Home > Memo > SSH X11 Forwarding






SSH X11 Forwarding:

  For Linux or other Unix-like systems, graphical interface / applications rely on the "X" (X window). Thus for a command-line user who wants to start a remote graphical application, he/she will needs a X11 server on the local machine to forward these graphical data through the X11 protocol. And display the result on the local machine.

  Since the X11 transmission is not encrypted, make it vulnerable to snoopers. To solve this problem, we can use the SSH protocol, which encrypts everything in and out, to secure our connections. In the context below, I will show how to set up a "tunnel" for transmitting X11 data over SSH (also known as SSH Tunneling). Please follow these steps:

*These are my personal experience, please let me know if something is not correct!

1.Prepare your SSH client ( Here I use PieTTY, you may also use PuTTY to do the same thing.)

2.The following option in /etc/ssh/sshd_config on your server must be enabled.
 And these extra configurations (for Xming):

 Will automatically set the DISPLAY variable to localhost:10 for you.
 (You need to Enable X11 Forwarding in your pietty/putty.)
 *The SSHD service must be restarted after any modification.

3. Prepare your X windows Server, e.g. ReflectionX / Xming / VNC Viewer / X-Deep. I will show three of them here.

In my own opinion, ReflectionX is easiest to use but it's not a freeware and needs more memory. VNC Viewer is portable, lite, but elaborate. Xming will be a good choice only if the environment is well-configured.

PROS: Easy to use, with screen shot function. CONS: Fat, not a freeware, not portable.
Leave ReflectionX along after startup, login your server with PieTTY and enter:
[Cypresslin@HPC ~] export DISPLAY=YOURIP:0
This line will tell the server to forward X11 to your machine.

For BASH shell users, if you are using your own account, you can add this line into ~/.bashrc, or by using the command: declare -x DISPLAY=YOURIP:0 to set this configuration to be one of your environment variable.
By doing so, you don't have to export it for every login.

(If you are a C-shell user, use setenv DISPLAY YOURIP:0 instead)

If you would like to have ReflectionX minimize to tray, click "View" -> "Hide Taskbar Icon on Minimize":
Now when you minimize it, it will shrink to the system tray: Minimized

Note-test result on my cluster:idt - OK / GrADS 2.0.1 - OK / Vis5D 5.1 - OK / Vis5D+ 1.3.0B - OK

Xming - (memory usage≒15 MB) Official link
PROS: Consumes lesser memory, freeware. CONS: Not portable, needs extra settings on the server.
There are two ways to use it:

If the "X11DisplayOffset" and "X11UseLocalhost" have been set in the sshd_config file:

 Switch to PuTTY mode in your PieTTY:
 PuTTY Mode
 Enter the IP address in the "Session" page, then go to > "Connection" > "SSH" > "X11".
 Tick the "Enable X11 Forwarding" option, location is:
 (Beware, do not load an existed session in the "Session" page AFTER configuring the "X11". Load it first instead, or the modification will be overridden by the configuration in the session that you loaded later.)

 To check whether it works or not, enter: echo $DISPLAY in the terminal to check the DISPLAY variable, it's good to go when you see "localhost:10.0" shows up.

 Note: please commenting out the "export DISPLAY=YOURIP:0" in your ~/.bashrc, the X11UseLocalhost setting will setup the DISPLAY variable for you automatically.

If those two variables mentioned above are not available, and you can't modify it....

 Find the shortcut of Xming in the startup menu after it has been installed, right click on the link →Properties, add "-ac" into the startup parameter box like this:
 "C:\Program Files\Xming\Xming.exe" :0 -clipboard -multiwindow -ac
 This argument will disable the Access Control restrictions, allowing everyone to connect.

WARNING: Due to security concern, only use this argument under a trusted network!

 Just like using the ReflectionX, you don't have to modify the client, but use export DISPLAY=YOURIP:0 instead (to set the environment variable, please refer to this part in ReflectionX).

The following error messages appear with the lack of the "-ac" argument in the startup parameter box:
Xlib: connection to "YOURIP:0.0" refused by server
Xlib: No protocol specified
Error: Can't open display: YOURIP:0


 Note-test result on my cluster: idt - OK / GrADS 2.0.1 - OK / Vis5D 5.1 - OK* / Vis5D+ 1.3.0B -FAILED
 *Fonts needed: Xming-fonts

VNC Viewer - (memory usage≒5 MB) Official Link
PROS: Memory-friendly, freeware, portable. CONS: Complicated to configure.

After login into the server, startup the VNC service by "vncserver" command, and you might see these:


Number "1" means the 1st display screen, it continues when starting another vncserver.
Meanwhile, you might be asked to setup the password for VNC Viewer, if not, try "vncpasswd" to do it.
Open your VNC Viewer, enter the ip address and the port number "ServerIP:5901"
(The port number is 5900+1, plus N for the Nth display screen)

This is how you connect with VNC Viewer (Without SSH tunneling)

In order to protect the connection, you have to do something like those for Xming, switch to the PuTTY mode in your PieTTY, then go to > "Connection" > "SSH" > "Tunnels".
VNC Tunnel

Specify the port that you will allow VNC Viewer to use on your computer. (In this case: 1234)

Enter the server ip and the port number in the "Destination" box. (In this case, the port number is 5901, which is not an arbitrary number as explained above. is the IP address.)

Press the "Add" button to validate these settings. They will be added into the "Forwarded ports" box:
VNC Forwarded Port

Now you can connect to your server, don't forget to start the vncserver.

After that, open the VNC Viewer, use: "" for the server address. The port number here must be the same with the one you setup in the SSH client. But why the address is The X11 data was forwarded to the local machine via your SSH client, so we tell the VNC Viewer to receive those data right on the local machine!

The interface of VNC Viewer is much more different than aforementioned two softwares:
VNC Viewer Screenshot

Reference:透過ssh通道連結家中 ubuntu主機的vnc-server

Note-test result on my cluster:idt - OK / GrADS 2.0.1 - OK / Vis5D 5.1 - OK / Vis5D+ 1.3.0B -FAILED
Note 1: When closing the VNC Viewer, those started applications won't be terminated unless vncserver was stopped.
Note 2: To terminate the vncserver, use "vncserver -kill :1", 1 is for the Nth display screen.

Note: If you are connecting through another proxy server, the X11 forwarding may not work properly. To cope with this, try to add a "-X" parameter to the ssh command when connecting to your server from the proxy server: ssh -X ACCOUNT@SERVERIP (not guaranteed to work every time).

inserted by FC2 system