Recently, we encountered a problem with forwarded X11 sessions when the
user ssh's through multiple systems. This was first spotted with 5.0p1
but is also reproducible with 5.1p1. The problem does not occur with

The scenario is this: ssh from HostA to HostB requesting X11 forwarding
and then likewise from HostB to HostC. If you request a trusted cookie
when connecting to HostC, then X11 forwarding works fine. However, if
you use an untrusted cookie, it fails.

X11 forwarding from HostB works fine regardless of the type of cookie
used. Also, the problem seems to be independent of the version of
OpenSSH running on HostC.

The ssh client on HostB appears to generate an untrusted cookie
successuflly. The -vv output confirms that it tries to generate an
untrusted cookie and there are no warnings indicating that ssh is
falling back to fake authentication.

The error encountered is a fairly generic one:

seven.imorgan> xclock
X11 connection rejected because of wrong authentication.
X connection to localhost:29.0 broken (explicit kill or server

Has anyone else seen a similar problem or is it reproducible at other


Iain Morgan
openssh-unix-dev mailing list