IBM Support

AIX X11: SSH X11 Forwarding does not work if su user

Question & Answer


Question

I enabled X11 forwarding with SSH, but when I do su to another user, the display cannot be opened. Why did this stop working after the su?

Cause

The display authorization (the MIT-MAGIC-COOKIE-1 entry that sshd wrote to ~/.Xauthority) set up for the first user 'userA' must be shared with the second user 'userB'. Neither the DISPLAY variable nor userA's ~/.Xauthority carries over when userB's login shell starts.

Answer

In the following example, userA uses ssh -X then su to become userB.

1) Connect with X11 forwarding (PuTTY with X11 forwarding enabled produces the same result).

# ssh -X userA@server.hostname
userA>$ echo $DISPLAY
localhost:10.0

sshd assigns forwarded display 10 to the session and stores the matching authorization cookie for userA in ~/.Xauthority.

2) List these credentials.

userA>$ xauth list
<server.hostname>/unix:10 MIT-MAGIC-COOKIE-1 <cookie_number>
For example:
exampleHost.example.com/unix:10  MIT-MAGIC-COOKIE-1  21754072466f4b3a6bc5d444105b07cc

NOTE: the entry is stored under <server.hostname>/unix:10 (a local-socket display). A DISPLAY value of localhost:10 resolves to this entry, so this is the exact line userB needs.

In the rest of this example, this whole line (display, protocol and cookie) is called 'userA_COOKIE_STRING'.

3) Now call sudo su to become userB.

userA>$ sudo su - userB
userB>$ echo $DISPLAY
<blank>

DISPLAY is not set for the new user: 'su -' starts a login shell with a fresh environment, so the X11 forwarding settings of userA's session are not carried over. Set DISPLAY to localhost:10 (userA's forwarded display):

userB>$ export DISPLAY=localhost:10
4) Now share userA's credentials (userA_COOKIE_STRING) with userB by adding the entry to userB's ~/.Xauthority:
userB>$ xauth add $userA_COOKIE_STRING
For example:
userB>$ xauth add exampleHost.example.com/unix:10  MIT-MAGIC-COOKIE-1  21754072466f4b3a6bc5d444105b07cc
 

The method used to share the credentials is a decision for the administrator. IBM AIX Support does not have a supported or recommended method, since sharing credentials might weaken security measures. Many methods are documented online.

Here is a sample method:

userA>$ xauth list unix:10 > /tmp/userA_COOKIE_STRING
Tip: Depending on the umask, userA might need to chmod the file so that userB can read it. The cookie is a bearer credential: any local user who can read this file can connect to userA's forwarded display. A world-readable mode such as 644 is the least safe choice; a mode that grants read access only to userB (or to a group userB belongs to) is preferable, and the file must be removed as soon as the merge is done.
userA>$ chmod 644 /tmp/userA_COOKIE_STRING
userA>$ sudo su - userB
userB>$ export DISPLAY=localhost:10
userB>$ xauth add $(cat /tmp/userA_COOKIE_STRING)
1356-364 xauth: creating new authority file /home/userB/.Xauthority
userB>$ xhost
access control enabled, only authorized clients can connect
INET:93.184.215.14
LOCAL: INET:localhost
Note: userA should remove the temporary file /tmp/userA_COOKIE_STRING as soon as userB's .Xauthority has been updated.
userA>$ rm /tmp/userA_COOKIE_STRING
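The same handoff, written as an added example that is not IBM's procedure and not a method IBM supports: a POSIX sh script that derives the xauth entry userB needs from userA's DISPLAY, checks that the entry exists in 'xauth list' output before switching user, and hands it over through a pipe ('xauth nextract' into 'xauth nmerge') instead of a file in /tmp, so the cookie is never readable by other local users. It assumes sudo permits userA to run commands as userB ('sudo -u userB'), which the page does not state; the 'xauth list' output embedded in the script is constructed from the example above, not captured from a live host.

```shell
#!/bin/sh
# Added example, not from the IBM page. Derive the xauth entry for the
# forwarded display and hand it to the target user through a pipe, so the
# cookie never sits in a file that other local users could read.
#
# Assumption (not on the page): sudo permits "sudo -u userB" for userA.
# Only hand_over_cookie needs xauth and sudo; the other functions are pure
# text handling and can be exercised anywhere.

# Map a DISPLAY value to the key xauth stores the entry under:
#   "localhost:10.0" or ":10" -> "unix:10"                 (local socket display)
#   "host.example.com:11.0"   -> "host.example.com:11"     (TCP display)
display_to_xauth_key() {
    host=${1%%:*}          # text before the first colon ("" or localhost for local)
    num=${1#*:}            # display number, possibly with ".screen"
    num=${num%%.*}         # drop the screen suffix
    case $host in
        ''|localhost) printf 'unix:%s\n' "$num" ;;
        *)            printf '%s:%s\n' "$host" "$num" ;;
    esac
}

# From "xauth list" output ($1), return the one line whose display name ends
# in "/<key>" ($2), e.g. ".../unix:10  MIT-MAGIC-COOKIE-1  <cookie>".
# Prints nothing when no entry matches; that is the case to catch before
# switching user, because "xauth add" would then have nothing to add.
find_cookie_entry() {
    printf '%s\n' "$1" | awk -v key="$2" '$1 ~ ("/" key "$") { print; exit }'
}

# Hand the entry for DISPLAY $2 to user $1 without a temporary file:
# "xauth nextract - <key>" writes the entry to stdout in numeric form and
# "xauth nmerge -" on the other side of the pipe reads it into the target
# user's ~/.Xauthority (-H makes sudo set HOME to that user's home directory).
hand_over_cookie() {
    key=$(display_to_xauth_key "$2")
    if [ -z "$(find_cookie_entry "$(xauth list)" "$key")" ]; then
        echo "no xauth entry for $key; is X11 forwarding active?" >&2
        return 1
    fi
    xauth nextract - "$key" | sudo -H -u "$1" xauth nmerge -
}

# Constructed sample of "xauth list" output, based on the page's example
# (not captured from a live system).
SAMPLE_XAUTH_LIST='exampleHost.example.com/unix:11  MIT-MAGIC-COOKIE-1  0123456789abcdef0123456789abcdef
exampleHost.example.com/unix:10  MIT-MAGIC-COOKIE-1  21754072466f4b3a6bc5d444105b07cc'

# Dry run on the sample: show the exact "xauth add" line userB would need.
key=$(display_to_xauth_key "localhost:10.0")
entry=$(find_cookie_entry "$SAMPLE_XAUTH_LIST" "$key")
echo "userB would run: xauth add $entry"

# Real use, as userA with DISPLAY set by ssh -X (left commented out so the
# dry run above works on a host without xauth or sudo):
#   hand_over_cookie userB "$DISPLAY" && sudo su - userB
#   userB>$ export DISPLAY=localhost:10
```

After the merge, userB still needs DISPLAY=localhost:10 in the new shell, exactly as in step 3 above; the pipe only replaces the /tmp file and the chmod/rm steps. If sudo does not allow 'sudo -u userB' for userA, fall back to the file method above with the narrowest file mode that lets userB read it.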
SUPPORT

If you require more assistance, use the following step-by-step instructions to contact IBM to open a case for software with an active and valid support contract.  

1.  Document (or collect screen captures of) all symptoms, errors, and messages related to your issue.

2.  Capture any logs or data relevant to the situation.

3.  Contact IBM to open a case:

   -For electronic support, see the IBM Support Community:
     https://www.ibm.com/mysupport
   -If you require telephone support, see the web page:
      https://www.ibm.com/planetwide/

4.  Provide a clear, concise description of the issue.

5.  If the system is accessible, collect a system snap, and upload all of the details and data for your case.

 - For guidance, see: Working with IBM AIX Support: Collecting snap data

Product: AIX
Component: X11 SSH
Platform: AIX
Version: 6.1; 7.1; 7.2
Edition: Standard
Business Unit: IBM Infrastructure w/TPS

Document Information

Modified date:
10 September 2024

UID

ibm16333117