Headless X11 Forwarding

Posted by Elliot Segler on Tue 12 April 2016 Updated on Tue 12 April 2016

Install the right packages

Default packages that ship, especially for cloud headless instances or servers isn't going to include a desktop.

There's a reason for that though, you don't want desktop software on servers- it's bad mkaaay?

On the instance you need to run the X session from (the one you are forwarding to) you'll need to install the following packages (from the EPEL repo). The catch is that the EPEL repos currently don't have any packages in the X Windows System package group.

This is OK though, because we only need two packages to make it work. xorg-x11-xauth and xorg-x11-server-utils. Go ahead and install those (or their equivalent packages on your instance)

Enable XForwarding in your SSH server config

You'll need to make sure that you have an X11Forwarding yes stanza enabled in you /etc/ssh/sshd_config file. This file is processed in order, so you can put this at the bottom of the file or alternatively, find the existing line and change it.

At this point I should also mention, when you are using XForwarding I would highly recommend learning the difference between trusted and untrusted forwarding. You can read about that here

If you make changes to your SSH config, back it up first and make sure you restart your SSH daemon afterwards as well.

Connect to your host

Now you should be able to connect to your host and muck around with the X environment...

I'd recommend only enabling XForwarding for the connections you want it on. That's as easy as adding -X to your normal SSH command (or whatever the option is in putty)

Doing this means we should now be getting a DISPLAY environment variable when we are logged in.

[[email protected]] ~ % ssh -X ec2-user@demo-ec2-box       
Last login: Tue Apr 12 02:16:47 2016 from XXX.XXX.XXX.XXX

[[email protected] ~]$ echo $DISPLAY


If you are feeling particularly excited, install something like xclock and the run something like ssh -X [email protected] xclocks.

If you are running xming or an X client, you should get window popup with a clock in it that is running over your SSH session.

Connecting to another host via a jump box

This is also easy.

All you need to do is tunnel the XForwarding SSH session, over an SSH session to your jumpbox.

For example, I can connect to my jumpbox and create a tunnel like below

[[email protected]] ~ % ssh -L8022:myprivatehost:22 [email protected]

This will connect me to the jumpbox and create a TCP tunnel on my laptop listening on port 8022 that connects to the SSH port of my private host.

In the next SSH session, we connect the XForwarding session to the private instance. It's important to keep the other SSH window/session open otherwise the tunnel will close.

[[email protected]] ~ % ssh -X -p 8022 [email protected]

Here we start a new SSH session, with XForwarding enabled, and connect it to localhost on port 8022 - our TCP tunnel.

Again, we can do stuff like muck around with xeyes and it should still work as long as the tunnel is open

[[email protected]] ~ % ssh -X -p 8022 [email protected] xeyes

tags: linux, x11, sysadmin