Ssh – How to troubleshoot failed X11 forwarding with ssh

osxsshx11xauth

When I try to establish an X11-forwarding connection to myserver, I get the following error:

% ssh -X myserver xlogo
X11 connection rejected because of wrong authentication.
X11 connection rejected because of wrong authentication.
X11 connection rejected because of wrong authentication.
X11 connection rejected because of wrong authentication.
Error: Can't open display: localhost:10.0
%

(I get the same error if I use -Y instead of -X. Either way, I never see the xlogo window.)

If I use the same command to connect to a different server it works fine (i.e. the xlogo window pops up, as expected), so I suspect the problem is with myserver (and not with my local configuration).

Also, if instead I use

% ssh -X myserver

the connection succeeds, and I get logged in to myserver. If then I run xlogo, I get the same error as shown above.

BTW, the local ssh client/X11 server is an Ubuntu laptop, and the remote ssh server/X11 client is a workstation running OS X Lion.

I've also run ssh -vvvX myserver xlogo, but the copious output is not very meaningful to me, and I'm not able to diagnose the problem from it. (FWIW, I've copied this output below.)

How can I troubleshoot this problem further?

% ssh -vvvX myserver xlogo
OpenSSH_5.9p1 Debian-5ubuntu1, OpenSSL 1.0.1 14 Mar 2012
debug1: Reading configuration data /home/yrstruly/.ssh/config
debug1: /home/yrstruly/.ssh/config line 19: Applying options for *
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: /etc/ssh/ssh_config line 19: Applying options for *
debug2: ssh_connect: needpriv 0
debug1: Connecting to myserver [10.0.140.33] port 22.
debug1: Connection established.
debug3: Incorrect RSA1 identifier
debug3: Could not load "/home/yrstruly/.ssh/id_rsa" as a RSA1 public key
debug1: identity file /home/yrstruly/.ssh/id_rsa type 1
debug1: Checking blacklist file /usr/share/ssh/blacklist.RSA-2048
debug1: Checking blacklist file /etc/ssh/blacklist.RSA-2048
debug1: identity file /home/yrstruly/.ssh/id_rsa-cert type -1
debug1: identity file /home/yrstruly/.ssh/id_dsa type -1
debug1: identity file /home/yrstruly/.ssh/id_dsa-cert type -1
debug1: identity file /home/yrstruly/.ssh/id_ecdsa type -1
debug1: identity file /home/yrstruly/.ssh/id_ecdsa-cert type -1
debug1: Remote protocol version 2.0, remote software version OpenSSH_5.6
debug1: match: OpenSSH_5.6 pat OpenSSH*
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_5.9p1 Debian-5ubuntu1
debug2: fd 3 setting O_NONBLOCK
debug3: load_hostkeys: loading entries for host "myserver" from file "/home/yrstruly/.ssh/known_hosts"
debug3: load_hostkeys: found key type RSA in file /home/yrstruly/.ssh/known_hosts:3
debug3: load_hostkeys: loaded 1 keys
debug3: order_hostkeyalgs: prefer hostkeyalgs: ssh-rsa-cert-v01@openssh.com,ssh-rsa-cert-v00@openssh.com,ssh-rsa
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug2: kex_parse_kexinit: ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
debug2: kex_parse_kexinit: ssh-rsa-cert-v01@openssh.com,ssh-rsa-cert-v00@openssh.com,ssh-rsa,ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp521-cert-v01@openssh.com,ssh-dss-cert-v01@openssh.com,ssh-dss-cert-v00@openssh.com,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,ssh-dss
debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-cbc@lysator.liu.se
debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-cbc@lysator.liu.se
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-sha2-256,hmac-sha2-256-96,hmac-sha2-512,hmac-sha2-512-96,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-sha2-256,hmac-sha2-256-96,hmac-sha2-512,hmac-sha2-512-96,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: none,zlib@openssh.com,zlib
debug2: kex_parse_kexinit: none,zlib@openssh.com,zlib
debug2: kex_parse_kexinit: 
