How to troubleshoot failed X11 forwarding with ssh?
Solution 1
For me, it has previously helped to erase .Xauthority
-files. You should probably back them up.
mkdir ~/Xauth-old
mv ~/.X* ~/Xauth-old/
Further, in ~/.ssh/config
you can avoid some other woes with authentication using
ForwardX11Trusted yes
Solution 2
Try steps here: http://www.cyberciti.biz/faq/x11-connection-rejected-because-of-wrong-authentication/
It might be ~/.Xauthority
ownership or /etc/ssh/sshd_config
problem. You also can check $ tail /var/log/messages
Solution 3
Adding this line to /etc/ssh/sshd_config
fixed it for me:
X11UseLocalhost yes
Solution 4
Please some Unix expert, correct me if I am incorrect:
This is particularly difficult because most of the answers do not clearly explain what side of the connection you are supposed to change.
For this example:
Host A is running X (this is sometimes confusing because it is a display server)
Host B is running sshd (the secure shell server)
The confusion starts if the instructions say "on the server, do x" so in this example we call them host-a and host-b
You are trying at the command line in Host A and you are trying to
user1@host-a:~$ ssh -v -X user2@host-b
You must configure the ssh daemon on host-b
Edit your /etc/ssh/sshd_config on host-b Add
AddressFamily inet
X11Forwarding yes
Restart sshd on host-b
sudo restart ssh
This should be working now
To test, try:
user1@host-a:~$ ssh -v -X user2@host-b
Again, this time echo $DISPLAY should show the DISPLAY value and xterm should create a xterm on host-a
Related videos on Youtube
kjo
Updated on September 18, 2022Comments
-
kjo over 1 year
When I try to establish an X11-forwarding connection to
myserver
, I get the following error:% ssh -X myserver xlogo X11 connection rejected because of wrong authentication. X11 connection rejected because of wrong authentication. X11 connection rejected because of wrong authentication. X11 connection rejected because of wrong authentication. Error: Can't open display: localhost:10.0 %
(I get the same error if I use
-Y
instead of-X
. Either way, I never see thexlogo
window.)If I use the same command to connect to a different server it works fine (i.e. the
xlogo
window pops up, as expected), so I suspect the problem is withmyserver
(and not with my local configuration).Also, if instead I use
% ssh -X myserver
the connection succeeds, and I get logged in to
myserver
. If then I runxlogo
, I get the same error as shown above.BTW, the local ssh client/X11 server is an Ubuntu laptop, and the remote ssh server/X11 client is a workstation running OS X Lion.
I've also run
ssh -vvvX myserver xlogo
, but the copious output is not very meaningful to me, and I'm not able to diagnose the problem from it. (FWIW, I've copied this output below.)How can I troubleshoot this problem further?
% ssh -vvvX myserver xlogo OpenSSH_5.9p1 Debian-5ubuntu1, OpenSSL 1.0.1 14 Mar 2012 debug1: Reading configuration data /home/yrstruly/.ssh/config debug1: /home/yrstruly/.ssh/config line 19: Applying options for * debug1: Reading configuration data /etc/ssh/ssh_config debug1: /etc/ssh/ssh_config line 19: Applying options for * debug2: ssh_connect: needpriv 0 debug1: Connecting to myserver [10.0.140.33] port 22. debug1: Connection established. debug3: Incorrect RSA1 identifier debug3: Could not load "/home/yrstruly/.ssh/id_rsa" as a RSA1 public key debug1: identity file /home/yrstruly/.ssh/id_rsa type 1 debug1: Checking blacklist file /usr/share/ssh/blacklist.RSA-2048 debug1: Checking blacklist file /etc/ssh/blacklist.RSA-2048 debug1: identity file /home/yrstruly/.ssh/id_rsa-cert