IBM Support

X11 Forwarding in SSH: connection rejected because of wrong authentication

Question & Answer


Question

Why does X11 forwarding through SSH fail with "connection rejected because of wrong authentication"?

Cause

The issue occurs because the user has changed the userid to root with "su -".
The root user does not have a DISPLAY set, nor does root have credentials for the original user's DISPLAY.

Answer

TARGET AUDIENCE:

Users of SSH X11 Forwarding who su - to become root

OBJECTIVE:

Provide an explanation of the errors and a workaround

PROCEDURES:



The following instructions explain typical scenarios and provide resolution steps.

PROBLEM RE-CREATION STEPS:

1) Enable X11 forwarding on AIX
% cp /etc/ssh/sshd_config /etc/ssh/sshd_config.save
% vi /etc/ssh/sshd_config

Change
#X11Forwarding no
to
X11Forwarding yes

Stop and restart the ssh daemon
% stopsrc -s sshd
% startsrc -s sshd


2) Connect to the AIX server from a remote PC, or other Linux/Unix system, with an X server running. (This can be through PuTTY, or various X emulators which connect through ssh)

The basic underlying command is
% ssh -X NON_ROOT_USER@hostname

NOTE: NON_ROOT_USER is the non-root userid

If the X11 forwarding is successful, the DISPLAY will be set
% echo $DISPLAY
localhost:10

NOTE: The default DISPLAY number is 10 (see "#X11DisplayOffset 10" in /etc/ssh/sshd_config), but this number may be different if multiple connections are established.

3) Now become root
% sudo su -

4) Check root's DISPLAY
% echo $DISPLAY
(null)

NOTE: This is expected. root is not the userid which connected to, and established credentials for, localhost:10.

5) Now, set root's DISPLAY to the previously established secure X11 forwarding session
% export DISPLAY=localhost:10

6) Check connection access
% xhost

Typical Error: "X11 connection rejected because of wrong authentication"

NOTE: This is expected. The xauth credentials for this DISPLAY were established for $NON_ROOT_USER and must be shared with root.

PROBLEM RESOLUTION STEPS:

IMPORTANT: IBM does not recommend this method. The following workaround is only provided as a solution to certain customers' unique situations. Since root login is disallowed by default ("PermitRootLogin No"), administrators should examine their security policies to ensure this is an appropriate solution.

7) Add the $NON_ROOT_USER credentials to the root user's /.Xauthority
% xauth add $(xauth -f ~NON_ROOT_USER/.Xauthority list | tail -1)

NOTE: Replace the "NON_ROOT_USER" string with the correct userid

8) Check connection access
% xhost
 
Typical Output: "access control enabled, only authorized clients can connect"

NOTE: This message will vary based on the Xserver access controls

9) Remove the access credentials if needed
% xauth remove localhost:10
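
The lookup in step 7 takes the last line of the xauth list output, which may belong to a different session if NON_ROOT_USER has more than one entry. The following added example (not part of the original IBM procedure) selects only the entry whose display number matches the DISPLAY set in step 5. The function names and the sample list are constructed for illustration, and it assumes xauth list prints the display name as the first field, ending in ":N".

```shell
#!/bin/sh
# Added example (not IBM's code); function names are hypothetical.

# Constructed "xauth list" output: the entry for display 10 is NOT the last
# line, so "tail -1" would copy the cookie of a different session.
SAMPLE_LIST='aixhost/unix:11  MIT-MAGIC-COOKIE-1  0000000000000000000000000000000b
aixhost/unix:10  MIT-MAGIC-COOKIE-1  0000000000000000000000000000000a
aixhost/unix:12  MIT-MAGIC-COOKIE-1  0000000000000000000000000000000c'

# display_number DISPLAY: print the display number of e.g. "localhost:10"
# or "localhost:10.0"; fail if it is not a plain number.
display_number() {
    d=${1##*:}          # drop everything up to the last colon
    d=${d%%.*}          # drop an optional ".screen" suffix
    case $d in
        ''|*[!0-9]*) return 1 ;;
    esac
    printf '%s\n' "$d"
}

# select_xauth_entry N: read "xauth list" output on stdin and print the one
# entry whose display field ends in ":N"; fail if none or several match.
select_xauth_entry() {
    awk -v suffix=":$1" '
        substr($1, length($1) - length(suffix) + 1) == suffix { hit = $0; count++ }
        END { if (count == 1) print hit; exit (count != 1) }'
}

# share_forwarded_cookie XAUTHORITY_FILE DISPLAY: run as root after "su -".
# Adds only the matching entry to root's Xauthority, like step 7 above.
share_forwarded_cookie() {
    n=$(display_number "$2") || return 1
    entry=$(xauth -f "$1" list | select_xauth_entry "$n") || return 1
    # Unquoted on purpose: the entry splits into name, protocol and cookie.
    xauth add $entry
}

# Usage (as root):
#   share_forwarded_cookie ~NON_ROOT_USER/.Xauthority localhost:10
```

The cookie copied this way gives root's X clients the same access to the forwarded display as NON_ROOT_USER, so remove it as in step 9 once it is no longer needed.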

 

CATEGORY:

WWMISC

SUPPORT:

If additional assistance is required after completing all of the instructions provided in this document, please follow the step-by-step instructions below to contact IBM to open a service request (PMR) for software under warranty or with an active and valid support contract.  The technical support specialist assigned to your support call will confirm that you have completed these steps.

a.  Document and/or take screen shots of all symptoms, errors, and/or messages that might have occurred

b.  Capture any logs or data relevant to the situation

c.  Contact IBM to open a support call (PMR):


d.  Provide a good description of your issue and reference this technote

e.  Upload all of the details and data to your support call (PMR):

Please visit this web page for instructions:  https://www.secure.ecurep.ibm.com/app/upload

FEEDBACK:

Quality documentation is important to IBM and its customers.  If you have feedback specific to this article, please send a detailed message to the email address:

  • aix_feedback@wwpdl.vnet.ibm.com

    - This email address is monitored for feedback purposes only.
    - No support for any IBM products or services will be provided through this email.
    - To receive support, please follow the step-by-step instructions in the above "SUPPORT" section.


Document Information

Modified date:
15 September 2021

UID

isg3T1026205