up vote 25 down vote favorite
8

When I ssh into a remote server that's not running any type of X11 desktop environment I get the following message.

$ ssh user@server
X11 forwarding request failed

$ ssh user@server ls
X11 forwarding request failed on channel 1
file1
file2
...

How can I get rid of these messages?

share|improve this question
up vote 30 down vote accepted

These messages can be eliminated through 1 of 3 methods, using just SSH options. You can always send messages to /dev/null too but these methods try to deal with the message through configuration, rather than just trapping and dumping them.

Method #1 - install xauth

The server you're remoting into is complaining that it cannot create an entry in the user's .Xauthority file, because xauth is not installed. So you can install it on each server to get rid of this annoying message.

On Fedora 19 you install xauth like so:

$ sudo yum install xorg-x11-xauth

If you then attempt to ssh into the server you'll see a message that an entry is being created in the user's .Xauthority file.

$ ssh root@server
/usr/bin/xauth:  creating new authority file /root/.Xauthority
$

Subsequent logins will no longer show this message.

Method #2 - disable it via ForwardX11

You can instruct the ssh client to not attempt to enable X11 forwarding by inclusion of the SSH parameter ForwardX11.

$ ssh -o ForwardX11=no root@server

You can do the same thing with the -x switch:

$ ssh -x root@server

This will only temporarily disable this message, but is a good option if you're not able to or unwilling to install xauth on the remote server.

Method #3 - disable it via sshd_config

This is typically the default but in case it isn't, you can setup your sshd server so that X11Forwarding is off, in /etc/ssh/sshd_config.

X11Forwarding no

Of the 3 methods I generally use #2, because I'll often want X11Forwarding on for most of my servers, but then don't want to see the X11.... warnings

$HOME/.ssh/config

Much of the time these message won't even show up. They're usually only present when you have the following entries in your $HOME/.ssh/config file, at the top.

ServerAliveInterval 15
ForwardX11 yes
ForwardAgent yes
ForwardX11Trusted yes

GatewayPorts yes

So it's this setup, which is ultimately driving the generation of those X11.. messages, so again, method #2 would seem to be the most appropriate if you want to operate with ForwardX11 yes on by default, but then selectively disable it for certain connections from the ssh client's perspective.

Security

It's generally ill-advised to run with ForwardX11 yes on at all times. So if you're wanting to operate your SSH connections in the most secure manor possible, it's best to do the following:

  1. Don't include ForwardX11 yes in your $HOME/.ssh/config file
  2. Only use ForwardingX11 when you need to via ssh -X user@server
  3. If you can, disable X11Forwarding completely on the server so it's disallowed

References

share|improve this answer
up vote 10 down vote

In my case adding this string to /etc/ssh/sshd_config solved the problem:

X11UseLocalhost no
share|improve this answer
  • This worked for me (the server already had xauth installed). Thanks. – Paul Higgins Aug 27 '15 at 16:30
  • This appeared to solve my issue, but I don't understand why, which is concerning. I have what should be three identical Debian 7 machines, one of which suddenly stopped accepting locahost X11 forwarding. X11 forwarding on the other two still works. Any idea what could have changed? – Kyle Strand Oct 28 '16 at 18:27
up vote 9 down vote

Ran across this today and beat my head for a while until I stumbled across an ssh setting:

If it's RHEL 7 (centOS, OEL, etc), and it has ipv6 disabled, it needs:

AddressFamily inet

set in /etc/ssh/sshd_config.

share|improve this answer
up vote 2 down vote

Another slight variation would be if you wanted to stop seeing this message (i.e. stop trying to forward X11) for certain servers but yet keep the default to ForwardX11 yes for all other connections.

For this scenario, you could disable X11 forwarding for a specific host (or range) in your ~/.ssh/config. Something like this:

host 10.1.1.*
ForwardX11 no

Acknowledgment: This is a slight embellishment to the existing (and very complete) existing answer - since I couldn't comment!

share|improve this answer
up vote 2 down vote

If running the client in verbose mode (ssh -v user@host) gives you

debug1: Remote: No xauth program; cannot forward with spoofing.

but xauth is indeed installed on the server, then it is probably because sshd looks for xauth executable in wrong location (/usr/X11R6/bin/xauth usually). One can fix that by setting

XAuthLocation /usr/bin/xauth

in /etc/sshd/sshd_config (or whatever your server is configured with).

share|improve this answer
up vote 0 down vote

One important point to note after making the configuration changes is that you'll have to kill sshd so that it picks up the changes:

cat /var/run/sshd.pid | xargs kill -1

being the root user.

share|improve this answer
up vote -2 down vote

  1. Set the following 2 options in /etc/ssh/sshd_config in your RHEL host

    X11Forwarding yes X11UseLocalhost no

  2. sudo /etc/init.d/sshd reload

  3. sudo yum install xauth
  4. ssh back to your RHEL host with -X switch: ssh -X yourname@rhelbox
share|improve this answer

Your Answer

 
discard

By clicking "Post Your Answer", you acknowledge that you have read our updated terms of service, privacy policy and cookie policy, and that your continued use of the website is subject to these policies.

Not the answer you're looking for? Browse other questions tagged or ask your own question.