[TriLUG] Xwindows question (using ssh-tunneled X from an account other than the one used for login)

Heath Roberts htroberts at gmail.com
Thu Nov 1 16:38:42 EDT 2012


I'm ssh'ing into a Linux box and tunneling X inside the ssh connection.

I log in as "htr". I then have to su to another account. I'm not allowed to
use su directly--I have to call a tool that does it for me. It runs the
equivalent of "su - appaccount".

So all my X cookies are in ~htr/.Xauthority, which appaccount has no access
to. I'd like a nice automagical way to give the cookies to appaccount, and
to correctly propagate the display variable from htr to appaccount, but
without direct access to appaccount, there seems to be no clean way to do
this.

I've googled and discovered that I can do this:

htr@host:/tmp> echo $DISPLAY
localhost:10.0

htr@host:/tmp> xauth list
hostname/unix:15  MIT-MAGIC-COOKIE-1  ff5964001af2ed3ed487facc7501f7c9
hostname/unix:16  MIT-MAGIC-COOKIE-1  e41ee722f9faaa3958512270930436a0
hostname/unix:10  MIT-MAGIC-COOKIE-1  5666611023506ef14b4fb7b82f83e597

htr25349@us2us00020:/tmp> xauth nlist "us2us00020/unix:10"
0100 000a 75733275733030303230 0002 3130 0012
4d49542d4d414749432d434f4f4b49452d31 0010 5666611023506ef14b4fb7b82f83e597

[become 'appaccount']

-bash-3.2$ export DISPLAY=localhost:10.0
-bash-3.2$ xauth nmerge -
xauth:  creating new authority file /local/home/rsaadmin/.Xauthority
0100 000a 75733275733030303230 0002 3130 0012
4d49542d4d414749432d434f4f4b49452d31 0010 5666611023506ef14b4fb7b82f83e597
-bash-3.2$ xauth list
hostname/unix:10  MIT-MAGIC-COOKIE-1  5666611023506ef14b4fb7b82f83e597

and can then run X apps as 'appaccount' and have them display on the (X)
server where I started the ssh connection.



My first question: is there a convenient & still reasonably secure way to
get my cookies & DISPLAY from the login account to the application account?

Second question: if there's no great way to do that, why does "xauth list"
show a different name for my display from the $DISPLAY that putty sets for
me in my shell? Several of the how-tos I've read suggest doing an xauth
nlist "$DISPLAY". This would be convenient--xauth lists a lot of cookies
for me, but the suggested syntax doesn't work, since $DISPLAY doesn't match
up with what xauth has for the display name.

Thanks,
Heath

-- 
Heath Roberts
htroberts at gmail.com
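
An added example, not part of the original post: a POSIX shell sketch that decodes the hex fields of `xauth nlist` output and selects the entry whose display-number field matches the number in a $DISPLAY value such as localhost:10.0. The function names and the two sample lines (host name "host", cookie values) are constructed for illustration, and matching on the display number alone assumes every entry belongs to the same machine, as in the listing above.

```shell
#!/bin/sh
# Field layout of one `xauth nlist` line (every field is hex):
#   family addr_len addr num_len display_number name_len proto data_len cookie

# hex2ascii HEX: decode a hex string to text, e.g. 3130 -> 10
hex2ascii() {
    for byte in $(printf '%s\n' "$1" | sed 's/../& /g'); do
        printf "\\$(printf '%03o' "0x$byte")"
    done
}

# display_number DISPLAY: localhost:10.0 -> 10 (drops the host part and screen)
display_number() {
    d=${1##*:}
    printf '%s\n' "${d%%.*}"
}

# pick_entry DISPLAY: read nlist lines on stdin, print those whose decoded
# display-number field equals the number taken from DISPLAY.
# Lines with fewer than six fields (e.g. empty address) are skipped.
pick_entry() {
    want=$(display_number "$1")
    while read -r fam alen addr nlen num rest; do
        [ -n "$rest" ] || continue
        if [ "$(hex2ascii "$num")" = "$want" ]; then
            printf '%s\n' "$fam $alen $addr $nlen $num $rest"
        fi
    done
}

# describe_entry LINE: human-readable summary that does not echo the cookie
describe_entry() {
    set -- $1
    printf 'family=%s address=%s display=%s protocol=%s cookie_bytes=%d\n' \
        "$1" "$(hex2ascii "$3")" "$(hex2ascii "$5")" "$(hex2ascii "$7")" "0x$8"
}

# Constructed sample input (not real cookies): displays 15 and 10 on "host"
sample_nlist() {
    cat <<'EOF'
0100 0004 686f7374 0002 3135 0012 4d49542d4d414749432d434f4f4b49452d31 0010 ffeeddccbbaa99887766554433221100
0100 0004 686f7374 0002 3130 0012 4d49542d4d414749432d434f4f4b49452d31 0010 00112233445566778899aabbccddeeff
EOF
}

describe_entry "$(sample_nlist | pick_entry localhost:10.0)"
```

With a live session, `xauth nlist | pick_entry "$DISPLAY"` prints the line to hand to `xauth nmerge -` in the other account, as in the session above.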