X11 forwarding support in builtin SSH server

[JunJie-zhang-o]

Bash info

XQuartz version: 2.8.5
orbstack: 0.6.0
macos: 13.3 m1pro

Problem

cannot display gui normally

Config

in Mac, /etc/ssh/sshd_config

$OpenBSD: sshd_config,v 1.104 2021/07/02 05:11:21 dtucker Exp $

# This is the sshd server system-wide configuration file.  See
# sshd_config(5) for more information.

# This sshd was compiled with PATH=/usr/bin:/bin:/usr/sbin:/sbin

# The strategy used for options in the default sshd_config shipped with
# OpenSSH is to specify options with their default value where
# possible, but leave them commented.  Uncommented options override the
# default value.

# This Include directive is not part of the default sshd_config shipped with
# OpenSSH. Options set in the included configuration files generally override
# those that follow.  The defaults only apply to options that have not been
# explicitly set.  Options that appear multiple times keep the first value set,
# unless they are a multivalue option such as HostKey.
Include /etc/ssh/sshd_config.d/*

#Port 22
AddressFamily inet
#ListenAddress 0.0.0.0
#ListenAddress ::

#HostKey /etc/ssh/ssh_host_rsa_key
#HostKey /etc/ssh/ssh_host_ecdsa_key
#HostKey /etc/ssh/ssh_host_ed25519_key

# Ciphers and keying
#RekeyLimit default none

# Logging
#SyslogFacility AUTH
#LogLevel INFO

# Authentication:

#LoginGraceTime 2m
#PermitRootLogin prohibit-password
#StrictModes yes
#MaxAuthTries 6
#MaxSessions 10

#PubkeyAuthentication yes

# The default is to check both .ssh/authorized_keys and .ssh/authorized_keys2
# but this is overridden so installations will only check .ssh/authorized_keys
AuthorizedKeysFile	.ssh/authorized_keys

#AuthorizedPrincipalsFile none

#AuthorizedKeysCommand none
#AuthorizedKeysCommandUser nobody

# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
#HostbasedAuthentication no
# Change to yes if you don't trust ~/.ssh/known_hosts for
# HostbasedAuthentication
#IgnoreUserKnownHosts no
# Don't read the user's ~/.rhosts and ~/.shosts files
#IgnoreRhosts yes

# To disable tunneled clear text passwords, change to no here!
#PasswordAuthentication yes
#PermitEmptyPasswords no

# Change to no to disable s/key passwords
#KbdInteractiveAuthentication yes

# Kerberos options
#KerberosAuthentication no
#KerberosOrLocalPasswd yes
#KerberosTicketCleanup yes
#KerberosGetAFSToken no

# GSSAPI options
#GSSAPIAuthentication no
#GSSAPICleanupCredentials yes

# Set this to 'yes' to enable PAM authentication, account processing,
# and session processing. If this is enabled, PAM authentication will
# be allowed through the KbdInteractiveAuthentication and
# PasswordAuthentication.  Depending on your PAM configuration,
# PAM authentication via KbdInteractiveAuthentication may bypass
# the setting of "PermitRootLogin without-password".
# If you just want the PAM account and session checks to run without
# PAM authentication, then enable this but set PasswordAuthentication
# and KbdInteractiveAuthentication to 'no'.
#UsePAM no

#AllowAgentForwarding yes
#AllowTcpForwarding yes
#GatewayPorts no
X11Forwarding yes
#X11DisplayOffset 10
X11UseLocalhost no
#PermitTTY yes
#PrintMotd yes
#PrintLastLog yes
#TCPKeepAlive yes
#PermitUserEnvironment no
#Compression delayed
#ClientAliveInterval 0
#ClientAliveCountMax 3
#UseDNS no
#PidFile /var/run/sshd.pid
#MaxStartups 10:30:100
#PermitTunnel no
#ChrootDirectory none
#VersionAddendum none

# no default banner path
#Banner none

# override default of no subsystems
#Subsystem	sftp	/usr/libexec/sftp-server

# Example of overriding settings on a per-user basis
#Match User anoncvs
#	X11Forwarding no
#	AllowTcpForwarding no
#	PermitTTY no
#	ForceCommand cvs server

# XAuthLocation added by XQuartz (https://www.xquartz.org)
XAuthLocation /opt/X11/bin/xauth

in linux, /etc/ssh/ssh_config

# This is the ssh client system-wide configuration file.  See
# ssh_config(5) for more information.  This file provides defaults for
# users, and the values can be changed in per-user configuration files
# or on the command line.

