Help with X11 and X11 Forwarding

Hello,
I’m trying to get x11 forwarding, via SSH, working but it seems that Bluefin is missing packages or essential configuration for this to work.

I regularly use SSH from my Bluefin Linux Laptop to servers, and even dev environments, where x11 forwarding is essential for managing legacy applications/services. Previously using Kinoite (KDE SilverBlue) this was a non-issue and worked out of the box. I just can’t seem to get anything X11 working here.

So when using SSH with X11 forwarding from the native terminal I get output like this without an .Xauthority file and with one.

Warning: No xauth data; using fake authentication data for X11 forwarding.
$ xclock
Invalid MIT-MAGIC-COOKIE-1 keyError: Can't open display: localhost:10.0

So I figured if the host system was missing the required libraries I would just install a distrobox and test running x11 applications there. But from a Fedora 41 distrobox I can’t run any x11 applications at all.

$ xclock
Authorization required, but no authorization protocol specified

Error: Can't open display: :0

So here I figured mabey I needed an actual key in the .Xauthority file. So I generated one, but still failure.

$ xauth add ${HOSTNAME}/unix:0 . $(xxd -l 16 -p /dev/urandom)
$ xclock
Invalid MIT-MAGIC-COOKIE-1 key
Error: Can't open display: :0

I’m not sure where to go from here. Any ideas?

Can’t be totally sure but I think Fedora dropped the X11 packages in F41.

I think they are still available as packages (not sure if they are even in Fedora repos anymore or if you need a external copr repo for them).

Not sure about that but F41 in distrobox had all the required X11 packages in it’s default repos. Just a quick DNF install got everything.

dnf install "@base-x" xauth xclock openssh

Here’s the create command I used with distrobox:

distrobox create --name devbox-f41 --image quay.io/fedora/fedora-toolbox:41 --init

Fedora’s KDE and GNOME images dropped support for X11 is what inffy was referring to. Since Bluefin, Aurora, and Bazzite use both of these DEs then there is no more support for Xorg at this point. i have no idea if you can do all of this inside of a container like this and it seems like a lot of trouble… if you really need to do this then i’m not sure how to do this on GNOME. I know KDE requires rpm-ostree install plasma-workspace-x11 but this package is going away in Fedora 42 if I remember correctly anyways. essentially you most likely need the windowing session to be on your host somehow… would look into how to do this for gnome.

X11 forwarding should work out of the box. It will run your X app in Xwayland since the X11 session is no longer supported in Fedora.

Your .Xauthority is not in home. It’s /run/user/$ID/.mutter-Xwaylandauth.${RANDOM}

You should be able to get this path by echoing $XAUTHORITY.

This is managed by gnomes startup session. This will be setup even without xauth installed.

1 Like

Thanks for pointing this out as it helped me make some progress on this!!

So for distrobox it wasn’t setting the $XAUTHORITY environment variable. Setting it by hand allowed X applications to correctly work and SSH to the remote machine with X11 forwarding also worked. Now I just need to automated this in my bashrc dotfiles to auto detect and set that variable for mutter environments.

Now for the native environment I traced things down to this error:

debug1: No xauth program.
Warning: No xauth data; using fake authentication data for X11 forwarding.
debug1: Requesting X11 forwarding with authentication spoofing.

So under the assumption that xauth is a hard requirement for SSH client X11 forwarding I went and installed this with pixi.

pixi global install xorg-xauth

and then updated my ~/.ssh/config with

XAuthLocation /var/home/nicholas/.pixi/bin/xauth

Now X11 forwarding is working without issue. I’m ok with this workaround for my own workflows. I work mostly in the systems admin, and high performance computing, spaces so this may not be common for regular people and/or developers.

So, it appears that some images do not have xauth and others do. I’ve created a PR to our base images to ensure that the package gets installed.

I’m actually unsure if this was purposeful on Fedora’s part or not since xauth is still in several of the F42 images.

Hopefully this is merged so you do not need to add these workarounds since I think X forwarding should work out of the box.

Awesome! Thanks for looking at this!!

This will be in the next set of builds:

This topic was automatically closed 24 hours after the last reply. New replies are no longer allowed.