Last updated on October 23, 2020 by Dan Nanni
When you are running X applications over SSH, the encryption/decryption overhead of the SSH protocol may slow down the rendering of remotely running X applications. Furthermore, if an SSH session is established over a wide area network, X11 forwarding over SSH may become even slower due to network latency and throughput limitation.
In this tutorial, I will describe some tips on how to speed up X11 forwarding in SSH over wide area networks.
There are two ways to boost the performance of X11 forwarding via SSH.
First, you can use the compression option of OpenSSH client. With
-C option, OpenSSH client will compress all data exchanged over SSH, including
stderr and forwarded X11 sessions.
You can also consider using less computation-heavy ciphers in SSH, so that less time is spent during encryption/decryption. The default
AES cipher used by OpenSSH is known to be slow.
An independent study shows that
blowfish ciphers are faster than
AES, as shown below. According to SSH man page,
blowfish is a fast block cipher which is also very secure. Meanwhile,
arcfour stream cipher is known to be more vulnerable than common block ciphers. So use caution when using
To speed up X11 forwarding by using the above tips, you can SSH to a remote host as follows.
$ ssh -XC -c blowfish-cbc,arcfour [email protected]_host.com
Alternatively, you can specify these options in an SSH configuration file.
To edit a system-wide SSH configuration file:
$ sudo vi /etc/ssh/ssh_config
To edit a per-user SSH configuration file:
$ vi ~/.ssh/config
In either SSH configuration file, add the following:
Host remote_host.com Compression yes ForwardX11 yes Ciphers blowfish-cbc,arcfour
Then you can SSH to the remote host without using any command-line option:
$ ssh [email protected]_host.com
Note that there are some caveats in switching to a different cipher in SSH. First, the performance of a particular cipher may vary across different processor architecture. For instance, recent generations of Intel processors (e.g., Intel i5, i7, Xeon) come with hardware support for AES (e.g., AES-NI), in which case (hardware-accelerated) AES would be much faster than the rest.
Second, if the network over which X11 forwarding is established is extremely slow, then the bottleneck of X11 forwarding is actually the network, not the CPU. In this case, the performance of X11 forwarding would not be affected whichever cipher you are using.
Please note that this article is published by Xmodulo.com under a Creative Commons Attribution-ShareAlike 3.0 Unported License. If you would like to use the whole or any part of this article, you need to cite this web page at Xmodulo.com as the original source.