search
Ctrlk
Download

SSH Agent & X11 Forwarding

Use SSH agent forwarding (1Password, ssh-agent, Pageant) and X11 forwarding in Tempest — keep keys local and run remote GUI apps on Mac/Win/Linux.

Two classic SSH features that Tempest exposes as one-click toggles in the host edit form: agent forwarding (use your local SSH keys on the remote host without copying them) and X11 forwarding (run remote GUI applications on your local desktop).

hashtag
SSH agent forwarding

When you enable agent forwarding, processes on the remote host can use your local SSH keys for outbound SSH — without ever transferring the private keys. The remote ssh invocation talks to your local agent through a forwarded Unix socket.

The classic use case: you SSH into a bastion, then git pull from a private repo that requires your SSH key. Without agent forwarding you'd have to copy your key onto the bastion (insecure). With it, the git invocation transparently uses your laptop's key.

hashtag
Enable in Tempest

  1. Edit your SSH host → Agent Forwarding → on.

  2. Optional: Agent Path — point at a specific socket. Useful for:

    • 1Password SSH agent~/.1password/agent.sock (macOS) or \\.\pipe\openssh-ssh-agent (Windows)

    • Self-managed ssh-agent — wherever $SSH_AUTH_SOCK points

  3. Save and reconnect.

Once connected, on the remote: ssh-add -L should list your local keys, and ssh other-host should work.

hashtag
1Password SSH agent integration

Tempest works seamlessly with 1Password's SSH agent — point Tempest at the 1Password agent socket and your SSH keys are touch-id-protected, never on disk, and synced via your 1Password vault. Each SSH auth attempt prompts 1Password to confirm.

hashtag
Pro feature

Agent forwarding is part of Tempest Pro.

hashtag
Security notes

  • Agent forwarding lets any process on the remote request a signature from your local agent while you're connected. Don't enable it on hosts you don't fully trust.

  • Use the agent injection feature (ssh-add -L to verify) to confirm before relying on the forwarded agent.

hashtag
X11 forwarding

Run a graphical Linux app remotely and have its window appear on your local desktop. Old-school but still the best way to run a one-off wireshark, gimp, or firefox from a remote box without setting up VNC / RDP.

hashtag
Enable in Tempest

  1. Edit your SSH host → X11 Forwarding → on.

  2. Optional: set X11 Socket if you have a non-default DISPLAY.

  3. Save and reconnect.

hashtag
Local X server requirements

Tempest just opens the SSH X11 channel — you need an X server running on your machine to actually display the windows.

Platform
X server

macOS

XQuartzarrow-up-right (brew install --cask xquartz)

Windows

VcXsrvarrow-up-right, Xming, or WSL2 with WSLg

Linux

Already installed (X.Org or Xwayland)

hashtag
Test it

After connecting:

hashtag
Pro feature

X11 forwarding is part of Tempest Pro.

hashtag
Performance

X11 over SSH is bandwidth-heavy and latency-sensitive — fine on a LAN, painful over a slow VPN. For frequent remote desktop work, consider VNC, RDP, or Mosh + tmux + a CLI workflow instead.

hashtag
See also

PreviousSSH Connection MultiplexingNextMosh (Mobile Shell) — Survive Flaky Connections

Last updated