Linux X11 Connection Rejected Because of Wrong Authentication Error and Solution

Posted on in Categories , , , , , , , , last updated September 17, 2008

Q. I’m trying to login to my remote Ubuntu Linux server from Mac OS X desktop using following command:
ssh -X [email protected] xeyes

But I’m getting an error that read as follows:

X11 connection rejected because of wrong authentication.

How do I fix this error?

A. This error can be caused by various factors. Try following solutions:

Make sure you are not running out of disk space

Run df and make sure you have sufficient disk space:
$ df -H
If you are low on disk space remove unnecessary files from your system.

Make sure ~/.Xauthority owned by you

Run following command to find ownweship:
$ ls -l ~/.Xauthority
Run chown and chmod to fix permission problems
$ chown user:group ~/.Xauthority
$ chmod 0600 ~/.Xauthority

Replace user:group with your actual username and groupname.

Make sure X11 SSHD Forwarding Enabled

Make sure following line exists in sshd_config file:
$ grep X11Forwarding /etc/ssh/sshd_config
Sample output:

X11Forwarding yes

If X11 disabled add following line to sshd_cofing and restart ssh server:
X11Forwarding yes

Make sure X11 client forwarding enabled

Make sure your local ssh_config has following lines:
Host *
ForwardX11 yes

Finally, login to remote server and run X11 as follows from your Mac OS X or Linux desktop system:
ssh -X [email protected] xeyes

Posted by: Vivek Gite

The author is the creator of nixCraft and a seasoned sysadmin and a trainer for the Linux operating system/Unix shell scripting. He has worked with global clients and in various industries, including IT, education, defense and space research, and the nonprofit sector. Follow him on Twitter, Facebook, Google+.

38 comment

  1. In the end of the post you wrote “Finally, login to remote server and run X11 as follows from your Mac OS X or Linux desktop system”. What about Microsoft Windows Os’s? How do i use X11Forwarding in Windows?

  2. Vivek, I believe since Mac OS X 10.4, you must use the -Y flag (instead of -X) to enable X11 forwarding. If I use -X on 10.4 or 10.5, I get the authentication error, but -Y always works.

    Not sure why Apple broke convention here, but I think this is the fix you are looking for.

    1. leamanc: For weeks I was getting authentication errors when I SSH-connected using -X. I tried out many things I found on other blogs but none worked out for me. Many thanks! Using -Y fixed it!!!

  3. Another issue might be a rc file named either ~/.ssh/rc or /etc/ssh/sshrc. If one of these files is present, it has to handle (given) xauth parameters as well, since sshd won’t execute xauth by itself anymore.

  4. I had a problem : when I tried to run a Xorg program, it returned :
    —–
    [email protected] ~ % xcalc
    X11 connection rejected because of wrong authentication.
    Error: Can’t open display: localhost:10.0
    —–

    I fixed the problem by add -Y function in my ssh command :
    —–
    ssh -X -Y [email protected]
    —–

    (I’m sorry if my language isn’t clear, I’m not very good in english :/ )

  5. The -X flag works again, on Mac OS X. I am running version 10.6.4

    I don’t know if it ever wasn’t working, for sure. But it is working now. There should be no reason to use the -Y flag (IMHO). It certainly shouldn’t be your first choice, as the -Y flag enables “trusted” forwarding, which are NOT subjected to the X11 SECURITY extension controls. This could leave your session vulnerable to keystroke monitoring.

    Fly safe – Metajunkie

  6. Do this from the machine that you are ssh from:

    $ xauth list $DISPLAY

    You’ll get something like
    machine1:10 mit-magic-cookie-1 4d22408a71a55b41ccd1657d377923ae

    Now ssh to the other machine (machine2) and tell it what the cookie is by adding it to the authentication list.

    $ xauth add :10 MIT-MAGIC-COOKIE-1 4d22408a71a55b41ccd1657d377923ae

    $ echo $DISPLAY

    The echo command should show machine1

  7. Thanks for this!

    Of course I skipped the “Check your drive space” line believing I had lots of space, and went through and checked everything else first, before running a df and seeing that, in fact, I HAD run out of space.

    Clearing out an out of control log file fixed the issue in a jiffy.

  8. Another possibility – if you ssh and immediately see an error about the .Xauthority file (unreadable, not writeable, etc.), try this:
    rm .Xauthority
    …logout, log back in and then all is well!

  9. In my case X11 forwarding always worked. I had no problems until today (even 2 days ago it was working:/). So I followed your instructions. Permissions X11Forwarding was disabled for some reason. I fixed both ssh_config and sshd_config. Also sshd_config already had X11UseLocahost enabled so I don’t know what’s left to check :s my account owns .Xauthority and everything you mention is fine. The application I am trying to run on Xserver via ssh is gedit and I’m getting the same error even after the changes i made.

    error message:
    “X11 connection rejected because of wrong authentication.
    The application ‘gedit’ lost its connection to the display localhost:13.0;
    most likely the X server was shut down or you killed/destroyed
    the application.”

    does anyone have any other ideas on this?

    Thanks

  10. I ran into this same error message trying to ssh -f -Y into a Fedora 14 box using Cygwin. Turns out, after trying all of the solution suggestions above and others found elsewhere, that the problem was the Firewall/Selinux settings on the Fedora box. As they’re local I just disabled both services and now my XWin works super charm.

  11. None of the solutions above worked for me, but I was able to create my own tunnel to bypass the built-in ssh X forwarding. This worked like a charm.