type -1 debug1: identity file /home/yrstruly/.ssh/id_dsa type -1 debug1: identity file /home/yrstruly/.ssh/id_dsa-cert type -1 debug1: identity file /home/yrstruly/.ssh/id_ecdsa type -1 debug1: identity file /home/yrstruly/.ssh/id_ecdsa-cert type -1 debug1: Remote protocol version 2.0, remote software version OpenSSH_5.6 debug1: match: OpenSSH_5.6 pat OpenSSH* debug1: Enabling compatibility mode for protocol 2.0 debug1: Local version string SSH-2.0-OpenSSH_5.9p1 Debian-5ubuntu1 debug2: fd 3 setting O_NONBLOCK debug3: load_hostkeys: loading entries for host "myserver" from file "/home/yrstruly/.ssh/known_hosts" debug3: load_hostkeys: found key type RSA in file /home/yrstruly/.ssh/known_hosts:3 debug3: load_hostkeys: loaded 1 keys debug3: order_hostkeyalgs: prefer hostkeyalgs: [email protected],[email protected],ssh-rsa debug1: SSH2_MSG_KEXINIT sent debug1: SSH2_MSG_KEXINIT received debug2: kex_parse_kexinit: ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1 debug2: kex_parse_kexinit: [email protected],[email protected],ssh-rsa,[email protected],[email protected],[email protected],[email protected],[email protected],ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,ssh-dss debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,[email protected] debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,[email protected] debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,[email protected],hmac-sha2-256,hmac-sha2-256-96,hmac-sha2-512,hmac-sha2-512-96,hmac-ripemd160,[email protected],hmac-sha1-96,hmac-md5-96 debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,[email protected],hmac-sha2-256,hmac-sha2-256-96,hmac-sha2-512,hmac-sha2-512-96,hmac-ripemd160,[email protected],hmac-sha1-96,hmac-md5-96 debug2: kex_parse_kexinit: none,[email protected],zlib debug2: kex_parse_kexinit: none,[email protected],zlib debug2: kex_parse_kexinit: debug2: kex_parse_kexinit: debug2: kex_parse_kexinit: first_kex_follows 0 debug2: kex_parse_kexinit: reserved 0 debug2: kex_parse_kexinit: diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1 debug2: kex_parse_kexinit: ssh-rsa,ssh-dss debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,[email protected] debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,[email protected] debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,[email protected],hmac-ripemd160,[email protected],hmac-sha1-96,hmac-md5-96 debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,[email protected],hmac-ripemd160,[email protected],hmac-sha1-96,hmac-md5-96 debug2: kex_parse_kexinit: none,[email protected] debug2: kex_parse_kexinit: none,[email protected] debug2: kex_parse_kexinit: debug2: kex_parse_kexinit: debug2: kex_parse_kexinit: first_kex_follows 0 debug2: kex_parse_kexinit: reserved 0 debug2: mac_setup: found hmac-md5 debug1: kex: server->client aes128-ctr hmac-md5 none debug2: mac_setup: found hmac-md5 debug1: kex: client->server aes128-ctr hmac-md5 none debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1024<1024<8192) sent debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP debug2: dh_gen_key: priv key bits set: 129/256 debug2: bits set: 521/1024 debug1: SSH2_MSG_KEX_DH_GEX_INIT sent debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY debug1: Server host key: RSA 3b:5b:22:9e:e4:d1:12:7a:b9:6e:1a:e6:25:6d:b8:0e debug3: load_hostkeys: loading entries for host "myserver" from file "/home/yrstruly/.ssh/known_hosts" debug3: load_hostkeys: found key type RSA in file /home/yrstruly/.ssh/known_hosts:3 debug3: load_hostkeys: loaded 1 keys debug3: load_hostkeys: loading entries for host "10.0.140.33" from