Transfer your X11 (graphic) session to another user with xauth

Written by - 0 comments

Published on November 20th 2019 - Listed in Linux


Using graphical programs via a remote ssh connection is easy. As long as both the clients and the ssh server accept XForwarding. On server side this can be configured in /etc/ssh/sshd_config and verified in the active sshd settings:

root@server:~# sshd -T |grep -i X11Forwarding
x11forwarding yes

On the client side, this setting can either be added in /etc/ssh/ssh_config (ForwardX11 and ForwardX11Trusted) or enabled when connecting to the remote server using the -X parameter:

ckadm@mintp ~ $ ssh server.example.com -X

A simple command which launches the graphical program opens the GUI right on the client computer:

ckadm@server:~$ jmeter &
[1] 22278
ckadm@server:~$ Nov 20, 2019 5:30:48 PM java.util.prefs.FileSystemPreferences$1 run
INFO: Created user preferences directory.
WARNING: An illegal reflective access operation has occurred
WARNING: Illegal reflective access by org.apache.jmeter.gui.MainFrame (file:/usr/share/jmeter/lib/ext/ApacheJMeter_core.jar) to field sun.awt.X11.XToolkit.awtAppClassName
WARNING: Please consider reporting this to the maintainers of org.apache.jmeter.gui.MainFrame
WARNING: Use --illegal-access=warn to enable warnings of further illegal reflective access operations
WARNING: All illegal access operations will be denied in a future release

And voilĂ , the jmeter GUI shows up:

Jmeter GUI via remote X session

Much faster and cooler than RDP or VNC, right?

However sometimes the programs need to be opened as another user. For example gparted needs to be run as root or, in this particular scenario, I needed to run jmeter as root. But switching to root and then launching jmeter GUI results in the following error:

ckadm@server:~$ su -
Password:
root@server:~# jmeter &
[1] 23414
root@server:~# X11 connection rejected because of wrong authentication.
An error occurred: Can't connect to X11 window server using 'localhost:11.0' as the value of the DISPLAY variable.

[1]+  Exit 1                  jmeter

Because the session was switched over to root, the X session is still bound to my personal user ckadm. This is basically a security barrier, otherwise (graphical) sessions could be stolen from other logged in users. But there's a way to transfer the X session to another user - if the X authentication is forwarded. For this to work the xauth package and command must be installed.

With xauth list the X authenticated sessions and their relevant authentication cookie can be listed:

ckadm@server:~$ xauth list
server/unix:12  MIT-MAGIC-COOKIE-1  0aee3a02d1ef71586b4ba3e06db2125b
server/unix:13  MIT-MAGIC-COOKIE-1  761997e37764bdd9620969b3d514f45b
server/unix:10  MIT-MAGIC-COOKIE-1  a3cfdafa16b89059b1c87969a4999379
server/unix:11  MIT-MAGIC-COOKIE-1  036ddd844a73954be8e53c83cbb3cf03
server/unix:12  MIT-MAGIC-COOKIE-1  1935f63c70bb51e6b6bcb26c0663161e

If you're logged in multiple times, multiple lines can be shown. Note that these cookies can only be seen by the logged in user, no other users have access to this (unless the permissions on ~/.Xauthority are wrong).

Using this information, the magic cookie can now be used (added) by another user:

ckadm@server:~$ su -
Password:
root@server:~# xauth add server/unix:12  MIT-MAGIC-COOKIE-1  1935f63c70bb51e6b6bcb26c0663161e
xauth:  file /root/.Xauthority does not exist

If that was the first time the root user gets a X session, the file /root/.Xauthority will be created (hence the warning in the output).

And jmeter GUI can now be launched as root and is shown on my client desktop:

root@server:~# jmeter &
[1] 25723
root@server:~# WARNING: An illegal reflective access operation has occurred
WARNING: Illegal reflective access by org.apache.jmeter.gui.MainFrame (file:/usr/share/jmeter/lib/ext/ApacheJMeter_core.jar) to field sun.awt.X11.XToolkit.awtAppClassName
WARNING: Please consider reporting this to the maintainers of org.apache.jmeter.gui.MainFrame
WARNING: Use --illegal-access=warn to enable warnings of further illegal reflective access operations
WARNING: All illegal access operations will be denied in a future release


Add a comment

Show form to leave a comment

Comments (newest first)

No comments yet.