≡ Menu

Linux X11 Connection Rejected Because of Wrong Authentication Error and Solution

Q. I'm trying to login to my remote Ubuntu Linux server from Mac OS X desktop using following command:
ssh -X user@vpn.officeserver.example.com xeyes

But I'm getting an error that read as follows:

X11 connection rejected because of wrong authentication.

How do I fix this error?

A. This error can be caused by various factors. Try following solutions:

Make sure you are not running out of disk space

Run df and make sure you have sufficient disk space:
$ df -H
If you are low on disk space remove unnecessary files from your system.

Make sure ~/.Xauthority owned by you

Run following command to find ownweship:
$ ls -l ~/.Xauthority
Run chown and chmod to fix permission problems
$ chown user:group ~/.Xauthority
$ chmod 0600 ~/.Xauthority

Replace user:group with your actual username and groupname.

Make sure X11 SSHD Forwarding Enabled

Make sure following line exists in sshd_config file:
$ grep X11Forwarding /etc/ssh/sshd_config
Sample output:

X11Forwarding yes

If X11 disabled add following line to sshd_cofing and restart ssh server:
X11Forwarding yes

Make sure X11 client forwarding enabled

Make sure your local ssh_config has following lines:
Host *
ForwardX11 yes

Finally, login to remote server and run X11 as follows from your Mac OS X or Linux desktop system:
ssh -X user@remote.box.example.com xeyes

{ 37 comments… add one }

  • ariel September 18, 2008, 6:09 am

    In the end of the post you wrote “Finally, login to remote server and run X11 as follows from your Mac OS X or Linux desktop system”. What about Microsoft Windows Os’s? How do i use X11Forwarding in Windows?

  • nixCraft September 18, 2008, 6:29 am

    Use Putty Windows ssh client, it has support for X11 forwarding. You also need to install Win32-X11 for local display.

  • dot22 September 18, 2008, 11:43 am

    There is a programm – Xming, – that allows run some application from Linux server at Windows desktop.
    “Xming may be used with implementations of SSH to securely forward X11 sessions from Unix machines. It supports PuTTY and ssh.exe, and comes with a version of PuTTY’s plink.exe.”

  • leamanc September 24, 2008, 5:48 am

    Vivek, I believe since Mac OS X 10.4, you must use the -Y flag (instead of -X) to enable X11 forwarding. If I use -X on 10.4 or 10.5, I get the authentication error, but -Y always works.

    Not sure why Apple broke convention here, but I think this is the fix you are looking for.

    • Emad January 21, 2015, 3:13 pm

      leamanc: For weeks I was getting authentication errors when I SSH-connected using -X. I tried out many things I found on other blogs but none worked out for me. Many thanks! Using -Y fixed it!!!

  • jockie November 9, 2009, 1:19 pm

    Another issue might be a rc file named either ~/.ssh/rc or /etc/ssh/sshrc. If one of these files is present, it has to handle (given) xauth parameters as well, since sshd won’t execute xauth by itself anymore.

    • Josh March 4, 2011, 6:57 am

      Jockie, thank u!!!
      I did have a rc in my ~/.ssh.

  • She0gorath April 7, 2010, 4:04 pm

    I had a problem : when I tried to run a Xorg program, it returned :
    ego@Darth-Vader ~ % xcalc
    X11 connection rejected because of wrong authentication.
    Error: Can’t open display: localhost:10.0

    I fixed the problem by add -Y function in my ssh command :
    ssh -X -Y user@host

    (I’m sorry if my language isn’t clear, I’m not very good in english :/ )

  • Metajunkie June 21, 2010, 6:30 am

    The -X flag works again, on Mac OS X. I am running version 10.6.4

    I don’t know if it ever wasn’t working, for sure. But it is working now. There should be no reason to use the -Y flag (IMHO). It certainly shouldn’t be your first choice, as the -Y flag enables “trusted” forwarding, which are NOT subjected to the X11 SECURITY extension controls. This could leave your session vulnerable to keystroke monitoring.

    Fly safe – Metajunkie

  • mteppo August 16, 2010, 12:14 pm

    Also you could be experiencing this:

    The fix was to add

    X11UseLocalhost yes

    to your /etc/ssh/sshd.config

    This did the trick for me – at least.

  • D. Le August 19, 2010, 9:12 pm

    Do this from the machine that you are ssh from:

    $ xauth list $DISPLAY

    You’ll get something like
    machine1:10 mit-magic-cookie-1 4d22408a71a55b41ccd1657d377923ae

    Now ssh to the other machine (machine2) and tell it what the cookie is by adding it to the authentication list.

