Wednesday, March 29, 2023

Tunneling X11 over SSH as a different user


X11 tunneling over SSH is pretty straightforward as long as you don't need to su to another user on the target system. When you have to do that, it gets a little tricky, and that's the reason for this post.


In my case, I'm usually starting the process from a Windows server with Putty, so that's the basis for this solution. I have tested this with both xming and Moba Xterm on Windows. So before connecting to a remove server, make sure that your Windows X server is running and Putty is configured to allow X11 forwarding:

Ensure X11 tunneling is configured for your session:


Open the session (connect to the remove system) and ensure that your xauth exists and your local display is set so you can get your MIT-MAGIC-COOKIE:

[franktate@linux1 ~]$ echo $DISPLAY


[franktate@linux1 ~]$ xauth list | grep :10  MIT-MAGIC-COOKIE-1  a229706ccb496af61501ea25a9548851

[franktate@linux1 ~]$


Note how your display number is used to identify the appropriate MIT-MAGIC-COOKIE


Ensure that an X application can connect to your Windows X server by running xterm or some other application.

Switch users and set the MIT-MAGIC-COOKIE:

[franktate@linux1 ~]$ su - db2inst1


-bash: TMOUT: readonly variable

[db2inst1@linux1 ~]$ xauth add  MIT-MAGIC-COOKIE-1  a229706ccb496af61501ea25a9548851

[db2inst1@linux1 ~]$


Run xterm or some other X application to be sure X is tunneled correctly. Assuming that works, now connect from the first machine to another.


SSH to the next hop host  and get your MIT-MAGIC-COOKIE


[db2inst1@linux1 ~]$ ssh -Y frank2@linux2

frank2@linux2's password:

Last failed login: Sat Feb 23 16:17:29 EST 2019 on pts/0

[frank2@linux2 ~]$ echo $DISPLAY


[frank2@linux2 ~]$ xauth list | grep :10  MIT-MAGIC-COOKIE-1  2d31b43034bfc9da1c0d2848c1b718d8

[frank2@linux2 ~]$


Run xterm or some other X application to be sure X is tunneled correctly.

Switch users and set the MIT-MAGIC-COOKIE


[frank2@linux2 ~]$ su - db2inst1


[db2inst1@linux2 ~]$ xauth add  MIT-MAGIC-COOKIE-1  2d31b43034bfc9da1c0d2848c1b718d8


Run an X application like xterm to validate that it's working.


No comments: