Linux X11 Connection Rejected Because of Wrong Authentication Error and Solution

by on September 17, 2008 · 34 comments· LAST UPDATED September 17, 2008

in , ,

Q. I'm trying to login to my remote Ubuntu Linux server from Mac OS X desktop using following command:
ssh -X user@vpn.officeserver.example.com xeyes

But I'm getting an error that read as follows:

X11 connection rejected because of wrong authentication.

How do I fix this error?

A. This error can be caused by various factors. Try following solutions:

Make sure you are not running out of disk space

Run df and make sure you have sufficient disk space:
$ df -H
If you are low on disk space remove unnecessary files from your system.

Make sure ~/.Xauthority owned by you

Run following command to find ownweship:
$ ls -l ~/.Xauthority
Run chown and chmod to fix permission problems
$ chown user:group ~/.Xauthority
$ chmod 0600 ~/.Xauthority

Replace user:group with your actual username and groupname.

Make sure X11 SSHD Forwarding Enabled

Make sure following line exists in sshd_config file:
$ grep X11Forwarding /etc/ssh/sshd_config
Sample output:

X11Forwarding yes

If X11 disabled add following line to sshd_cofing and restart ssh server:
X11Forwarding yes

Make sure X11 client forwarding enabled

Make sure your local ssh_config has following lines:
Host *
ForwardX11 yes

Finally, login to remote server and run X11 as follows from your Mac OS X or Linux desktop system:
ssh -X user@remote.box.example.com xeyes

TwitterFacebookGoogle+PDF versionFound an error/typo on this page? Help us!

{ 34 comments… read them below or add one }

1 ariel September 18, 2008 at 6:09 am

In the end of the post you wrote “Finally, login to remote server and run X11 as follows from your Mac OS X or Linux desktop system”. What about Microsoft Windows Os’s? How do i use X11Forwarding in Windows?

Reply

2 nixCraft September 18, 2008 at 6:29 am

Use Putty Windows ssh client, it has support for X11 forwarding. You also need to install Win32-X11 for local display.

Reply

3 dot22 September 18, 2008 at 11:43 am

There is a programm – Xming, – that allows run some application from Linux server at Windows desktop.
“Xming may be used with implementations of SSH to securely forward X11 sessions from Unix machines. It supports PuTTY and ssh.exe, and comes with a version of PuTTY’s plink.exe.”
http://en.wikipedia.org/wiki/Xming

Reply

4 leamanc September 24, 2008 at 5:48 am

Vivek, I believe since Mac OS X 10.4, you must use the -Y flag (instead of -X) to enable X11 forwarding. If I use -X on 10.4 or 10.5, I get the authentication error, but -Y always works.

Not sure why Apple broke convention here, but I think this is the fix you are looking for.

Reply

5 jockie November 9, 2009 at 1:19 pm

Another issue might be a rc file named either ~/.ssh/rc or /etc/ssh/sshrc. If one of these files is present, it has to handle (given) xauth parameters as well, since sshd won’t execute xauth by itself anymore.

Reply

6 Josh March 4, 2011 at 6:57 am

Jockie, thank u!!!
I did have a rc in my ~/.ssh.

Reply

7 She0gorath April 7, 2010 at 4:04 pm

I had a problem : when I tried to run a Xorg program, it returned :
—–
ego@Darth-Vader ~ % xcalc
X11 connection rejected because of wrong authentication.
Error: Can’t open display: localhost:10.0
—–

I fixed the problem by add -Y function in my ssh command :
—–
ssh -X -Y user@host
—–

(I’m sorry if my language isn’t clear, I’m not very good in english :/ )

Reply

8 Metajunkie June 21, 2010 at 6:30 am

The -X flag works again, on Mac OS X. I am running version 10.6.4

I don’t know if it ever wasn’t working, for sure. But it is working now. There should be no reason to use the -Y flag (IMHO). It certainly shouldn’t be your first choice, as the -Y flag enables “trusted” forwarding, which are NOT subjected to the X11 SECURITY extension controls. This could leave your session vulnerable to keystroke monitoring.

Fly safe – Metajunkie

Reply

9 mteppo August 16, 2010 at 12:14 pm

Also you could be experiencing this:
http://ubuntuforums.org/showthread.php?t=571809

The fix was to add

X11UseLocalhost yes

to your /etc/ssh/sshd.config

This did the trick for me – at least.

Reply

10 D. Le August 19, 2010 at 9:12 pm

Do this from the machine that you are ssh from:

$ xauth list $DISPLAY

You’ll get something like
machine1:10 mit-magic-cookie-1 4d22408a71a55b41ccd1657d377923ae

Now ssh to the other machine (machine2) and tell it what the cookie is by adding it to the authentication list.