# Configuration data is parsed as follows:
#  1. command line options
#  2. user-specific file
#  3. system-wide file
# Any configuration value is only changed the first time it is set.
# Thus, host-specific definitions should be at the beginning of the
# configuration file, and defaults at the end.

# Site-wide defaults for some commonly used options.  For a comprehensive
# list of available options, their meanings and defaults, please see the
# ssh_config(5) man page.

Include /etc/ssh/ssh_config.d/*.conf

Host *
#   ForwardAgent no
#   ForwardX11 no
#   ForwardX11Trusted yes
#   PasswordAuthentication yes
#   HostbasedAuthentication no
#   GSSAPIAuthentication no
#   GSSAPIDelegateCredentials no
#   GSSAPIKeyExchange no
#   GSSAPITrustDNS no
#   BatchMode no
#   CheckHostIP yes
#   AddressFamily any
#   ConnectTimeout 0
#   StrictHostKeyChecking ask
#   IdentityFile ~/.ssh/id_rsa
#   IdentityFile ~/.ssh/id_dsa
#   IdentityFile ~/.ssh/id_ecdsa
#   IdentityFile ~/.ssh/id_ed25519
#   Port 22
#   Ciphers aes128-ctr,aes192-ctr,aes256-ctr,aes128-cbc,3des-cbc
#   MACs hmac-md5,hmac-sha1,umac-64@openssh.com
#   EscapeChar ~
#   Tunnel no
#   TunnelDevice any:any
#   PermitLocalCommand no
#   VisualHostKey no
#   ProxyCommand ssh -q -W %h:%p gateway.example.com
#   RekeyLimit 1G 1h
#   UserKnownHostsFile ~/.ssh/known_hosts.d/%k
    SendEnv LANG LC_*
    HashKnownHosts yes
    GSSAPIAuthentication yes

in linux, ~.bashrc

 ~/.bashrc: executed by bash(1) for non-login shells.
# see /usr/share/doc/bash/examples/startup-files (in the package bash-doc)
# for examples

# If not running interactively, don't do anything
case $- in
    *i*) ;;
      *) return;;
esac

# don't put duplicate lines or lines starting with space in the history.
# See bash(1) for more options
HISTCONTROL=ignoreboth

# append to the history file, don't overwrite it
shopt -s histappend

# for setting history length see HISTSIZE and HISTFILESIZE in bash(1)
HISTSIZE=1000
HISTFILESIZE=2000

# check the window size after each command and, if necessary,
# update the values of LINES and COLUMNS.
shopt -s checkwinsize

# If set, the pattern "**" used in a pathname expansion context will
# match all files and zero or more directories and subdirectories.
#shopt -s globstar

# make less more friendly for non-text input files, see lesspipe(1)
[ -x /usr/bin/lesspipe ] && eval "$(SHELL=/bin/sh lesspipe)"

# set variable identifying the chroot you work in (used in the prompt below)
if [ -z "${debian_chroot:-}" ] && [ -r /etc/debian_chroot ]; then
    debian_chroot=$(cat /etc/debian_chroot)
fi

# set a fancy prompt (non-color, unless we know we "want" color)
case "$TERM" in
    xterm-color|*-256color) color_prompt=yes;;
esac

