X11 Forwarding on MacOS X

Setting up X11 forwading (the ability to run X11 applications on a remote computer) under MacOS X is quite simple. All the required components are already installed with MacOS X, or when you install the X11 package (or any other X11, like XDarwin or OroborOSX.)

These instructions are for a remote MacOS X machine, with substituions for other OSs in teal.

On the server (the remote machine), logged in as root (or using sudo):

Edit /etc/sshd_config (/etc/ssh/sshd_config), replacing the line that says
#X11Forwarding no
to
X11Forwarding yes
Enable Remote Login in the Sharing pane of System Preferences.
If you have already enabled it, make sshd reread the configuration file by issuing the command:
kill -HUP `cat /var/run/sshd.pid`

On the client (your desktop,) in a terminal:

Verify that you can connect with ssh:
ssh remote-host
Run the following command:
ssh -X remote-host /usr/X11R6/bin/xterm

That's it! Nothing else. It really is that simple. See below to make it even easier.

Common Mistakes to Avoid

Do not run xhost +: This has absolutely no benefit for this configuration. SSH takes care of all of that for you. Using xhost + only creates a security hole.
Do not click Apple's X11 Allow connections from network clients preference checkbox.: This has a similar effect to xhost +, and offers no benefit. This really should be a hidden option.
Do not set the DISPLAY on the remote host.: SSH does this for you, and you are only breaking it if you try to set it.
You don't need to be running X11 on the remote machine.: The X11.app on the remote machine doesn't need to be started, and no user needs to be logged in. Technically, you don't even have to have X11 installed on the remote machine, but it would make it difficult to install X11 software without it ;)
Don't specify your password on the command line.: This defeats the purpose of using ssh. Anybody can see your password by running ps. See below for a secure way to connect — without passwords!

Making it even easier to connect

You can make connecting to remote hosts even easier, by making a few changes to your ~/.ssh/config file, and by setting up public key authentication.

Connecting without the -X flag.: Adding an entry in your ~/.ssh/config file, you can connect to the remote host without having to specify -X, or log in as another user.
Connect without a password.: You can connect securely to a remote host without having to type your password by using public key authentication.

Copyright © 2003 Jerry Talkington
The contents of these web pages are licensed under the Open Software License version 1.1.
Any software hosted on this site is subject to the license that accompanies it.