    $ xauth add :10 MIT-MAGIC-COOKIE-1 4d22408a71a55b41ccd1657d377923ae

    $ echo $DISPLAY

    The echo command should show machine1

  • rpetras October 6, 2010, 2:34 pm

    Thanks for this!

    Of course I skipped the “Check your drive space” line believing I had lots of space, and went through and checked everything else first, before running a df and seeing that, in fact, I HAD run out of space.

    Clearing out an out of control log file fixed the issue in a jiffy.

  • TuxMac December 11, 2010, 8:14 pm

    Another possibility – if you ssh and immediately see an error about the .Xauthority file (unreadable, not writeable, etc.), try this:
    rm .Xauthority
    …logout, log back in and then all is well!

  • Minime February 1, 2011, 5:11 am

    Followed your instructions and it worked for me at last. Have been trying to iplement this for the 2 weeks.

    Thank you.

  • Aleksey Tsalolikhin February 9, 2011, 6:14 am

    Thank you for providing such useful articles!! The very first check (df) helped me find and fix my problem. Cheers! Aleksey

  • Phil March 5, 2011, 11:22 pm

    In my case X11 forwarding always worked. I had no problems until today (even 2 days ago it was working:/). So I followed your instructions. Permissions X11Forwarding was disabled for some reason. I fixed both ssh_config and sshd_config. Also sshd_config already had X11UseLocahost enabled so I don’t know what’s left to check :s my account owns .Xauthority and everything you mention is fine. The application I am trying to run on Xserver via ssh is gedit and I’m getting the same error even after the changes i made.

    error message:
    “X11 connection rejected because of wrong authentication.
    The application ‘gedit’ lost its connection to the display localhost:13.0;
    most likely the X server was shut down or you killed/destroyed
    the application.”

    does anyone have any other ideas on this?


  • nonye March 8, 2011, 7:29 pm

    I ran into this same error message trying to ssh -f -Y into a Fedora 14 box using Cygwin. Turns out, after trying all of the solution suggestions above and others found elsewhere, that the problem was the Firewall/Selinux settings on the Fedora box. As they’re local I just disabled both services and now my XWin works super charm.

  • Eric Garcia April 2, 2011, 12:55 am

    None of the solutions above worked for me, but I was able to create my own tunnel to bypass the built-in ssh X forwarding. This worked like a charm.

    From localmachine:
    ssh -R 6007:localhost:6000 remotemachine
    This creates a port-forward that maps requests to port 6007 on remotemachine to port 6000 on localmachine. The default X server port (:0.0) is shorthand for 6000.

    Then on the hostmachine:
    export DISPLAY=localhost:7.0
    This maps all display requests to port 6007 on the remotemachine

    Instead of typing this every time, this can be automated by adding entries to files in ~/.ssh:

    Host remotemachine
    RemoteForward 6007 localhost:6000


  • Hari April 7, 2011, 7:05 pm

    @Metajunkie Your understanding of -X and -Y options seems to be exactly opposite of what ssh man page says. If you read the documentation on -X, it says it IS vulnerable to keystroke monitoring, and recommends using -Y option. Per document -Y should be more secure than -X.

    Also, from another forum, I solved my issue by adding XAUTHORITY=~/.Xauthority environment variable, so this worked: “XAUTHORITY=~/.Xauthority DISPLAY=localhost:10.0 gnome-terminal” while this: “DISPLAY=localhost:10.0 gnome-terminal” got me an error that the display couldn’t be opened on the client with the server side giving the error ” X11 connection rejected because of wrong authentication.”. I hope this information is helpful for someone.

  • Derek April 24, 2011, 8:21 pm

    Thank you! I’d ran out of disc space! I can’t believe the answer was this simple! Thanks again.

  • dE_logics April 29, 2011, 11:24 am

    “In the end of the post you wrote “Finally, login to remote server and run X11 as follows from your Mac OS X or Linux desktop system”. What about Microsoft Windows Os’s? How do i use X11Forwarding in Windows?”

    Please ask ‘god knows’ questions to Bill Gates.

  • Juho May 17, 2011, 12:46 pm

    Thank you very much! Finally got it working with your help.

  • Peter Flynn September 8, 2011, 8:52 am

    I can ssh to my new RHEL6 server from my Ubuntu 11.04 desktop OK and run X apps in my local display.

    But I also have sudo privs, and for a lot of server management I need to be able to run some X apps (eg Emacs) as root. I do this on a lot of other servers running RHEL{4|5} by becoming root, exiting, and running the app, thereby using the sticky-time of the X authentication, eg

    $ sudo su –
    [my password]
    # exit
    $ sudo system-config-printer &

    This doesn’t work on the new machine: I get
    X11 connection rejected because of wrong authentication.

