SSH X11 Forwarding – Fix ‘X11 Forwarding Request Failed’

sshx11

When I ssh into a remote server that's not running any type of X11 desktop environment I get the following message.

$ ssh user@server
X11 forwarding request failed

$ ssh user@server ls
X11 forwarding request failed on channel 1
file1
file2
...

How can I get rid of these messages?

Best Answer

These messages can be eliminated through 1 of 3 methods, using just SSH options. You can always send messages to /dev/null too but these methods try to deal with the message through configuration, rather than just trapping and dumping them.

Method #1 - install xauth

The server you're remoting into is complaining that it cannot create an entry in the user's .Xauthority file, because xauth is not installed. So you can install it on each server to get rid of this annoying message.

On Fedora 19 you install xauth like so:

$ sudo yum install xorg-x11-xauth

If you then attempt to ssh into the server you'll see a message that an entry is being created in the user's .Xauthority file.

$ ssh root@server
/usr/bin/xauth:  creating new authority file /root/.Xauthority
$

Subsequent logins will no longer show this message.

Method #2 - disable it via ForwardX11

You can instruct the ssh client to not attempt to enable X11 forwarding by inclusion of the SSH parameter ForwardX11.

$ ssh -o ForwardX11=no root@server

You can do the same thing with the -x switch:

$ ssh -x root@server

This will only temporarily disable this message, but is a good option if you're not able to or unwilling to install xauth on the remote server.

Method #3 - disable it via sshd_config

This is typically the default but in case it isn't, you can setup your sshd server so that X11Forwarding is off, in /etc/ssh/sshd_config.

X11Forwarding no

Of the 3 methods I generally use #2, because I'll often want X11Forwarding on for most of my servers, but then don't want to see the X11.... warnings

$HOME/.ssh/config

Much of the time these message won't even show up. They're usually only present when you have the following entries in your $HOME/.ssh/config file, at the top.

ServerAliveInterval 15
ForwardX11 yes
ForwardAgent yes
ForwardX11Trusted yes

GatewayPorts yes

So it's this setup, which is ultimately driving the generation of those X11.. messages, so again, method #2 would seem to be the most appropriate if you want to operate with ForwardX11 yes on by default, but then selectively disable it for certain connections from the ssh client's perspective.

Security

It's generally ill-advised to run with ForwardX11 yes on at all times. So if you're wanting to operate your SSH connections in the most secure manor possible, it's best to do the following:

Don't include ForwardX11 yes in your $HOME/.ssh/config file
Only use ForwardingX11 when you need to via ssh -X user@server
If you can, disable X11Forwarding completely on the server so it's disallowed

References

SSH: The Secure Shell - The Definitive Guide - 9.3. X Forwarding

Related Solutions

Ssh – How to troubleshoot failed X11 forwarding with ssh

For me, it has previously helped to erase .Xauthority-files. You should probably back them up.

 mkdir ~/Xauth-old
 mv ~/.X* ~/Xauth-old/

Further, in ~/.ssh/config you can avoid some other woes with authentication using

ForwardX11Trusted yes

Reasoning to be found here.

Ssh – What do the channel numbers in ssh error message refer to

From the SSH Protocol documentation, regarding channels:

All terminal sessions, forwarded connections, etc., are channels. Either side may open a channel. Multiple channels are multiplexed into a single connection.

Channels are identified by numbers at each end. The number referring to a channel may be different on each side. Requests to open a channel contain the sender's channel number. Any other channel related messages contain the recipient's channel number for the channel.

Channels are flow-controlled. No data may be sent to a channel until a message is received to indicate that window space is available.

Port forwarding

The command you have looks fine. Are you sure that the service you're trying to connect to is up and accepting connections? The channel errors would seem to indicate that it's not.

What are my active channels?

If you have an active ssh connection you can use the following key combination to get help:

Shift+~ followed by Shift+?

$ ~?
Supported escape sequences:
  ~.  - terminate connection (and any multiplexed sessions)
  ~B  - send a BREAK to the remote system
  ~C  - open a command line
  ~R  - Request rekey (SSH protocol 2 only)
  ~^Z - suspend ssh
  ~#  - list forwarded connections
  ~&  - background ssh (when waiting for connections to terminate)
  ~?  - this message
  ~~  - send the escape character by typing it twice
(Note that escapes are only recognized immediately after newline.)
debug2: channel 2: written 480 to efd 8

You can then use this key combination to get a list of the active channels:

Shift+~ followed by Shift+#

$ ~#
The following connections are open:
  #2 client-session (t4 r0 i0/0 o0/0 fd 6/7 cc -1)
debug2: channel 2: written 93 to efd 8