{"id":729,"date":"2012-06-23T20:11:45","date_gmt":"2012-06-23T20:11:45","guid":{"rendered":"http:\/\/joelinoff.com\/blog\/?p=729"},"modified":"2013-10-29T00:54:06","modified_gmt":"2013-10-29T00:54:06","slug":"make-x11-programs-work-in-an-ssh-sudo-session","status":"publish","type":"post","link":"https:\/\/joelinoff.com\/blog\/?p=729","title":{"rendered":"Make X11 programs work in an ssh sudo session"},"content":{"rendered":"

Have you ever needed to run an X11 based program like emacs or firefox in a sudo session and received one of the following errors?
\n[crayon lang=”bash” toolbar=”always” title=”X11 Startup Error”]
\n% firefox
\nX11 connection rejected because of wrong authentication.
\nError: cannot open display: localhost:10.0
\n[\/crayon]
\nThis blog describes how to fix the problem.
\n
\nI needed to solve this problem because there are a number of hosts on my network that do not allow root logins for security reasons. As a result I have to log into these hosts as a non-root user and then create a sudo session to perform administrative functions. Furthermore, I often do this remotely via XRDP, VNC or FreeNX through an ssh tunnel (or VPN) so there can be multiple credentials set.<\/p>\n

To run an X11 based tool, I need to set the proper X credentials in the sudo session. I used to do this manually by manually looking up the xauth list<\/code> for the original login and then adding them using xauth add<\/code> in the sudo session but I recently figured out how to make it work with a single command. <\/p>\n

1 Steps<\/h1>\n

The basic steps are:<\/p>\n

    \n
  1. Login into the remote host. Make sure that X11 forwarding is enabled. I tend to use trusted forwarding which is why you see -Y instead of -X.
    ssh -Y user<\/em>@host<\/em><\/code><\/li>\n
  2. Create the sudo session by logging in with
    sudo user <\/em>-<\/code><\/li>\n
  3. Grab the X credentials for the original user. There can be many of them which is why the next step filters out the one we want.
    su - user<\/em> -c \"xauth list\"<\/code><\/li>\n
  4. Filter out the credential that we want using grep by looking for matches based on the DISPLAY environment variable. The extracted string used in the grep pattern match will be something like :10<\/code>.
    grep `echo $DISPLAY |\\
    \n     cut -d ':' -f 2 |\\
    \n     cut -d '.' -f 1 |\\
    \n     sed -e s\/^\/:\/`<\/code><\/li>\n
  5. Enable the credentials for this session using the xauth add command. The xargs command says to take the first 3 arguments and pass them to the xauth add command.
    xargs -n 3 xauth add<\/code><\/li>\n<\/ol>\n

    Another option suggested by “scott e” on 2013-10-28 is to use the command “xauth -f ~user<\/i>\/.Xauthority<\/code>” command which simplifies things. Here are the steps based on the new idiom:<\/p>\n

      \n
    1. Login into the remote host. Make sure that X11 forwarding is enabled. I tend to use trusted forwarding which is why you see -Y instead of -X.
      ssh -Y user<\/em>@host<\/em><\/code><\/li>\n
    2. Create the sudo session by logging in with
      sudo user <\/em>-<\/code><\/li>\n
    3. Enable the credentials for this session using the “xauth -f ~user<\/i>\/.Xauthority<\/code>” command. <\/i>\n<\/ol>\n<\/ol>\n

      2 Example<\/h1>\n

      Here is an example that shows how it works.
      \n[crayon lang=”sh” toolbar=”always” title=”Enable X11 in a sudo session”]
      \n% ssh -Y -A -t -C -o CompressionLevel=9 admin@thehost
      \nadmin@thehost’s password:
      \n[admin@thehost ~]$ sudo su –
      \n[sudo] password for admin:
      \n[root@thehost ~]$ su – admin -c ‘xauth list’ |\\
      \n grep `echo $DISPLAY |\\
      \n cut -d ‘:’ -f 2 |\\
      \n cut -d ‘.’ -f 1 |\\
      \n sed -e s\/^\/:\/` |\\
      \n xargs -n 3 xauth add
      \n[root@thehost ~]$ emacs &
      \n[\/crayon]
      \nNote that I used compression level 7 because this example was taken from a remote session where I experimentally determined that it improved performance. Before setting a compression level, you should verify that it really does improve performance. Often it doesn’t help.<\/p>\n

      Enjoy!<\/p>\n","protected":false},"excerpt":{"rendered":"

      Have you ever needed to run an X11 based program like emacs or firefox in a sudo session and received one of the following errors? [crayon lang=”bash” toolbar=”always” title=”X11 Startup Error”] % firefox X11 connection rejected because of wrong authentication. Error: cannot open display: localhost:10.0 [\/crayon] This blog describes how to fix the problem.<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_monsterinsights_skip_tracking":false,"_monsterinsights_sitenote_active":false,"_monsterinsights_sitenote_note":"","_monsterinsights_sitenote_category":0},"categories":[15,16],"tags":[],"_links":{"self":[{"href":"https:\/\/joelinoff.com\/blog\/index.php?rest_route=\/wp\/v2\/posts\/729"}],"collection":[{"href":"https:\/\/joelinoff.com\/blog\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/joelinoff.com\/blog\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/joelinoff.com\/blog\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/joelinoff.com\/blog\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=729"}],"version-history":[{"count":51,"href":"https:\/\/joelinoff.com\/blog\/index.php?rest_route=\/wp\/v2\/posts\/729\/revisions"}],"predecessor-version":[{"id":1021,"href":"https:\/\/joelinoff.com\/blog\/index.php?rest_route=\/wp\/v2\/posts\/729\/revisions\/1021"}],"wp:attachment":[{"href":"https:\/\/joelinoff.com\/blog\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=729"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/joelinoff.com\/blog\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=729"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/joelinoff.com\/blog\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=729"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}