# uncomment for a colored prompt, if the terminal has the capability; turned
# off by default to not distract the user: the focus in a terminal window
# should be on the output of commands, not on the prompt
#force_color_prompt=yes

if [ -n "$force_color_prompt" ]; then
    if [ -x /usr/bin/tput ] && tput setaf 1 >&/dev/null; then
	# We have color support; assume it's compliant with Ecma-48
	# (ISO/IEC-6429). (Lack of such support is extremely rare, and such
	# a case would tend to support setf rather than setaf.)
	color_prompt=yes
    else
	color_prompt=
    fi
fi

if [ "$color_prompt" = yes ]; then
    PS1='${debian_chroot:+($debian_chroot)}\[\033[01;32m\]\u@\h\[\033[00m\]:\[\033[01;34m\]\w\[\033[00m\]\$ '
else
    PS1='${debian_chroot:+($debian_chroot)}\u@\h:\w\$ '
fi
unset color_prompt force_color_prompt

# If this is an xterm set the title to user@host:dir
case "$TERM" in
xterm*|rxvt*)
    PS1="\[\e]0;${debian_chroot:+($debian_chroot)}\u@\h: \w\a\]$PS1"
    ;;
*)
    ;;
esac

# enable color support of ls and also add handy aliases
if [ -x /usr/bin/dircolors ]; then
    test -r ~/.dircolors && eval "$(dircolors -b ~/.dircolors)" || eval "$(dircolors -b)"
    alias ls='ls --color=auto'
    #alias dir='dir --color=auto'
    #alias vdir='vdir --color=auto'

    alias grep='grep --color=auto'
    alias fgrep='fgrep --color=auto'
    alias egrep='egrep --color=auto'
fi

# colored GCC warnings and errors
#export GCC_COLORS='error=01;31:warning=01;35:note=01;36:caret=01;32:locus=01:quote=01'

# some more ls aliases
alias ll='ls -alF'
alias la='ls -A'
alias l='ls -CF'

# Add an "alert" alias for long running commands.  Use like so:
#   sleep 10; alert
alias alert='notify-send --urgency=low -i "$([ $? = 0 ] && echo terminal || echo error)" "$(history|tail -n1|sed -e '\''s/^\s*[0-9]\+\s*//;s/[;&|]\s*alert$//'\'')"'

# Alias definitions.
# You may want to put all your additions into a separate file like
# ~/.bash_aliases, instead of adding them here directly.
# See /usr/share/doc/bash-doc/examples in the bash-doc package.

if [ -f ~/.bash_aliases ]; then
    . ~/.bash_aliases
fi

# enable programmable completion features (you don't need to enable
# this, if it's already enabled in /etc/bash.bashrc and /etc/profile
# sources /etc/bash.bashrc).
if ! shopt -oq posix; then
  if [ -f /usr/share/bash-completion/bash_completion ]; then
    . /usr/share/bash-completion/bash_completion
  elif [ -f /etc/bash_completion ]; then
    . /etc/bash_completion
  fi
fi

export DISPLAY=:0

in linux, Already installed xauth（x11-apps）.

