X11 forwarding over SSH on firewalled CentOS host

I had a few issues with X11 forwarding over SSH on one of my CentOS hosts. After a bit of fiddling, I discovered that there were a couple of things I hadn’t taken into account.

I’d set my PuTTY session up to allow X11 forwarding, and set the X display location to “localhost”. On the server, I installed xclock and its dependencies for testing, and set the following in /etc/ssh/sshd_config:

X11Forwarding yes
X11DisplayOffset 10
X11UseLocalhost yes

I restarted sshd; however, this still wasn’t working.

In short, I was missing two things:

1) xauth wasn’t installed. This is required!
2) I wasn’t allowing connections to localhost in my iptables config. This was fixed in my ruleset with:

iptables -A INPUT -i lo -j ACCEPT

sshd was restarted after installing xauth and adding the firewall rule and it now works a treat!

X11 when using sudo

This is mentioned in a previous article, but I thought it was justified to publish it separately, seeing as this has caused so many headaches in the past.

Often, you are handed a server to build your application on, and are temporarily granted root access via sudo to do what you need. Sometimes, you need to run an X11 app as root for an installation routine. This doesn’t work!

How to work around this:

[user@server ~] xauth list
server.localdomain.com/unix:10  MIT-MAGIC-COOKIE-1  58682a5bb5a4f731ae15c186ff3d68f8
[user@server ~] sudo su -
[root@server ~] xauth add [PASTE xauth list OUTPUT HERE]
[root@server ~] xclock &

X11 forwarding will now work properly, assuming that X11Forwarding is allowed in your sshd_config and you have allowed X11 forwarding in your ssh client.
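A scripted version of the workaround above, as an added example that is not part of the original post: it picks only the `xauth list` entry for the current `$DISPLAY`, checks its format, and passes it to root's xauth on stdin instead of pasting the key onto a command line. The function names, the script name and the sample cookies are made up for illustration, and it assumes entries of the `host/unix:N` form shown in the listing.

```sh
#!/bin/sh
# Added example: give root only the cookie for the current forwarded display.

# "localhost:10.0" -> "10"; fails if the value is not host:display[.screen].
display_number() {
    case $1 in *:*) ;; *) return 1 ;; esac
    d=${1##*:}; d=${d%%.*}
    case $d in ''|*[!0-9]*) return 1 ;; esac
    printf '%s\n' "$d"
}

# Reads `xauth list` output on stdin and prints one xauth "add" command for
# display number $1. Fails unless exactly one well-formed entry matches.
cookie_command() {
    want=$1 matches=0 out=
    while read -r name proto key extra; do
        case $name in */unix:"$want") ;; *) continue ;; esac
        [ "$proto" = "MIT-MAGIC-COOKIE-1" ] && [ -z "$extra" ] || return 1
        case $key in *[!0-9a-f]*) return 1 ;; esac   # hex digits only
        [ "${#key}" -eq 32 ] || return 1             # 32 digits, as in the listing
        out="add $name $proto $key"
        matches=$((matches + 1))
    done
    [ "$matches" -eq 1 ] || return 1
    printf '%s\n' "$out"
}

# Constructed sample in the `xauth list` format shown above (not real cookies).
SAMPLE_LIST='server.localdomain.com/unix:10  MIT-MAGIC-COOKIE-1  00112233445566778899aabbccddeeff
server.localdomain.com/unix:11  MIT-MAGIC-COOKIE-1  ffeeddccbbaa99887766554433221100'

# Real use: sh x11-root-cookie.sh --apply   (script name is hypothetical)
if [ "${1:-}" = "--apply" ]; then
    n=$(display_number "${DISPLAY:-}") || { echo "bad DISPLAY" >&2; exit 1; }
    cmd=$(xauth list | cookie_command "$n") || { echo "no unique cookie for :$n" >&2; exit 1; }
    # Feed the command on stdin so the key is not exposed in argv or shell
    # history; -H makes root's xauth write root's own ~/.Xauthority.
    printf '%s\n' "$cmd" | sudo -H xauth source -
fi
```

Root ends up holding a single cookie for the one forwarded display; remove it afterwards with `xauth remove` and the same display name if root no longer needs access.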

Beware that X11 these days can be a bit shaky. If your app crashes, it’s probably worth trying a different X server. From experience, Reflection X on Windows 7 has caused me a lot of pain. Xming and Exceed still work well.