What does "Warning: untrusted X11 forwarding setup failed: xauth key data not generated" mean when ssh'ing with -X?
Solution 1
Try ssh -Y
Any reason you don't want to use the -Y flag instead of the -X flag?
Quite simply, the difference between -X and -Y is that -Y enables trusted X11 forwarding.
Solution 2
BEWARE (tired of reading incomplete answers which lead to security flaws)
- using ssh -Y means here having fake xauth information which is bad!
- ssh -X should work since XQuartz, once enabled, uses xauth. The only problem is that ssh is looking for xauth in /usr/X11R6/bin and on macOS with XQuartz it is in /opt/X11/bin
Secure solving:
- Enable the first option in Security tab of preferences (Cmd-,) which enables authenticated connections
- add the following to $HOME/.ssh/config
  XAuthLocation /opt/X11/bin/xauth
- ssh -X you_server works in a secure manner
Solution 3
If you're coming here in 2015: even if everything else is set up properly, this can also happen on Mac OS X 10.10 Yosemite, when using ssh -X and running an XQuartz version <= 2.7.7. The root cause is X11 display sockets getting written outside of the xauth search path: issue #2068 in the XQuartz tracker.
Edit: A fixed XQuartz has since been released at the new homepage, xquartz.org, and installing the latest version from there (currently 2.7.9) will work around the issue.
Solution 4
If you get the same message even when using -Y, the xauth program might be missing on the server. On Debian-like systems, you need the xauth package. On RedHat-like systems, you need the xorg-x11-xauth package.
Solution 5
"Untrusted" in this context means you don't trust the connection. SSH will use additional security measures to try to make X11 forwarding safer. "Trusted" means you are entirely confident that no one on the remote host will get access to your Xauth data and use it to monitor your keystrokes for instance.
This terminology actually confused me for years. I thought "Trusted" connections were safer. But actually it's an option you're supposed to use in situations where the connection IS trustworthy and you want to run stuff without extra security measures getting in your way. "Untrusted" is the one that makes it (somewhat) safer to deal with an untrusted remote host.
An "Untrusted" connection attempts to limit what a black hat could do to you by engaging the X11 security extension and disabling other extensions that you (hopefully) don't need. This is probably why RandR is disabled with -X. Do you need to be able to rotate your X display from the remote host?
It's also important to note that "untrusted" X11 forwarding turns off after a certain amount of time to keep you from accidentally leaving it on. New attempts to open windows will just fail after that. That bit me several times before I read enough docs to understand what was happening.
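An added example (not from any of the answers above): a shell check for the client settings that Solutions 2 and 5 discuss. It reads `ssh -G` output and reports whether forwarding is trusted and whether `xauthlocation` points at an executable; the function names and the sample input are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit the X11 forwarding settings of an OpenSSH client.
# stdin: output of `ssh -G <host>` (lowercase "keyword value" lines).
# Prints one finding per line; returns 0 if nothing is flagged, else 1.
audit_x11_forwarding() {
    fwd=no trusted=no xauth="" timeout="" rc=0
    while read -r key value; do
        case "$key" in
            forwardx11)        fwd=$value ;;
            forwardx11trusted) trusted=$value ;;
            forwardx11timeout) timeout=$value ;;
            xauthlocation)     xauth=$value ;;
        esac
    done
    if [ "$fwd" != yes ]; then
        echo "OK: X11 forwarding is off"
        return 0
    fi
    if [ "$trusted" = yes ]; then
        echo "WARN: trusted forwarding (same as -Y): no X11 SECURITY extension restrictions"
        rc=1
    else
        echo "OK: untrusted forwarding (same as -X): X11 SECURITY extension restrictions apply"
        if [ -n "$timeout" ]; then echo "INFO: forwardx11timeout=$timeout, new windows fail after it"; fi
    fi
    if [ -z "$xauth" ] || [ ! -x "$xauth" ]; then
        echo "FAIL: xauthlocation '$xauth' is not executable; set XAuthLocation in ~/.ssh/config"
        rc=1
    else
        echo "OK: xauth found at $xauth"
    fi
    return $rc
}

# Constructed sample input shaped like `ssh -G` output; $1 is the xauth path to report.
sample_config() {
    printf '%s\n' "forwardx11 yes" "forwardx11trusted no" \
        "forwardx11timeout 1200" "xauthlocation $1"
}

# Real use: ssh -G you_server | audit_x11_forwarding
sample_config /nonexistent/X11R6/bin/xauth | audit_x11_forwarding || true
```
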
Daryl Spitzer
Updated on September 18, 2022
Comments
- Daryl Spitzer almost 2 years
When I use ssh -X on my Mac (running OS X 10.6.7) to connect to my Ubuntu (11.04) box, I get the following warning:
Warning: untrusted X11 forwarding setup failed: xauth key data not generated
Warning: No xauth data; using fake authentication data for X11 forwarding.
Is there something I can do to make this warning go away? If not, can I safely ignore it?
X11 forwarding seems to work fine, though I do see this message:
Xlib: extension "RANDR" missing on display "localhost:10.0".
Is that related to the warning? (I'm guessing not. If it's not, I'll file a new question about that.)
- slubman about 13 years
Is the xauth program installed on the Ubuntu server?
- Daryl Spitzer about 13 years
sudo apt-get install xauth tells me "xauth is already the newest version"
- slubman about 13 years
When logged in on the Ubuntu server, what is the output of 'which xauth'?
- slubman about 13 years
Indeed I think you should read this explanation: mail-archive.com/[email protected]/msg17927.html … you can ignore this warning
- michael almost 12 years
Occasionally this can be caused by issues w/ your ~/.Xauthority file. If you delete it, it will be re-created the next time you attempt to login.
- Daryl Spitzer over 12 years
No, I just wasn't aware of the -Y flag when I wrote the question. I believe that did turn out to be a solution. Change your answer so it's not a question (and it would be nice if you briefly explained the difference between -Y and -C) and I'll accept it.
- Rooster almost 9 years
Is there any case when you wouldn't want to use -Y instead of -X?
- craigds almost 9 years
Thank you! I had no idea that the XQuartz I just downloaded from the top of the XQuartz page is not actually the latest release.
- Pavel Šimerda over 8 years
One can use ssh -Y to do trusted X11 forwarding but how can one fix the untrusted one?
- Martin Cleaver over 8 years
Worth noting that brew install xquartz presently installs the out of date 2.7.7 version.
- Petr over 8 years
@Rooster for very old systems where -Y isn't supported I would say
- Pierre.Vriens about 8 years
I don't understand ...
- Curtis Yallop about 7 years
Troubleshooting tip: Run "ssh -vv ..." and look for the xauth line and any error messages. You can try running the xauth line it shows directly. For mine I needed it to be something like "xauth list :0" (trusted) not "xauth -f /tmp/ssh... list :0" (untrusted). Which -Y fixed and "ForwardX11Trusted yes" in remote host /etc/ssh/ssh_config (or ~/.ssh/config) also fixed.
- Nick about 7 years
brew install Caskroom/cask/xquartz should get you the latest XQuartz with HomeBrew
- Gangadhar Jannu about 6 years
I got the same error in Redhat and now I'm able to solve it by editing the config file /etc/ssh/ssh_config at client side. Thank you
- Franklin Yu over 5 years
Or shorter brew cask install xquartz.
- Eric Leschinski over 5 years
Two factor auth administered by linux side, with client side macbook seems to suddenly require -Y whereas in the past, either by cheese shoppian edict from apple HQ devs: before, and without two factor auth, -X works fine and without warning.
- Tomachi almost 4 years
omg finally after 5 years I'm back with a new version of XQuartz! they said they'd never update it... why Apple doesn't pay it the respect it deserves is beyond me.
- aggregate1166877 about 3 years
I'm coming here from 2021, I implore you: get off the planet! 2021 Earth is crazy, friend.
- dokkaebi over 2 years
Works for me today with macOS Big Sur 11.6, xquartz 2.8.1 installed through homebrew. Thanks!