'RE: X11 forwarding and DISPLAY variable'

[prev in list] [next in list] [prev in thread] [next in thread] 

List:       secure-shell
Subject:    RE: X11 forwarding and DISPLAY variable
From:       "Carlson, Scott" <Scott.Carlson () schwab ! com>
Date:       2005-10-19 19:30:10
Message-ID: C4689EC6FE4CDA4FB7F29328DEE46EF102E10594 () nex2004cdc ! us ! global ! schwab ! com
[Download RAW message or body]


Also, so here's another hint that I just recently discovered.  If you
want to still have your DISPLAY work after you SSH somewhere and then
"su -" to another user, you'll need to manipulate the MIT-MAGIC-COOKIE
yourself.

Here's some script code that we use to do it for one of our little
custom apps.  It's obviously isn't the ONLY way to do it, but it works
for our needs.  This was specifically for a solaris host running Openssh
3.7


$ cat start_autogui
#/bin/sh

#  Get MIT Magic Cookie
# Get local hostname to be used in MIT Magic cookie
HOST=`hostname`
TYPE="unix"

# Get display passed in by the Xforwarding stuff you previously set up
#  I also changed my X config to start the display at 50 so that I
wouldn't
# conflict with other things running X on this box
#     GatewayPorts yes
#     X11DisplayOffset 50

DISP=`env | grep DISPLAY|cut -f2 -d:|cut -f1 -d.`

# Build the X-Display line to match the MIT-MAGIC-COOKIE in xauth
XDISP="$HOST""/""$TYPE"":""$DISP"

XCOOK=`/usr/openwin/bin/xauth list | grep ^$XDISP`

#echo $XCOOK

#  Become <user>
# Put MIT Magic Cookie in XAuthority
#  Run the  GUI
#  has to be done all as one command otherwise the shell hangs wrong
#

echo "/usr/openwin/bin/xauth add $XCOOK"
sudo su - <userid> -c "\
        (/usr/openwin/bin/xauth add $XCOOK; \
         export DISPLAY=localhost:$DISP.0; \
         autosc)"

#  AFter the GUI Exists, clean up the Cookie

/usr/openwin/bin/xauth remove $XDISP

Thanks

Scott Carlson
 

-----Original Message-----
From: Derek Martin [mailto:code@pizzashack.org] 
Sent: Friday, October 14, 2005 11:55 AM
To: Kelly Lucas
Cc: Bernd Prager; secureshell@securityfocus.com
Subject: Re: X11 forwarding and DISPLAY variable

On Thu, Oct 13, 2005 at 09:57:35AM -0700, Kelly Lucas wrote:
> On the machine where you want to display X, as the user you logged in 
> as, type:
> 
> xhost +

No no no no no no no!  You don't need to do this with OpenSSH, EVER!
SSH uses the much better MIT-MAGIC-COOKIE method of authenticating X
protocol connections, and does not need to muck with host-based X
authentication.

> This will give permission to remote clients to display on it.

Yes, it will give permission to ALL remote clients to access your
desktop, which is most certainly not what you want.

> When you SSH, try using:
> 
> ssh -X <hostname>

This is all you need.  If this solves the problem, you can do it
automatically by putting

  ForwardX11=yes

in your /etc/ssh/ssh_config file, or (if you don't have root access to
your machine) in your personal $HOME/.ssh/config file.

--
Derek D. Martin
http://www.pizzashack.org/
GPG Key ID: 0x81CFE75D


[prev in list] [next in list] [prev in thread] [next in thread]
Configure | About | News | Add a list | Sponsored by KoreLogic