Best SSH options for X11 forwarding

Many versions of SSH, including the extremely common OpenSSH, provide support a feature known as “X11 forwarding.”

Say on you are on one computer running an X server. You want to be able to run a GUI program on another computer (to, say, access files on it), but display the program on the computer you’re sitting at. SSH’s X11 forwarding lets you do this easily in one command, without having to worry about firewalls and permissions.

But it’s a bit slow. There are several options to SSH that you can use to make things faster.

The “-c” option allows selection of cipher for a connection. The default AES cipher is extremely slow: you can get much better performance out of the arcfour and blowfish ciphers. I’ve noticed arcfour to perform the best, but there have been legitimate complaints in the cryptography community about whether or not it is “secure.” If your paramount concern is security, go with blowfish, as it can be just as fast.

The “-C” option enables compression for an SSH connection. On anything but LAN links, compression can make a big difference. SSH performs packet-based compression. That is, it can only compress the data immediately available to it, whatever may be contained in the packet it is currently processing. This immediately limits how much compression can be done, and results in bad compression ratios. But it is usually better than nothing.

All this can be incorporated into a simple bash alias:

alias ssh-x='ssh -c arcfour,blowfish-cbc -XC'

To run a program “xterm” on machine “” but display its GUI on the local machine, simply run:

ssh-x xterm

Like this article? Please support my writing! Flattr my blog (see my thoughts on Flattr), tip me via PayPal, or send me an item from my Amazon wish list.


Emanuel Heitlinger's picture

Wow, this works great! It just reduced the time needed to load graphics output from an emacs-ess R-session on a remote machine from ~40s to under ~1s.

Is -c arcfour,blowfish-cbc still good practice in 2009?


Samat's picture

AFAIK yes, these are still the best settings to use. There have not been any better performing ciphers added to SSH.

A Ubuntu bug report (#54180) also has some benchmarks. Copied from that page:

3des-cbc 22.6 MB/s
aes128-cbc 63.8 MB/s
aes192-cbc 67.6 MB/s
aes256-cbc 67.4 MB/s
aes128-ctr 74.9 MB/s
aes192-ctr 73.6 MB/s
aes256-ctr 73.3 MB/s
arcfour128 109 MB/s
arcfour256 108 MB/s
arcfour 107 MB/s
blowfish-cbc 75.0 MB/s
cast128-cbc 62.0 MB/s
Anonymous Visitor's picture

I will have a look when I want to dig deeper into ssh ciphers. For the meantime your your solution just works great. That is what a howto should be: one line of code solving the problem, and just enough accompanying information to trust the solution. So thanks again!

Ivan's picture

Instead of making an alias, you can also store the cipher settings in your ~/.ssh/config file.

In there, you can either specify all your SSH hosts to use the cipher settings or just have some of your SSH hosts use the ‘fast’ ciphers. For example:

Host * Compression yes

Host ForwardX11 yes Ciphers arcfour,blowfish-cbc

Anonymous Visitor's picture

Thanks so much! Really noticable difference, this makes X11 tunnelling way more useful!