debug2: kex_parse_kexinit: 
debug2: kex_parse_kexinit: first_kex_follows 0 
debug2: kex_parse_kexinit: reserved 0 
debug2: kex_parse_kexinit: diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
debug2: kex_parse_kexinit: ssh-rsa,ssh-dss
debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-cbc@lysator.liu.se
debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-cbc@lysator.liu.se
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: none,zlib@openssh.com
debug2: kex_parse_kexinit: none,zlib@openssh.com
debug2: kex_parse_kexinit: 
debug2: kex_parse_kexinit: 
debug2: kex_parse_kexinit: first_kex_follows 0 
debug2: kex_parse_kexinit: reserved 0 
debug2: mac_setup: found hmac-md5
debug1: kex: server->client aes128-ctr hmac-md5 none
debug2: mac_setup: found hmac-md5
debug1: kex: client->server aes128-ctr hmac-md5 none
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1024<1024<8192) sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
debug2: dh_gen_key: priv key bits set: 129/256
debug2: bits set: 521/1024
debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
debug1: Server host key: RSA 3b:5b:22:9e:e4:d1:12:7a:b9:6e:1a:e6:25:6d:b8:0e
debug3: load_hostkeys: loading entries for host "myserver" from file "/home/yrstruly/.ssh/known_hosts"
debug3: load_hostkeys: found key type RSA in file /home/yrstruly/.ssh/known_hosts:3
debug3: load_hostkeys: loaded 1 keys
debug3: load_hostkeys: loading entries for host "10.0.140.33" from file "/home/yrstruly/.ssh/known_hosts"
debug3: load_hostkeys: found key type RSA in file /home/yrstruly/.ssh/known_hosts:4
debug3: load_hostkeys: loaded 1 keys
debug1: Host 'myserver' is known and matches the RSA host key.
debug1: Found key in /home/yrstruly/.ssh/known_hosts:3
debug2: bits set: 511/1024
debug1: ssh_rsa_verify: signature correct
debug2: kex_derive_keys
debug2: set_newkeys: mode 1
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug2: set_newkeys: mode 0
debug1: SSH2_MSG_NEWKEYS received
debug1: Roaming not allowed by server
debug1: SSH2_MSG_SERVICE_REQUEST sent
debug2: service_accept: ssh-userauth
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug2: key: /home/yrstruly/.ssh/id_rsa (0xb7a97898)
debug2: key: yrstruly@mylaptop (0xb7a991c8)
debug2: key: yrstruly@mylaptop (0xb7a99398)
debug2: key: /home/yrstruly/.ssh/id_dsa ((nil))
debug2: key: /home/yrstruly/.ssh/id_ecdsa ((nil))
debug1: Authentications that can continue: publickey,keyboard-interactive
debug3: start over, passed a different list publickey,keyboard-interactive
debug3: preferred gssapi-keyex,gssapi-with-mic,publickey,keyboard-interactive,password
debug3: authmethod_lookup publickey
debug3: remaining preferred: keyboard-interactive,password
debug3: authmethod_is_enabled publickey
debug1: Next authentication method: publickey
debug1: Offering RSA public key: /home/yrstruly/.ssh/id_rsa
debug3: send_pubkey_test
debug2: we sent a publickey packet, wait for reply
debug1: Server accepts key: pkalg ssh-rsa blen 279
debug2: input_userauth_pk_ok: fp 0e:d0:ba:5c:c1:39:a9:c7:7b:c4:b7:11:87:33:b7:d7
debug3: sign_and_send_pubkey: RSA 0e:d0:ba:5c:c1:39:a9:c7:7b:c4:b7:11:87:33:b7:d7
debug1: Authentication succeeded (publickey).
Authenticated to myserver ([10.0.140.33]:22).
debug1: channel 0: new [client-session]
debug3: ssh_session2_open: channel_new: 0
debug2: channel 0: send open
debug1: Requesting no-more-sessions@openssh.com
debug1: Entering interactive session.
debug2: callback start
debug2: x11_get_proto: /usr/bin/xauth -f /tmp/ssh-gMzJTOiJ3041/xauthfile generate :0.0 MIT-MAGIC-COOKIE-1 untrusted timeout 1200 2>/dev/null
debug2: x11_get_proto: /usr/bin/xauth -f /tmp/ssh-gMzJTOiJ3041/xauthfile list :0.0 2>/dev/null
debug1: Requesting X11 forwarding with authentication spoofing.
debug2: channel 0: request x11-req confirm 1