    I can’t see what I need to change: X11 forwarding is set, and all of the above suggestions.

  • Joe June 14, 2012, 5:49 pm

    +1 for Eric Garcia. Thank you so much, for some reason -X or -Y were not sorting out the ports. This forced the issue and kept it secure. Thanks!

  • Scott July 19, 2012, 7:28 pm

    X11 forwarding over SSH had always worked for me, but I just got this error today when trying to open a file in gedit. Turns out I had a gedit instance open at the physical terminal (display 0). When I closed the locally running instance, I was able to launch a remote instance with no problem. Strange.

  • spoonyfork July 26, 2012, 7:21 pm

    It is also worth noting that if you change your HOME environment available then X wont be able to find your ~/.Xauthority also resulting in error “X11 connection rejected because of wrong authentication”.

    • Gemechu October 16, 2014, 7:51 pm

      I have changed my home directory using “export HOME=/other/home/directory” and forgot to link Xauthority to the new home directory. spoonyfork’s reply helped me figure it out. Thanks,

  • Paul October 24, 2012, 11:08 am

    Well, I deleted .Xauthority and the system just reinstalled it with the correct permissions – hence working perfectly now.

  • sean parker December 5, 2012, 2:01 pm

    I Love this format – thanks for the excellent solution explanation

  • Dennis April 25, 2013, 5:28 pm

    Solved my problem… thanks!

  • Tsaby September 10, 2013, 1:26 pm

    Hi All,

    I had the same problem, but with a small difference. User root was able to create X11 sessions without a problem, but application user got an error message when running X applications:

    [wasadm@localhost eclipse]$ xclock
    X11 connection rejected because of wrong authentication.
    Error: Can’t open display: localhost:10.0

    DISPLAY variable was set, ~/.Xauthority file was owned by user, permissions was correctly set.

    Run: xauth list as root

    [root@localhost ~]# xauth list
    localhost/unix:13 MIT-MAGIC-COOKIE-1 c77169a6fa8139ea36f538e1c72e1b98

    Add all the listed sessions to the users auth:
    [wasadm@localhost ~]$ xauth
    Using authority file /home/wasadm/.Xauthority
    xauth> add localhost/unix:13 MIT-MAGIC-COOKIE-1 c77169a6fa8139ea36f538e1c72e1b98

    Hope it will help others to avoid a half day agony! :)

  • seshu February 18, 2014, 3:01 pm

    [root@seshu1 ~]# xhost +
    access control disabled, clients can connect from any host
    [root@seshu1 ~]# ssh -Y seshu2
    root@seshu2’s password:
    Last login: Tue Feb 18 12:42:19 2014
    [root@seshu2 ~]# su – oracle
    [oracle@seshu2 ~]$ cd /u01/app/oracle/product/11.2.0/db_home/network/admin/
    [oracle@seshu2 admin]$ ls
    samples shrept.lst
    [oracle@seshu2 admin]$ netca

    Oracle Net Services Configuration:
    X11 connection rejected because of wrong authentication.
    X connection to localhost:10.0 broken (explicit kill or server shutdown).

    how can i solve plz telme

  • seshu February 18, 2014, 3:04 pm

    i am working on red hat enterprise linux

  • Peter Flynn February 18, 2014, 4:12 pm

    The solution is to make your server record your session detaills and then reuse them when you have become root.

    1. Add this to your .bashrc:

    LIVE=`echo $DISPLAY | awk -F: ‘{print $2}’ | awk -F. ‘{print $1}’`
    xauth list | grep unix:$LIVE | awk ‘{print “xauth add ” $0}’ >xuser

    2. Then when you become root (or another user)

    . /home/yourname/xuser

    This gives the xauth magic cookies to the current shell. It’s probably horribly insecure.

  • Johann March 16, 2014, 2:03 pm

    There’s also one simple detail, but alas, I did make the dumb mistake once:

    Make sure that you are not sudoed into the superuser (root) account, even if you are trying to start an administration GUI tool. If sshd is properly configured it should be blocking authentication as root user, therefore the X11 connection gets denied on the remote host. When you try to start the graphical utility make sure you do so with a regular user. Don’t worry about privileges, the X11 server will present you with a dialog to enter the password to elevate privileges if necessary.

  • Aleks March 19, 2014, 12:08 am

    For those of you having this issue on RED HAD systems (centos, fedora etc) You have to disable SELINUX. This was preventing the .Xauthority file from creating properly. I’m sure there is a way to allow it in SELINUX, but the quick way is to disable SELINUX.

  • Dennis March 28, 2015, 2:38 am

    Thanks! The ownership of ~/.XAuthority solved my problem

Leave a Comment

   Tagged with: , , , , , , , , , ,