Getting “Xlib: PuTTY X11 proxy: wrong authentication protocol attempted”? I have the answer :)

Here’s the scenario:

You ssh to a remote server with your login and either sudo or su to another user to run some application that uses a X Windows front end.  There is a firewall between your desktop and the remote server that allows only ssh connections (port 22).  When you run into the error “Xlib: PuTTY X11 proxy: wrong authentication protocol attempted”.  What to do?

ssh jason@remote-server -X
jason $ echo $DISPLAY
localhost:10.0
jason $ su - oracle
oracle's Password:
oracle $ xterm
Xlib: connection to "localhost:10.0" refused by server
Xlib: PuTTY X11 proxy: wrong authentication protocol attempted
xterm Xt error: Can't open display: localhost:10.0

On recent OpenSSH Server releases, you can simply enable “ForwardX11Trusted yes” in the /etc/ssh/sshd_config file and restart the OpenSSH server.  If you’re not using a recent OpenSSH Server release or if you can’t for security or political reasons, what could you do? Give up? It’s simpler than you think.

You need to temporarily transfer the authorization to the other account. First, get the key from your account:

jason $ xauth list
aspc2o1/unix:10 MIT-MAGIC-COOKIE-1 bc334c66cfec3c5c3d5b0efc4ee9d3ad

Next, sudo/su to the other account and add the authorization key.

jason $ su - oracle
oracle $ xauth add aspc2o1/unix:10 MIT-MAGIC-COOKIE-1 bc334c66cfec3c5c3d5b0efc4ee9d3ad

Now, you should be able to start any X Windows application, assuming that your DISPLAY variable is set to go through the ssh tunnel:

oracle $ xterm

UPDATE:

Kyle McBride provided an easy way to automate adding the key to xauth. Add the following to your .bashrc or .profile file.

xauth list | while read x ; do sudo -u oracle xauth add $x ; done

The -u oracle will run the xauth command as the user oracle otherwise the keys will be added to the root user.

Share Button

113 Replies to “Getting “Xlib: PuTTY X11 proxy: wrong authentication protocol attempted”? I have the answer :)”

    1. I’ve been struggling with this issue for months and been doing silent Oracle installations as a result at one of my clients. I just tried your suggestion and it worked like a charm.

  1. Thank you for the tip Jason! I’ve been struggling with this issue for months and been doing silent Oracle installations as a result at one of my clients. I just tried your suggestion and it worked like a charm.

    Many, many thanks!

  2. hey i m not able to open the display when i want to open text editor or gvim it gives the error
    Xlib: connection to “yamsrv1.ece.gatech.edu:11.0” refused by server
    Xlib: PuTTY X11 proxy: wrong authentication protocol attempted

    (gedit:16728): Gtk-WARNING **: cannot open display:
    any help is appreciated

  3. Rahul,

    If you’re using Windows, you may have to tell your X Windows software to allow the incoming connection from the putty session. Which X Windows software are you using?

    I’m guessing you’re using Windows because putty isn’t too terribly common on Unix/Linux/MacOSX desktops.

    Jason

  4. I went thru that before only but the thing is my xserver is somehow not able to connect…
    I still dont know
    i m sure abt this cos none of my friends had this problem and we are accessing the same remoyte server so no change is required at the remote server side and neways we dont have root rights at remote server
    can thre be any fire wall problem i m gonna try tht now …but i m not sure

  5. hey I got it running
    I used X11 forwarding only
    The problem I gess was with my user account the xterm parameters were not set properly
    and I dont have the root accesss
    I donno whther you can do nething abt it without the root access…ne suggestions is welcome 🙂
    I have sent the request to the college support staff
    I am currently working on my friends account 🙂

  6. i came in to start my oracle install on a new box ( via sudo not a direct login as in the past ) at 8am monday morning and get this error – not a good start. so i cut and paste the whole message into google. your page comes up first on the list. the solution works as advertised 🙂 too easy.

    thanx heaps.

  7. I ran into the same problem, thanks for pointing me in the direction of xauth. Further googling got me the solution for my Ubuntu server:

    Install pam_xauth to transfer xauth cookies between users on su. Now the problem is solved!

  8. Thanks a bunch Jason.
    I normally never post messages..but GOD bless for passing on the knowledge and information.
    Thanks again!

  9. Thanks God you have the answer, and easy way to do it, the most importa thing, it is works, trying a lot before with out result, but you did it on easy 3 step.

    Great post!

  10. Excellent and clear explanation for an issue that bugged me big time.

    BTW: I was also striving to start some Oracle UI as oracle.

    Thanks for the article!

  11. Jason, does that mean we can now access X11 applications for instance, pidgin or any other thing from someone’s else computer and see the screen on our PC? I mean it’s been long since I’ve used putty, I used to use it for Shells for IRC and some other work but now I don’t have use it as I dual-boot with Linux.

    If that so, that seems a great discovery to me.

  12. Hmm. I’m still getting the infamous —

    PuTTY X11 proxy: wrong authentication protocol attempted
    Error: Can’t open display: localhost:10.0

    My Windows (Vista) PuTTY settings include everything I’ve seen here (but I note that my PuTTY 0.60 has slightly different configuration screens than the screenshots at straightrunning.com).

