When I ssh into a remote server that’s not running any type of X11 desktop environment I get the following message.
$ ssh <a href="https://getridbug.com/cdn-cgi/l/email-protection" class="__cf_email__" data-cfemail="84f1f7e1f6c4f7e1f6f2e1f6">[email protected]</a> X11 forwarding request failed $ ssh <a href="https://getridbug.com/cdn-cgi/l/email-protection" class="__cf_email__" data-cfemail="93e6e0f6e1d3e0f6e1e5f6e1">[email protected]</a> ls X11 forwarding request failed on channel 1 file1 file2 ...
How can I get rid of these messages?
Answers:
Thank you for visiting the Q&A section on Magenaut. Please note that all the answers may not help you solve the issue immediately. So please treat them as advisements. If you found the post helpful (or not), leave a comment & I’ll get back to you as soon as possible.
Method 1
These messages can be eliminated through 1 of 3 methods, using just SSH options. You can always send messages to /dev/null too but these methods try to deal with the message through configuration, rather than just trapping and dumping them.
Method #1 – install xauth
The server you’re remoting into is complaining that it cannot create an entry in the user’s .Xauthority file, because xauth is not installed. So you can install it on each server to get rid of this annoying message.
On Fedora 19 you install xauth like so:
$ sudo yum install xorg-x11-xauth
If you then attempt to ssh into the server you’ll see a message that an entry is being created in the user’s .Xauthority file.
$ ssh <a href="https://getridbug.com/cdn-cgi/l/email-protection" class="__cf_email__" data-cfemail="74061b1b0034071106021106">[email protected]</a> /usr/bin/xauth: creating new authority file /root/.Xauthority $
Subsequent logins will no longer show this message.
Method #2 – disable it via ForwardX11
You can instruct the ssh client to not attempt to enable X11 forwarding by inclusion of the SSH parameter ForwardX11.
$ ssh -o ForwardX11=no <a href="https://getridbug.com/cdn-cgi/l/email-protection" class="__cf_email__" data-cfemail="55273a3a2115263027233027">[email protected]</a>
You can do the same thing with the -x switch:
$ ssh -x <a href="https://getridbug.com/cdn-cgi/l/email-protection" class="__cf_email__" data-cfemail="fb8994948fbb889e898d9e89">[email protected]</a>
This will only temporarily disable this message, but is a good option if you’re not able to or unwilling to install xauth on the remote server.
Method #3 – disable it via sshd_config
This is typically the default but in case it isn’t, you can setup your sshd server so that X11Forwarding is off, in /etc/ssh/sshd_config.
X11Forwarding no
Of the 3 methods I generally use #2, because I’ll often want X11Forwarding on for most of my servers, but then don’t want to see the X11.... warnings
$HOME/.ssh/config
Much of the time these message won’t even show up. They’re usually only present when you have the following entries in your $HOME/.ssh/config file, at the top.
ServerAliveInterval 15 ForwardX11 yes ForwardAgent yes ForwardX11Trusted yes GatewayPorts yes
So it’s this setup, which is ultimately driving the generation of those X11.. messages, so again, method #2 would seem to be the most appropriate if you want to operate with ForwardX11 yes on by default, but then selectively disable it for certain connections from the ssh client’s perspective.
Security
It’s generally ill-advised to run with ForwardX11 yes on at all times. So if you’re wanting to operate your SSH connections in the most secure manor possible, it’s best to do the following:
- Don’t include
ForwardX11 yesin your$HOME/.ssh/configfile - Only use ForwardingX11 when you need to via
ssh -X [email protected] - If you can, disable
X11Forwardingcompletely on the server so it’s disallowed
References
Method 2
Ran across this today and beat my head for a while until I stumbled across an ssh setting:
If it’s RHEL 7 (centOS, OEL, etc), and it has ipv6 disabled, it needs:
AddressFamily inet
set in /etc/ssh/sshd_config.