operate

When I use the following command ssh -X -v Ubuntu-Arm@orb, it shows

jay:jay/ $ ssh -X -v Ubuntu-Arm@orb                                                                [20:53:08]
OpenSSH_9.0p1, LibreSSL 3.3.6
debug1: Reading configuration data /Users/jay/.ssh/config
debug1: Reading configuration data /Users/jay/.orbstack/ssh/config
debug1: /Users/jay/.orbstack/ssh/config line 1: Applying options for orb
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: /etc/ssh/ssh_config line 21: include /etc/ssh/ssh_config.d/* matched no files
debug1: /etc/ssh/ssh_config line 54: Applying options for *
debug1: /etc/ssh/ssh_config line 58: Applying options for *
debug1: Authenticator provider $SSH_SK_PROVIDER did not resolve; disabling
debug1: Executing proxy dialer command: exec '/Applications/OrbStack.app/Contents/MacOS/OrbStack Helper (VM)' ssh-proxy-fdpass
debug1: identity file /Users/jay/.orbstack/ssh/id_ed25519 type 3
debug1: identity file /Users/jay/.orbstack/ssh/id_ed25519-cert type -1
debug1: Local version string SSH-2.0-OpenSSH_9.0
debug1: Remote protocol version 2.0, remote software version Go
debug1: compat_banner: no match: Go
debug1: Authenticating to 127.0.0.1:32222 as 'Ubuntu-Arm'
debug1: load_hostkeys: fopen /Users/jay/.ssh/known_hosts2: No such file or directory
debug1: load_hostkeys: fopen /etc/ssh/ssh_known_hosts: No such file or directory
debug1: load_hostkeys: fopen /etc/ssh/ssh_known_hosts2: No such file or directory
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: algorithm: curve25519-sha256
debug1: kex: host key algorithm: ssh-ed25519
debug1: kex: server->client cipher: chacha20-poly1305@openssh.com MAC: <implicit> compression: none
debug1: kex: client->server cipher: chacha20-poly1305@openssh.com MAC: <implicit> compression: none
debug1: expecting SSH2_MSG_KEX_ECDH_REPLY
debug1: SSH2_MSG_KEX_ECDH_REPLY received
debug1: Server host key: ssh-ed25519 SHA256:2vx71mEbMSkrkrk2MN4Ior1VtrxO16FwV9mTSkraFmQ
debug1: load_hostkeys: fopen /Users/jay/.ssh/known_hosts2: No such file or directory
debug1: load_hostkeys: fopen /etc/ssh/ssh_known_hosts: No such file or directory
debug1: load_hostkeys: fopen /etc/ssh/ssh_known_hosts2: No such file or directory
debug1: Host '[127.0.0.1]:32222' is known and matches the ED25519 host key.
debug1: Found key in /Users/jay/.ssh/known_hosts:1
debug1: rekey out after 134217728 blocks
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: rekey in after 134217728 blocks
debug1: get_agent_identities: bound agent to hostkey
debug1: get_agent_identities: ssh_fetch_identitylist: agent contains no identities
debug1: Will attempt key: /Users/jay/.orbstack/ssh/id_ed25519 ED25519 SHA256:d1/SV2l4AzHNIxZDJk0Jk9bHhFdoPmrceDYJ9l03BaA explicit
debug1: SSH2_MSG_EXT_INFO received
debug1: kex_input_ext_info: server-sig-algs=<ssh-ed25519,sk-ssh-ed25519@openssh.com,sk-ecdsa-sha2-nistp256@openssh.com,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,rsa-sha2-256,rsa-sha2-512,ssh-rsa,ssh-dss>
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey
debug1: Next authentication method: publickey
debug1: Offering public key: /Users/jay/.orbstack/ssh/id_ed25519 ED25519 SHA256:d1/SV2l4AzHNIxZDJk0Jk9bHhFdoPmrceDYJ9l03BaA explicit
debug1: Server accepts key: /Users/jay/.orbstack/ssh/id_ed25519 ED25519 SHA256:d1/SV2l4AzHNIxZDJk0Jk9bHhFdoPmrceDYJ9l03BaA explicit
Authenticated to 127.0.0.1 ([127.0.0.1]:32222) using "publickey".
debug1: channel 0: new [client-session]
debug1: Entering interactive session.
debug1: pledge: exec
debug1: Requesting X11 forwarding with authentication spoofing.
debug1: Sending environment.
debug1: channel 0: setting env LC_TERMINAL = "iTerm2"
debug1: channel 0: setting env LC_TERMINAL_VERSION = "3.4.19"
X11 forwarding request failed on channel 0
jay@Ubuntu-Arm:~$ echo $DISPLAY
:0
jay@Ubuntu-Arm:~$ xclock
Error: Can't open display: :0
jay@Ubuntu-Arm:~$

