Ssh – Understanding ssh X11 forwarding

Tags: container, ssh, virtual machine, x11, xforwarding

I have a rather odd setup I'm trying to get working.

I have an Ubuntu install running in a container (through Proxmox). The host computer is CentOS. Neither server is running an X instance.

My host machine is physically plugged into a monitor. My end goal is to be able to ssh -X from the host to the container and run xbmc so that it displays on my monitor.

Some questions about this setup:

  • I need X installed on the host too, right?
  • What exactly are "displays" (like :0 and :1) and do I need to set them?
  • Is what I'm trying to do possible?

Best Answer

  • I need X installed on the host too, right?

You need an X server installed on the host only, and it will need to be running. You will need some X client libraries in the container (installing xbmc will presumably pull these in as dependencies), but not an X server.

  • What exactly are "displays" (like :0 and :1) and do I need to set them?

Displays are distinct (hypothetical) screens managed by a particular server, and the DISPLAY environment variable tells X clients how to connect. ssh -X sets that up automatically; you don't need to do anything.

It is possible to do this without involving ssh at all, using X natively. In that case you will need to set up DISPLAY appropriately. There's no particular advantage in that for you in these circumstances, other than lowering the resource cost from encrypting the connection.

If you are not running the ssh command from inside the host's X server environment you will need to set DISPLAY=:0 (or similar) explicitly on that end so that ssh can see it.

  • Is what I'm trying to do possible?

Yes, it is almost the purpose of the X protocol.


You should check man ssh for details of the -X and -Y options, and man ssh_config for details of the ForwardX11Trusted option. In your case it's likely that the security concerns don't really apply, but do check and make sure.

In particular, ssh -Y has a higher success rate in some configurations, but gives the remote end unrestricted access to your X server, while ssh -X prevents many such accesses and forces the authentication to expire after a short time. The X protocol is not terribly secure and a client with unrestricted access can, for example, log every keypress made in every other client.
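To check which of the two modes a host entry would actually get, the following added example (not part of the original answer) classifies the effective client settings that `ssh -G <host>` prints. The sample lines and the host name `container.example` are constructed for illustration.

```shell
#!/bin/sh
# Added example: classify X11 forwarding posture from `ssh -G <host>` output.
# `ssh -G` prints the effective client configuration as lowercase "key value" lines.

# Reads config lines on stdin.
# Prints "disabled", "trusted" (what -Y gives), or "untrusted timeout=<value>" (what -X gives).
x11_posture() {
    awk '
        $1 == "forwardx11"        { fwd = $2 }
        $1 == "forwardx11trusted" { trusted = $2 }
        $1 == "forwardx11timeout" { timeout = $2 }
        END {
            if (fwd != "yes")     { print "disabled"; exit }
            if (trusted == "yes") { print "trusted"; exit }
            print "untrusted timeout=" (timeout == "" ? "unset" : timeout)
        }'
}

# Constructed sample inputs (not captured from a real system).
sample_trusted='hostname container.example
forwardx11 yes
forwardx11trusted yes
forwardx11timeout 1200'

sample_untrusted='hostname container.example
forwardx11 yes
forwardx11trusted no
forwardx11timeout 1200'

sample_off='hostname container.example
forwardx11 no
forwardx11trusted no'

for s in "$sample_trusted" "$sample_untrusted" "$sample_off"; do
    printf '%s\n' "$s" | x11_posture
done

# Against a real host entry (hypothetical name): ssh -G container.example | x11_posture
```

A result of `trusted` means the remote end gets the unrestricted access described above; setting `ForwardX11Trusted no` for that host in `ssh_config` restores the restricted behaviour.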