Method 3
In my case adding this string to /etc/ssh/sshd_config solved the problem:
X11UseLocalhost no
Method 4
If running the client in verbose mode (ssh -v [email protected]) gives you
debug1: Remote: No xauth program; cannot forward with spoofing.
but xauth is indeed installed on the server, then it is probably because sshd looks for xauth executable in wrong location (/usr/X11R6/bin/xauth usually). One can fix that by setting
XAuthLocation /usr/bin/xauth
in /etc/sshd/sshd_config (or whatever your server is configured with).
Method 5
Another slight variation would be if you wanted to stop seeing this message (i.e. stop trying to forward X11) for certain servers but yet keep the default to ForwardX11 yes for all other connections.
For this scenario, you could disable X11 forwarding for a specific host (or range) in your ~/.ssh/config. Something like this:
host 10.1.1.* ForwardX11 no
Acknowledgment: This is a slight embellishment to the existing (and very complete) existing answer – since I couldn’t comment!
Method 6
I came across this question after a run in with an sshd-xauth bug nearly a decade old. Two solutions are reported, the first bypassing xauth, the second addressing the bug.
Solution 1 – bypass xauth
- local
— the local machine serving an Xserver. - remote
— the remote machine serving the application which drives the data going to the Xserver
Remote /etc/ssh/sshd_config:
X11Forwarding no X11DisplayOffset 10 X11UseLocalhost yes
Remote ~/.Xauthority is empty or does not exist
On local:
Xephyr -ac -screen 1280x800 -br -reset :2 & DISPLAY=:2 ssh -fR 6010:/tmp/.X11-unix/X2 <a href="https://getridbug.com/cdn-cgi/l/email-protection" class="__cf_email__" data-cfemail="ed989e889fad9f8880829988">[email protected]</a> "DISPLAY=:10 xeyes"
In the test, local was running Ubuntu 18.05, remote was running Debian Jesse.
I also posted this solution as an answer another question.
Solution 2 – address the sshd/xauth bug
This solution is close to @systempoet ‘s solution above, although that alone was not enough.
In addition to modifying /etc/ssh/sshd_config on remote:
AddressFamily inet
/etc/hosts on remote was also modifed:
::1 localhost ip6-localhost ip6-loopback
If either were commented out, the error message
X11 forwarding request failed on channel 0
appeared after the ssh -X ... call.
In addition the /var/log/auth.log showed the error:
sshd[...]: error: Failed to allocate internet-domain X11 display socket
Test to produce the bug (before fix):
Local machine:
$ Xephyr -ac -screen 1280x800 -br -reset -terminate :2 & $ DISPLAY=:2 ssh -X <a href="https://getridbug.com/cdn-cgi/l/email-protection" class="__cf_email__" data-cfemail="384d4b5d4a784a5d55574c5d">[email protected]</a> X11 forwarding request failed on channel 0
Method 7
Configuring X11 forwarding on a per host basis
In addition to all of the excellent answers already here, you can configure ForwardX11 on a per host basis, so if only server fails like this, you can add an entry to your ~/.ssh/config file of the following form:
Host server server.domain.dom
ForwardX11 no
You can even use entries like this as alliases for whole sets of configurations
Host my.server
HostName server.domain.dom
User user
Port 1234
ForwardX11 no
This is especially useful if you have set up Autocomplete server names for SSH and SCP.
Method 8
One important point to note after making the configuration changes is that you’ll have to kill sshd so that it picks up the changes:
cat /var/run/sshd.pid | xargs kill -1
being the root user.
Method 9
For those who have IPv6 disabled through /etc/sysctl.conf, try using the boot option disable.ipv6=1 instead.
The strange interaction with IPv6 seems to be a bug in OpenSSH: https://bugzilla.mindrot.org/show_bug.cgi?id=2143. Related Debian bug reports: https://bugs.debian.org/422327, https://bugs.debian.org/595014.
Method 10
-
Set the following 2 options in
/etc/ssh/sshd_configin your RHEL hostX11Forwarding yes
X11UseLocalhost no -
sudo /etc/init.d/sshd reload sudo yum install xauth- ssh back to your RHEL host with -X switch:
ssh -X [email protected]
All methods was sourced from stackoverflow.com or stackexchange.com, is licensed under cc by-sa 2.5, cc by-sa 3.0 and cc by-sa 4.0