dropdown menu

Using X11 forwarding in SSH

The SSH protocol has the ability to securely forward X Window System applications over your encrypted SSH connection, so that you can run an application on the SSH server machine and have it put its windows up on your local machine without sending any X network traffic in the clear.

In order to use this feature, you will need an X display server for your Windows machine, such as Cygwin/X, X-Win32, or Exceed. This will probably install itself as display number 0 on your local machine; if it doesn't, the manual for the X server should tell you what it does do.

You should then tick the ‘Enable X11 forwarding’ box in the Tunnels panel before starting your SSH session. The ‘X display location’ box is blank by default, which means that PuTTY will try to use a sensible default such as :0, which is the usual display location where your X server will be installed. If that needs changing, then change it.

Now you should be able to log in to the SSH server as normal. To check that X forwarding has been successfully negotiated during connection startup, you can check the PuTTY Event Log. It should say something like this:

2001-12-05 17:22:01 Requesting X11 forwarding
2001-12-05 17:22:02 X11 forwarding enabled

If the remote system is Unix or Unix-like, you should also be able to see that the DISPLAY environment variable has been set to point at display 10 or above on the SSH server machine itself:

fred@unixbox:~$ echo $DISPLAY


Overview of the X server:

I think your problem is a confusion about how X works, so a few clarifications first:

An "X-Server" is a process which handles and manages a certain (physically available) display. This usually runs on a *client*. Think of an "X-Server" as sort of a driver for a graphics card. (X-Server is where the Keyboard, Video & Mouse were attached.)

An "X-Client" is a process which uses an X-Server to display (a window with) some information on it. This usually runs on the server. An example would be "xterm" or "aixterm" or "Mozilla", etc.

To tell your xclient which Xserver to use there is an environment variable DISPLAY, which is set pointing to your Xserver:
export DISPLAY="mymachine.withxserverrunning.com:0.0"

means use the Xserver running on this machine and managing display 0 (there could be several) and use screen 0 (mymachine.withxserverrunning.com:0.1 would be screen 1), since displays could consist of several screens (this is: monitors handled by graphics cards). As you see, unlike in Windoze one doesn't need multiheaded graphics cards with dual (several) monitor capabilities to span a graphical environment over several screens, this can be done by run-of-the-mill X-Servers and windowmanagers running on top of them.

You can run your X-Server directly on ylour server only if you have a graphical terminal (an "lft" ) attached to it. Check in your inventory (man lscfg, man lsdev) to find out if you have one.

If you have none (this is the common case, as servers usually don't come with graphics cards), you will have a machine you work on (if you have to endure common working conditions this is a Windoze machine, if you are lucky this is a real computer running some real OS, Linux or AIX for instance). On this machine (client.yournet.com) you start your X-Server. Start a local X-client (a window), then use some Telnet or similar program to log in to your host (host.yournet.com.

On this host issue issue a "export DISPLAY=client.yournet.com:0.0" and then a "xterm &".

A window should pop up on your display with an xterm. This xterm is not running on your local machine, but on the server. The process on the server only uses your screen (vie your X-Server) to display its content. You can check that by issuing "kill -9 %1" in the first window, which would make the second window vanish.

If it doesn't work as described: issue an "xhost +" on your client machine, X-Windows contains a mechanism to limit access to an X-Servers resource only to a defined group of hosts (which is empty by default), the command will enable any host to use the screen.


X11 forwarding:
(in putty X11 forwarding should be enabled and an X server (e.g. XMING) has to be run)

0. Xming

1. ssh settings:
    in sshd_config (/etc/ssh)set: X11Forwarding yes
    stopsrc -s sshd; startsrc -s sshd

2. install X11
    in /mnt/5300-00/installp/ppc: smitty install:
   -X11.base. (this will install some requisites as well from apps, fonts...)
   -X11.apps    (it contains a startx, xauth, xhost commands)
   do an update to the needed TL level

4. startx

5. then login again:
    ssh -X root@aix40
    it did this: 1356-364 /usr/bin/X11/xauth:  creating new authority file /.Xauthority

5. xclock :)))))
    echo $DISPLAY showed: localhost:10.0 (I did not set it at all)

(export DISPLAY=localhost:10.0 perhaps does not needed at all)
(It happend that under roo xlock worked, but as other user it didn't. After copying .Xauthority file (from root) it worked)


Hostname - where the display physically attached
Number - ID number of the display server on that host machine
Scrreen - number of the screen on that host server

xhost command???