$ xauth add :10 MIT-MAGIC-COOKIE-1 4d22408a71a55b41ccd1657d377923ae

$ echo $DISPLAY

The echo command should show machine1

Reply

11 rpetras October 6, 2010 at 2:34 pm

Thanks for this!

Of course I skipped the “Check your drive space” line believing I had lots of space, and went through and checked everything else first, before running a df and seeing that, in fact, I HAD run out of space.

Clearing out an out of control log file fixed the issue in a jiffy.

Reply

12 TuxMac December 11, 2010 at 8:14 pm

Another possibility – if you ssh and immediately see an error about the .Xauthority file (unreadable, not writeable, etc.), try this:
rm .Xauthority
…logout, log back in and then all is well!

Reply

13 Minime February 1, 2011 at 5:11 am

Followed your instructions and it worked for me at last. Have been trying to iplement this for the 2 weeks.

Thank you.

Reply

14 Aleksey Tsalolikhin February 9, 2011 at 6:14 am

Thank you for providing such useful articles!! The very first check (df) helped me find and fix my problem. Cheers! Aleksey

Reply

15 Phil March 5, 2011 at 11:22 pm

In my case X11 forwarding always worked. I had no problems until today (even 2 days ago it was working:/). So I followed your instructions. Permissions X11Forwarding was disabled for some reason. I fixed both ssh_config and sshd_config. Also sshd_config already had X11UseLocahost enabled so I don’t know what’s left to check :s my account owns .Xauthority and everything you mention is fine. The application I am trying to run on Xserver via ssh is gedit and I’m getting the same error even after the changes i made.

error message:
“X11 connection rejected because of wrong authentication.
The application ‘gedit’ lost its connection to the display localhost:13.0;
most likely the X server was shut down or you killed/destroyed
the application.”

does anyone have any other ideas on this?

Thanks

Reply

16 nonye March 8, 2011 at 7:29 pm

I ran into this same error message trying to ssh -f -Y into a Fedora 14 box using Cygwin. Turns out, after trying all of the solution suggestions above and others found elsewhere, that the problem was the Firewall/Selinux settings on the Fedora box. As they’re local I just disabled both services and now my XWin works super charm.

Reply

17 Eric Garcia April 2, 2011 at 12:55 am

None of the solutions above worked for me, but I was able to create my own tunnel to bypass the built-in ssh X forwarding. This worked like a charm.

From localmachine:
ssh -R 6007:localhost:6000 remotemachine
This creates a port-forward that maps requests to port 6007 on remotemachine to port 6000 on localmachine. The default X server port (:0.0) is shorthand for 6000.

Then on the hostmachine:
export DISPLAY=localhost:7.0
This maps all display requests to port 6007 on the remotemachine

Instead of typing this every time, this can be automated by adding entries to files in ~/.ssh:

localmachine:~/.ssh/config
Host remotemachine
RemoteForward 6007 localhost:6000

remotemachine:~/.ssh/environment
DISPLAY=localhost:7.0

Reply

18 Hari April 7, 2011 at 7:05 pm

@Metajunkie Your understanding of -X and -Y options seems to be exactly opposite of what ssh man page says. If you read the documentation on -X, it says it IS vulnerable to keystroke monitoring, and recommends using -Y option. Per document -Y should be more secure than -X.

Also, from another forum, I solved my issue by adding XAUTHORITY=~/.Xauthority environment variable, so this worked: “XAUTHORITY=~/.Xauthority DISPLAY=localhost:10.0 gnome-terminal” while this: “DISPLAY=localhost:10.0 gnome-terminal” got me an error that the display couldn’t be opened on the client with the server side giving the error ” X11 connection rejected because of wrong authentication.”. I hope this information is helpful for someone.

Reply

19 Derek April 24, 2011 at 8:21 pm

Thank you! I’d ran out of disc space! I can’t believe the answer was this simple! Thanks again.

Reply

20 dE_logics April 29, 2011 at 11:24 am

“In the end of the post you wrote “Finally, login to remote server and run X11 as follows from your Mac OS X or Linux desktop system”. What about Microsoft Windows Os’s? How do i use X11Forwarding in Windows?”

Please ask ‘god knows’ questions to Bill Gates.

Reply

21 Juho May 17, 2011 at 12:46 pm

Thank you very much! Finally got it working with your help.

Reply

22 Peter Flynn September 8, 2011 at 8:52 am

I can ssh to my new RHEL6 server from my Ubuntu 11.04 desktop OK and run X apps in my local display.

