How do I debug “X11 connection rejected because of wrong authentication”












10















I have a problem with X forwarding through SSH. I've battled for ages, but no-one can seem to help.



I'm now taking a different tact. I would like to know how I would debug the errors?



What logs should I look in, what extra flags should I set (-v etc) and what should I look for?



Further Edit:



If I log into Putty into the server and try to xeyes, I get:



PuTTY X11 proxy: wrong authorisation protocol attemptedError: Can't open display: localhost:10.0



If I xauth generate $DISPLAY I get:



PuTTY X11 proxy: wrong authorisation protocol attemptedxauth: (argv):1: unable to open display "localhost:10.0".






ssh logging debug x11-forwarding







share|improve this question

























  • In your question from the other day you describe different symptoms. Are you still suffering from "Can't open display", or did you solve that? If you solved that, and one of the answers to that question was helpful, you should select it as an answer to reward the person who helped you.

    – Kenster
    Sep 1 '14 at 13:25











  • Agreed, it's a different error now, I've closed that question.

    – wkdmarty
    Sep 1 '14 at 14:00











  • See if this answer applies to your server.

    – Kenster
    Sep 1 '14 at 14:04











  • Kenster, I didn't have either rc file on the server, so I created one and pasted the code. No difference.

    – wkdmarty
    Sep 1 '14 at 14:12











  • In the PuTTY logs, this comes up after I try to run an x program (after SSH login). 2014-09-01 15:16:38 Received X11 connect request from 127.0.0.1:59566 2014-09-01 15:16:38 Opening X11 forward connection succeeded 2014-09-01 15:16:38 Nothing left to send, closing channel 2014-09-01 15:16:38 Forwarded X11 connection terminated

    – wkdmarty
    Sep 1 '14 at 14:18
















10















I have a problem with X forwarding through SSH. I've battled for ages, but no-one can seem to help.



I'm now taking a different tact. I would like to know how I would debug the errors?



What logs should I look in, what extra flags should I set (-v etc) and what should I look for?



Further Edit:



If I log into Putty into the server and try to xeyes, I get:



PuTTY X11 proxy: wrong authorisation protocol attemptedError: Can't open display: localhost:10.0



If I xauth generate $DISPLAY I get:



PuTTY X11 proxy: wrong authorisation protocol attemptedxauth: (argv):1: unable to open display "localhost:10.0".






ssh logging debug x11-forwarding







share|improve this question

























  • In your question from the other day you describe different symptoms. Are you still suffering from "Can't open display", or did you solve that? If you solved that, and one of the answers to that question was helpful, you should select it as an answer to reward the person who helped you.

    – Kenster
    Sep 1 '14 at 13:25











  • Agreed, it's a different error now, I've closed that question.

    – wkdmarty
    Sep 1 '14 at 14:00











  • See if this answer applies to your server.

    – Kenster
    Sep 1 '14 at 14:04











  • Kenster, I didn't have either rc file on the server, so I created one and pasted the code. No difference.

    – wkdmarty
    Sep 1 '14 at 14:12











  • In the PuTTY logs, this comes up after I try to run an x program (after SSH login). 2014-09-01 15:16:38 Received X11 connect request from 127.0.0.1:59566 2014-09-01 15:16:38 Opening X11 forward connection succeeded 2014-09-01 15:16:38 Nothing left to send, closing channel 2014-09-01 15:16:38 Forwarded X11 connection terminated

    – wkdmarty
    Sep 1 '14 at 14:18














10












10








10


2






I have a problem with X forwarding through SSH. I've battled for ages, but no-one can seem to help.



I'm now taking a different tact. I would like to know how I would debug the errors?



What logs should I look in, what extra flags should I set (-v etc) and what should I look for?



Further Edit:



If I log into Putty into the server and try to xeyes, I get:



PuTTY X11 proxy: wrong authorisation protocol attemptedError: Can't open display: localhost:10.0



If I xauth generate $DISPLAY I get:



PuTTY X11 proxy: wrong authorisation protocol attemptedxauth: (argv):1: unable to open display "localhost:10.0".






ssh logging debug x11-forwarding







share|improve this question
















I have a problem with X forwarding through SSH. I've battled for ages, but no-one can seem to help.



I'm now taking a different tact. I would like to know how I would debug the errors?



What logs should I look in, what extra flags should I set (-v etc) and what should I look for?



Further Edit:



If I log into Putty into the server and try to xeyes, I get:



PuTTY X11 proxy: wrong authorisation protocol attemptedError: Can't open display: localhost:10.0



If I xauth generate $DISPLAY I get:



PuTTY X11 proxy: wrong authorisation protocol attemptedxauth: (argv):1: unable to open display "localhost:10.0".






ssh logging debug x11-forwarding




ssh logging debug x11-forwarding






share|improve this question















share|improve this question













share|improve this question




share|improve this question








edited Sep 3 '14 at 9:43







wkdmarty

















asked Sep 1 '14 at 10:41









wkdmartywkdmarty

1902212




1902212













  • In your question from the other day you describe different symptoms. Are you still suffering from "Can't open display", or did you solve that? If you solved that, and one of the answers to that question was helpful, you should select it as an answer to reward the person who helped you.

    – Kenster
    Sep 1 '14 at 13:25











  • Agreed, it's a different error now, I've closed that question.

    – wkdmarty
    Sep 1 '14 at 14:00











  • See if this answer applies to your server.

    – Kenster
    Sep 1 '14 at 14:04











  • Kenster, I didn't have either rc file on the server, so I created one and pasted the code. No difference.

