, it should, or at least if ssh works through your firewall, tunneling X through it should work because ssh does a point-to-point encryption of all of your traffic thus when using X Windows over ssh, all of your data uses the same TCP connection that is used for the data that you type. Thus a firewall cannot determine the difference of X traffic and you just typing a lot.

  • Q: If I am running Windows, do I need a local X server to remotely display X traffic to?

    A: Yes, Windows does not currently ship with a local X Windows Server. I personally use Exceed because it is fast, but it is also relatively expensive. If you are looking for a cheaper solution, I know that Mircoimages sells a cheaper one for windows called MI/X for $25 with a free trial. Also, Cygwin has a free port of XFree86 for windows but cygwin might be difficult to install (I haven’t installed Cygwin for years, but I have heard it is much easier to install now).

  • Q: Do I need xauth installed on the far_away_machine?

    A: Yes, I learned this the hard way when trying to follow my own directions and failing on a very minimal system. Once xauth is installed everything works.

If you like this page send me some e-mail at wentzlaf AT

You can also find more contact info for me on my homepage

One thought on “ssh tunnelling”

  1. How did you know I’d be googling for exactly this information just 19 days later?!?

    I don’t usually care to run X on my servers — let alone tunnel it anywhere — but I need to run one setup application which insists on running over X, and I just don’t want to go up that tree.

    (email is actuall 10 letters longer — you can probably guess which 10)

Leave a Reply

Your email address will not be published. Required fields are marked *