How to X11 Forwarding using SSH

Servers

In this article, we will show how to do X11 Forwarding with SSH using two Linux machines. Our goal is to run an x11 application on a remote machine. 

Português

For this experiment, imagine that you want to use Firefox on a remote machine to access a website that is blocked on your machine.

In this case, we will use Firefox as an example of an X11 application that we will Forwarding. 

Table Of Contents
  1. Suggested scenario using VirtualBox 
  2. Configuring SSH Server to Allow X11 Forwarding 
  3. Configuring the ssh client to do X11 Forwarding
  4. Running an X11 application
  5. Opening a Game using X11 forwarding
  6. Considerations about X11 Forwarding in SSH 

The scenario below presents 2 machines and a website. On both machines, we have the client machine (MyPC) and the machine with the SSH server (External PC). 

Suggested scenario using VirtualBox 

In this scenario, we will initiate an SSH session from (MyPC) to (External PC). Once the SSH session has started, let’s run Firefox.

However, the Firefox that will be displayed on our screen is the Firefox that is running inside the machine (External PC).

This way, we will use FIrefox from (External PC)  to access a page on the Internet.

Below we present a scenario that can be easily replicated using VirtualBox. In this case, we will raise two virtual machines in VirtualBox.

On the first virtual machine (VM1), we will install the Openssh-server server so that we can access it via SSH. On this first machine, we will use two VirtualBox interfaces.

The first interface, (VM1), will use NAT mode and consequently will be able to access the Internet through the real machine (host). The second interface, from (VM1), will be in internal network mode “Internal Network” and will be used to connect to the second virtual machine (VM2).  

In the second virtual machine (VM2), we will only use one interface in “Internal Network” mode and it will be used to connect to the first virtual machine (VM1). 

Configuring SSH Server to Allow X11 Forwarding 

Initially we will enter the terminal of the machine that has the SSH server installed, the (External PC). Inside the terminal, let’s edit the SSH server configuration file. To do this, we will use the command below.  

sudo nano /etc/ssh/sshd_config 

Inside the “sshd_config” file, go to the end of the configuration file and uncomment the X11Forwarding line and change it to “X11Forwarding yes”. 

X11Forwarding yes

This configuration change will allow X11 forwarding and consequently we will be able to open graphical applications from the remote computer on our machine.  

Then we will save and exit the nano editor using the commands “Ctrl + x” and then “y” + ENTER. 

Now, we need to restart the server. To do this, we can use the commands below.

sudo systemctl restart sshd

If you want, you can use another command below.

sudo service sshd restart

Configuring the ssh client to do X11 Forwarding

Now let’s configure the client (MyPC) so that it can make an SSH connection to the server (External PC).

To do this, we will execute the command line below using the “-X” option which tells SSH that we will have a session with X11 Forwarding.

ssh -X [email protected]

The above command indicates that we are making an SSH session with the characteristics below.

-X” = establishing an SSH session with X11 Forwarding.

redes11” = user we are using to connect to the SSH server machine (External PC).

192.168.10.1” = IP of the SSH server machine (External PC).

After logging in, enter your user password and press ENTER.

Running an X11 application

Now that we are inside the remote machine with the SSH session we established above. Let’s run an application like Firefox.

To do this, let’s execute the command below.

firefox

We can see a message that says “X11 connection rejected because of wrong authentication” and also that there was an error that says “Error: cannot open display“.

How to resolve X11 connection rejected because of wrong authentication“.

To resolve the error “X11 connection rejected because of wrong authentication” let’s configure an environment variable allowing us to run applications that are in the snap.

export XAUTHORITY=$HOME/.Xauthority

Next we will execute the command to open Firefox again.

firefox

Now we can open pages in this browser and the origin of the page request will be from the IP of the (External PC).

Opening a Game using X11 forwarding

Another possibility is to open a game that is only installed on the remote computer (External PC).

If you have not yet connected to (External PC) with the “-X” option, let’s connect to the remote PC using the command below.

ssh -X [email protected]

Next, in the terminal, we will execute the command to open the Pingus game.

pingus

And we will see the Pingus home screen. If you want, you can play, it’s worth it.

Considerations about X11 Forwarding in SSH 

Below we will make some considerations about using X11 Forwarding in SSH to run applications. 

Site blocking and proxy considerations

The first consideration we can make is related to the use of remote machines to access Internet content, such as a browser from an external machine being used to display pages on your machine. 

Now, let’s assume if you have a proxy that blocks some websites and allows SSH traffic. In this case, users on your network could use SSH to do X11 forwarding from a VPS or remote machine to access pages using the remote machine’s browser. Imagine the problem it would be to detect this.

Note that the difficulty in detecting this behavior is directly linked to the encryption used in SSH.

In this way, data that is sent from the remote machine, such as browser exposure, would be encrypted between the remote machine and a user’s machine within the network.

Considerations for applications such as games

Now, let’s imagine that games are prohibited within your company. In this case, users at your company could use X11 Forwarding to play games that are installed on a remote machine or on a VPS and would not need to install the game on the company’s machine.

And it is worth remembering that data that is sent from the remote machine, such as game content, would be encrypted between the remote machine and a user’s machine within the network.

This makes it difficult to identify behavior on the network.

See more:

How to install Ubuntu Server on VirtualBox

Install SSH server Windows 11

OpenVPN Revoke Certificate

Zabbix Appliance on VirtualBox

Zabbix how to monitor Windows

https://ubuntuforums.org/showthread.php?t=2485719

Juliana Mascarenhas

Data Scientist and Master in Computer Modeling by LNCC.
Computer Engineer

Linkedin

Related Posts