debug2: client_session2_setup: id 0
debug2: fd 3 setting TCP_NODELAY
debug1: Sending environment.
debug3: Ignored env PWD
debug3: Ignored env DISPLAY
debug3: Ignored env TERM
debug3: Ignored env TERMCAP
debug3: Ignored env COLUMNS
debug3: Ignored env EMACS
debug3: Ignored env INSIDE_EMACS
debug3: Ignored env _
debug3: Ignored env VENV_DIR
debug3: Ignored env VIRTUALENVWRAPPER_LOG_DIR
debug3: Ignored env VIRTUALENVWRAPPER_HOOK_DIR
debug3: Ignored env WORKON_HOME
debug3: Ignored env VIRTUALENVWRAPPER_PROJECT_FILENAME
debug3: Ignored env RSYNC_GLOBAL_INCLUDES
debug3: Ignored env RSYNC_GLOBAL_EXCLUDES
debug3: Ignored env RSYNC_PARTIAL_DIR
debug3: Ignored env RSYNC_DIR
debug3: Ignored env CVSEDITOR
debug3: Ignored env EDITOR
debug3: Ignored env GIT_PAGER
debug3: Ignored env LESS
debug3: Ignored env PAGER
debug3: Ignored env PERL_RL
debug3: Ignored env HISTCONTROL
debug3: Ignored env HISTFILESIZE
debug3: Ignored env HISTFILE
debug3: Ignored env SAVEHIST
debug3: Ignored env HISTSIZE
debug3: Ignored env LSCOLORS
debug3: Ignored env perld
debug1: Sending env LC_ALL = en_US.utf8
debug2: channel 0: request env confirm 0
debug3: Ignored env LANGUAGE
debug3: Ignored env ZSHVARDIR
debug3: Ignored env ZDOTDIROS
debug3: Ignored env ZDOTDIRLOCAL
debug3: Ignored env ZDOTDIR
debug3: Ignored env OLDPWD
debug3: Ignored env SHLVL
debug3: Ignored env GPG_AGENT_INFO
debug3: Ignored env XDG_SESSION_PATH
debug3: Ignored env USER
debug3: Ignored env HOME
debug3: Ignored env SSH_AUTH_SOCK
debug3: Ignored env PATH
debug3: Ignored env XDG_CURRENT_DESKTOP
debug3: Ignored env SESSION_MANAGER
debug3: Ignored env SSH_AGENT_PID
debug3: Ignored env WINDOWID
debug3: Ignored env XDG_SESSION_COOKIE
debug3: Ignored env XDG_DATA_DIRS
debug3: Ignored env UBUNTU_MENUPROXY
debug3: Ignored env DBUS_SESSION_BUS_ADDRESS
debug3: Ignored env GNOME_DESKTOP_SESSION_ID
debug3: Ignored env GNOME_KEYRING_CONTROL
debug3: Ignored env GDMSESSION
debug3: Ignored env DEFAULTS_PATH
debug3: Ignored env DESKTOP_SESSION
debug3: Ignored env COLORTERM
debug3: Ignored env XAUTHORITY
debug3: Ignored env GNOME_KEYRING_PID
debug3: Ignored env MANDATORY_PATH
debug3: Ignored env LOGNAME
debug1: Sending env LANG = en_US.utf8
debug2: channel 0: request env confirm 0
debug3: Ignored env XDG_CONFIG_DIRS
debug3: Ignored env XDG_SEAT_PATH
debug3: Ignored env SHELL
debug3: Ignored env WINDOW
debug3: Ignored env STY
debug3: Ignored env LD_LIBRARY_PATH
debug1: Sending command: xlogo
debug2: channel 0: request exec confirm 1
debug2: callback done
debug2: channel 0: open confirm rwindow 0 rmax 32768
debug2: channel_input_status_confirm: type 99 id 0
debug2: X11 forwarding request accepted on channel 0
debug2: channel 0: rcvd adjust 2097152
debug2: channel_input_status_confirm: type 99 id 0
debug2: exec request accepted on channel 0
debug1: client_input_channel_open: ctype x11 rchan 3 win 65536 max 16384
debug1: client_request_x11: request from ::1 51763
debug2: fd 7 setting O_NONBLOCK
debug3: fd 7 is O_NONBLOCK
debug1: channel 1: new [x11]
debug1: confirm x11
debug2: X11 connection uses different authentication protocol.
X11 connection rejected because of wrong authentication.
debug2: X11 rejected 1 i0/o0
debug2: channel 1: read failed
debug2: channel 1: close_read
debug2: channel 1: input open -> drain
debug2: channel 1: ibuf empty
debug2: channel 1: send eof
debug2: channel 1: input drain -> closed
debug2: channel 1: write failed
debug2: channel 1: close_write
debug2: channel 1: output open -> closed
debug2: X11 closed 1 i3/o3
debug2: channel 1: send close
debug2: channel 1: rcvd close
debug2: channel 1: is dead
debug2: channel 1: garbage collecting
debug1: channel 1: free: x11, nchannels 2
debug3: channel 1: status: The following connections are open:
  #0 client-session (t4 r0 i0/0 o0/0 fd 4/5 cc -1)
  #1 x11 (t7 r3 i3/0 o3/0 fd 7/7 cc -1)

