Q. I'm trying to login to my remote Ubuntu Linux server from Mac OS X desktop using following command:
ssh -X user@vpn.officeserver.example.com xeyes
But I'm getting an error that read as follows:
X11 connection rejected because of wrong authentication.
How do I fix this error?
A. This error can be caused by various factors. Try following solutions:
Make sure you are not running out of disk space
Run df and make sure you have sufficient disk space:
$ df -H
If you are low on disk space remove unnecessary files from your system.
Make sure ~/.Xauthority owned by you
Run following command to find ownweship:
$ ls -l ~/.Xauthority
Run chown and chmod to fix permission problems
$ chown user:group ~/.Xauthority
$ chmod 0600 ~/.Xauthority
Replace user:group with your actual username and groupname.
Make sure X11 SSHD Forwarding Enabled
Make sure following line exists in sshd_config file:
$ grep X11Forwarding /etc/ssh/sshd_config
Sample output:
X11Forwarding yes
If X11 disabled add following line to sshd_cofing and restart ssh server:
X11Forwarding yes
Make sure X11 client forwarding enabled
Make sure your local ssh_config has following lines:
Host *
ForwardX11 yes
Finally, login to remote server and run X11 as follows from your Mac OS X or Linux desktop system:
ssh -X user@remote.box.example.com xeyes
Featured Articles:
- 20 Linux System Monitoring Tools Every SysAdmin Should Know
- 20 Linux Server Hardening Security Tips
- My 10 UNIX Command Line Mistakes
- Linux: 20 Iptables Examples For New SysAdmins
- 25 PHP Security Best Practices For Sys Admins
- The Novice Guide To Buying A Linux Laptop
- 10 Greatest Open Source Software Of 2009
- Top 5 Email Client For Linux, Mac OS X, and Windows Users
- Top 20 OpenSSH Server Best Security Practices
- Top 10 Open Source Web-Based Project Management Software
- Top 5 Linux Video Editor Software
Facebook it - Tweet it - Print it -
{ 21 comments… read them below or add one }
In the end of the post you wrote “Finally, login to remote server and run X11 as follows from your Mac OS X or Linux desktop system”. What about Microsoft Windows Os’s? How do i use X11Forwarding in Windows?
Use Putty Windows ssh client, it has support for X11 forwarding. You also need to install Win32-X11 for local display.
There is a programm – Xming, – that allows run some application from Linux server at Windows desktop.
“Xming may be used with implementations of SSH to securely forward X11 sessions from Unix machines. It supports PuTTY and ssh.exe, and comes with a version of PuTTY’s plink.exe.”
http://en.wikipedia.org/wiki/Xming
Vivek, I believe since Mac OS X 10.4, you must use the -Y flag (instead of -X) to enable X11 forwarding. If I use -X on 10.4 or 10.5, I get the authentication error, but -Y always works.
Not sure why Apple broke convention here, but I think this is the fix you are looking for.
Another issue might be a rc file named either ~/.ssh/rc or /etc/ssh/sshrc. If one of these files is present, it has to handle (given) xauth parameters as well, since sshd won’t execute xauth by itself anymore.
Jockie, thank u!!!
I did have a rc in my ~/.ssh.
I had a problem : when I tried to run a Xorg program, it returned :
—–
ego@Darth-Vader ~ % xcalc
X11 connection rejected because of wrong authentication.
Error: Can’t open display: localhost:10.0
—–
I fixed the problem by add -Y function in my ssh command :
—–
ssh -X -Y user@host
—–
(I’m sorry if my language isn’t clear, I’m not very good in english :/ )
The -X flag works again, on Mac OS X. I am running version 10.6.4
I don’t know if it ever wasn’t working, for sure. But it is working now. There should be no reason to use the -Y flag (IMHO). It certainly shouldn’t be your first choice, as the -Y flag enables “trusted” forwarding, which are NOT subjected to the X11 SECURITY extension controls. This could leave your session vulnerable to keystroke monitoring.
Fly safe – Metajunkie
Also you could be experiencing this:
http://ubuntuforums.org/showthread.php?t=571809
The fix was to add
–
X11UseLocalhost yes
–
to your /etc/ssh/sshd.config
This did the trick for me – at least.
