xauth failure when tunneling over ssh
Elliot Isaacson
elliot_isaacson at yahoo.com
Wed Nov 12 07:51:43 PST 2008
> On Tuesday 11 November 2008 21:27:38 Elliot Isaacson wrote:
> > Hi,
> >
> > I've set up X11Forwarding on several Linux servers before, but
> > I've just wasted a day trying (unsuccessfully) to figure out
> > why I can't get it working on FreeBSD (7.0-RELEASE GENERIC).
> >
> > I have not changed the defaults in the sshd_config file.
> >
> > On the client computer:
> >
> > $ xhost +
> >
> > $ ssh -Y 192.ip.of.server
> > Warning: No xauth data; using fake authentication data for X11
> > forwarding.
> >
> > /usr/local/bin/xauth: creating new authority
> > file /home/xxx/.Xauthority
> > /usr/local/bin/xauth: (stdin):1: bad display name "unix:10.0"
> > in "remove" command
> > /usr/local/bin/xauth: (stdin):2: bad display name "unix:10.0"
> > in "add" command
> >
> > [xxx@ ~] kcalc
> > X11 connection rejected because of wrong authentication.
> > kcalc: Fatal IO error: client killed
> >
> > [xxx@ ~] ls -a .Xauth*
> > <no results>
> >
> > Now, when I go to the server and login directly, and do a
> > startx, the x server starts fine, but there's still no
> > .Xauthority file in the home directory. I find that odd.
> >
> > This also looks strange to me:
> >
> > [xxx@ ~] ps -aux | grep X
> > root 1470 0.0 2.7 65456 13668 v0 S 4:01PM 0:01.24
> > X :0 -auth /home/xxx/.serverauth.1451 (Xorg)
> >
> > [xxx@ ~] ls -a /home/xxx/.serverauth*
> > <no results>
> >
> > How could it authenticate with a non-existent file?
> >
> > Any pointers in the right direction would be greatly
> > appreciated.
>
> I had the same problem when trying to SSH to the FreeBSD machines
> from Linux. If I remember correctly, I had to make a change to
> ssh_config on the Linux side to get things to work:
>
> Host *
> XAuthLocation /usr/bin/xauth
>
> It might also help if you would post sshd_config on the FreeBSD
> side.
>
Thanks for your suggestion. On my Linux system, the default path for
ssh to find xauth is already /usr/bin/xauth (according to the man
page). To be sure, I tried setting it explicitly but it still
didn't work. I know that I can tunnel to other X servers, just not
the FreeBSD one. My FreeBSD sshd_config is rather uninteresting
because everything is commented out and using the defaults. For
convenience's sake, here are some of the interesting lines:

#UsePAM yes
#AllowTcpForwarding yes
#GatewayPorts no
#X11Forwarding yes
#X11DisplayOffset 10
#X11UseLocalhost yes
#PrintMotd yes
#PrintLastLog yes
#TCPKeepAlive yes
#UseLogin no
#UsePrivilegeSeparation yes
#PermitUserEnvironment no
#Compression delayed
#ClientAliveInterval 0
#ClientAliveCountMax 3
#UseDNS yes
#PidFile /var/run/sshd.pid
#MaxStartups 10
#PermitTunnel no

I also tried doing it the old-fashioned way and viewing the X
clients over telnet, which worked fine. It's too insecure to do
that from outside the local network, though.

Thanks,
Elliot Isaacson