debug1: client_input_channel_open: ctype x11 rchan 3 win 65536 max 16384
debug1: client_request_x11: request from ::1 51764
debug2: fd 7 setting O_NONBLOCK
debug3: fd 7 is O_NONBLOCK
debug1: channel 1: new [x11]
debug1: confirm x11
debug2: X11 connection uses different authentication protocol.
X11 connection rejected because of wrong authentication.
debug2: X11 rejected 1 i0/o0
debug2: channel 1: read failed
debug2: channel 1: close_read
debug2: channel 1: input open -> drain
debug2: channel 1: ibuf empty
debug2: channel 1: send eof
debug2: channel 1: input drain -> closed
debug2: channel 1: write failed
debug2: channel 1: close_write
debug2: channel 1: output open -> closed
debug2: X11 closed 1 i3/o3
debug2: channel 1: send close
debug2: channel 1: rcvd close
debug2: channel 1: is dead
debug2: channel 1: garbage collecting
debug1: channel 1: free: x11, nchannels 2
debug3: channel 1: status: The following connections are open:
  #0 client-session (t4 r0 i0/0 o0/0 fd 4/5 cc -1)
  #1 x11 (t7 r3 i3/0 o3/0 fd 7/7 cc -1)

debug1: client_input_channel_open: ctype x11 rchan 3 win 65536 max 16384
debug1: client_request_x11: request from ::1 51765
debug2: fd 7 setting O_NONBLOCK
debug3: fd 7 is O_NONBLOCK
debug1: channel 1: new [x11]
debug1: confirm x11
debug2: X11 connection uses different authentication protocol.
X11 connection rejected because of wrong authentication.
debug2: X11 rejected 1 i0/o0
debug2: channel 1: read failed
debug2: channel 1: close_read
debug2: channel 1: input open -> drain
debug2: channel 1: ibuf empty
debug2: channel 1: send eof
debug2: channel 1: input drain -> closed
debug2: channel 1: write failed
debug2: channel 1: close_write
debug2: channel 1: output open -> closed
debug2: X11 closed 1 i3/o3
debug2: channel 1: send close
debug2: channel 1: rcvd close
debug2: channel 1: is dead
debug2: channel 1: garbage collecting
debug1: channel 1: free: x11, nchannels 2
debug3: channel 1: status: The following connections are open:
  #0 client-session (t4 r0 i0/0 o0/0 fd 4/5 cc -1)
  #1 x11 (t7 r3 i3/0 o3/0 fd 7/7 cc -1)

debug1: client_input_channel_open: ctype x11 rchan 3 win 65536 max 16384
debug1: client_request_x11: request from ::1 51766
debug2: fd 7 setting O_NONBLOCK
debug3: fd 7 is O_NONBLOCK
debug1: channel 1: new [x11]
debug1: confirm x11
debug2: X11 connection uses different authentication protocol.
X11 connection rejected because of wrong authentication.
debug2: X11 rejected 1 i0/o0
debug2: channel 1: read failed
debug2: channel 1: close_read
debug2: channel 1: input open -> drain
debug2: channel 1: ibuf empty
debug2: channel 1: send eof
debug2: channel 1: input drain -> closed
debug2: channel 1: write failed
debug2: channel 1: close_write
debug2: channel 1: output open -> closed
debug2: X11 closed 1 i3/o3
debug2: channel 1: send close
debug2: channel 1: rcvd close
debug2: channel 1: is dead
debug2: channel 1: garbage collecting
debug1: channel 1: free: x11, nchannels 2
debug3: channel 1: status: The following connections are open:
  #0 client-session (t4 r0 i0/0 o0/0 fd 4/5 cc -1)
  #1 x11 (t7 r3 i3/0 o3/0 fd 7/7 cc -1)

