IBM Support

X11 Forwarding in SSH: connection rejected because of wrong authentication

Question & Answer


Why is the "connection rejected because of wrong authentication" in X11 Forwarding through SSH?


The issue occurs because they have changed the userid to root with "su -".
The root user does not have a DISPLAY set, nor will root have credentials for the original user DISPLAY.



Users of SSH X11 Forwarding who su - to become root


Provide an explanation of errors and work around


The following instructions explain typical scenarios and provide resolution steps.


1) Enable X11 forwarding on AIX
% cp /etc/ssh/sshd_config /etc/ssh/
% vi /etc/ssh/sshd_config

#X11Forwarding no
 X11Forwarding yes
  Stop and restart ssh
% stopsrc -s sshd
% startsrc -s sshd

2) Connect to the AIX Server from a remote PC, or other Linux/Unix system with an Xserver running. (This can be through PUTTY, or various Xemulators which connect through ssh)

The basic underlying command is
% ssh -X NON_ROOT_USER@hostname

NOTE: NON_ROOT_USER is the non-root-userid

If the X11 forwarding is successful, the DISPLAY will be set
 % echo $DISPLAY

NOTE: The default DISPLAY number is 10 (See/etc/ssh/sshd_config #X11DisplayOffset 10) but this number may be different if multiple connections are established.

3) Now become root
% sudo su -

4) Check root's DISPLAY
% echo $DISPLAY

 NOTE: This is expected. This is not the same userid which connected to, and established credentials for localhost:10.

5) Now, export the DISPLAY to the previously established secure X11 forwarding session
% export DISPLAY=localhost:10

6) Check connection access
% xhost

Typical Error: "X11 connection rejected because of wrong authentication "

NOTE: This is expected. The xauth credentials for this DISPLAY were established for $NON_ROOT_USER and must be shared with root.


IMPORTANT: IBM does not recommend this method: The following work around is only provided as a solution to certain customers' unique situations. Since root login is disallowed by default (PermitRootLogin No"), administrators should examine their security policies to ensure this is an appropriate solution.

7) Add the $NON_ROOT_USER credentials to root user /.Xauthority
% xauth add $(xauth -f ~NON_ROOT_USER/.Xauthority list | tail -1)
   NOTE: Replace the "NON_ROOT_USER" string with the correct userid

8) Check connection access
% xhost
Typical Output: "access control enabled, only authorized clients can connect"

NOTE: This message will vary based on the Xserver access controls

9) Remove the access credentials if needed
% xauth remove localhost:10





If additional assistance is required after completing all of the instructions provided in this document, please follow the step-by-step instructions below to contact IBM to open a service request (PMR) for software under warranty or with an active and valid support contract.  The technical support specialist assigned to your support call will confirm that you have completed these steps.

 a.  Document and/or take screen shots of all symptoms, errors, and/or messages that might have occurred

b.  Capture any logs or data relevant to the situation

c.  Contact IBM to open a support call (PMR):

d.  Provide a good description of your issue and reference this technote

e.  Upload all of the details and data to your support call (PMR):

Please visit this web page for instructions:


Quality documentation is important to IBM and its customers.  If you have feedback specific to this article, please send an detailed message to the email address:


  • - This email address is monitored for feedback purposes only. 
    - No support for any IBM products or services will be provided through this email. 
    - To receive support, please follow the step-by-step instructions in the above "SUPPORT" section.

[{"Product":{"code":"SWG10","label":"AIX"},"Business Unit":{"code":"BU058","label":"IBM Infrastructure w\/TPS"},"Component":"--","Platform":[{"code":"PF002","label":"AIX"}],"Version":"Version Independent","Edition":"","Line of Business":{"code":"LOB08","label":"Cognitive Systems"}}]

Document Information

Modified date:
15 September 2021