    – wkdmarty
    Sep 1 '14 at 14:12











  • In the PuTTY logs, this comes up after I try to run an x program (after SSH login). 2014-09-01 15:16:38 Received X11 connect request from 127.0.0.1:59566 2014-09-01 15:16:38 Opening X11 forward connection succeeded 2014-09-01 15:16:38 Nothing left to send, closing channel 2014-09-01 15:16:38 Forwarded X11 connection terminated

    – wkdmarty
    Sep 1 '14 at 14:18



















  • In your question from the other day you describe different symptoms. Are you still suffering from "Can't open display", or did you solve that? If you solved that, and one of the answers to that question was helpful, you should select it as an answer to reward the person who helped you.

    – Kenster
    Sep 1 '14 at 13:25











  • Agreed, it's a different error now, I've closed that question.

    – wkdmarty
    Sep 1 '14 at 14:00











  • See if this answer applies to your server.

    – Kenster
    Sep 1 '14 at 14:04











  • Kenster, I didn't have either rc file on the server, so I created one and pasted the code. No difference.

    – wkdmarty
    Sep 1 '14 at 14:12











  • In the PuTTY logs, this comes up after I try to run an x program (after SSH login). 2014-09-01 15:16:38 Received X11 connect request from 127.0.0.1:59566 2014-09-01 15:16:38 Opening X11 forward connection succeeded 2014-09-01 15:16:38 Nothing left to send, closing channel 2014-09-01 15:16:38 Forwarded X11 connection terminated

    – wkdmarty
    Sep 1 '14 at 14:18

















In your question from the other day you describe different symptoms. Are you still suffering from "Can't open display", or did you solve that? If you solved that, and one of the answers to that question was helpful, you should select it as an answer to reward the person who helped you.

– Kenster
Sep 1 '14 at 13:25





In your question from the other day you describe different symptoms. Are you still suffering from "Can't open display", or did you solve that? If you solved that, and one of the answers to that question was helpful, you should select it as an answer to reward the person who helped you.

– Kenster
Sep 1 '14 at 13:25













Agreed, it's a different error now, I've closed that question.

– wkdmarty
Sep 1 '14 at 14:00





Agreed, it's a different error now, I've closed that question.

– wkdmarty
Sep 1 '14 at 14:00













See if this answer applies to your server.

– Kenster
Sep 1 '14 at 14:04





See if this answer applies to your server.

– Kenster
Sep 1 '14 at 14:04













Kenster, I didn't have either rc file on the server, so I created one and pasted the code. No difference.

– wkdmarty
Sep 1 '14 at 14:12





Kenster, I didn't have either rc file on the server, so I created one and pasted the code. No difference.

– wkdmarty
Sep 1 '14 at 14:12













In the PuTTY logs, this comes up after I try to run an x program (after SSH login). 2014-09-01 15:16:38 Received X11 connect request from 127.0.0.1:59566 2014-09-01 15:16:38 Opening X11 forward connection succeeded 2014-09-01 15:16:38 Nothing left to send, closing channel 2014-09-01 15:16:38 Forwarded X11 connection terminated

– wkdmarty
Sep 1 '14 at 14:18





In the PuTTY logs, this comes up after I try to run an x program (after SSH login). 2014-09-01 15:16:38 Received X11 connect request from 127.0.0.1:59566 2014-09-01 15:16:38 Opening X11 forward connection succeeded 2014-09-01 15:16:38 Nothing left to send, closing channel 2014-09-01 15:16:38 Forwarded X11 connection terminated

– wkdmarty
Sep 1 '14 at 14:18










4 Answers
4






active

oldest

votes


















11














My solution step by step:



1) login with option -X remote host login root





$ ssh -X root@192.168.1.39


2) check if existing .Xauthority file





[root@localhost ~]# ls -al

[root@localhost ~]# vim .Xauthority


3) copy .Xauthority file to directory the other user





[root@localhost ~]# cp .Xauthority /home/oracle/

cp: overwrite `/home/oracle/.Xauthority'? y


4) set permissions for this file





[root@localhost ~]# chown oracle:oinstall .Xauthority

[root@localhost ~]# chmod 0600 .Xauthority


5) login oracle user





[root@localhost ~]# su - oracle


6) display setting in localhost:10.0





[oracle@localhost ~]$ echo $DISPLAY

localhost:10.0

[oracle@localhost ~]$ ls -al


7) lists xauth cookies existing





[oracle@localhost ~]$ xauth list

localhost.localdomain/unix:11  MIT-MAGIC-COOKIE-1  310f1b02c1080e73059391c193a1881b

localhost.localdomain/unix:10  MIT-MAGIC-COOKIE-1  41843db100830a2aa352641ac47bb759


8) adding





[oracle@localhost ~]$ xauth add localhost.localdomain/unix:10  MIT-MAGIC-COOKIE-1  41843db100830a2aa352641ac47bb75


9) test





[oracle@localhost ~]$ xclock


Hope they serve! @wcaraza






share|improve this answer



















  • 1





    The part xauth add .... is the trick

    – Winston
    Dec 29 '14 at 0:15











  • steps 3. and 4. did the trick for me

    – kiltek
    Mar 3 '17 at 12:53



















5














Make sure the SSH server has the xauth tool installed, and that your ~/.Xauthority file is writable. (Non-existent is also okay, as long as xauth can create it.)



Check if xauth data is being updated:



server$ xauth list


Try manually adding dummy xauth data (again, on the SSH server), and see if xauth has any problems (e.g. being unable to create the lockfile or to modify the Xauthority file itself):



server$ xauth add localhost:123 MIT-MAGIC-COOKIE-1 d7e2e4a8c5aa4430bfcc2abb436940d2


If necessary, re-run under strace.



