X11 Forwarding (Unix)

X11 forwarding is a special case of remote tunneling.

Tectia Server supports X11 forwarding on Unix platforms. Tectia Client and ConnectSecure support X11 forwarding on both Unix and Windows platforms.

Figure 8.6. X11 forwarding

By default, Tectia Server allows X11 forwarding for all users. To enable X11 forwarding only for specified users, include an entry similar to the following in your ssh-server-config.xml file:

<services>
  <rule group="admins">
    <tunnel-x11 action="allow" />
    ...
  </rule>
  <rule>
    <tunnel-x11 action="deny" />
  </rule>
</services>

On Unix, you can define what type of X11 listener address is used in X11 forwarding. The address type is configured in the settings element by adding the attribute x11-listen-address, which takes the following values:

  • localhost (default) - sets the DISPLAY environment variable to 127.0.0.1:<screen>, where <screen> is the tunneled screen number, typically 10.0. This means that the X11 listener is bound to a loopback address; this setting should be sufficient for most use cases.

  • any - sets the DISPLAY environment variable to <address:screen>, where <address> is the interface to which the SSH session is bound (typically the first network interface) and <screen> is the tunneled screen number, typically 10.0. This setting binds the X11 listener to the 0.0.0.0 (wildcard) interface, thereby allowing connections to the proxy from other hosts. Use this setting on HP-UX systems if you need to tunnel older X11 applications (such as hpterm).

    When x11-listen-address=any, the SO_REUSEADDR socket option is left unset in order to prevent the possibility of session hijacking on some operating systems by other users binding to the same port with a more specific address.

For example:

<params>
  <settings
    x11-listen-address="any" />
</params>  
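
The following audit script is an added example, not part of the Tectia documentation: it reads the elements shown above and reports a wildcard X11 listener and a missing catch-all deny. The sample input and its `<root>` wrapper are constructed, and treating a rule without a group attribute as the catch-all is an assumption drawn from the rule example above.

```python
import xml.etree.ElementTree as ET

# Constructed sample; <root> is a placeholder wrapper, not the real root element.
SAMPLE = """<root>
  <params>
    <settings x11-listen-address="any" />
  </params>
  <services>
    <rule group="admins">
      <tunnel-x11 action="allow" />
    </rule>
    <rule>
      <tunnel-x11 action="deny" />
    </rule>
  </services>
</root>"""

def audit_x11(xml_text):
    """Return (findings, allowed_groups) for the X11 settings in a config."""
    root = ET.fromstring(xml_text)
    findings = []

    # Listener address: the documented default is "localhost" (loopback).
    settings = root.find(".//params/settings")
    listen = "localhost"
    if settings is not None:
        listen = settings.get("x11-listen-address", "localhost")
    if listen == "any":
        findings.append("x11-listen-address=any: X11 listener bound to "
                        "0.0.0.0, reachable from other hosts")
    elif listen != "localhost":
        findings.append(f"x11-listen-address={listen!r}: not a documented value")

    allowed_groups, catch_all_denies = [], False
    for rule in root.findall(".//services/rule"):
        x11 = rule.find("tunnel-x11")
        action = x11.get("action") if x11 is not None else None
        group = rule.get("group")
        if group is None:
            # Assumption: a rule without a group attribute is the catch-all.
            catch_all_denies = catch_all_denies or action == "deny"
        elif action == "allow":
            allowed_groups.append(group)
    if not catch_all_denies:
        findings.append("no catch-all rule denies tunnel-x11: forwarding "
                        "stays allowed for all users (server default)")
    return findings, allowed_groups
```

Run `audit_x11()` on the text of a configuration file; an empty findings list means the listener is on loopback and forwarding is limited to the returned groups.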