What does "Warning: untrusted X11 forwarding setup failed: xauth key data not generated" mean when ssh'ing with -X?


Solution 1

Try ssh -Y

Any reason you don't want to use the -Y flag instead of the -X flag?

Quite simply, the difference between -X and -Y is that -Y enables trusted X11 forwarding.

Solution 2

BEWARE (tired of reading incomplete answers which lead to security flaws)

  1. using ssh -Y means here having fake xauth information which is bad!

  2. ssh -X should work since XQuartz, once enabled, uses xauth. The only problem is that ssh is looking for xauth in /usr/X11R6/bin and on macos with XQuartz it is in /opt/X11/bin

Secure solving:

  1. Enable the first option in Security tab of preferences (Cmd-,) which enables authenticated connections

  2. add the following to $HOME/.ssh/config

    XAuthLocation /opt/X11/bin/xauth

  3. ssh -X you_server works in a secure manner

Solution 3

If you're coming here in 2015: even if everything else is set up properly, this can also happen on Mac OS X 10.10 Yosemite, when using ssh -X and running an XQuartz version <= 2.7.7. The root cause is X11 display sockets getting written outside of the xauth search path: issue #2068 in the XQuartz tracker.

Edit: A fixed XQuartz has since been released at the new homepage, xquartz.org, and installing the latest version from there (currently 2.7.9) will work around the issue.

Solution 4

If you get the same message even when using -Y, the xauth program might be missing on the server. On Debian-like systems, you need the xauth package. On RedHat-like systems, you need the xorg-x11-xauth package.

Solution 5

"Untrusted" in this context means you don't trust the connection. SSH will use additional security measures to try to make X11 forwarding safer. "Trusted" means you are entirely confident that no one on the remote host will get access to your Xauth data and use it to monitor your keystrokes for instance.

This terminology actually confused me for years. I thought "Trusted" connections were safer. But actually it's an option you're supposed to use in situations where the connection IS trustworthy and you want to run stuff without extra security measures getting in your way. "Untrusted" is the one that makes it (somewhat) safer to deal with an untrusted remote host.

An "Untrusted" connection attempts to limit what a black hat could do to you by engaging the X11 security extension and disabling other extensions that you (hopefully) don't need. This is probably why RandR is disabled with -X. Do you need to be able to rotate your X display from the remote host?

It's also important to note that "untrusted" X11 forwarding turns off after a certain amount of time to keep you from accidentally leaving it on. New attempts to open windows will just fail after that. That bit me several times before I read enough docs to understand what was happening.
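An added example (not from any of the answers above): a POSIX shell function that reads the output of `ssh -G you_server` and checks the settings Solutions 2 and 5 turn on, namely whether the `XAuthLocation` path is executable and whether forwarding is trusted. The names `audit_x11` and `sample_output` and the sample input are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit the X11-forwarding settings ssh would actually use.
# Input on stdin: `ssh -G <host>` output, i.e. lowercase "key value" lines.
# Return status: 0 = fine, +1 = xauth not usable, +2 = trusted forwarding on.

audit_x11() {
    xauth_path="" fwd="" trusted="" timeout=""
    while read -r key value; do
        case "$key" in
            xauthlocation)     xauth_path=$value ;;
            forwardx11)        fwd=$value ;;
            forwardx11trusted) trusted=$value ;;
            forwardx11timeout) timeout=$value ;;
        esac
    done
    rc=0
    # Without a working xauth, ssh -X cannot generate the untrusted cookie
    # and prints the warning from the question.
    if [ -z "$xauth_path" ] || [ ! -x "$xauth_path" ]; then
        echo "FAIL xauthlocation '$xauth_path' is not executable; set XAuthLocation"
        rc=$((rc + 1))
    else
        echo "OK   xauthlocation $xauth_path"
    fi
    # ForwardX11Trusted yes is the config-file equivalent of ssh -Y.
    if [ "$trusted" = "yes" ]; then
        echo "WARN forwardx11trusted=yes: remote X11 clients get full access to the local display"
        rc=$((rc + 2))
    else
        echo "OK   forwardx11trusted=${trusted:-unset}"
    fi
    # Untrusted forwarding stops accepting new windows after this many seconds.
    echo "INFO forwardx11=${fwd:-unset} forwardx11timeout=${timeout:-unset}"
    return "$rc"
}

# Constructed sample of `ssh -G` output (not captured from a real host).
sample_output() {
    printf '%s\n' 'forwardx11 yes' 'forwardx11trusted no' \
        'forwardx11timeout 1200' 'xauthlocation /usr/X11R6/bin/xauth'
}

sample_output | audit_x11 || echo "audit status: $?"
# Real use: ssh -G you_server | audit_x11
```

Run it before and after adding `XAuthLocation /opt/X11/bin/xauth` to `$HOME/.ssh/config` to confirm the client picked up the new path.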

Author by

Daryl Spitzer

Updated on September 18, 2022

Comments

  • Daryl Spitzer
    Daryl Spitzer almost 2 years

    When I use ssh -X on my Mac (running OS X 10.6.7) to connect to my Ubuntu (11.04) box, I get the following warning:

    Warning: untrusted X11 forwarding setup failed: xauth key data not generated
    Warning: No xauth data; using fake authentication data for X11 forwarding.

    Is there something I can do to make this warning go away? If not, can I safely ignore it?

    X11 forwarding seems to work fine, though I do see this message:

    Xlib: extension "RANDR" missing on display "localhost:10.0".

    Is that related to the warning? (I'm guessing not. If it's not, I'll file a new question about that.)

    • slubman
      slubman about 13 years
      Is the xauth program installed on the Ubuntu server?
    • Daryl Spitzer
      Daryl Spitzer about 13 years
      sudo apt-get install xauth tells me "xauth is already the newest version"
    • slubman
      slubman about 13 years
      When logged in on the ubuntu server, what is the output of 'which xauth' ?
    • slubman
      slubman about 13 years
      Indeed I think you should read this explanation: mail-archive.com/[email protected]/msg17927.html … you can ignore this warning
    • michael
      michael almost 12 years
      occasionally this can be caused by issues w/ your ~/.Xauthority file. If you delete it, it will be re-created the next time you attempt to login.
  • Daryl Spitzer
    Daryl Spitzer over 12 years
    No, I just wasn't aware of the -Y flag when I wrote the question. I believe that did turn out to be a solution. Change your answer so it's not a question (and it would be nice if you briefly explained the difference between -Y and -C) and I'll accept it.
  • Rooster
    Rooster almost 9 years
    Is there any case when you wouldn't want to use -Y instead of -X?
  • craigds
    craigds almost 9 years
    Thank you! I had no idea that the XQuartz I just downloaded from the top of the XQuartz page is not actually the latest release.
  • Pavel Šimerda
    Pavel Šimerda over 8 years
    One can use ssh -Y to do trusted X11 forwarding but how can one fix the untrusted one?
  • Martin Cleaver
    Martin Cleaver over 8 years
    Worth noting that brew install xquartz presently installs the out of date 2.7.7 version.
  • Petr
    Petr over 8 years
    @Rooster for very old systems where -Y isn't supported I would say
  • Pierre.Vriens
    Pierre.Vriens about 8 years
    I don't understand ...
  • Curtis Yallop
    Curtis Yallop about 7 years
    Troubleshooting tip: Run "ssh -vv ..." and look for the xauth line and any error messages. You can try running the xauth line it shows directly. For mine I needed it to be something like "xauth list :0" (trusted) not "xauth -f /tmp/ssh... list :0" (untrusted). Which -Y fixed and "ForwardX11Trusted yes" in remote host /etc/ssh/ssh_config (or ~/.ssh/config) also fixed.
  • Nick
    Nick about 7 years
    brew install Caskroom/cask/xquartz should get you the latest XQuartz with HomeBrew
  • Gangadhar Jannu
    Gangadhar Jannu about 6 years
    I got the same error in Redhat and now I'm able to solve it by editing the config file /etc/ssh/ssh_config at client side. Thank you
  • Franklin Yu
    Franklin Yu over 5 years
    Or shorter brew cask install xquartz.
  • Eric Leschinski
    Eric Leschinski over 5 years
    Two factor auth administered by linux side, with client side macbook seems to suddenly require -Y whereas in the past, either by cheese shoppian edict from apple HQ devs: before, and without two factor auth, -X works fine and without warning.
  • Tomachi
    Tomachi almost 4 years
    omg finally after 5 years I'm back with a new version of XQuartz! they said they'd never update it... why Apple doesn't pay it the respect it deserves is beyond me.
  • aggregate1166877
    aggregate1166877 about 3 years
    I'm coming here from 2021, I implore you: get off the planet! 2021 Earth is crazy, friend.
  • dokkaebi
    dokkaebi over 2 years
    Works for me today with macOS Big Sur 11.6, xquartz 2.8.1 installed through homebrew. Thanks!