Run the SSH service in debug mode, by setting LogLevel DEBUG2 in the server configuration (/etc/ssh/sshd_config), or by starting sshd in debug mode directly:



server$ sshd -rddp 12234


(In this example, 12234 is the temporary SSH port that you need to connect to. Any free port will do.)






share|improve this answer
























  • Thank you. Xauth on the server can write to the .Xauthority file. But what should it be setting? server = N40L, client = Lin001. Should the xauth list on N40L show an entry for localhost:10 MIT-MAGIC-COOKIE-1 {Lin001'sHexKey}?

    – wkdmarty
    Sep 1 '14 at 11:15











  • @wkdmarty: Yes, your sshd will listen on a TCP port corresponding to display :10 (or :11, :12...), and this will show up as "localhost:10". As for the hex key, however, I don't really know if it's meant to use the same key – I think ssh actually generates a new one, and acts as a proxy...

    – grawity
    Sep 1 '14 at 11:53











  • ok perfect, I can see that 0.0.0.0:6011 is listening. My DISPLAY variable states N40L:11.0, which I'm thinking is wrong, so I'll change that to DISPLAY=localhost:10.0. Nope, still erroring. I did notice on the SSH connection this line: debug2: x11_get_proto /usr/bin/xauth list :0.0 2>/dev/null wherever I've seen SSH connection logging, this line is different...showing a key generation, never :0.0.?

    – wkdmarty
    Sep 1 '14 at 12:10











  • @wkdmarty: Normally sshd should set $DISPLAY to the correct value... and port 6011 does correspond to display 11, not 10, anyway.

    – grawity
    Sep 1 '14 at 13:10






  • 1





    "My DISPLAY variable states N40L:11.0...so I'll change that". To be blunt, leave DISPLAY alone. If ssh sets up X11 forwarding, it will set DISPLAY to a value that will work. Overriding the value that ssh sets will just make the troubleshooting process more difficult.

    – Kenster
    Sep 1 '14 at 13:50



















3














It's working, it's working. haha.



FINALLY.



After finding out that it wasn't the system, by adding a test user (which x forwarding worked "out the box"), I thought I'd start copying the .bash* startup files across to virginise the "broken" user.



None of the files were different, so next I deleted the users .ssh directory. When I ssh'd in, it moaned about "Server refused our key", but I could log in using password. Once logged in, I could x forward perfectly.



I'll now try to setup the key again and see if I can get that working too. Then it'll be back to normal.






share|improve this answer
























  • This worked for me too. I tried all other methods, but yeah apparently the problem lied in the keys.

    – Auxiliary
    Jan 7 '16 at 19:34



















0














One more thing that can cause this problem is the existence of a ~/.ssh/rc file on the server--the machine you're connecting to. Delete it (or rename it) to solve the problem.






share|improve this answer



















  • 1





    Per man sshd, sshd runs ~/.ssh/rc instead of xauth, @PimpJuiceIT.

    – Ken Jackson
    Feb 10 at 4:58











Your Answer








StackExchange.ready(function() {
var channelOptions = {
tags: "".split(" "),
id: "3"
};
initTagRenderer("".split(" "), "".split(" "), channelOptions);

StackExchange.using("externalEditor", function() {
// Have to fire editor after snippets, if snippets enabled
if (StackExchange.settings.snippets.snippetsEnabled) {
StackExchange.using("snippets", function() {
createEditor();
});
}
else {
createEditor();
}
});

function createEditor() {
StackExchange.prepareEditor({
heartbeatType: 'answer',
autoActivateHeartbeat: false,
convertImagesToLinks: true,
noModals: true,
showLowRepImageUploadWarning: true,
reputationToPostImages: 10,
bindNavPrevention: true,
postfix: "",
imageUploader: {
brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
allowUrls: true
},
onDemand: true,
discardSelector: ".discard-answer"
,immediatelyShowMarkdownHelp:true
});


}
});














draft saved

draft discarded


















StackExchange.ready(
function () {
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fsuperuser.com%2fquestions%2f805725%2fhow-do-i-debug-x11-connection-rejected-because-of-wrong-authentication%23new-answer', 'question_page');
}
);

Post as a guest















Required, but never shown

























4 Answers
4






active

oldest

votes








4 Answers
4






active

oldest

votes









active

oldest

votes






active

oldest

votes









11














My solution step by step:



1) login with option -X remote host login root





$ ssh -X root@192.168.1.39


2) check if existing .Xauthority file





[root@localhost ~]# ls -al

[root@localhost ~]# vim .Xauthority


3) copy .Xauthority file to directory the other user





[root@localhost ~]# cp .Xauthority /home/oracle/

cp: overwrite `/home/oracle/.Xauthority'? y


4) set permissions for this file





[root@localhost ~]# chown oracle:oinstall .Xauthority

[root@localhost ~]# chmod 0600 .Xauthority


5) login oracle user





[root@localhost ~]# su - oracle


6) display setting in localhost:10.0





[oracle@localhost ~]$ echo $DISPLAY

localhost:10.0

[oracle@localhost ~]$ ls -al


7) lists xauth cookies existing





[oracle@localhost ~]$ xauth list

localhost.localdomain/unix:11  MIT-MAGIC-COOKIE-1  310f1b02c1080e73059391c193a1881b

localhost.localdomain/unix:10  MIT-MAGIC-COOKIE-1  41843db100830a2aa352641ac47bb759


