X11 forwarding fails when SSH is misconfigured or missing dependencies. The SSH server cannot establish an X11 tunnel to display graphical applications on your local machine.
This error indicates that the SSH server received a request to forward X11 (the X Window System) graphics connections back to your local machine, but the forwarding failed. X11 forwarding is a feature that allows you to run graphical applications on a remote server and see their windows on your local computer. The error typically occurs on the SSH server-side during the channel setup phase, not on the client-side. It means the server accepted your SSH connection but could not set up the X11 tunnel when you tried to open a graphical application.
The xauth utility is required on the SSH server to handle X11 authentication. Install it based on your Linux distribution:
For Debian/Ubuntu:
sudo apt update
sudo apt install xauthFor RHEL/CentOS/Fedora:
sudo yum install xauth
# or on newer systems:
sudo dnf install xorg-x11-xauthFor Alpine Linux:
apk add xauthAfter installation, verify it's in the PATH:
which xauthThis should output something like /usr/bin/xauth.
Edit the SSH server configuration file on the remote machine:
sudo nano /etc/ssh/sshd_configFind or add these lines (uncomment if they're commented out):
X11Forwarding yes
X11UseLocalhost no
X11DisplayOffset 10Key settings:
- X11Forwarding yes - Enables X11 forwarding
- X11UseLocalhost no - Binds to wildcard address instead of localhost (required for proper forwarding)
- X11DisplayOffset 10 - Starts X display numbering at :10 (optional, default is fine)
After making changes, restart the SSH service:
sudo systemctl restart ssh
# or on other systems:
sudo systemctl restart sshd
# or older systems:
sudo service ssh restartIf the service fails to restart, check syntax with:
sudo sshd -tConnect to the remote server with X11 forwarding enabled:
# Untrusted X11 forwarding (safer, 20 minute timeout)
ssh -X [email protected]
# Trusted X11 forwarding (less secure, no timeout)
ssh -Y [email protected]Once connected, verify the DISPLAY variable is set:
echo $DISPLAYYou should see output like localhost:10.0 or localhost:11.0.
Test with a simple X11 application:
# Run the xeyes window (move to see eyes follow cursor)
xeyes &
# Or try xclock
xclock &If windows appear on your local screen, X11 forwarding is working. Close them with Ctrl+C.
In some cases, IPv6 can interfere with X11 socket binding. Try forcing IPv4-only mode:
Edit /etc/ssh/sshd_config again:
sudo nano /etc/ssh/sshd_configFind or add this line:
AddressFamily inetThis forces SSH to listen only on IPv4. Restart SSH:
sudo systemctl restart sshTry X11 forwarding again. If this fixes it, you can optionally revert to AddressFamily any if you need IPv6 support for other purposes.
SSH automatically sets the DISPLAY environment variable for X11 forwarding. If your shell startup files manually override it, it will break forwarding.
Check your shell configuration files on the remote server:
grep -n "DISPLAY=" ~/.bashrc ~/.bash_profile ~/.zshrc ~/.profile 2>/dev/nullIf you find any DISPLAY assignments, comment them out:
# export DISPLAY=:0 # COMMENTED OUT - Let SSH manage thisThen reconnect and test again.
If you're connecting FROM a Mac, the X11 server (XQuartz) must be properly initialized:
1. Ensure XQuartz is installed:
Download from https://www.xquartz.org/
2. Logout and login again (or reboot) after installing XQuartz so it can register with the system.
3. Verify XQuartz is running:
ps aux | grep Xquartz4. Test with:
ssh -Y [email protected]
xeyesUse -Y (trusted) instead of -X on macOS for better compatibility.
Instead of typing ssh -X every time, add it to your SSH config:
Edit ~/.ssh/config on your LOCAL machine:
nano ~/.ssh/configAdd a host entry:
Host myserver
HostName remote.example.com
User myusername
ForwardX11 yes
ForwardX11Trusted yesNow you can simply connect with:
ssh myserverAnd X11 forwarding will be enabled automatically.
X11 Forwarding Security Notes:
X11 forwarding carries some security implications. The -X flag (untrusted) is safer as it applies restrictions, while -Y (trusted) gives full access. Only use trusted forwarding with servers you control.
SELinux Considerations:
On systems with SELinux enabled, the ssh_t domain must have permissions to manage X11 sockets. If SELinux is blocking X11 forwarding, first confirm it is the cause by checking the audit log for denials:
sudo ausearch -m avc -ts recent | grep sshdPrefer a targeted fix over loosening SELinux globally:
1. Check the relevant boolean (if present) and enable it persistently:
getsebool -a | grep ssh
# e.g. enable X11 forwarding-related access without disabling enforcement:
sudo setsebool -P ssh_chroot_rw_homedirs on # only if applicable to your denial2. If no boolean covers the denial, generate and install a scoped policy module from the exact audit entries:
sudo ausearch -m avc -ts recent | audit2allow -M ssh_x11_local
sudo semodule -i ssh_x11_local.ppReview the generated .te rules before installing so you grant only what the denial requires.
Setting SELinux to permissive mode (setenforce 0) is strongly discouraged: it disables enforcement system-wide to work around one narrow X11 issue, removing protection for every other confined service. Use it only as a temporary diagnostic step to confirm SELinux is the cause, then immediately re-enable enforcement (setenforce 1) and apply a targeted boolean or policy module instead.
Rootless Docker and X11:
If running Docker rootlessly and trying to forward X11 to containers, additional socket mapping is required. The host's X11 socket path (usually /tmp/.X11-unix) must be volume-mounted into containers.
Remote X over SSH with Wayland:
On systems using Wayland instead of X11, traditional X11 forwarding may not work. Consider using VNC or other remote desktop protocols instead.
sign_and_send_pubkey: no mutual signature supported
How to fix "sign_and_send_pubkey: no mutual signature supported" in SSH
Someone could be eavesdropping on you right now (man-in-the-middle attack)!
How to fix SSH man-in-the-middle attack warning in SSH
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@ @ WARNING: UNPROTECTED PRIVATE KEY FILE! @ @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
How to fix "WARNING: UNPROTECTED PRIVATE KEY FILE!" in SSH
sign_and_send_pubkey: signing failed for RSA from agent: agent refused operation
How to fix "sign_and_send_pubkey: signing failed for RSA from agent: agent refused operation" in SSH
Bad owner or permissions on /home/user/.ssh/known_hosts
How to fix "Bad owner or permissions on known_hosts" in SSH