SSH X11 Forwarding

To enable X11 forwarding, you must log in with

ssh -X <username>@<host>

SSH supports tunneling of X11 (X Window System) connections. This is useful if you want to open graphical displays from the remote machine on your local computer. To achieve this, an X11 server must be running on your local machine. The X11 connections are then tunneled and automatically encrypted by your SSH client.

This does not work correctly for some types of graphical software (if they need input from keystrokes). In those cases you must use

ssh -Y <username>@<host>

This is not recommended otherwise: -Y enables trusted X11 forwarding, so a program then potentially has access to your local X display to do things like keylogging.

Installing an X11 Server

In order to use X11, you need to have an X11 server running on your local machine. There are both free and commercial X11 servers available for the various operating systems.


  • If you are logged in to a graphical environment (like X), an X11 server is most likely already running.


  • XQuartz - X11 used to be available as an optional package on the install disc, but is now maintained in the XQuartz project.


Several X11 servers are available; here are three that are free.

  • Xming - available for all versions of Windows. May sometimes hang and need restarting.  
  • MobaXterm - SSH client with X11 included. Also includes file browser.
  • Cygwin - available for all versions of Windows. Download setup.exe and make sure you select the following packages (from the 'Select Package' screen - should be available after the initial file downloads):
    • Go to “xorg-X11-base” and click on it to open it and select these files (or just change "skip" to "install"): Under the Graphics group, also select opengl, if you want OpenGL support.

      Then, when the Cygwin X server is installed, start an xterm, type XWin -multiwindow in it, and press Enter. You can now run your SSH client.

Enabling X11 Forwarding in your SSH Client

Once you are running an X11 server, you will need to enable X11 forwarding/tunneling in your SSH client.

The descriptions below cover a few select, but common, clients.

  • "ssh": X11 tunneling should be enabled by default. To be certain it is enabled, you may use ssh -X.
  • PuTTY: Prior to connection, in your connection's options, under "Tunnels", check "Enable X11 forwarding", and save your connection.
  • MobaXterm: X11 is automatically enabled.
  • Secure CRT: Right-click a saved connection, and select "Properties". Expand the "Connection" settings, then go to "Port Forwarding" -> "Remote/X11". Check "Forward X11 packets" and click "OK".

SSH will set the remote environment variable $DISPLAY to "localhost:XX.YY" when this is working correctly. If you had previously set your $DISPLAY environment variable to your local IP or hostname, you must remove any set/export/setenv of this variable from your login scripts. The environment variable $DISPLAY must be left as SSH sets it, which is to a random local port address. Setting $DISPLAY to an IP or hostname will not work.
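As an added example (not part of the original page), the following POSIX shell script, run on the remote machine, classifies the current $DISPLAY value and lists the lines in your login scripts that set it. The function names and the list of login script paths are assumptions made for this illustration.

```sh
#!/bin/sh
# Added example, not from the original page. Run on the remote machine.

# Classify a DISPLAY value: forwarded, unset, local or overridden.
classify_display() {
    case "$1" in
        "")                  echo unset ;;       # no X11 forwarding in this session
        localhost:[0-9]*)    echo forwarded ;;   # form SSH sets, e.g. localhost:10.0
        :[0-9]*|unix:[0-9]*) echo local ;;       # X server on this machine itself
        *)                   echo overridden ;;  # IP/hostname: will not work over SSH
    esac
}

# Print "file:line:text" for each line that sets DISPLAY in the given login
# scripts (export/plain assignment for sh, set/setenv for csh). Comments are skipped.
find_display_overrides() {
    for f in "$@"; do
        [ -r "$f" ] || continue
        # /dev/null forces the file name into the output; no match is not an error.
        grep -nE '^[[:space:]]*((export|set|setenv)[[:space:]]+)?DISPLAY([[:space:]=]|$)' \
            "$f" /dev/null || true
    done
}

# Report on the current session. The script paths are assumed common defaults.
x11_report() {
    state=$(classify_display "${DISPLAY:-}")
    echo "DISPLAY='${DISPLAY:-}' is $state"
    if [ "$state" != forwarded ]; then
        echo "Lines that set DISPLAY in login scripts:"
        find_display_overrides "$HOME/.profile" "$HOME/.bash_profile" \
            "$HOME/.bashrc" "$HOME/.zshrc" "$HOME/.cshrc" "$HOME/.tcshrc" "$HOME/.login"
    fi
}

x11_report
```

A result of "overridden" together with a listed line points to the login-script entry that must be removed; "unset" means forwarding was not enabled in the SSH client.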

Note: If you are logging in with GSSAPI, you must forward your credentials (Kerberos ticket) in order to be able to log in. There is a little about logging in with GSSAPI here.

Updated: 2024-06-11, 11:16