8) adding





[oracle@localhost ~]$ xauth add localhost.localdomain/unix:10  MIT-MAGIC-COOKIE-1  41843db100830a2aa352641ac47bb75


9) test





[oracle@localhost ~]$ xclock


Hope they serve! @wcaraza






share|improve this answer



















  • 1





    The part xauth add .... is the trick

    – Winston
    Dec 29 '14 at 0:15











  • steps 3. and 4. did the trick for me

    – kiltek
    Mar 3 '17 at 12:53
















11














My solution step by step:



1) login with option -X remote host login root





$ ssh -X root@192.168.1.39


2) check if existing .Xauthority file





[root@localhost ~]# ls -al

[root@localhost ~]# vim .Xauthority


3) copy .Xauthority file to directory the other user





[root@localhost ~]# cp .Xauthority /home/oracle/

cp: overwrite `/home/oracle/.Xauthority'? y


4) set permissions for this file





[root@localhost ~]# chown oracle:oinstall .Xauthority

[root@localhost ~]# chmod 0600 .Xauthority


5) login oracle user





[root@localhost ~]# su - oracle


6) display setting in localhost:10.0





[oracle@localhost ~]$ echo $DISPLAY

localhost:10.0

[oracle@localhost ~]$ ls -al


7) lists xauth cookies existing





[oracle@localhost ~]$ xauth list

localhost.localdomain/unix:11  MIT-MAGIC-COOKIE-1  310f1b02c1080e73059391c193a1881b

localhost.localdomain/unix:10  MIT-MAGIC-COOKIE-1  41843db100830a2aa352641ac47bb759


8) adding





[oracle@localhost ~]$ xauth add localhost.localdomain/unix:10  MIT-MAGIC-COOKIE-1  41843db100830a2aa352641ac47bb75


9) test





[oracle@localhost ~]$ xclock


Hope they serve! @wcaraza






share|improve this answer



















  • 1





    The part xauth add .... is the trick

    – Winston
    Dec 29 '14 at 0:15











  • steps 3. and 4. did the trick for me

    – kiltek
    Mar 3 '17 at 12:53














11












11








11







My solution step by step:



1) login with option -X remote host login root





$ ssh -X root@192.168.1.39


2) check if existing .Xauthority file





[root@localhost ~]# ls -al

[root@localhost ~]# vim .Xauthority


3) copy .Xauthority file to directory the other user





[root@localhost ~]# cp .Xauthority /home/oracle/

cp: overwrite `/home/oracle/.Xauthority'? y


4) set permissions for this file





[root@localhost ~]# chown oracle:oinstall .Xauthority

[root@localhost ~]# chmod 0600 .Xauthority


5) login oracle user





[root@localhost ~]# su - oracle


6) display setting in localhost:10.0





[oracle@localhost ~]$ echo $DISPLAY

localhost:10.0

[oracle@localhost ~]$ ls -al


7) lists xauth cookies existing





[oracle@localhost ~]$ xauth list

localhost.localdomain/unix:11  MIT-MAGIC-COOKIE-1  310f1b02c1080e73059391c193a1881b

localhost.localdomain/unix:10  MIT-MAGIC-COOKIE-1  41843db100830a2aa352641ac47bb759


8) adding





[oracle@localhost ~]$ xauth add localhost.localdomain/unix:10  MIT-MAGIC-COOKIE-1  41843db100830a2aa352641ac47bb75


9) test





[oracle@localhost ~]$ xclock


Hope they serve! @wcaraza






share|improve this answer













My solution step by step:



1) login with option -X remote host login root





$ ssh -X root@192.168.1.39


2) check if existing .Xauthority file





[root@localhost ~]# ls -al

[root@localhost ~]# vim .Xauthority


3) copy .Xauthority file to directory the other user





[root@localhost ~]# cp .Xauthority /home/oracle/

cp: overwrite `/home/oracle/.Xauthority'? y


4) set permissions for this file





[root@localhost ~]# chown oracle:oinstall .Xauthority

[root@localhost ~]# chmod 0600 .Xauthority


5) login oracle user





[root@localhost ~]# su - oracle


6) display setting in localhost:10.0





[oracle@localhost ~]$ echo $DISPLAY

localhost:10.0

[oracle@localhost ~]$ ls -al


7) lists xauth cookies existing





[oracle@localhost ~]$ xauth list

localhost.localdomain/unix:11  MIT-MAGIC-COOKIE-1  310f1b02c1080e73059391c193a1881b

localhost.localdomain/unix:10  MIT-MAGIC-COOKIE-1  41843db100830a2aa352641ac47bb759


8) adding





[oracle@localhost ~]$ xauth add localhost.localdomain/unix:10  MIT-MAGIC-COOKIE-1  41843db100830a2aa352641ac47bb75


9) test





[oracle@localhost ~]$ xclock


Hope they serve! @wcaraza







share|improve this answer












share|improve this answer



share|improve this answer










answered Sep 28 '14 at 19:10









Walter CarazaWalter Caraza

21113




21113








  • 1





    The part xauth add .... is the trick

    – Winston
    Dec 29 '14 at 0:15











  • steps 3. and 4. did the trick for me

    – kiltek
    Mar 3 '17 at 12:53














  • 1





    The part xauth add .... is the trick

    – Winston
    Dec 29 '14 at 0:15











  • steps 3. and 4. did the trick for me

    – kiltek
    Mar 3 '17 at 12:53








1




1





The part xauth add .... is the trick

– Winston
Dec 29 '14 at 0:15





The part xauth add .... is the trick

– Winston
Dec 29 '14 at 0:15













steps 3. and 4. did the trick for me

– kiltek
Mar 3 '17 at 12:53





steps 3. and 4. did the trick for me

– kiltek
Mar 3 '17 at 12:53













5














Make sure the SSH server has the xauth tool installed, and that your ~/.Xauthority file is writable. (Non-existent is also okay, as long as xauth can create it.)



Check if xauth data is being updated:



server$ xauth list


Try manually adding dummy xauth data (again, on the SSH server), and see if xauth has any problems (e.g. being unable to create the lockfile or to modify the Xauthority file itself):



server$ xauth add localhost:123 MIT-MAGIC-COOKIE-1 d7e2e4a8c5aa4430bfcc2abb436940d2


If necessary, re-run under strace.



Run the SSH service in debug mode, by setting LogLevel DEBUG2 in the server configuration (/etc/ssh/sshd_config), or by starting sshd in debug mode directly:



server$ sshd -rddp 12234


(In this example, 12234 is the temporary SSH port that you need to connect to. Any free port will do.)






share|improve this answer
























  • Thank you. Xauth on the server can write to the .Xauthority file. But what should it be setting? server = N40L, client = Lin001. Should the xauth list on N40L show an entry for localhost:10 MIT-MAGIC-COOKIE-1 {Lin001'sHexKey}?

    – wkdmarty
    Sep 1 '14 at 11:15











  • @wkdmarty: Yes, your sshd will listen on a TCP port corresponding to display :10 (or :11, :12...), and this will show up as "localhost:10". As for the hex key, however, I don't really know if it's meant to use the same key – I think ssh actually generates a new one, and acts as a proxy...

    – grawity
    Sep 1 '14 at 11:53











  • ok perfect, I can see that 0.0.0.0:6011 is listening. My DISPLAY variable states N40L:11.0, which I'm thinking is wrong, so I'll change that to DISPLAY=localhost:10.0. Nope, still erroring. I did notice on the SSH connection this line: debug2: x11_get_proto /usr/bin/xauth list :0.0 2>/dev/null wherever I've seen SSH connection logging, this line is different...showing a key generation, never :0.0.?

    – wkdmarty
    Sep 1 '14 at 12:10











  • @wkdmarty: Normally sshd should set $DISPLAY to the correct value... and port 6011 does correspond to display 11, not 10, anyway.

    – grawity
    Sep 1 '14 at 13:10






  • 1





    "My DISPLAY variable states N40L:11.0...so I'll change that". To be blunt, leave DISPLAY alone. If ssh sets up X11 forwarding, it will set DISPLAY to a value that will work. Overriding the value that ssh sets will just make the troubleshooting process more difficult.

    – Kenster
    Sep 1 '14 at 13:50
















5














Make sure the SSH server has the xauth tool installed, and that your ~/.Xauthority file is writable. (Non-existent is also okay, as long as xauth can create it.)



Check if xauth data is being updated:



server$ xauth list


Try manually adding dummy xauth data (again, on the SSH server), and see if xauth has any problems (e.g. being unable to create the lockfile or to modify the Xauthority file itself):



server$ xauth add localhost:123 MIT-MAGIC-COOKIE-1 d7e2e4a8c5aa4430bfcc2abb436940d2


If necessary, re-run under strace.



Run the SSH service in debug mode, by setting LogLevel DEBUG2 in the server configuration (/etc/ssh/sshd_config), or by starting sshd in debug mode directly:



server$ sshd -rddp 12234


(In this example, 12234 is the temporary SSH port that you need to connect to. Any free port will do.)






share|improve this answer
























  • Thank you. Xauth on the server can write to the .Xauthority file. But what should it be setting? server = N40L, client = Lin001. Should the xauth list on N40L show an entry for localhost:10 MIT-MAGIC-COOKIE-1 {Lin001'sHexKey}?

    – wkdmarty
    Sep 1 '14 at 11:15











  • @wkdmarty: Yes, your sshd will listen on a TCP port corresponding to display :10 (or :11, :12...), and this will show up as "localhost:10". As for the hex key, however, I don't really know if it's meant to use the same key – I think ssh actually generates a new one, and acts as a proxy...

    – grawity
    Sep 1 '14 at 11:53











  • ok perfect, I can see that 0.0.0.0:6011 is listening. My DISPLAY variable states N40L:11.0, which I'm thinking is wrong, so I'll change that to DISPLAY=localhost:10.0. Nope, still erroring. I did notice on the SSH connection this line: debug2: x11_get_proto /usr/bin/xauth list :0.0 2>/dev/null wherever I've seen SSH connection logging, this line is different...showing a key generation, never :0.0.?

    – wkdmarty
    Sep 1 '14 at 12:10











  • @wkdmarty: Normally sshd should set $DISPLAY to the correct value... and port 6011 does correspond to display 11, not 10, anyway.

    – grawity
    Sep 1 '14 at 13:10






  • 1





    "My DISPLAY variable states N40L:11.0...so I'll change that". To be blunt, leave DISPLAY alone. If ssh sets up X11 forwarding, it will set DISPLAY to a value that will work. Overriding the value that ssh sets will just make the troubleshooting process more difficult.

    – Kenster
    Sep 1 '14 at 13:50














5












5








5







Make sure the SSH server has the xauth tool installed, and that your ~/.Xauthority file is writable. (Non-existent is also okay, as long as xauth can create it.)



Check if xauth data is being updated:



server$ xauth list


Try manually adding dummy xauth data (again, on the SSH server), and see if xauth has any problems (e.g. being unable to create the lockfile or to modify the Xauthority file itself):



server$ xauth add localhost:123 MIT-MAGIC-COOKIE-1 d7e2e4a8c5aa4430bfcc2abb436940d2


If necessary, re-run under strace.



Run the SSH service in debug mode, by setting LogLevel DEBUG2 in the server configuration (/etc/ssh/sshd_config), or by starting sshd in debug mode directly:



server$ sshd -rddp 12234


(In this example, 12234 is the temporary SSH port that you need to connect to. Any free port will do.)






share|improve this answer













Make sure the SSH server has the xauth tool installed, and that your ~/.Xauthority file is writable. (Non-existent is also okay, as long as xauth can create it.)



Check if xauth data is being updated:



server$ xauth list


Try manually adding dummy xauth data (again, on the SSH server), and see if xauth has any problems (e.g. being unable to create the lockfile or to modify the Xauthority file itself):



server$ xauth add localhost:123 MIT-MAGIC-COOKIE-1 d7e2e4a8c5aa4430bfcc2abb436940d2


If necessary, re-run under strace.



Run the SSH service in debug mode, by setting LogLevel DEBUG2 in the server configuration (/etc/ssh/sshd_config), or by starting sshd in debug mode directly:



server$ sshd -rddp 12234


(In this example, 12234 is the temporary SSH port that you need to connect to. Any free port will do.)







share|improve this answer












share|improve this answer



share|improve this answer










answered Sep 1 '14 at 11:06









grawitygrawity

241k37509565




241k37509565













  • Thank you. Xauth on the server can write to the .Xauthority file. But what should it be setting? server = N40L, client = Lin001. Should the xauth list on N40L show an entry for localhost:10 MIT-MAGIC-COOKIE-1 {Lin001'sHexKey}?

    – wkdmarty
    Sep 1 '14 at 11:15











  • @wkdmarty: Yes, your sshd will listen on a TCP port corresponding to display :10 (or :11, :12...), and this will show up as "localhost:10". As for the hex key, however, I don't really know if it's meant to use the same key – I think ssh actually generates a new one, and acts as a proxy...

    – grawity
    Sep 1 '14 at 11:53











  • ok perfect, I can see that 0.0.0.0:6011 is listening. My DISPLAY variable states N40L:11.0, which I'm thinking is wrong, so I'll change that to DISPLAY=localhost:10.0. Nope, still erroring. I did notice on the SSH connection this line: debug2: x11_get_proto /usr/bin/xauth list :0.0 2>/dev/null wherever I've seen SSH connection logging, this line is different...showing a key generation, never :0.0.?

    – wkdmarty
    Sep 1 '14 at 12:10











  • @wkdmarty: Normally sshd should set $DISPLAY to the correct value... and port 6011 does correspond to display 11, not 10, anyway.

    – grawity
    Sep 1 '14 at 13:10






  • 1





    "My DISPLAY variable states N40L:11.0...so I'll change that". To be blunt, leave DISPLAY alone. If ssh sets up X11 forwarding, it will set DISPLAY to a value that will work. Overriding the value that ssh sets will just make the troubleshooting process more difficult.

    – Kenster
    Sep 1 '14 at 13:50



















  • Thank you. Xauth on the server can write to the .Xauthority file. But what should it be setting? server = N40L, client = Lin001. Should the xauth list on N40L show an entry for localhost:10 MIT-MAGIC-COOKIE-1 {Lin001'sHexKey}?

    – wkdmarty
    Sep 1 '14 at 11:15











  • @wkdmarty: Yes, your sshd will listen on a TCP port corresponding to display :10 (or :11, :12...), and this will show up as "localhost:10". As for the hex key, however, I don't really know if it's meant to use the same key – I think ssh actually generates a new one, and acts as a proxy...

    – grawity
    Sep 1 '14 at 11:53











  • ok perfect, I can see that 0.0.0.0:6011 is listening. My DISPLAY variable states N40L:11.0, which I'm thinking is wrong, so I'll change that to DISPLAY=localhost:10.0. Nope, still erroring. I did notice on the SSH connection this line: debug2: x11_get_proto /usr/bin/xauth list :0.0 2>/dev/null wherever I've seen SSH connection logging, this line is different...showing a key generation, never :0.0.?

    – wkdmarty
    Sep 1 '14 at 12:10











  • @wkdmarty: Normally sshd should set $DISPLAY to the correct value... and port 6011 does correspond to display 11, not 10, anyway.

    – grawity
    Sep 1 '14 at 13:10






  • 1





    "My DISPLAY variable states N40L:11.0...so I'll change that". To be blunt, leave DISPLAY alone. If ssh sets up X11 forwarding, it will set DISPLAY to a value that will work. Overriding the value that ssh sets will just make the troubleshooting process more difficult.

    – Kenster
    Sep 1 '14 at 13:50

















Thank you. Xauth on the server can write to the .Xauthority file. But what should it be setting? server = N40L, client = Lin001. Should the xauth list on N40L show an entry for localhost:10 MIT-MAGIC-COOKIE-1 {Lin001'sHexKey}?

– wkdmarty
Sep 1 '14 at 11:15





Thank you. Xauth on the server can write to the .Xauthority file. But what should it be setting? server = N40L, client = Lin001. Should the xauth list on N40L show an entry for localhost:10 MIT-MAGIC-COOKIE-1 {Lin001'sHexKey}?

– wkdmarty
Sep 1 '14 at 11:15













@wkdmarty: Yes, your sshd will listen on a TCP port corresponding to display :10 (or :11, :12...), and this will show up as "localhost:10". As for the hex key, however, I don't really know if it's meant to use the same key – I think ssh actually generates a new one, and acts as a proxy...

– grawity
Sep 1 '14 at 11:53





@wkdmarty: Yes, your sshd will listen on a TCP port corresponding to display :10 (or :11, :12...), and this will show up as "localhost:10". As for the hex key, however, I don't really know if it's meant to use the same key – I think ssh actually generates a new one, and acts as a proxy...

– grawity
Sep 1 '14 at 11:53













ok perfect, I can see that 0.0.0.0:6011 is listening. My DISPLAY variable states N40L:11.0, which I'm thinking is wrong, so I'll change that to DISPLAY=localhost:10.0. Nope, still erroring. I did notice on the SSH connection this line: debug2: x11_get_proto /usr/bin/xauth list :0.0 2>/dev/null wherever I've seen SSH connection logging, this line is different...showing a key generation, never :0.0.?

– wkdmarty
Sep 1 '14 at 12:10





ok perfect, I can see that 0.0.0.0:6011 is listening. My DISPLAY variable states N40L:11.0, which I'm thinking is wrong, so I'll change that to DISPLAY=localhost:10.0. Nope, still erroring. I did notice on the SSH connection this line: debug2: x11_get_proto /usr/bin/xauth list :0.0 2>/dev/null wherever I've seen SSH connection logging, this line is different...showing a key generation, never :0.0.?

– wkdmarty
Sep 1 '14 at 12:10













@wkdmarty: Normally sshd should set $DISPLAY to the correct value... and port 6011 does correspond to display 11, not 10, anyway.

– grawity
Sep 1 '14 at 13:10





@wkdmarty: Normally sshd should set $DISPLAY to the correct value... and port 6011 does correspond to display 11, not 10, anyway.

– grawity
Sep 1 '14 at 13:10




1




1





"My DISPLAY variable states N40L:11.0...so I'll change that". To be blunt, leave DISPLAY alone. If ssh sets up X11 forwarding, it will set DISPLAY to a value that will work. Overriding the value that ssh sets will just make the troubleshooting process more difficult.

– Kenster
Sep 1 '14 at 13:50





"My DISPLAY variable states N40L:11.0...so I'll change that". To be blunt, leave DISPLAY alone. If ssh sets up X11 forwarding, it will set DISPLAY to a value that will work. Overriding the value that ssh sets will just make the troubleshooting process more difficult.

– Kenster
Sep 1 '14 at 13:50











3














It's working, it's working. haha.



FINALLY.



After finding out that it wasn't the system, by adding a test user (which x forwarding worked "out the box"), I thought I'd start copying the .bash* startup files across to virginise the "broken" user.



None of the files were different, so next I deleted the users .ssh directory. When I ssh'd in, it moaned about "Server refused our key", but I could log in using password. Once logged in, I could x forward perfectly.



I'll now try to setup the key again and see if I can get that working too. Then it'll be back to normal.






share|improve this answer
























  • This worked for me too. I tried all other methods, but yeah apparently the problem lied in the keys.

    – Auxiliary
    Jan 7 '16 at 19:34
















3














It's working, it's working. haha.



FINALLY.



After finding out that it wasn't the system, by adding a test user (which x forwarding worked "out the box"), I thought I'd start copying the .bash* startup files across to virginise the "broken" user.



None of the files were different, so next I deleted the users .ssh directory. When I ssh'd in, it moaned about "Server refused our key", but I could log in using password. Once logged in, I could x forward perfectly.



I'll now try to setup the key again and see if I can get that working too. Then it'll be back to normal.






share|improve this answer
























  • This worked for me too. I tried all other methods, but yeah apparently the problem lied in the keys.

    – Auxiliary
    Jan 7 '16 at 19:34














3












3








3







It's working, it's working. haha.



FINALLY.



After finding out that it wasn't the system, by adding a test user (which x forwarding worked "out the box"), I thought I'd start copying the .bash* startup files across to virginise the "broken" user.



None of the files were different, so next I deleted the users .ssh directory. When I ssh'd in, it moaned about "Server refused our key", but I could log in using password. Once logged in, I could x forward perfectly.



I'll now try to setup the key again and see if I can get that working too. Then it'll be back to normal.






share|improve this answer













It's working, it's working. haha.



FINALLY.



After finding out that it wasn't the system, by adding a test user (which x forwarding worked "out the box"), I thought I'd start copying the .bash* startup files across to virginise the "broken" user.



None of the files were different, so next I deleted the users .ssh directory. When I ssh'd in, it moaned about "Server refused our key", but I could log in using password. Once logged in, I could x forward perfectly.



I'll now try to setup the key again and see if I can get that working too. Then it'll be back to normal.







share|improve this answer












share|improve this answer



share|improve this answer










answered Sep 4 '14 at 8:37









wkdmartywkdmarty

1902212




1902212













  • This worked for me too. I tried all other methods, but yeah apparently the problem lied in the keys.

    – Auxiliary
    Jan 7 '16 at 19:34



















  • This worked for me too. I tried all other methods, but yeah apparently the problem lied in the keys.

    – Auxiliary
    Jan 7 '16 at 19:34

















This worked for me too. I tried all other methods, but yeah apparently the problem lied in the keys.

– Auxiliary
Jan 7 '16 at 19:34





This worked for me too. I tried all other methods, but yeah apparently the problem lied in the keys.

– Auxiliary
Jan 7 '16 at 19:34











0














One more thing that can cause this problem is the existence of a ~/.ssh/rc file on the server--the machine you're connecting to. Delete it (or rename it) to solve the problem.






share|improve this answer



















  • 1





    Per man sshd, sshd runs ~/.ssh/rc instead of xauth, @PimpJuiceIT.

    – Ken Jackson
    Feb 10 at 4:58
















0














One more thing that can cause this problem is the existence of a ~/.ssh/rc file on the server--the machine you're connecting to. Delete it (or rename it) to solve the problem.






share|improve this answer



















  • 1





    Per man sshd, sshd runs ~/.ssh/rc instead of xauth, @PimpJuiceIT.

    – Ken Jackson
    Feb 10 at 4:58














0












0








0







One more thing that can cause this problem is the existence of a ~/.ssh/rc file on the server--the machine you're connecting to. Delete it (or rename it) to solve the problem.






share|improve this answer













One more thing that can cause this problem is the existence of a ~/.ssh/rc file on the server--the machine you're connecting to. Delete it (or rename it) to solve the problem.







share|improve this answer












share|improve this answer



share|improve this answer










answered Feb 10 at 1:25









Ken JacksonKen Jackson

22112




22112








  • 1





    Per man sshd, sshd runs ~/.ssh/rc instead of xauth, @PimpJuiceIT.

    – Ken Jackson
    Feb 10 at 4:58














  • 1





    Per man sshd, sshd runs ~/.ssh/rc instead of xauth, @PimpJuiceIT.

    – Ken Jackson
    Feb 10 at 4:58








1




1





Per man sshd, sshd runs ~/.ssh/rc instead of xauth, @PimpJuiceIT.

– Ken Jackson
Feb 10 at 4:58





Per man sshd, sshd runs ~/.ssh/rc instead of xauth, @PimpJuiceIT.

– Ken Jackson
Feb 10 at 4:58


















draft saved

draft discarded




















































Thanks for contributing an answer to Super User!


  • Please be sure to answer the question. Provide details and share your research!

But avoid



  • Asking for help, clarification, or responding to other answers.

  • Making statements based on opinion; back them up with references or personal experience.


To learn more, see our tips on writing great answers.




draft saved


draft discarded














StackExchange.ready(
function () {
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fsuperuser.com%2fquestions%2f805725%2fhow-do-i-debug-x11-connection-rejected-because-of-wrong-authentication%23new-answer', 'question_page');
}
);

Post as a guest















Required, but never shown





















































Required, but never shown














Required, but never shown












Required, but never shown







Required, but never shown

































Required, but never shown














Required, but never shown












Required, but never shown







Required, but never shown







-

Popular posts from this blog

flock() on closed filehandle LOCK_FILE at /usr/bin/apt-mirror

Image
0 I recently upgraded an Ubuntu 16.04 virtual machine to 18.04. I regularly use this VM to run apt-mirror at school on their high-speed internet, then rsync these files to my rack-mount server at home for updating multiple computers at home without wasting the tiny amount of bandwidth I have there. Since updating I can't get apt-mirror to run on my VM. It keeps giving the error: flock() on closed filehandle LOCK_FILE at /usr/bin/apt-mirror line 214 immediately followed by: apt-mirror is already running, exiting at /usr/bin/apt-mirror line 217 apt-mirror is NOT running, and does not have a cron job. I've tried rebooting, and even looked for the old-style lockfile to delete, but I guess that method is no longer used. Is there some way to force unlock this so I can run apt-mirror? UPDATE: So... I f...
Read more

Mangá

Image
  Nota:  Não confundir com Manga. Mangás e Animes Mangá Mangaká • Tankōbon Film comic La nouvelle manga Mangá original em inglês Anime História Animação influenciada por animes • Filler • OVA • Seiyū Públicos Kodomo • Shōjo • Shōnen Josei • Seinen Gêneros Mahō shōjo • Mecha • Harém Ecchi • Hentai ( Yaoi • Yuri Futanari • Shotacon • Lolicon Toddlercon ) Termos Bishōjo • Chibi • Fan service Gaiden • Kawaii • Kaitō • Light novel Mahō shōnen • Moe (antropomorfismo • Kemonomimi Nekomimi ) • Super deformed Omake • Tsundere • Yonkoma Listas Mangás • Animes • Ecchi • Mangaka • Estúdios • Revistas Fãs ( otaku ) Anime Music Video Convenções • Cosplay Dōjinshi • Fansub • Fandub • Fujoshi OS-tan • Scanlation Portal de Anime e mangá v d e O mangá (português brasileiro) ou manga (português europeu) [ 1 ] (em japonês: 漫画 , manga ? , lit. “história em quadrinhos”) , é a ...
Read more

Eduardo VII do Reino Unido

Image
Eduardo VII Rei do Reino Unido da Grã-Bretanha e Irlanda e dos Domínios Britânicos de Além-mar Imperador da Índia Rei do Reino Unido e Imperador da Índia Reinado 22 de janeiro de 1901 a 6 de maio de 1910 Coroação 9 de agosto de 1902 Delhi Durbar 1 de janeiro de 1903 Predecessora Vitória Sucessor Jorge V   Esposa Alexandra da Dinamarca Descendência Alberto Vitor, Duque de Clarence e Avondale Jorge V do Reino Unido Luísa, Princesa Real Vitória de Gales Maud de Gales Alexandre João de Gales Casa Saxe-Coburgo-Gota Nome completo Alberto Eduardo Nascimento 9 de novembro de 1841   Palácio de Buckingham, Londres, Reino Unido Morte 6 de maio de 1910 (68 anos)   Palácio de Buckingham, Londres, Reino Unido Enterro Capela de São Jorge, Windsor, Berkshire, Reino Unido 20 de maio de 1910 Pai Alberto de Saxe-Coburgo-Gota Mãe Vitória do Reino Unido Assinatura ...
Read more