When I use the following command ssh -Y -v Ubuntu-Arm@orb, it shows

jay:jay/ $ ssh -Y -v Ubuntu-Arm@orb                                                                [20:55:09]
OpenSSH_9.0p1, LibreSSL 3.3.6
debug1: Reading configuration data /Users/jay/.ssh/config
debug1: Reading configuration data /Users/jay/.orbstack/ssh/config
debug1: /Users/jay/.orbstack/ssh/config line 1: Applying options for orb
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: /etc/ssh/ssh_config line 21: include /etc/ssh/ssh_config.d/* matched no files
debug1: /etc/ssh/ssh_config line 54: Applying options for *
debug1: /etc/ssh/ssh_config line 58: Applying options for *
debug1: Authenticator provider $SSH_SK_PROVIDER did not resolve; disabling
debug1: Executing proxy dialer command: exec '/Applications/OrbStack.app/Contents/MacOS/OrbStack Helper (VM)' ssh-proxy-fdpass
debug1: identity file /Users/jay/.orbstack/ssh/id_ed25519 type 3
debug1: identity file /Users/jay/.orbstack/ssh/id_ed25519-cert type -1
debug1: Local version string SSH-2.0-OpenSSH_9.0
debug1: Remote protocol version 2.0, remote software version Go
debug1: compat_banner: no match: Go
debug1: Authenticating to 127.0.0.1:32222 as 'Ubuntu-Arm'
debug1: load_hostkeys: fopen /Users/jay/.ssh/known_hosts2: No such file or directory
debug1: load_hostkeys: fopen /etc/ssh/ssh_known_hosts: No such file or directory
debug1: load_hostkeys: fopen /etc/ssh/ssh_known_hosts2: No such file or directory
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: algorithm: curve25519-sha256
debug1: kex: host key algorithm: ssh-ed25519
debug1: kex: server->client cipher: chacha20-poly1305@openssh.com MAC: <implicit> compression: none
debug1: kex: client->server cipher: chacha20-poly1305@openssh.com MAC: <implicit> compression: none
debug1: expecting SSH2_MSG_KEX_ECDH_REPLY
debug1: SSH2_MSG_KEX_ECDH_REPLY received
debug1: Server host key: ssh-ed25519 SHA256:2vx71mEbMSkrkrk2MN4Ior1VtrxO16FwV9mTSkraFmQ
debug1: load_hostkeys: fopen /Users/jay/.ssh/known_hosts2: No such file or directory
debug1: load_hostkeys: fopen /etc/ssh/ssh_known_hosts: No such file or directory
debug1: load_hostkeys: fopen /etc/ssh/ssh_known_hosts2: No such file or directory
debug1: Host '[127.0.0.1]:32222' is known and matches the ED25519 host key.
debug1: Found key in /Users/jay/.ssh/known_hosts:1
debug1: rekey out after 134217728 blocks
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: rekey in after 134217728 blocks
debug1: get_agent_identities: bound agent to hostkey
debug1: get_agent_identities: ssh_fetch_identitylist: agent contains no identities
debug1: Will attempt key: /Users/jay/.orbstack/ssh/id_ed25519 ED25519 SHA256:d1/SV2l4AzHNIxZDJk0Jk9bHhFdoPmrceDYJ9l03BaA explicit
debug1: SSH2_MSG_EXT_INFO received
debug1: kex_input_ext_info: server-sig-algs=<ssh-ed25519,sk-ssh-ed25519@openssh.com,sk-ecdsa-sha2-nistp256@openssh.com,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,rsa-sha2-256,rsa-sha2-512,ssh-rsa,ssh-dss>
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey
debug1: Next authentication method: publickey
debug1: Offering public key: /Users/jay/.orbstack/ssh/id_ed25519 ED25519 SHA256:d1/SV2l4AzHNIxZDJk0Jk9bHhFdoPmrceDYJ9l03BaA explicit
debug1: Server accepts key: /Users/jay/.orbstack/ssh/id_ed25519 ED25519 SHA256:d1/SV2l4AzHNIxZDJk0Jk9bHhFdoPmrceDYJ9l03BaA explicit
Authenticated to 127.0.0.1 ([127.0.0.1]:32222) using "publickey".
debug1: channel 0: new [client-session]
debug1: Entering interactive session.
debug1: pledge: exec
debug1: Requesting X11 forwarding with authentication spoofing.
debug1: Sending environment.
debug1: channel 0: setting env LC_TERMINAL = "iTerm2"
debug1: channel 0: setting env LC_TERMINAL_VERSION = "3.4.19"
X11 forwarding request failed on channel 0
jay@Ubuntu-Arm:~$ echo $DISPLAY
:0
jay@Ubuntu-Arm:~$ xclock
Error: Can't open display: :0
jay@Ubuntu-Arm:~$

Additional information

Ask for help and give an example to other friends

[kdrag0n]

OrbStack's builtin SSH server doesn't support X11 forwarding. You'll have to run your own OpenSSH server for now.

