# X11 forwarding fails when SSH using key auth and afs home

## Oo.et.oO

Hi.  

if it's at all possible i always ssh into remote servers using key authentication.

but on some servers this can present a problem.  on these my remote home dir is usually hosted on afs.

my local home is not, but i have the same afs directories mounted elsewhere and i manually klog to get tokens.

when i login to these remote hosts, however, my token obviously isn't forwarded, as i get lots of permissions errors before i klog manually on the other end.

this creates problems with Xauth:

```
/usr/bin/xauth:  timeout in locking authority file /afs/mycell/u/myuserid/.Xauthority
```

i have tried sshing in using -1 and -2 but neither worked.  i could fool around with forwarding my afs token.  but is there a better way?

basically i just want to get X11 forwarding to work, and i can't.  even if i manually set the DISPLAY and xhost+ on local end.

forcing keyboard/password authentication works, in this case.  but in some that won't work as the passwd file doesn't get updated enough (to have my current afs passwd in there and i can't login interactively).  i can force password auth on by doing:  

```
ssh -o PreferredAuthentications=keyboard-interactive,password server
```

thanks!

----------

## Oo.et.oO

argh.  i still have this problem.  actually i googled for a solution and ran across my own post!

anyone have any ideas??

----------

## Hu

What if you login once with master mode disabled and X11 forwarding disabled then, without closing that connection, log in again with X11 forwarding?  That would hopefully allow you to setup whatever tokens are needed using your first shell, then the X11 forwarding would be able to access the remote Xauthority in a timely manner.

----------

## depontius

Simple, but unfortunate - ssh does not pass afs or kerberos tokens.  If you use password authentication and the right PAM setup, then it has its grubby mitts on a password that it can attempt to authenticate with afs/kerberos and can get a token.  That makes it look transparent to you, even if it isn't really that way under the covers.  But if you use key authentication, though you get box-level access, you have no token.  Your X problems are simply an artifact of whether or not you have a token.

----------

