Use neither when you don't need to run X11 programs remotely; use -X when you do; and hypothetically use -Y if an X11 program you care about works better with -Y than with -X. But currently (Ubuntu 15.10), -X is identical to -Y, unless you edit ssh_config to say ForwardX11Trusted no . -X was originally intended to enable the X Security extension of the 1990's, but that is old and inflexible, and crashes some programs, and so is ignored by default.

Both ssh -Y and -X let you run an X11 program on a remote machine, with its windows appearing on the local X monitor. The issue is what the program is allowed to do to other programs' windows, and to the X server itself.

local$ ssh -X remote remote$ xlogo # Runs xlogo on remote, but the logo pops up on the local screen.

Trusted X11 forwarding is enabled by -Y . This is the historical behavior. A program with access to the display, is trusted with access to the entire display. It can screenshot, keylog, and inject input into all the windows of other programs. And it can use all X server extensions, including ones like accelerated graphics, which are security exposures. Which is good for running smoothly, but bad for security. You are trusting the remote programs to be as safe as your local programs.

Untrusted X11 forwarding tries to restrict remote programs to accessing only their own windows, and to using only those parts of X which are relatively secure. Which sounds good, but currently doesn't work well in practice.

The meaning of -X currently depends on your ssh configuration.

On Ubuntu 14.04 LTS, unless you edit your ssh_config , there is no difference between -X and -Y . "[B]ecause too many programs currently crash in [untrusted] mode."

ubuntu1404$ man ssh ... -X Enables X11 forwarding. This can also be specified on a per-host basis in a configuration file. ... (Debian-specific: X11 forwarding is not subjected to X11 SECURITY extension restrictions by default, because too many programs cur‐ rently crash in this mode. Set the ForwardX11Trusted option to “no” to restore the upstream behavior. This may change in future depending on client-side improvements.) ubuntu1404$ grep ForwardX11Trusted /etc/ssh/ssh_config # ForwardX11Trusted yes