43

I just upgraded to MacOS Sierra, and I realized that I can't seem to run the "ssh -X" command in the Terminal anymore. It used to launch xterm windows, but now it's like I didn't even put the -X option anymore. It was working absolutely fine right before I updated. Other than going from OS X Yosemite to MacOS Sierra, I didn't change anything else in the setup.

EDIT:

As suggested, this is what I found in the debug logs that might be causing this problem.

```
debug1: No xauth program.
Warning: untrusted X11 forwarding setup failed: xauth key data not generated
```
Dodie
  • Did you upgrade the client or the server? – arkascha Sep 21 '16 at 16:46
  • 1
    @arkascha sorry, lemme clarify. I'm running MacOS Sierra (client) trying to ssh into an Ubuntu Server. – Dodie Sep 21 '16 at 17:10
  • 1
    Are you actually running an X server on your mac? In your mac shell, what is the DISPLAY environment set to? Could you run ssh with the "-vv" option and [edit] your question to include the debugging output? – Kenster Sep 21 '16 at 17:26
  • @Kenster I found one reference to X11 that might be the problem. Any thoughts on what could have happened? Or should I just wait for an update from XQuartz or something? – Dodie Sep 21 '16 at 18:03
  • I've solved my problem by reinstalling XQuartz on High Sierra. – Fabio Morais Apr 14 '18 at 19:13

11 Answers

66

I didn't need to reinstall XQuartz, but, based on Matt Widjaja's answer, I came up with a refinement.

  • sudo vi /etc/ssh/ssh_config (This is ssh client config, not sshd_config)
    • Under the Host * entry add (or add where appropriate per-host)
      • XAuthLocation /usr/X11/bin/xauth (The location of xauth changed in Sierra)
      • ServerAliveInterval 60 (Pings the server every 60 seconds to keep your ssh connection alive)
      • ForwardX11Timeout 596h (Allows untrusted X11 connections beyond the 20 minute default)

No need to restart ssh, except, of course, existing ssh client connections.

It sounds like -Y (trusted X11) would be preferable to untrusted. If you switch over to trusted, the ForwardX11Timeout line can probably be removed.

The ServerAliveInterval line is also an optional preference.

It may also be possible to make these changes in ~/.ssh/config (the user's config file) but the permissions have to be correct.

EDIT: I removed ForwardX11 and ForwardX11Trusted. They aren't needed and ForwardX11 is less secure and causes problems for git (or other tools using ssh).

Christian
  • I have been using ssh -Y for years now. However there does still seem to be a new problem with Sierra: If the remote window is using OpenGL, then it fails in various ways depending on the X-server. XQuartz seems to just give up, whereas someone else reports that xorg doesn't crash but also doesn't re-paint damaged windows. – bodgesoc Nov 22 '16 at 22:56
  • On 10.12 I had to use this: sudo /etc/ssh/ssh_config and I added these lines: ```Host * XAuthLocation /opt/X11/bin/xauth ServerAliveInterval 60 ForwardX11Timeout 596h``` – dajobe May 27 '17 at 21:11
  • 1
    It is possible to just stick this in $HOME/.ssh/config on a per-user basis. Thanks for finding the setting. – Walter Nissen Apr 25 '18 at 21:04
  • I think it makes sense to put the XAuthLocation for all. Maybe the other settings can be per-user, but I haven't tried it. – Christian Apr 27 '18 at 13:48
  • Just came here to comment that 3+ years later, this solution is still necessary and valid on Mojave. X knowledge is slowly becoming more arcane! – PeterT Dec 14 '19 at 22:56
  • A quick comment 4+ years later :-) : It is a common misconception that -Y (ForwardX11Trusted yes) is safer than -X (ForwardX11 yes). It is exactly the opposite! Because -Y means YOU trust the connection and hence give it full control over your local display (and potentially over all apps you are running...). On the other hand, -X is what you use if you are not sure if you can trust the connection, limiting control over your display to the running app. TLDR; -Y is more of a safety risk than -X – freddieknets Feb 02 '21 at 15:26
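
A diagnostic for the settings discussed in this answer and its comments, added here as an example and not code from any poster: it reads the effective client configuration that `ssh -G <host>` prints and flags an unusable `xauth` path (the situation the question's debug output reports) and trusted forwarding. The function name `audit_x11`, the sample input, and `/bin/sh` standing in for an `xauth` binary are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit X11 settings from `ssh -G <host>` output on stdin.
# Prints one finding per line; returns 1 if forwarding cannot work.
audit_x11() {
    xauth="" fwd="no" trusted="no" rc=0
    while read -r key value; do
        case "$key" in
            xauthlocation)     xauth=$value ;;
            forwardx11)        fwd=$value ;;
            forwardx11trusted) trusted=$value ;;
        esac
    done
    # ssh needs a working xauth binary to set up forwarding.
    if [ -n "$xauth" ] && [ -x "$xauth" ]; then
        echo "OK   xauthlocation $xauth"
    else
        echo "FAIL xauthlocation '${xauth}' is missing or not executable"
        rc=1
    fi
    # Forwarding enabled in the config applies to every ssh user of that
    # entry (git included); -X/-Y per connection keeps it scoped.
    if [ "$fwd" = "yes" ]; then
        echo "NOTE forwardx11 yes in config (also applies to git and other ssh users)"
    fi
    # Trusted forwarding lifts the restrictions placed on remote X clients.
    if [ "$trusted" = "yes" ]; then
        echo "WARN forwardx11trusted yes: remote X clients get full access to the local display"
    fi
    return "$rc"
}

# Constructed sample in lowercase "keyword value" form; /bin/sh stands in
# for an existing xauth binary so the demo runs on any machine.
sample_ok='xauthlocation /bin/sh
forwardx11 no
forwardx11trusted no'

printf '%s\n' "$sample_ok" | audit_x11
# Real use (host name is a placeholder): ssh -G ubuntu-server | audit_x11
```

Run it again after editing `/etc/ssh/ssh_config` or `~/.ssh/config` to confirm the `XAuthLocation` value that ssh actually resolves for that host.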
31

I noticed macOS Sierra reset my X11 settings so that it disabled my xAuth program. To re-enable xAuth on macOS Sierra:

  1. Reinstall X11/xQuartz to presumably reset any changes macOS Sierra made. I made the following changes below too although it sounds like this might be enough.
  2. Load up a Terminal
  3. sudo <text editor of your choice> /etc/ssh/sshd_config
  4. In that file, uncomment the following lines, and set it to these values:
    • X11Forwarding yes
    • X11DisplayOffset 10
    • [Update on 10/07/2017] When you reinstall X11/XQuartz, above all else, it should add an: XAuthLocation <path_to_your_xauth> where mine was in /opt/X11/bin/xauth. This was probably the golden step that explained why reinstalling worked.
  5. Restart ssh via the terminal. I did this by running:
    • sudo launchctl unload /System/Library/LaunchDaemons/ssh.plist
    • sudo launchctl load -w /System/Library/LaunchDaemons/ssh.plist
Matt Widjaja
  • I tried doing this but it didn't change anything for me. Any thoughts on what might be different with my machine? – Dodie Sep 26 '16 at 15:17
  • Did you try reinstalling whatever xAuth tool your Mac's using (my guess would be X11) as well? I did that too. I was skeptical if that's all it takes, so that's why I didn't mention it, but I guess that's the other thing I tried. – Matt Widjaja Sep 27 '16 at 15:33
  • 3
    Reinstalling XQuartz finally made it work! Didn't occur to me to try that because I was waiting for a new version of XQuartz. Thanks! – Dodie Sep 29 '16 at 10:15
  • 3
    I think Matt's observation of the XAuthLocation being required is the key. I had only X11Forwarding yes turned on (the display offset defaults to 10, so I left that unset), and X still didn't work, but once I set XAuthLocation, I am now able to use X11 on my mini. @MattWidjaja you get extra bonus points for including the instructions to reset sshd on OSX -- thanks!!! – Steve Byrne Nov 23 '17 at 15:15
  • 3
    `/System/Library/LaunchDaemons/ssh.plist: Could not find specified service` – holms Nov 30 '17 at 20:40
  • It should be ssh_config file instead of sshd_config? – Yuan Tao Apr 02 '18 at 23:54
13

I'm having the same issues with X11 forwarding with the -X option after upgrading to Mac OS X Sierra.

Have a look at the ssh option -Y (trusted X11 forwarding). While using ssh -Y <host> things work for me.

ebner
  • When I try -Y I still get this error: Warning: No xauth data; using fake authentication data for X11 forwarding. – Dodie Sep 24 '16 at 11:44
  • ssh -Y fixed it for me (after upgrading to High Sierra), I get the warning that @Dodie writes but it still worked. – BjornW Sep 15 '18 at 15:12
10

It's an old question but I recently ran into the same issue on my Mac running 10.12.6. The DISPLAY variable is not set in the terminal and ssh -X doesn't work. This is what I did that solved the problem:

  1. Reinstall XQuartz using Homebrew: brew cask install xquartz (the option --forced may be necessary)

  2. Add the XQuartz launcher to the system default (following the solution in this Reddit post): launchctl load -w /Library/LaunchAgents/org.macosforge.xquartz.startx.plist

  3. Restart the system.

After doing these, my DISPLAY variable is set properly:

```
$ echo $DISPLAY
/private/tmp/com.apple.launchd.mfXFpzZ0gC/org.macosforge.xquartz:0
```

And X11 forwarding in ssh works as well.

astrokuang
5

Just adding the one line XAuthLocation /usr/X11/bin/xauth to /etc/ssh/ssh_config works on my Mac, running MacOS Sierra, to ssh into a Linux host and be able to run X Windows programs remotely and have them display under XQuartz on my Mac.

  • Naturally you need to restart existing ssh connections. I got stuck for a while that connections with `ControlPersist` needed to shut down completely before this setting took effect — it evidently applies only to master connections, not slave connections. – James May 26 '18 at 13:21
5

My solution to this was the following.

(1) Launch xquartz before trying the ssh -X. In the xquartz options, I just enabled 'Open at login', and then it is always running in the background.

(2) Go to the xquartz Preferences menu, and on the Security window, click the box that says "Allow connections from clients".

After doing these things, everything works fine.

zabumba
cslage
3

Just upgraded my macbook from El Capitan to Sierra. Simply reinstalling Xquartz has done the trick for me, using ssh -X [linux server]

peter
1

I spent the whole day looking for a solution only to realize that the recent Sierra does not ship with XQuartz installed https://support.apple.com/en-gb/HT201341. Upon install (https://www.xquartz.org/) all works.

1

If Quartz is installed, all that is needed is to add the line "X11Trusted yes" under "Host *" in the /etc/ssh/ssh_config file.

Jim Ramsey
0

restarting XQuartz worked for me.

mike
0

In my case, adding XAuthLocation /opt/X11/bin/xauth to /etc/ssh/sshd_config (note that it's not /etc/ssh/ssh_config) on the macOS host worked after installing XQuartz via brew install --cask xquartz, as XQuartz provides the xauth binary.

Heechul Ryu