Do this from the machine that you are ssh from:
$ xauth list $DISPLAY
You’ll get something like
machine1:10 mit-magic-cookie-1 4d22408a71a55b41ccd1657d377923ae
Now ssh to the other machine (machine2) and tell it what the cookie is by adding it to the authentication list.
$ xauth add :10 MIT-MAGIC-COOKIE-1 4d22408a71a55b41ccd1657d377923ae
$ echo $DISPLAY
The echo command should show machine1
Thanks for this!
Of course I skipped the “Check your drive space” line believing I had lots of space, and went through and checked everything else first, before running a df and seeing that, in fact, I HAD run out of space.
Clearing out an out of control log file fixed the issue in a jiffy.
Another possibility – if you ssh and immediately see an error about the .Xauthority file (unreadable, not writeable, etc.), try this:
rm .Xauthority
…logout, log back in and then all is well!
Followed your instructions and it worked for me at last. Have been trying to iplement this for the 2 weeks.
Thank you.
Thank you for providing such useful articles!! The very first check (df) helped me find and fix my problem. Cheers! Aleksey
In my case X11 forwarding always worked. I had no problems until today (even 2 days ago it was working:/). So I followed your instructions. Permissions X11Forwarding was disabled for some reason. I fixed both ssh_config and sshd_config. Also sshd_config already had X11UseLocahost enabled so I don’t know what’s left to check :s my account owns .Xauthority and everything you mention is fine. The application I am trying to run on Xserver via ssh is gedit and I’m getting the same error even after the changes i made.
error message:
“X11 connection rejected because of wrong authentication.
The application ‘gedit’ lost its connection to the display localhost:13.0;
most likely the X server was shut down or you killed/destroyed
the application.”
does anyone have any other ideas on this?
Thanks
I ran into this same error message trying to ssh -f -Y into a Fedora 14 box using Cygwin. Turns out, after trying all of the solution suggestions above and others found elsewhere, that the problem was the Firewall/Selinux settings on the Fedora box. As they’re local I just disabled both services and now my XWin works super charm.
None of the solutions above worked for me, but I was able to create my own tunnel to bypass the built-in ssh X forwarding. This worked like a charm.
From localmachine:
ssh -R 6007:localhost:6000 remotemachine
This creates a port-forward that maps requests to port 6007 on remotemachine to port 6000 on localmachine. The default X server port (:0.0) is shorthand for 6000.
Then on the hostmachine:
export DISPLAY=localhost:7.0
This maps all display requests to port 6007 on the remotemachine
Instead of typing this every time, this can be automated by adding entries to files in ~/.ssh:
localmachine:~/.ssh/config
Host remotemachine
RemoteForward 6007 localhost:6000
remotemachine:~/.ssh/environment
DISPLAY=localhost:7.0
@Metajunkie Your understanding of -X and -Y options seems to be exactly opposite of what ssh man page says. If you read the documentation on -X, it says it IS vulnerable to keystroke monitoring, and recommends using -Y option. Per document -Y should be more secure than -X.
Also, from another forum, I solved my issue by adding XAUTHORITY=~/.Xauthority environment variable, so this worked: “XAUTHORITY=~/.Xauthority DISPLAY=localhost:10.0 gnome-terminal” while this: “DISPLAY=localhost:10.0 gnome-terminal” got me an error that the display couldn’t be opened on the client with the server side giving the error ” X11 connection rejected because of wrong authentication.”. I hope this information is helpful for someone.
Thank you! I’d ran out of disc space! I can’t believe the answer was this simple! Thanks again.
Thank you very much! Finally got it working with your help.
I can ssh to my new RHEL6 server from my Ubuntu 11.04 desktop OK and run X apps in my local display.
But I also have sudo privs, and for a lot of server management I need to be able to run some X apps (eg Emacs) as root. I do this on a lot of other servers running RHEL{4|5} by becoming root, exiting, and running the app, thereby using the sticky-time of the X authentication, eg
$ sudo su -
[my password]
# exit
$ sudo system-config-printer &
$
This doesn’t work on the new machine: I get
X11 connection rejected because of wrong authentication.
I can’t see what I need to change: X11 forwarding is set, and all of the above suggestions.