debug2: channel 0: rcvd ext data 42
debug2: channel 0: rcvd eof
debug2: channel 0: output open -> drain
debug1: client_input_channel_req: channel 0 rtype exit-status reply 0
debug1: client_input_channel_req: channel 0 rtype eow@openssh.com reply 0
debug2: channel 0: rcvd eow
debug2: channel 0: close_read
debug2: channel 0: input open -> closed
debug2: channel 0: rcvd close
debug3: channel 0: will not send data after close
debug2: channel 0: obuf_empty delayed efd 6/(42)
Error: Can't open display: localhost:10.0
debug2: channel 0: written 42 to efd 6
debug3: channel 0: will not send data after close
debug2: channel 0: obuf empty
debug2: channel 0: close_write
debug2: channel 0: output drain -> closed
debug2: channel 0: almost dead
debug2: channel 0: gc: notify user
debug2: channel 0: gc: user detached
debug2: channel 0: send close
debug2: channel 0: is dead
debug2: channel 0: garbage collecting
debug1: channel 0: free: client-session, nchannels 1
debug3: channel 0: status: The following connections are open:
  #0 client-session (t4 r0 i3/0 o3/0 fd -1/-1 cc -1)

Transferred: sent 3152, received 2728 bytes, in 0.4 seconds
Bytes per second: sent 8679.2, received 7511.7
debug1: Exit status 1

Best Answer

For me, it has previously helped to erase .Xauthority-files. You should probably back them up.

 mkdir ~/Xauth-old
 mv ~/.X* ~/Xauth-old/

Further, in ~/.ssh/config you can avoid some other woes with authentication using

ForwardX11Trusted yes

Reasoning to be found here.

Method #1 - install xauth

The server you're remoting into is complaining that it cannot create an entry in the user's .Xauthority file, because xauth is not installed. So you can install it on each server to get rid of this annoying message.

On Fedora 19 you install xauth like so:

$ sudo yum install xorg-x11-xauth

If you then attempt to ssh into the server you'll see a message that an entry is being created in the user's .Xauthority file.

$ ssh root@server
/usr/bin/xauth:  creating new authority file /root/.Xauthority
$

Subsequent logins will no longer show this message.

Method #2 - disable it via ForwardX11

You can instruct the ssh client to not attempt to enable X11 forwarding by inclusion of the SSH parameter ForwardX11.

$ ssh -o ForwardX11=no root@server

You can do the same thing with the -x switch:

$ ssh -x root@server

This will only temporarily disable this message, but is a good option if you're not able to or unwilling to install xauth on the remote server.

Method #3 - disable it via sshd_config

This is typically the default but in case it isn't, you can setup your sshd server so that X11Forwarding is off, in /etc/ssh/sshd_config.

X11Forwarding no

Of the 3 methods I generally use #2, because I'll often want X11Forwarding on for most of my servers, but then don't want to see the X11.... warnings

$HOME/.ssh/config

Much of the time these message won't even show up. They're usually only present when you have the following entries in your $HOME/.ssh/config file, at the top.

ServerAliveInterval 15
ForwardX11 yes
ForwardAgent yes
ForwardX11Trusted yes

GatewayPorts yes

So it's this setup, which is ultimately driving the generation of those X11.. messages, so again, method #2 would seem to be the most appropriate if you want to operate with ForwardX11 yes on by default, but then selectively disable it for certain connections from the ssh client's perspective.

Security

It's generally ill-advised to run with ForwardX11 yes on at all times. So if you're wanting to operate your SSH connections in the most secure manor possible, it's best to do the following:

Don't include ForwardX11 yes in your $HOME/.ssh/config file
Only use ForwardingX11 when you need to via ssh -X user@server
If you can, disable X11Forwarding completely on the server so it's disallowed

References

SSH: The Secure Shell - The Definitive Guide - 9.3. X Forwarding

Ssh – Why is the SSH connection being closed immediately after pubkey auth succeeds

It's working now. I did the following

set the permission for ~/.ssh 0700
all the files under ~/.ssh 0600
run the sshd service as cyg_server id (created during ssh-host-config)
edit /etc/sshd_config to allow PubkeyAuthentication yes