  13. Hi Jeff,

    Are you able to open xterm or another x11 program as the person you’re logging in as (before the sudo)? If so, then run “xauth list” as yourself and as the user you sudo to. Make sure that all the xauth lines match up. Also verify the DISPLAY before and after sudo.

    jason

  14. I got the same error message, but I already entered the key from xauth some weeks ago. The last day I connected was yesterday. The problem was that no space was left. I deleted some files from /home/…/Downloads/ and restarted the server.

    By “df -h” you get left space on your system.
    [http://setaoffice.com/2009/09/19/xlib-putty-x11-proxy-wrong-authentication-protocol-attempted/]

    Thank you!

  15. One more detail
    The recent 10/2009 release of Solaris (x86) requires the “ForwardX11 yes” entry in the client config file (/etc/shh/ssh_config) not the daemon config file (/etc/shh/sshd_config).

    sshd will reject it as a bad configuration option in the daemon config file

  16. Great work Jason thanks so much for posting this solution – it really helped me do an open solaris install. [ unbelievably they don’t have a proper text install option yet ]

    -gregoire

  17. Hi

    Thank you for the article…Each time when I logout and login I see this error.
    Is there any one time fix that can be incorporated. I used Xming.

    1. You could write a script that writes the DISPLAY and xauth info to a file prior to changing users. As long as the user you changed to as read access to that file, you should be able to. 🙂

  18. Great article. Wish I would have seen this before wasting 10 hours troubleshooting and testing.

    Since you brought up politics, my question is — Should I let the security people who locked down all of our servers without warning or workaround know about your great solution? When they treated my like an annoying thorn for asking them to help? Muhahaha

  19. Thanks for the article. Its the exact situation I’m in. (windows laptop but have to run oracle install xwindows gui from solaris box – I don’t have login to ‘oracle’ user but sudo privs.)

    I got putty’s ssh (with x11 forwarding) to finally allow my login to run xclock, but couldn’t run it after sudo to the oracle user. When I tried to add the cookie as described in the article, I got:

    xauth: timeout in locking authority file $HOME/.Xauthority

    All I had to do was change my home directory to ‘read/writable’ (ie. chmod a+rw $HOME/.) and it worked. Thanks a bunch.

    XWindows is not really that complicated – but since its a networked based GUI system, its getting the networking to work that can be a pain.

  20. I had also been under the same circumstances. But now, I am locked and loaded & I am pretty hopeful I will get rid of this error and can easily use applications that require X Windows frontend. Thanks a lot for sharing this wonderful post.

  21. I’m still having the same problem. If i login .xclock is ok. then if i sudo su – > follow the steps also okay.

    problem is if i try su – oracle .then i try same steps i will get

    -bash-3.2$ xauth add XYZ.com/unix:11 MIT-MAGIC-COOKIE-1 2c12495022c0fca1668f4dd662562ceczzz
    xauth: error in locking authority file /home/oracle/.Xauthority
    -bash-3.2$ xclock
    Xlib: connection to “localhost:11.0” refused by server
    Xlib: PuTTY X11 proxy: wrong authorisation protocol attempted
    Error: Can’t open display: localhost:11.0

    ive been having this problem since last thursay..im getting crazy on this.

    please advice

    additional info ->
    -bash-3.2$ whoami
    oracle
    -bash-3.2$ id oracle
    uid=8647(oracle) gid=10001(oinstall) groups=10001(oinstall)
    -bash-3.2$

    thanks

  22. This was fantastic. Just as a heads up, you can use:

    xauth list | while read x ; do sudo xauth add $x ; done

    Which will automate the process of adding the information into xauth. I put it in my .bashrc so when I log in it just simply works. You might want to add that to the post so other people might benefit it as well.

    1. Thanks Kyle! Your mini script helped me run GTK programs from within `screen` session. Without your script, I think I would have had to figure out current screen tab’s cookie and export it for root. The touch of sudo within that command also a great trick.

  23. I wasted 12 hrs figuring out how to make it work. export display to this, set xhost to that.. blah crap blah… but this article fixed the problem in a trice!

    thank you sir!

  24. Hello,

    I ran it with oracle user which I logged in but I got the error listed below.

    Please give me some advice to fix this.

    Xlib: connection to “localhost:0.0” refused by server
    Xlib: No protocol specified.
    If you are not able to run xclock successfully, please refer to your PC-X Server or OS vendor for further assistance.
    Typical path for ‘xclock’: ‘/usr/openwin/bin/xclock’

    Thanks,

  25. Thanks for the info.

    I use putty in a windows 7 PC to connect to the linux machine that runs Xserver, i installed Xming on the PC. How can i add/find the key in windows environment?

  26. Thank you for outlining this solution!
    And please remember, that as always: for every one user that writes a thank you to a helpful blog post, there are at least 20 other users that were as as grateful but didnt write a comment…

  27. I get this error after the above procedure while launching xterm command:
    X connection to localhost:10.0 broken (explicit kill or server shutdown).

  28. Hi,

    Thank you very much.
    Works on a Raspbian, Jan 2015.
    Took me some time to reach your page but solved the problem !
    Beware of the ForwardX11Trusted sshd_config fix which blocks you ssh server from starting.

  29. Perfect and thank you… this was exactly what I was looking for…

    Using the xauth list and then xauth add when logged into the correct user was the trick…

Leave a Reply

Your email address will not be published. Required fields are marked *