# SSH Agent & X11 Forwarding

Two classic SSH features that Tempest exposes as one-click toggles in the host edit form: **agent forwarding** (use your local SSH keys on the remote host without copying them) and **X11 forwarding** (run remote GUI applications on your local desktop).

## SSH agent forwarding

When you enable agent forwarding, processes on the remote host can use *your local* SSH keys for outbound SSH — without ever transferring the private keys. The remote `ssh` invocation talks to your local agent through a forwarded Unix socket.

The classic use case: you SSH into a bastion, then `git pull` from a private repo that requires your SSH key. Without agent forwarding you'd have to copy your key onto the bastion (insecure). With it, the `git` invocation transparently uses your laptop's key.

### Enable in Tempest

1. Edit your SSH host → **Agent Forwarding** → on.
2. Optional: **Agent Path** — point at a specific socket. Useful for:
   * **1Password SSH agent** — `~/.1password/agent.sock` (macOS) or `\\.\pipe\openssh-ssh-agent` (Windows)
   * Self-managed `ssh-agent` — wherever `$SSH_AUTH_SOCK` points
3. Save and reconnect.

Once connected, on the remote: `ssh-add -L` should list your local keys, and `ssh other-host` should work.

### 1Password SSH agent integration

Tempest works seamlessly with **1Password's SSH agent**: point Tempest at the 1Password agent socket and your SSH keys are protected by Touch ID, never stored on disk, and synced via your 1Password vault. Each SSH auth attempt prompts 1Password to confirm.

### Pro feature

Agent forwarding is part of **Tempest Pro**.

### Security notes

* Agent forwarding lets *any process on the remote* request a signature from your local agent while you're connected. Don't enable it on hosts you don't fully trust.
* Before relying on the forwarded agent, confirm it with the [agent injection](/connect-to-servers/ssh-agent-x11-forwarding.md) feature (run `ssh-add -L` to verify).
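
The security notes above call for verifying the forwarded agent before relying on it. The script below is an added example, not part of Tempest or its documentation, meant to be run on the remote host after connecting; the function names and return codes are this example's own, and it assumes an OpenSSH server that places the forwarded socket in a per-session directory accessible only to your user.

```shell
#!/usr/bin/env bash
# Added example: sanity-check the forwarded agent socket on the REMOTE host.
# Return codes are this example's own convention:
#   0 ok | 1 no socket set | 2 not a Unix socket | 3 not owned by you
#   4 socket directory open to group/others | 5 agent unreachable or empty
# Passing every check does not protect against root on the remote host, who
# can still reach the socket while you are connected.

# True when only the owner has any permission bits on directory $1.
dir_is_private() {
  local perms
  # GNU stat first, BSD/macOS stat as fallback.
  perms=$(stat -c '%a' -- "$1" 2>/dev/null || stat -f '%Lp' -- "$1" 2>/dev/null) || return 1
  case "$perms" in
    *00) return 0 ;;
    *)   return 1 ;;
  esac
}

check_forwarded_agent() {
  local sock="${1:-${SSH_AUTH_SOCK:-}}"
  if [ -z "$sock" ]; then
    echo "SSH_AUTH_SOCK is unset: agent forwarding is not active" >&2; return 1
  fi
  if [ ! -S "$sock" ]; then
    echo "$sock is not a Unix socket" >&2; return 2
  fi
  if [ ! -O "$sock" ]; then
    echo "$sock is owned by another user" >&2; return 3
  fi
  if ! dir_is_private "$(dirname -- "$sock")"; then
    echo "directory of $sock is accessible to group or others" >&2; return 4
  fi
  # ssh-add -l prints fingerprints; non-zero means no keys or no agent.
  if ! SSH_AUTH_SOCK="$sock" ssh-add -l; then
    echo "agent behind $sock is unreachable or holds no keys" >&2; return 5
  fi
  echo "forwarded agent OK: compare the fingerprints above with your local 'ssh-add -l'"
}

# After connecting, run:  check_forwarded_agent
```

If the fingerprints printed on the remote differ from those of your local agent, disconnect and check which socket the **Agent Path** setting points at.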

## X11 forwarding

Run a graphical Linux app remotely and have its window appear on your local desktop. Old-school but still the best way to run a one-off `wireshark`, `gimp`, or `firefox` from a remote box without setting up VNC / RDP.

### Enable in Tempest

1. Edit your SSH host → **X11 Forwarding** → on.
2. Optional: set **X11 Socket** if you have a non-default DISPLAY.
3. Save and reconnect.

### Local X server requirements

Tempest just opens the SSH X11 channel — you need an X server running on your machine to actually display the windows.

| Platform    | X server                                                                       |
| ----------- | ------------------------------------------------------------------------------ |
| **macOS**   | [XQuartz](https://www.xquartz.org/) (`brew install --cask xquartz`)            |
| **Windows** | [VcXsrv](https://sourceforge.net/projects/vcxsrv/), Xming, or WSL2 with `WSLg` |
| **Linux**   | Already installed (X.Org or Xwayland)                                          |

### Test it

After connecting:

```bash
echo "$DISPLAY"    # should be set, e.g. localhost:10.0
xclock             # a clock window appears on your machine
```

### Pro feature

X11 forwarding is part of **Tempest Pro**.

### Performance

X11 over SSH is bandwidth-heavy and latency-sensitive — fine on a LAN, painful over a slow VPN. For frequent remote desktop work, consider VNC, RDP, or [Mosh + tmux + a CLI workflow](/connect-to-servers/mosh-mobile-shell.md) instead.

## See also

* [YubiKey & FIDO2 SSH Authentication](/authentication/yubikey-fido2-ssh-authentication.md) — pair forwarded agent keys with hardware-backed auth on the remote
* [SSH Connection Multiplexing](/connect-to-servers/ssh-connection-multiplexing.md) — agent forwarding cost is amortized across multiplexed sessions

