X Protocol Forwarding

The X Window System provides support for graphical display on UNIX systems. X protocol forwarding provides a way to secure the communication between X clients and remote X servers. X forwarding is enabled by default. X forwarding works as follows:

1. If X forwarding is enabled, the Secure Shell client requests X forwarding when it connects to the server.
2. If X forwarding is supported by the server, the server sets itself up as a proxy X server on the server host, and sets the DISPLAY environment variable in the client shell to point to the proxy X display.
3. When you run an X client program on the server host, it connects to the proxy display.
4. The Secure Shell client acts as a proxy X client and connects to the X server on the client host.
5. All X protocol information is sent through the Secure Shell channel.

Working with X11 Settings

The client setting ForwardX11 enables or disables X11 forwarding. (The default is yes.) The client setting TrustX11Applications specifies whether the X server treats forwarded X11 client applications as trusted. (The default is no.)

Under some conditions, the configuration of these settings may affect the launch speed of X client applications. This happens when more than two systems are involved. For example:

System1 runs an X server and the Secure Shell client.
System2 runs an X client application, the Secure Shell client, and the Secure Shell server.
System3 runs an X client application and the Secure Shell server.

When a user makes an ssh connection from System1 to System2 with X11Forwarding=yes (the default) and TrustX11Applications=no (the default), there is no delay in starting X applications.

If the user makes a subsequent ssh connection from the new shell to System3 with X11Forwarding=yes (the default) and TrustX11Applications=no (the default), there will be a long delay (as much as 6 seconds) after the user authenticates during which X applications started from System3 will not be displayed to the X server running on System1. This delay is added by the xauth application as it tries to communicate with the X server and register a new cookie. In order to avoid this delay and run the X applications from System3, set TrustX11Applications=yes for the second connection.

Note: Setting TrustX11Applications=yes for the second connection does not create any additional security risk to the X server running on System1. This is because the xauth application registers into the existing cookie created on System2 by the initial X11 forwarding (done from System1), for which TrustX11Applications=no.