[JunJie-zhang-o]

I have installed openssh server on Linux, but I can't pass the mac ping successful Linux address.

[kdrag0n]

Direct access to machines by IP isn't implemented yet — see #89. Connect to it via localhost instead.

https://docs.orbstack.dev/machines/network#running-servers

[NickelLiang]

Not sure if this will help your use case or not, but when I run a VM and want to display xclock on my mac, I set export DISPLAY=host.internal as suggested. Maybe this should also be mentioned in the VM section here?

[JunJie-zhang-o]

Not sure if this will help your use case or not, but when I run a VM and want to display xclock on my mac, I set export DISPLAY=host.internal as suggested. Maybe this should also be mentioned in the VM section here?

Now, I can display xclock correctly, but in my application, it can't display normally like wsl. I'm trying to find out the reason.

[NickelLiang]

If x11-apps like xclock works fine but your application does not, maybe you can also try XRDP as suggested here or VNC to view the entire desktop. It could be an X11 issue with your specific application.

[JunJie-zhang-o]

If x11-apps like xclock works fine but your application does not, maybe you can also try XRDP as suggested here or VNC to view the entire desktop. It could be an X11 issue with your specific application.

On wsl2, he can work well with xming, but on orb, there will be some problems. I suspect it is a problem with architecture, and I will try more.

At least for now, I think there is still a gap between orb and wsl experience, but I am optimistic.

I believe that it can be seamlessly integrated with vscode in the future, and the corresponding configuration will be more convenient and faster, which will enhance the user experience.

I like the workflow of wsl & terminal & vscode very much, and I hope orb can be implemented earlier.

[NickelLiang]

You can use VSCode with the SSH plugin as suggested here, and that's what I'm using right now.

And I agree that I'm very optimistic about OrbStack. Right now I'm using some fairly heavy applications (Vivado, Cadence, etc.) that I never expect to be able to run on macOS before.

[JunJie-zhang-o]

You can use VSCode with the SSH plugin as suggested here, and that's what I'm using right now.

And I agree that I'm very optimistic about OrbStack. Right now I'm using some fairly heavy applications (Vivado, Cadence, etc.) that I never expect to be able to run on macOS before.

yeah，remote-ssh can be used，When I use the code command in orb vm, I can't open the vm folder directly, but on the mac. I think this can also be optimized to improve the experience.

When I saw that orb could realize the function of wsl, I couldn't wait to buy a mac. I liked my first mac very much, but now I can't completely migrate my work to mac.

[eric1932]

OrbStack's builtin SSH server doesn't support X11 forwarding. You'll have to run your own OpenSSH server for now.

Installing a standalone openssh-server works for me. Set the sshd port to 2222 and simply connect with ssh -X -p 2222 localhost. Not tested on other applications but at least I can see xeyes working.

[SalvatoreT]

Can someone give a quick summary on how to get X11 forwarding working? I've installed XQuartz, tried replicating the configuration from the top, but I'm still seeing the "forwarding request failed issue".

❯ ssh -Y -v orb
OpenSSH_9.0p1, LibreSSL 3.3.6
...
Authenticated to 127.0.0.1 ([127.0.0.1]:32222) using "publickey".
debug1: channel 0: new [client-session]
debug1: Entering interactive session.
debug1: pledge: exec
debug1: Requesting X11 forwarding with authentication spoofing.
debug1: Sending environment
....
X11 forwarding request failed on channel 0

Mac: sshd_config.txt
Ubuntu: ubuntu_sshd_config.txt

[kdrag0n]

@SalvatoreT orb is the builtin SSH server, which doesn't support X11 forwarding. You'll have to install a custom OpenSSH server in the machine and connect to it on localhost instead.