But I also have sudo privs, and for a lot of server management I need to be able to run some X apps (eg Emacs) as root. I do this on a lot of other servers running RHEL{4|5} by becoming root, exiting, and running the app, thereby using the sticky-time of the X authentication, eg

$ sudo su -
[my password]
# exit
$ sudo system-config-printer &
$

This doesn’t work on the new machine: I get
X11 connection rejected because of wrong authentication.

I can’t see what I need to change: X11 forwarding is set, and all of the above suggestions.

Reply

23 Joe June 14, 2012 at 5:49 pm

+1 for Eric Garcia. Thank you so much, for some reason -X or -Y were not sorting out the ports. This forced the issue and kept it secure. Thanks!

Reply

24 Scott July 19, 2012 at 7:28 pm

X11 forwarding over SSH had always worked for me, but I just got this error today when trying to open a file in gedit. Turns out I had a gedit instance open at the physical terminal (display 0). When I closed the locally running instance, I was able to launch a remote instance with no problem. Strange.

Reply

25 spoonyfork July 26, 2012 at 7:21 pm

It is also worth noting that if you change your HOME environment available then X wont be able to find your ~/.Xauthority also resulting in error “X11 connection rejected because of wrong authentication”.

Reply

26 Paul October 24, 2012 at 11:08 am

Well, I deleted .Xauthority and the system just reinstalled it with the correct permissions – hence working perfectly now.

Reply

27 sean parker December 5, 2012 at 2:01 pm

I Love this format – thanks for the excellent solution explanation

Reply

28 Dennis April 25, 2013 at 5:28 pm

Solved my problem… thanks!

Reply

29 Tsaby September 10, 2013 at 1:26 pm

Hi All,

I had the same problem, but with a small difference. User root was able to create X11 sessions without a problem, but application user got an error message when running X applications:

[wasadm@localhost eclipse]$ xclock
X11 connection rejected because of wrong authentication.
Error: Can’t open display: localhost:10.0

DISPLAY variable was set, ~/.Xauthority file was owned by user, permissions was correctly set.

Solution:
Run: xauth list as root

[root@localhost ~]# xauth list
localhost/unix:13 MIT-MAGIC-COOKIE-1 c77169a6fa8139ea36f538e1c72e1b98

Add all the listed sessions to the users auth:
[wasadm@localhost ~]$ xauth
Using authority file /home/wasadm/.Xauthority
xauth> add localhost/unix:13 MIT-MAGIC-COOKIE-1 c77169a6fa8139ea36f538e1c72e1b98

Hope it will help others to avoid a half day agony! :)

Reply

30 seshu February 18, 2014 at 3:01 pm

[root@seshu1 ~]# xhost +
access control disabled, clients can connect from any host
[root@seshu1 ~]# ssh -Y seshu2
root@seshu2′s password:
Last login: Tue Feb 18 12:42:19 2014
[root@seshu2 ~]# su – oracle
[oracle@seshu2 ~]$ cd /u01/app/oracle/product/11.2.0/db_home/network/admin/
[oracle@seshu2 admin]$ ls
samples shrept.lst
[oracle@seshu2 admin]$ netca

Oracle Net Services Configuration:
X11 connection rejected because of wrong authentication.
X connection to localhost:10.0 broken (explicit kill or server shutdown).

how can i solve plz telme

Reply

31 seshu February 18, 2014 at 3:04 pm

i am working on red hat enterprise linux

Reply

32 Peter Flynn February 18, 2014 at 4:12 pm

The solution is to make your server record your session detaills and then reuse them when you have become root.

1. Add this to your .bashrc:

LIVE=`echo $DISPLAY | awk -F: ‘{print $2}’ | awk -F. ‘{print $1}’`
xauth list | grep unix:$LIVE | awk ‘{print “xauth add ” $0}’ >xuser

2. Then when you become root (or another user)

. /home/yourname/xuser

This gives the xauth magic cookies to the current shell. It’s probably horribly insecure.

Reply

33 Johann March 16, 2014 at 2:03 pm

There’s also one simple detail, but alas, I did make the dumb mistake once:

Make sure that you are not sudoed into the superuser (root) account, even if you are trying to start an administration GUI tool. If sshd is properly configured it should be blocking authentication as root user, therefore the X11 connection gets denied on the remote host. When you try to start the graphical utility make sure you do so with a regular user. Don’t worry about privileges, the X11 server will present you with a dialog to enter the password to elevate privileges if necessary.

Reply

34 Aleks March 19, 2014 at 12:08 am

For those of you having this issue on RED HAD systems (centos, fedora etc) You have to disable SELINUX. This was preventing the .Xauthority file from creating properly. I’m sure there is a way to allow it in SELINUX, but the quick way is to disable SELINUX.

Reply

Leave a Comment

Tagged as: , , , , , , , , , ,

Previous Faq:

Next Faq: