Reese Knowledgebase

X11 connection rejected because of wrong authentication

View Kristian Reese's profile on LinkedIn

If you like this article, please +1 or Recommend via FB with the provided buttons above:

Article ID: 162
by: Reese K.
Posted: 09 Mar, 2015
Last updated: 16 Mar, 2015
Views: 4510

How to make X11 sessions work over ssh session when sudo to another user

There are a few checks we need to check to ensure X11 forwarding over SSH is configured properly on the client:

1. Ensure the following parameters are uncommented and their values are set as follows:

X11Forwarding yes

2. Restart ssh

service sshd restart

Now, from your client, launch your xsession manager.  I'm a Mac user and am using XQuartz.  I launch XQuartz, then open a terminal session.  I can confirm my DISPLAY variable is set after opening XQuartz:

reese@MacBook ~ $ echo $DISPLAY

If you're using a client like putty, you'll need to enable X11 Forwarding when configuring your ssh session.

Now, ssh to the client with either of the following ssh options, and check the xauth list and DISPLAY:

  • ssh -X <hostname>
  • ssh -Y <hostname>
reese@MacBook ~ $ ssh -X lnxclient
-bash-4.1$ xauth list
lnxclient/unix:11  MIT-MAGIC-COOKIE-1  3af0ce7d24521cb198bda7d22bc4b829
-bash-4.1$ echo $DISPLAY
-bash-4.1$ sudo su - newuser
[sudo] password for reese: 
[newuser@lnxclient ~]$ xclock &
[1] 60057
X11 connection rejected because of wrong authentication.
Error: Can't open display: localhost:11.0
[1]+  Exit 1                  xclock
[newuser@lnxclient ~]$ xauth -f ~/.Xauthority
Using authority file /export/home/newuser/.Xauthority
xauth> add lnxclient/unix:11  MIT-MAGIC-COOKIE-1  3af0ce7d24521cb198bda7d22bc4b829
xauth> exit
Writing authority file /export/home/newuser/.Xauthority
[newuser@lnxclient ~]$ xclock &
[1] 60059
[newuser@lnxclient ~]$

In the above set of commands, the inital user who logs in runs the command 'xauth list' to display the authorization entries for each of the specified displays.  Copy this line for use when it comes time to add it to the authorization entries of the sudo user.

Notice at the xauth prompt of the sudo user to preface "add" prior to pasting in the entry.

xclock now lauches.

If xclock is not installed, it can be installed via 'yum install xorg-x11-apps' as xclock is part of the xorg-x11-apps package.

This article was:   Helpful | Not Helpful
Prev   Next
How to force NFSv3 via config files instead of mount options     Rename batch of files

Showing: 1-1 of 1  
Adelino | 01 Sep, 2015 09:40 AM
I've run into something silmair with disk quotas on users' home directories. xauth is nice enough to open the file for writing before checking if there's enough disk space, thereby zeroing out the file when it tries to write it. Suddenly existing X connections that worked a few minutes ago start complaining because their magic cookie is gone . Luckily, our home directories are stored on volumes that have easily recoverable snapshots.
Prev   Next
How to force NFSv3 via config files instead of mount options     Rename batch of files