Using graphical programs via a remote ssh connection is easy. As long as both the clients and the ssh server accept XForwarding. On server side this can be configured in /etc/ssh/sshd_config and verified in the active sshd settings:
root@server:~# sshd -T |grep -i X11Forwarding
x11forwarding yes
On the client side, this setting can either be added in /etc/ssh/ssh_config (ForwardX11 and ForwardX11Trusted) or enabled when connecting to the remote server using the -X parameter:
ckadm@mintp ~ $ ssh server.example.com -X
A simple command which launches the graphical program opens the GUI right on the client computer:
ckadm@server:~$ jmeter &
[1] 22278
ckadm@server:~$ Nov 20, 2019 5:30:48 PM java.util.prefs.FileSystemPreferences$1 run
INFO: Created user preferences directory.
WARNING: An illegal reflective access operation has occurred
WARNING: Illegal reflective access by org.apache.jmeter.gui.MainFrame (file:/usr/share/jmeter/lib/ext/ApacheJMeter_core.jar) to field sun.awt.X11.XToolkit.awtAppClassName
WARNING: Please consider reporting this to the maintainers of org.apache.jmeter.gui.MainFrame
WARNING: Use --illegal-access=warn to enable warnings of further illegal reflective access operations
WARNING: All illegal access operations will be denied in a future release
And voilĂ , the jmeter GUI shows up:
Much faster and cooler than RDP or VNC, right?
However sometimes the programs need to be opened as another user. For example gparted needs to be run as root or, in this particular scenario, I needed to run jmeter as root. But switching to root and then launching jmeter GUI results in the following error:
ckadm@server:~$ su -
Password:
root@server:~# jmeter &
[1] 23414
root@server:~# X11 connection rejected because of wrong authentication.
An error occurred: Can't connect to X11 window server using 'localhost:11.0' as the value of the DISPLAY variable.
[1]+ Exit 1 jmeter
Because the session was switched over to root, the X session is still bound to my personal user ckadm. This is basically a security barrier, otherwise (graphical) sessions could be stolen from other logged in users. But there's a way to transfer the X session to another user - if the X authentication is forwarded. For this to work the xauth package and command must be installed.
With xauth list the X authenticated sessions and their relevant authentication cookie can be listed:
ckadm@server:~$ xauth list
server/unix:12 MIT-MAGIC-COOKIE-1 0aee3a02d1ef71586b4ba3e06db2125b
server/unix:13 MIT-MAGIC-COOKIE-1 761997e37764bdd9620969b3d514f45b
server/unix:10 MIT-MAGIC-COOKIE-1 a3cfdafa16b89059b1c87969a4999379
server/unix:11 MIT-MAGIC-COOKIE-1 036ddd844a73954be8e53c83cbb3cf03
server/unix:12 MIT-MAGIC-COOKIE-1 1935f63c70bb51e6b6bcb26c0663161e
If you're logged in multiple times, multiple lines can be shown. Note that these cookies can only be seen by the logged in user, no other users have access to this (unless the permissions on ~/.Xauthority are wrong).
Using this information, the magic cookie can now be used (added) by another user:
ckadm@server:~$ su -
Password:
root@server:~# xauth add server/unix:12 MIT-MAGIC-COOKIE-1 1935f63c70bb51e6b6bcb26c0663161e
xauth: file /root/.Xauthority does not exist
If that was the first time the root user gets a X session, the file /root/.Xauthority will be created (hence the warning in the output).
And jmeter GUI can now be launched as root and is shown on my client desktop:
root@server:~# jmeter &
[1] 25723
root@server:~# WARNING: An illegal reflective access operation has occurred
WARNING: Illegal reflective access by org.apache.jmeter.gui.MainFrame (file:/usr/share/jmeter/lib/ext/ApacheJMeter_core.jar) to field sun.awt.X11.XToolkit.awtAppClassName
WARNING: Please consider reporting this to the maintainers of org.apache.jmeter.gui.MainFrame
WARNING: Use --illegal-access=warn to enable warnings of further illegal reflective access operations
WARNING: All illegal access operations will be denied in a future release
No comments yet.
AWS Android Ansible Apache Apple Atlassian BSD Backup Bash Bluecoat CMS Chef Cloud Coding Consul Containers CouchDB DB DNS Database Databases Docker ELK Elasticsearch Filebeat FreeBSD Galera Git GlusterFS Grafana Graphics HAProxy HTML Hacks Hardware Icinga Icingaweb Icingaweb2 Influx Internet Java KVM Kibana Kodi Kubernetes LVM LXC Linux Logstash Mac Macintosh Mail MariaDB Minio MongoDB Monitoring Multimedia MySQL NFS Nagios Network Nginx OSSEC OTRS Office PGSQL PHP Perl Personal PostgreSQL Postgres PowerDNS Proxmox Proxy Python Rancher Rant Redis Roundcube SSL Samba Seafile Security Shell SmartOS Solaris Surveillance Systemd TLS Tomcat Ubuntu Unix VMWare VMware Varnish Virtualization Windows Wireless Wordpress Wyse ZFS Zoneminder