Thursday, January 9, 2014

X11 & SSH & SU

The problem of getting a remote GUI on X11 isn't new.
Traditionally people used a combination of $DISPLAY and xhost.
The main issue with that approach is its lack of security, which is paramount nowadays.
Then there is the -X SSH option (X11 forwarding), which is great.

But what if the remote X11 GUI needs to be associated with a different account than the one used to establish the SSH connection? The need is rather common with RBAC, where it is frequent to switch to a role for some temporary privilege elevation. It's also rather common when needing to switch to the root account (su -).

Here's one symptom of the difficulty:

adm1@laptop-1$ xauth list
laptop-1/unix:0  MIT-MAGIC-COOKIE-1  17d8871999...

adm1@laptop-1$ echo $DISPLAY
:0.0

adm1@laptop-1$ ssh -X desktop-1
Password: ****************
Last login: Thu Jan  9 09:39:03 2014 from 192.168.0.100
Oracle Corporation      SunOS 5.11      11.1    November 2013

adm1@desktop-1:~$ xauth list
desktop-1/unix:11  MIT-MAGIC-COOKIE-1  7436b5eca2...

adm1@desktop-1:~$ echo $DISPLAY
localhost:11.0

adm1@desktop-1:~$ su -
Password:
****************

root@desktop-1:~# nautilus &
[1] 3009

root@desktop-1:~#
(nautilus:3009): Gtk-WARNING **: cannot open display:

[1]+  Exit 1                  nautilus



The solution is to manually set the X11 cookie and $DISPLAY after su.
Right after connecting via ssh -X, take note of the above values (the xauth list entry and $DISPLAY).
Then switch user accordingly.

...

adm1@desktop-1:~$ su -
Password:
****************



Manually set the X11 cookie:

root@desktop-1:~# xauth add desktop-1/unix:11 MIT-MAGIC-COOKIE-1 7436b5eca2...
xauth:  file /root/.Xauthority does not exist

root@desktop-1:~# xauth list
desktop-1/unix:11  MIT-MAGIC-COOKIE-1  7436b5eca2...



Manually set $DISPLAY:

root@desktop-1:~# export DISPLAY=localhost:11.0

root@desktop-1:~# echo $DISPLAY
localhost:11.0



Invoke the GUI application:

root@desktop-1:~# nautilus > /dev/null 2>&1 &
[1] 3025

Use GUI as needed...

root@desktop-1:~#
[1]+  Done               nautilus > /dev/null 2>&1



Right before disconnecting, clean up the X11 cookie:

root@desktop-1:~# xauth remove desktop-1/unix:11

root@desktop-1:~# xauth list

root@desktop-1:~#
^D

adm1@desktop-1:~$
^D

adm1@laptop-1:~$
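The manual steps above (xauth add, export DISPLAY, xauth remove before logging out) can be wrapped in a few shell functions that are sourced in the privileged shell after su -. This is an added example, not code from the original post. It assumes DISPLAY has the localhost:N.S form that ssh -X sets, and that the unprivileged session's xauth list output (or the file it came from) is available to copy from; the sample xauth list lines are constructed for the example. The cookie is handed to xauth on stdin rather than as a command argument, so it never shows up in a process listing, and an EXIT trap takes care of the cleanup step so the cookie does not outlive the session.

```shell
#!/bin/sh
# Added example (not from the original post): import the SSH-forwarded X11
# cookie into the privileged user's xauth file, export DISPLAY, and remove
# the cookie again when the shell exits.
#
# Assumptions (hypothetical, for this example):
#   - DISPLAY is localhost:N.S as set by "ssh -X"
#   - "xauth list" prints "host/unix:N  MIT-MAGIC-COOKIE-1  <hex>" lines

# display_number 'localhost:11.0' -> 11  (host prefix and screen suffix dropped)
display_number() {
    num="${1#*:}"                # drop "host:" (or the bare leading colon)
    printf '%s\n' "${num%%.*}"   # drop ".screen"
}

# Read "xauth list" output on stdin and print the single entry whose display
# number is $1, normalised to one space between fields; exit 1 if none matches.
xauth_entry_for_display() {
    want="$1"
    while read -r key proto cookie; do
        [ -n "$key" ] || continue            # skip blank lines
        case "$key" in
            *:"$want") printf '%s %s %s\n' "$key" "$proto" "$cookie"; return 0 ;;
        esac
    done
    return 1
}

# Run in the root (or role) shell. $1 is the entry line copied from the
# unprivileged session, $2 the DISPLAY value seen there. The "add" command is
# fed to xauth on stdin (xauth reads commands from stdin when given none), so
# the cookie is not exposed as a process argument. -q silences the harmless
# "file /root/.Xauthority does not exist" notice seen in the post.
import_x11_cookie() {
    entry="$1"
    disp="$2"
    key="${entry%% *}"                        # e.g. desktop-1/unix:11
    printf 'add %s\n' "$entry" | xauth -q || return 1
    export DISPLAY="$disp"
    # Clean up the cookie when this shell exits, the post's last step.
    trap 'xauth -q remove "'"$key"'"' EXIT
}

# Usage, typed in the privileged shell after "su -" (values come from the
# unprivileged session; the file path is hypothetical):
#   . ./x11su.sh
#   import_x11_cookie \
#       "$(xauth -f /home/adm1/.Xauthority list | xauth_entry_for_display 11)" \
#       localhost:11.0
#   nautilus > /dev/null 2>&1 &
```

Reading the unprivileged user's .Xauthority with xauth -f works when the target account is root; for a non-root RBAC role, paste the entry line from the earlier xauth list output instead. The trap only covers a normal shell exit, so if the session is killed the stale entry stays in the role's xauth file until the next xauth remove.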