Skip to main content

I made a GIF!

Post a Comment

X11 Forwarding issue solved

TL;DR

Disabling IPv6 necessitates SSHd AddressFamily is "inet" for X11 Forwarding to work.

Issue

OpenSSH assumes both IPv6 and IPv4 protocols are enabled, and default SSHd AddressFamily value "any" is valid. Quickly skimming the OpenSSH source code, it was not obvious why SSHd does not fail gracefully, selecting only an available IP address family.

Therefore, for X11 Forwarding to work correctly, in /etc/ssh/sshd_config we must choose:

  1. Defaults - IPv6 enabled and SSHd AddressFamily value "any"
  2. Custom - IPv6 disabled and SSHd AddressFamily value "inet"

Background

PuTTY was not creating a $HOME/.Xauthority file on ssh login and no X11 applications would run, despite setting $DISPLAY.  PuTTY was correctly configured with:

  • X11 Forwarding enabled
  • X display location empty
  • Remote authentication protocol MIT-Magic-Cookie-1
  • X authority file for local display empty


On the initial ssh login there should be a .Xauthority notice:

/usr/bin/xauth:  creating new authority file /home/cleverguy/.Xauthority

Likewise, the file $HOME/.Xauthority did not exist:

$ ls -lac $HOME/.Xauthority
ls: cannot access /home/cleverguy/.Xauthority: No such file or directory

After updating the SSHd AddressFamily and restarting the service, the $HOME/.Xauthority file was created as expected on login and X11 applications worked.

$ ls -lac $HOME/.Xauthority
-rw-------. 1 cleverguy cleverguy 49 Jun 13 16:49 /home/cleverguy/.Xauthority

The X11 application "xterm" and others ran fine afterward.  Solved.

Additional Information

Red Hat Bugzilla – Bug 1173052 titled "X11 forwarding fails if AddressFamily not inet and no IPV6 addresses configured" (two and a half years after this post) contains the same workarounds. Guess I should have opened a bug! :P

UPDATE: Updated for new information and clarifications on 2017-JUL-05
Labels:

Comments

Anonymous said…
Thank you for this post, I'm having exact same issue, however in you post "After updating the sshd address family" could you please indicate what to update and where.
Thank you very much
Gina
7/31/2013 07:36:00 PM
Unknown said…
in my case i had to make "X11Forwarding yes" and restart sshd , worked !
5/25/2016 09:04:00 PM
Anonymous said…
Thanks for this tip. Thought it was the X11Forwarding issue but when that was set - stumped. Your suggestion resolved it.
7/13/2016 04:57:00 PM
Ben Williams said…
many thanks for sharing. Unremming AddressFamily and setting it to inet worked a treat for me.
9/06/2016 09:44:00 AM
Anonymous said…
Thank you so very much for this post. It is very helpful.
9/28/2016 08:20:00 PM
Anonymous said…
Fantastic. Saved me time.
1/03/2017 05:17:00 AM
Anonymous said…
Thanks a lot. Saved my day.
1/15/2017 10:02:00 AM
Unknown said…
Tried this with no luck but then realized that normal gui programs would run ok while anything that required sudo would not. While logged into shell from PuTTY I copied the .Xauthority file from my home directory to /root and was then able to run a gui program using sudo.
2/24/2017 05:54:00 PM
JanHH said…
Thank you very much. Saved my life.
There are nearly 1 billion answers regarding X11 errors...but you seem to be the only one talking about IP configuration.
6/19/2017 02:11:00 PM
Anonymous said…
Great help ! Thank you.
8/25/2017 03:36:00 AM
Anonymous said…
Thank you so much!
11/17/2017 11:25:00 AM
Unknown said…
when i run xclock on mobaxterm console,
xclock
MobaXterm X11 proxy: Unsupported authorisation protocol
Error: Can't open display: localhost:10.0

please help
6/21/2018 09:35:00 PM
Post a Comment

Popular posts from this blog

Cisco ASA ICMP packet-tracer

Occasionally devices fail to respond to a ping.  This can result from devices being off-line, having a local firewall enabled or the perimeter firewall configuration.  The Cisco ASA ICMP packet-tracer options differ from the TCP or UDP command options.  An example is below: packet-tracer input outside icmp A.B.C.D 8 0 E.F.G.H The ICMP type is "8" (echo request) with code"0" (none).  There are no options on destination IPv4 address E.F.G.H. Complete ICMP documentation at URL http://www.iana.org/assignments/icmp-parameters/ Complete Cisco ASA packet-tracer documentation at URL http://www.cisco.com/en/US/docs/security/asa/asa80/command/reference/p.html#wp1878788
Post a Comment
Read more

Xfce4 lock screen not working

Xfce4 would not start a screensaver on my Linux system.  Researching it, it ran xflock4 from the command line ad received an error: Property "/general/LockCommand" does not exist on channel "xfce4-session". To fix this, additional configuration needed, but no hacks. First, verify xflock4 and xfconf-query are available. $ which xflock4 xfconf-query /bin/xflock4 /bin/xfconf-query Next  install a lock screen package that provides 'xlock', 'slock', 'i3lock' or similar.  $ sudo yum install -y xlockmore-gtk i3lock Last, add an executable (with options) as /general/LockCommand in the xfce4-session settings. $ xfconf-query -c xfce4-session --create -p /general/LockCommand --set "xlock -mode matrix" --type  string $ xfconf-query -c xfce4-session --create -p /general/LockCommand --set "i3lock -c 000000" --type string Test by running xflock4 from the command line or through the GUI.
7 comments
Read more