diff --git a/pkg/ssh/server/ssh.go b/pkg/ssh/server/ssh.go
index a1a10f319..7e509ffb3 100644
--- a/pkg/ssh/server/ssh.go
+++ b/pkg/ssh/server/ssh.go
@@ -64,6 +64,9 @@ func NewServer(addr string, hostKey []byte, keys []ssh.PublicKey, workdir string
 
 				return true
 			},
+			X11ForwardingCallback: func(ctx ssh.Context, x11 ssh.X11) bool {
+				return true
+			},
 			ChannelHandlers: map[string]ssh.ChannelHandler{
 				"direct-tcpip":                   ssh.DirectTCPIPHandler,
 				"direct-streamlocal@openssh.com": ssh.DirectStreamLocalHandler,
@@ -171,6 +174,7 @@ func getShell() ([]string, error) {
 
 func (s *Server) handler(sess ssh.Session) {
 	ptyReq, winCh, isPty := sess.Pty()
+	x11Req, isX11 := sess.X11()
 	cmd := s.getCommand(sess, isPty)
 	if ssh.AgentRequested(sess) {
 		// on some systems (like containers) /tmp may not exists, this ensures
@@ -191,6 +195,20 @@ func (s *Server) handler(sess ssh.Session) {
 		cmd.Env = append(cmd.Env, fmt.Sprintf("%s=%s", "SSH_AUTH_SOCK", l.Addr().String()))
 	}
 
+	if isX11 {
+		l, xauth, err := ssh.NewX11Forwarder(x11Req)
+		if err != nil {
+			s.exitWithError(sess, perrors.Wrap(err, "start X11 forwarder"))
+			return
+		}
+
+		defer l.Close()
+		defer os.Remove(xauth.Name())
+		go ssh.ForwardX11Connections(l, xauth, sess)
+		cmd.Env = append(cmd.Env, fmt.Sprintf("%s=%s:%d.0", "DISPLAY", ssh.X11DisplayHost, l.Addr().(*net.TCPAddr).Port - ssh.X11DisplayBasePort))
+		cmd.Env = append(cmd.Env, fmt.Sprintf("%s=%s", "XAUTHORITY", xauth.Name()))
+	}
+
 	// start shell session
 	var err error
 	if isPty {