file "/home/yrstruly/.ssh/known_hosts" debug3: load_hostkeys: found key type RSA in file /home/yrstruly/.ssh/known_hosts:4 debug3: load_hostkeys: loaded 1 keys debug1: Host 'myserver' is known and matches the RSA host key. debug1: Found key in /home/yrstruly/.ssh/known_hosts:3 debug2: bits set: 511/1024 debug1: ssh_rsa_verify: signature correct debug2: kex_derive_keys debug2: set_newkeys: mode 1 debug1: SSH2_MSG_NEWKEYS sent debug1: expecting SSH2_MSG_NEWKEYS debug2: set_newkeys: mode 0 debug1: SSH2_MSG_NEWKEYS received debug1: Roaming not allowed by server debug1: SSH2_MSG_SERVICE_REQUEST sent debug2: service_accept: ssh-userauth debug1: SSH2_MSG_SERVICE_ACCEPT received debug2: key: /home/yrstruly/.ssh/id_rsa (0xb7a97898) debug2: key: yrstruly@mylaptop (0xb7a991c8) debug2: key: yrstruly@mylaptop (0xb7a99398) debug2: key: /home/yrstruly/.ssh/id_dsa ((nil)) debug2: key: /home/yrstruly/.ssh/id_ecdsa ((nil)) debug1: Authentications that can continue: publickey,keyboard-interactive debug3: start over, passed a different list publickey,keyboard-interactive debug3: preferred gssapi-keyex,gssapi-with-mic,publickey,keyboard-interactive,password debug3: authmethod_lookup publickey debug3: remaining preferred: keyboard-interactive,password debug3: authmethod_is_enabled publickey debug1: Next authentication method: publickey debug1: Offering RSA public key: /home/yrstruly/.ssh/id_rsa debug3: send_pubkey_test debug2: we sent a publickey packet, wait for reply debug1: Server accepts key: pkalg ssh-rsa blen 279 debug2: input_userauth_pk_ok: fp 0e:d0:ba:5c:c1:39:a9:c7:7b:c4:b7:11:87:33:b7:d7 debug3: sign_and_send_pubkey: RSA 0e:d0:ba:5c:c1:39:a9:c7:7b:c4:b7:11:87:33:b7:d7 debug1: Authentication succeeded (publickey). Authenticated to myserver ([10.0.140.33]:22). debug1: channel 0: new [client-session] debug3: ssh_session2_open: channel_new: 0 debug2: channel 0: send open debug1: Requesting [email protected] debug1: Entering interactive session. debug2: callback start debug2: x11_get_proto: /usr/bin/xauth -f /tmp/ssh-gMzJTOiJ3041/xauthfile generate :0.0 MIT-MAGIC-COOKIE-1 untrusted timeout 1200 2>/dev/null debug2: x11_get_proto: /usr/bin/xauth -f /tmp/ssh-gMzJTOiJ3041/xauthfile list :0.0 2>/dev/null debug1: Requesting X11 forwarding with authentication spoofing. debug2: channel 0: request x11-req confirm 1 debug2: client_session2_setup: id 0 debug2: fd 3 setting TCP_NODELAY debug1: Sending environment. debug3: Ignored env PWD debug3: Ignored env DISPLAY debug3: Ignored env TERM debug3: Ignored env TERMCAP debug3: Ignored env COLUMNS debug3: Ignored env EMACS debug3: Ignored env INSIDE_EMACS debug3: Ignored env _ debug3: Ignored env VENV_DIR debug3: Ignored env VIRTUALENVWRAPPER_LOG_DIR debug3: Ignored env VIRTUALENVWRAPPER_HOOK_DIR debug3: Ignored env WORKON_HOME debug3: Ignored env VIRTUALENVWRAPPER_PROJECT_FILENAME debug3: Ignored env RSYNC_GLOBAL_INCLUDES debug3: Ignored env RSYNC_GLOBAL_EXCLUDES debug3: Ignored env RSYNC_PARTIAL_DIR debug3: Ignored env RSYNC_DIR debug3: Ignored env CVSEDITOR debug3: Ignored env EDITOR debug3: Ignored env GIT_PAGER debug3: Ignored env LESS debug3: Ignored env PAGER debug3: Ignored env PERL_RL debug3: Ignored env HISTCONTROL debug3: Ignored env HISTFILESIZE debug3: Ignored env HISTFILE debug3: Ignored env SAVEHIST debug3: Ignored env HISTSIZE debug3: Ignored env LSCOLORS debug3: Ignored env perld debug1: Sending env LC_ALL = en_US.utf8 debug2: channel 0: request env confirm 0 debug3: Ignored env LANGUAGE debug3: Ignored env ZSHVARDIR debug3: Ignored env ZDOTDIROS debug3: Ignored env ZDOTDIRLOCAL debug3: Ignored env