    From localmachine:
    ssh -R 6007:localhost:6000 remotemachine
    This creates a port-forward that maps requests to port 6007 on remotemachine to port 6000 on localmachine. The default X server port (:0.0) is shorthand for 6000.

    Then on the hostmachine:
    export DISPLAY=localhost:7.0
    This maps all display requests to port 6007 on the remotemachine

    Instead of typing this every time, this can be automated by adding entries to files in ~/.ssh:

    localmachine:~/.ssh/config
    Host remotemachine
    RemoteForward 6007 localhost:6000

    remotemachine:~/.ssh/environment
    DISPLAY=localhost:7.0

  12. @Metajunkie Your understanding of -X and -Y options seems to be exactly opposite of what ssh man page says. If you read the documentation on -X, it says it IS vulnerable to keystroke monitoring, and recommends using -Y option. Per document -Y should be more secure than -X.

    Also, from another forum, I solved my issue by adding XAUTHORITY=~/.Xauthority environment variable, so this worked: “XAUTHORITY=~/.Xauthority DISPLAY=localhost:10.0 gnome-terminal” while this: “DISPLAY=localhost:10.0 gnome-terminal” got me an error that the display couldn’t be opened on the client with the server side giving the error ” X11 connection rejected because of wrong authentication.”. I hope this information is helpful for someone.

  13. “In the end of the post you wrote “Finally, login to remote server and run X11 as follows from your Mac OS X or Linux desktop system”. What about Microsoft Windows Os’s? How do i use X11Forwarding in Windows?”

    Please ask ‘god knows’ questions to Bill Gates.

  14. I can ssh to my new RHEL6 server from my Ubuntu 11.04 desktop OK and run X apps in my local display.

    But I also have sudo privs, and for a lot of server management I need to be able to run some X apps (eg Emacs) as root. I do this on a lot of other servers running RHEL{4|5} by becoming root, exiting, and running the app, thereby using the sticky-time of the X authentication, eg

    $ sudo su –
    [my password]
    # exit
    $ sudo system-config-printer &
    $

    This doesn’t work on the new machine: I get
    X11 connection rejected because of wrong authentication.

    I can’t see what I need to change: X11 forwarding is set, and all of the above suggestions.

  15. X11 forwarding over SSH had always worked for me, but I just got this error today when trying to open a file in gedit. Turns out I had a gedit instance open at the physical terminal (display 0). When I closed the locally running instance, I was able to launch a remote instance with no problem. Strange.

  16. It is also worth noting that if you change your HOME environment available then X wont be able to find your ~/.Xauthority also resulting in error “X11 connection rejected because of wrong authentication”.

    1. I have changed my home directory using “export HOME=/other/home/directory” and forgot to link Xauthority to the new home directory. spoonyfork’s reply helped me figure it out. Thanks,

  17. Hi All,

    I had the same problem, but with a small difference. User root was able to create X11 sessions without a problem, but application user got an error message when running X applications:

    [[email protected] eclipse]$ xclock
    X11 connection rejected because of wrong authentication.
    Error: Can’t open display: localhost:10.0

    DISPLAY variable was set, ~/.Xauthority file was owned by user, permissions was correctly set.

    Solution:
    Run: xauth list as root

    [[email protected] ~]# xauth list
    localhost/unix:13 MIT-MAGIC-COOKIE-1 c77169a6fa8139ea36f538e1c72e1b98

    Add all the listed sessions to the users auth:
    [[email protected] ~]$ xauth
    Using authority file /home/wasadm/.Xauthority
    xauth> add localhost/unix:13 MIT-MAGIC-COOKIE-1 c77169a6fa8139ea36f538e1c72e1b98

    Hope it will help others to avoid a half day agony! :)

  18. [[email protected] ~]# xhost +
    access control disabled, clients can connect from any host
    [[email protected] ~]# ssh -Y seshu2
    [email protected]’s password:
    Last login: Tue Feb 18 12:42:19 2014
    [[email protected] ~]# su – oracle
    [[email protected] ~]$ cd /u01/app/oracle/product/11.2.0/db_home/network/admin/
    [[email protected] admin]$ ls
    samples shrept.lst
    [[email protected] admin]$ netca

    Oracle Net Services Configuration:
    X11 connection rejected because of wrong authentication.
    X connection to localhost:10.0 broken (explicit kill or server shutdown).

    how can i solve plz telme

  19. The solution is to make your server record your session detaills and then reuse them when you have become root.

    1. Add this to your .bashrc:

    LIVE=`echo $DISPLAY | awk -F: ‘{print $2}’ | awk -F. ‘{print $1}’`
    xauth list | grep unix:$LIVE | awk ‘{print “xauth add ” $0}’ >xuser

    2. Then when you become root (or another user)

    . /home/yourname/xuser

    This gives the xauth magic cookies to the current shell. It’s probably horribly insecure.

  20. There’s also one simple detail, but alas, I did make the dumb mistake once:

    Make sure that you are not sudoed into the superuser (root) account, even if you are trying to start an administration GUI tool. If sshd is properly configured it should be blocking authentication as root user, therefore the X11 connection gets denied on the remote host. When you try to start the graphical utility make sure you do so with a regular user. Don’t worry about privileges, the X11 server will present you with a dialog to enter the password to elevate privileges if necessary.

  21. For those of you having this issue on RED HAD systems (centos, fedora etc) You have to disable SELINUX. This was preventing the .Xauthority file from creating properly. I’m sure there is a way to allow it in SELINUX, but the quick way is to disable SELINUX.

Leave a Comment