If everything looks OK, but you receive this:

root@bb_lpar: / # xclock
Error: Can't open display:

Probably the only problem,  you did not use -X: ssh -X root@servername.
When I used -X the DISPLAY variable was configured automatically.:
(I did not set up anything, when I used -X I could see this, but prior -X I received an empty line.)

root@bb_lpar: / # echo $DISPLAY


X server problems:
(This is not edited, I received these errors when I tried to config X)

X11.base is needed

errors I have received:
1 .Gtk-WARNING **: cannot open display        <--after setting X11Forwarding yes I received other errors)
someone suggested this:xhost +LOCAL (it gives all non-network connect. access to the display)

2. Gtk-WARNING **: cannot open display: 0.0   <--suggested solution: export DISPLAY=:0.0

3.Xlib: connection to ":0.0" refused by server
Xlib: No protocol specified

After I gave these commands:
xauth list

xclock                                          <--until I gave startx, xclock command did not work

export DISPLAY=localhost:10.0
xhost + localhost
export DISPLAY=


Xlib: connection to "localhost:10.0" refused by server
Xlib: Invalid MIT-MAGIC-COOKIE-1 key
Error: Can't open display: localhost:10.0

root@aix10: / # env

You can see in 'ps -ef' that display :10 is already in use:

root@aix10: / # ps -ef | grep ":10"
    root  643132  123006   0   Nov 10      - 79:10 /etc/ncs/llbd
    root  852170 1458410   0   May 22      -  1:10 /usr/lpp/OV/lbin/eaagt/opcmsga
yyxxxxx  999524 1188014   0 10:45:15      -  0:00 /usr/lpp/CTXSmf/slib/ctxlogin -display :10

Solution is to set in /etc/ssh/sshd_config:
X11DisplayOffset 70

Then displays will be start from 70 and hopefully will not interfere with citrix


When doing ssh -X user@host, I received these:

Warning: untrusted X11 forwarding setup failed: xauth key data not generated
Warning: No xauth data; using fake authentication data for X11 forwarding.

$ xclock
X11 connection rejected because of wrong authentication.
X connection to localhost:11.0 broken (explicit kill or server shutdown).

However xclock with ssh -Y user@host worked fine.

After adding on the client (where I was coming from) into /etc/ssh/ssh_config: "ForwardX11Trusted yes" it worked well with ssh -X. (This line was missing from ssh_config, so I added to it.)



  1. Use -Y on client side to request trusted X11 forwarding!

  2. Maybe it's also a good idea to put the "ForwardX11Trusted yes" into your local config ~/.ssh/config instead of the global one. You can even configure hosts or host groups in your local config with different ssh settings... some with and some without X11 forwarding. There are still people who consider X11 forwarding (=tunneling) a security risk, therefore you should only enable it when you need it.

    1. Good idea, I really appreciate your valuable contribution to this post :)

  3. My sincere thank you for this blog ...it sure help me as I also experienced the same issue.

  4. it is very helpful ....I appreciate your efforts...

    Many Thanks....

  5. Hello,
    I installed Xming and putty and it's working fine as long as I'm logged as root user.
    I can start Xclock and it's displayed immediately on my Windows laptop.
    The issue is when I start Xclock as oracle user (for example to install Oracle Database with the oracle account).
    In that case Xclock is displayed after 1 minute 15 secondes ???

    I assume the difference between root and oracle is int he .profile with different PATH and LIBPATH ?
    How can I find which file, bin or lib, is the issue when I'm logged as oracle ?

    thanks for your help.

  6. Hi

    i have ssh2 installed on my AIX server and enabled X11DisplayOffset 10 and X11Forwarding and X11UseLocalhost enabled too, but still xclock is not working, is this ssh2 issue?

    please help.

  7. thank you for this guide it was very helpful! :)