Problems forwarding X over SSH

by Juliet Kemp

A few weeks back I found that, for some reason, one of my machines wasn't allowing X forwarding over SSH (which is normally run as standard within my local environment, since I have lots of users who at least occasionally run graphical stuff on multiple machines).

The initial error came up as:

xterm Xt error: Can't open display:
xterm: DISPLAY is not set

The obvious test was to try setting $DISPLAY manually (although this would obviously not have been a good permanent solution). New error:

xterm Xt error: Can't open display: localhost:10.0


Digging around online a bit, I found the suggestion of removing the -nolisten tcp option from /etc/X11/xinit/xserverrc. This may well work, but I was unhappy with it, as it didn't match the setup I had on other machines, which were entirely happy with X forwarding.

Eventually, I found the problem: not only do you need X11Forwarding yes in /etc/ssh/sshd_config on the machine you're sshing into, you also need AllowTcpForwarding yes. (And also ForwardX11 yes, or ForwardX11Trusted yes, depending on your security preferences and access requirements, in /etc/ssh/ssh_config on the machine you're sshing from, for the record.)

So fairly straightforward in the end, but took me a few min to disentangle, thus recorded here for others' reference.
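
The checks from the post, plus the UseLogin and xauth points raised in the comments below, gathered into one script. This is an added example, not code from the original post: the function names and the sample config are constructed for illustration, and the defaults it falls back on (X11Forwarding no, AllowTcpForwarding yes, UseLogin no) are assumed to be OpenSSH's documented ones.

```sh
#!/bin/sh
# Added example: audit an sshd_config for the settings the post and comments name.
# effective_value FILE KEYWORD DEFAULT: print the global-section value sshd
# would use (keywords case-insensitive, first occurrence wins, stop at Match).
effective_value() {
    awk -v want="$2" -v dflt="$3" '
        BEGIN { want = tolower(want); val = dflt }
        { line = $0; sub(/^[ \t]+/, "", line) }
        line == "" || line ~ /^#/ { next }
        { sub(/[ \t]*=[ \t]*/, " ", line); split(line, f, /[ \t]+/); key = tolower(f[1]) }
        key == "match" { exit }
        key == want { val = tolower(f[2]); exit }
        END { print val }
    ' "$1"
}

# expect FILE KEYWORD WANTED DEFAULT: report one keyword, count mismatches.
expect() {
    got=$(effective_value "$1" "$2" "$4")
    if [ "$got" = "$3" ]; then echo "ok    $2 $got"
    else echo "FIX   $2 is '$got', want '$3'"; problems=$((problems + 1)); fi
}

# check_x11_forwarding FILE XAUTH_PATH: return the number of problems found.
# The defaults passed below are assumed OpenSSH defaults; check your build.
check_x11_forwarding() {
    problems=0
    expect "$1" X11Forwarding yes no
    expect "$1" AllowTcpForwarding yes yes
    expect "$1" UseLogin no no
    if [ -x "$2" ]; then echo "ok    xauth at $2"
    else echo "FIX   no executable xauth at $2"; problems=$((problems + 1)); fi
    return "$problems"
}

# write_sample FILE: write a constructed config (not taken from a real host).
write_sample() {
    cat > "$1" <<'EOF'
  x11forwarding yes
X11Forwarding no
AllowTcpForwarding=no
UseLogin yes
Match User guest
    X11UseLocalhost no
EOF
}

cfg=$(mktemp); write_sample "$cfg"
check_x11_forwarding "$cfg" /usr/bin/xauth || echo "$? problem(s) found"; rm -f "$cfg"
```

Run it on the machine you are sshing into, pointing check_x11_forwarding at /etc/ssh/sshd_config instead of the sample; settings inside Match blocks are deliberately not evaluated.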

15 Comments

Matt Doar
2006-08-18 10:08:06
Thanks, handy. Did you mean /etc/ssh/sshd_config in the last para?
Caitlyn Martin
2006-08-18 16:59:41
I've run into this myself. Good post.
Juliet
2006-08-19 00:48:08
Matt - doh, yes, I did. Now edited, thanks for pointing it out!
dietrich
2006-08-19 08:36:54
Good Lord.
My Dear Juliet,
May I suggest you try using Freenx (http://freenx.berlios.de/) with a free NX client (www.nomachine.com)?


Don't torture yourself! ;)

Lawrence D'Oliveiro
2006-08-19 18:38:11
There can be security implications with enabling X forwarding by default. Another option might be to explicitly use "ssh -X" when necessary. Most of my SSH connections do not require X forwarding, so this suits me.
Patrick
2006-09-09 05:00:17
Thanks, I had this problem bugging me.


my own two bits - remember to restart sshd after you edit the config file ... whoops.

Ismael
2006-09-13 18:24:23


With security in mind, X11 forwarding is disabled by default on the
Debian stock sshd. Set "X11Forwarding yes" on your
/etc/ssh/sshd_config and restart the server.


# /etc/init.d/ssh restart


Regards, Ismael
--
"Everything swarms with commentaries; of authors there is great scarcity"

Herb Swanson
2006-10-09 02:54:02
It worked great. Thanks for posting the solution and ending my several hours of googling.


Regards


Herb Swanson

Simon
2006-10-10 15:12:03
I also had to make sure xauth was installed - it's part of xbase-clients on debian. Without this, there's no x authentication process. The problem is manifest by lack of a DISPLAY envvar on the remote machine upon login.
Roland Nagtegaal
2007-04-17 07:21:12
One thing that must be present is the /usr/bin/xauth program on the server you want to ssh to. The server I wanted to connect to does not have X installed, and then generally the xauth program is missing too. I discovered the reason by doing ssh -vvv -X .


kind regards,


Roland Nagtegaal

Civil
2007-07-05 12:04:02
This is an excellent post. Please also note that UseLogin must be commented out or set to no in sshd_config since this is not compatible.


debug1: Remote: X11 forwarding disabled; not compatible with UseLogin=yes.


Peace.

Mohammad
2007-08-21 06:13:51
I tried this but it didn't work, and I fixed it by adding xauth packages on Debian Etch.
Robert W
2007-12-28 19:38:38
Thank you for posting this.
Amin Abbasopour
2008-03-12 07:18:15
+1 Simon & Roland
Alexander Borisov
2008-06-03 01:37:07
Thank you