ZDOTDIR debug3: Ignored env OLDPWD debug3: Ignored env SHLVL debug3: Ignored env GPG_AGENT_INFO debug3: Ignored env XDG_SESSION_PATH debug3: Ignored env USER debug3: Ignored env HOME debug3: Ignored env SSH_AUTH_SOCK debug3: Ignored env PATH debug3: Ignored env XDG_CURRENT_DESKTOP debug3: Ignored env SESSION_MANAGER debug3: Ignored env SSH_AGENT_PID debug3: Ignored env WINDOWID debug3: Ignored env XDG_SESSION_COOKIE debug3: Ignored env XDG_DATA_DIRS debug3: Ignored env UBUNTU_MENUPROXY debug3: Ignored env DBUS_SESSION_BUS_ADDRESS debug3: Ignored env GNOME_DESKTOP_SESSION_ID debug3: Ignored env GNOME_KEYRING_CONTROL debug3: Ignored env GDMSESSION debug3: Ignored env DEFAULTS_PATH debug3: Ignored env DESKTOP_SESSION debug3: Ignored env COLORTERM debug3: Ignored env XAUTHORITY debug3: Ignored env GNOME_KEYRING_PID debug3: Ignored env MANDATORY_PATH debug3: Ignored env LOGNAME debug1: Sending env LANG = en_US.utf8 debug2: channel 0: request env confirm 0 debug3: Ignored env XDG_CONFIG_DIRS debug3: Ignored env XDG_SEAT_PATH debug3: Ignored env SHELL debug3: Ignored env WINDOW debug3: Ignored env STY debug3: Ignored env LD_LIBRARY_PATH debug1: Sending command: xlogo debug2: channel 0: request exec confirm 1 debug2: callback done debug2: channel 0: open confirm rwindow 0 rmax 32768 debug2: channel_input_status_confirm: type 99 id 0 debug2: X11 forwarding request accepted on channel 0 debug2: channel 0: rcvd adjust 2097152 debug2: channel_input_status_confirm: type 99 id 0 debug2: exec request accepted on channel 0 debug1: client_input_channel_open: ctype x11 rchan 3 win 65536 max 16384 debug1: client_request_x11: request from ::1 51763 debug2: fd 7 setting O_NONBLOCK debug3: fd 7 is O_NONBLOCK debug1: channel 1: new [x11] debug1: confirm x11 debug2: X11 connection uses different authentication protocol. X11 connection rejected because of wrong authentication. debug2: X11 rejected 1 i0/o0 debug2: channel 1: read failed debug2: channel 1: close_read debug2: channel 1: input open -> drain debug2: channel 1: ibuf empty debug2: channel 1: send eof debug2: channel 1: input drain -> closed debug2: channel 1: write failed debug2: channel 1: close_write debug2: channel 1: output open -> closed debug2: X11 closed 1 i3/o3 debug2: channel 1: send close debug2: channel 1: rcvd close debug2: channel 1: is dead debug2: channel 1: garbage collecting debug1: channel 1: free: x11, nchannels 2 debug3: channel 1: status: The following connections are open: #0 client-session (t4 r0 i0/0 o0/0 fd 4/5 cc -1) #1 x11 (t7 r3 i3/0 o3/0 fd 7/7 cc -1) debug1: client_input_channel_open: ctype x11 rchan 3 win 65536 max 16384 debug1: client_request_x11: request from ::1 51764 debug2: fd 7 setting O_NONBLOCK debug3: fd 7 is O_NONBLOCK debug1: channel 1: new [x11] debug1: confirm x11 debug2: X11 connection uses different authentication protocol. X11 connection rejected because of wrong authentication. debug2: X11 rejected 1 i0/o0 debug2: channel 1: read failed debug2: channel 1: close_read debug2: channel 1: input open -> drain debug2: channel 1: ibuf empty debug2: channel 1: send eof debug2: channel 1: input drain -> closed debug2: channel 1: write failed debug2: channel 1: close_write debug2: channel 1: output open -> closed debug2: X11 closed 1 i3/o3 debug2: channel 1: send close debug2: channel 1: rcvd close debug2: channel 1: is dead debug2: channel 1: garbage collecting debug1: channel 1: free: x11, nchannels 2 debug3: channel 1: status: The following connections are open: #0 client-session (t4 r0 i0/0 o0/0 fd 4/5 cc -1) #1 x11 (t7 r3 i3/0 o3/0 fd 7/7 cc -1) debug1: client_input_channel_open: ctype x11 rchan 3 win 65536 max 16384 debug1: client_request_x11: request from ::1 51765 debug2: fd 7 setting O_NONBLOCK debug3: fd 7 is O_NONBLOCK debug1: channel 1: new [x11] debug1: confirm x11 debug2: X11 connection uses different authentication protocol. X11 connection rejected because of wrong authentication. debug2: X11 rejected 1 i0/o0 debug2: channel 1: read failed debug2: channel 1: close_read debug2: channel 1: input open -> drain debug2: channel 1: ibuf empty debug2: channel 1: send eof debug2: channel 1: input drain -> closed debug2: channel 1: write failed debug2: channel 1: close_write debug2: channel 1: output open -> closed debug2: X11 closed 1 i3/o3 debug2: channel 1: send close debug2: channel 1: rcvd close debug2: channel 1: is dead debug2: channel 1: garbage collecting debug1: channel 1: free: x11, nchannels 2 debug3: channel 1: status: The following connections are open: #0 client-session (t4 r0 i0/0 o0/0 fd 4/5 cc -1) #1 x11 (t7 r3 i3/0 o3/0 fd 7/7 cc -1) debug1: client_input_channel_open: ctype x11 rchan 3 win 65536 max 16384 debug1: client_request_x11: request from ::1 51766 debug2: fd 7 setting O_NONBLOCK debug3: fd 7 is O_NONBLOCK debug1: channel 1: new [x11] debug1: confirm x11 debug2: X11 connection uses different authentication protocol. X11 connection rejected because of wrong authentication. debug2: X11 rejected 1 i0/o0 debug2: channel 1: read failed debug2: channel 1: close_read debug2: channel 1: input open -> drain debug2: channel 1: ibuf empty debug2: channel 1: send eof debug2: channel 1: input drain -> closed debug2: channel 1: write failed debug2: channel 1: close_write debug2: channel 1: output open -> closed debug2: X11 closed 1 i3/o3 debug2: channel 1: send close debug2: channel 1: rcvd close debug2: channel 1: is dead debug2: channel 1: garbage collecting debug1: channel 1: free: x11, nchannels 2 debug3: channel 1: status: The following connections are open: #0 client-session (t4 r0 i0/0 o0/0 fd 4/5 cc -1) #1 x11 (t7 r3 i3/0 o3/0 fd 7/7 cc -1) debug2: channel 0: rcvd ext data 42 debug2: channel 0: rcvd eof debug2: channel 0: output open -> drain debug1: client_input_channel_req: channel 0 rtype exit-status reply 0 debug1: client_input_channel_req: channel 0 rtype [email protected] reply 0 debug2: channel 0: rcvd eow debug2: channel 0: close_read debug2: channel 0: input open -> closed debug2: channel 0: rcvd close debug3: channel 0: will not send data after close debug2: channel 0: obuf_empty delayed efd 6/(42) Error: Can't open display: localhost:10.0 debug2: channel 0: written 42 to efd 6 debug3: channel 0: will not send data after close debug2: channel 0: obuf empty debug2: channel 0: close_write debug2: channel 0: output drain -> closed debug2: channel 0: almost dead debug2: channel 0: gc: notify user debug2: channel 0: gc: user detached debug2: channel 0: send close debug2: channel 0: is dead debug2: channel 0: garbage collecting debug1: channel 0: free: client-session, nchannels 1 debug3: channel 0: status: The following connections are open: #0 client-session (t4 r0 i3/0 o3/0 fd -1/-1 cc -1) Transferred: sent 3152, received 2728 bytes, in 0.4 seconds Bytes per second: sent 8679.2, received 7511.7 debug1: Exit status 1
-
Mathieu CAROFF about 4 years<3 Tysm. This worked for me trying to connect from a WSL to a debian 10 (buster) running on AWS. Note: (maybe?) remember to run
sudo systemctl restart ssh.service
-
jeremiah over 3 yearsReasoning URL 404's
-
Jan over 3 years@jeremiah, tends to happen after close to a decade :-)
-
Jan over 3 years@jeremiah - fixed link to web.archive version