
ssh, X-windows and su to root

 
Gord Moore
Frequent Advisor

I'm sure I saw something about this in these forums
but I've searched and had no hits. Sorry for asking
again.

The problem is this: I can ssh from my laptop with
X-windows tunneling turned on. I have to log into
my own account because, for security, the setting
for PermitRootLogin is no in sshd_config. I can
run some X-windows programs (xclock, gpm) and
they work fine. But for some I need root access --
such as the full version of sam.
When I su to root the display setting (or is it
SSH2_CLIENT parameter?) doesn't get carried
forward, so any X-windows application fails.

How can I get this to work?
Tom Maloy
Respected Contributor

Re: ssh, X-windows and su to root

The simple approach would just be to set and export the DISPLAY variable as root, and then start the X app.

You can put it into root's .profile:

RMT_HOST=$(who -muR | awk '{print $NF}')
export DISPLAY=${RMT_HOST%%}:0.0

HTH

Tom
Carpe diem!
Craig Rants
Honored Contributor

Re: ssh, X-windows and su to root

If you are tunneling, you will have to allow X11 forwarding. This is a parameter that is set in ssh_config; I don't remember if it is in sshd_config as well, since I don't have access to any of my machines currently. But you should be able to find the exact syntax for this from excerpts from the O'Reilly Definitive SSH book.

GL,
C
"In theory, there is no difference between theory and practice. But, in practice, there is. " Jan L.A. van de Snepscheut
Christopher McCray_1
Honored Contributor

Re: ssh, X-windows and su to root

Hello,

Tom's response is a good one and one that I do as well, only slightly different.

export DISPLAY=`who -mT | awk '{print $9}'`:0.0

Hope this helps

Chris
It wasn't me!!!!
Arockia Jegan
Trusted Contributor

Re: ssh, X-windows and su to root

As you are able to get xclock & gpm by using your user account, the X11 forwarding is set up properly.

You can follow the steps mentioned by Tom and Christopher.

Or simply you can export the display by,

export DISPLAY=:0.0

Then you will be able to access the GUI utilities.

Gord Moore
Frequent Advisor

Re: ssh, X-windows and su to root

I'll assign points for some interesting answers, but it still doesn't work.

Here's another tidbit. I changed the sshd_config to allow root logins, and X-windows works fine. It just doesn't when I log in as myself, then su to another user.

Here are some values. Maybe you can see something.
From an xterm window on my PC I use: ssh -X -l gmoore1 199.214.58.55
I log in as myself and xclock throws a screen back to my PC.
Some values from printenv:
USER=gmoore1
DISPLAY=199.214.58.55:12.0
SSH2_CLIENT=158.98.219.17 4841 199.214.58.55 22

I find it interesting that the display is set to screen 12 of the node I am on. Also the 158.98... number is my laptop (I think).

So I su - and log in.
No display is set so I use Christopher's one liner (Tom's script works well, too). Now the display is:
158.98.219.147:0.0

xclock tries to start, but pauses for 30 seconds or so and gives this:
Error: can't open display: 158.98.219.147:0.0
Error: Couldn't find per display information.

So, what's a "per display"?
Mark Fenton
Esteemed Contributor

Re: ssh, X-windows and su to root

Might be an issue with SSH -- I find that I cannot su to root and then have the display forwarded via SSH. I get a "cannot open display" error.

SSH tunneling uses an offset, configurable in the ssh client, from the base display. Yours appears to be set to 12.
Craig Rants
Honored Contributor

Re: ssh, X-windows and su to root

Most X type apps will accept an input of -display :12 , that may be part of what you need, as Mark pointed out.
"In theory, there is no difference between theory and practice. But, in practice, there is. " Jan L.A. van de Snepscheut
Arockia Jegan
Trusted Contributor

Re: ssh, X-windows and su to root

Hi,

Are you using OpenSSH_3.1p1?

From OpenSSH_3.1p1 X11UseLocalhost is enabled.

Add the following line in sshd_config. Restart the sshd daemon and file and try it out.

X11UseLocalhost no
linuxfan
Honored Contributor

Re: ssh, X-windows and su to root

Hi,

The :12.0 you are seeing for the DISPLAY can be modified by modifying the parameter X11DisplayOffset in your sshd_config file (don't forget to restart your ssh daemons).

You can use one of the methods already suggested:

export DISPLAY=`who -mT | awk '{print $9}'`:12.0

(note the 12 at the end)

or specify the option X11UseLocalhost in your sshd_config file
X11UseLocalhost no
this should take care of your display issue.

Not sure if you already checked out the FAQ
http://www.openssh.com/faq.html


-HTH
Ramesh
They think they know but don't. At least I know I don't know - Socrates
linuxfan
Honored Contributor

Re: ssh, X-windows and su to root

Hi Gord,

I reread your question.

This is from the man page of ssh

/Begin/
The DISPLAY variable indicates the location of the X11 server.
It is automatically set by ssh to point to a value of the form
``hostname:n'' where hostname indicates the host where the shell
runs, and n is an integer >= 1. ssh uses this special value to
forward X11 connections over the secure channel. The user should
normally not set DISPLAY explicitly, as that will render the X11
connection insecure (and will require the user to manually copy
any required authorization cookies).

/End/

I would recommend using the X11UseLocalhost no option on hp for the user.

And as far as setting the display for any user when you su to that user (when you su to root from a regular user).

Check this out.
http://www.tldp.org/HOWTO/mini/Remote-X-Apps-7.html

-HTH
Ramesh
They think they know but don't. At least I know I don't know - Socrates
Gord Moore
Frequent Advisor

Re: ssh, X-windows and su to root

Wow, lots of information here. I will check out the steps in the mini-HowTo and see if that works. I will also look at the LocalHost settings.

No, I am not using OpenSSH. It is true F-Secure ssh, but now that HP is distributing OpenSSH for free, we may change.

Thanks for your help. I'll let you know when I have digested all your advice.
George Abraham_1
Regular Advisor

Re: ssh, X-windows and su to root


Hai

You are right there. HP is bundling SSH so you can move from F-secure ..

See the link for HP OpenSSl

http://www.docs.hp.com/hpux/onlinedocs/T1471-90001/T1471-90001.html


regards
George
keep smiling
Gord Moore
Frequent Advisor

Re: ssh, X-windows and su to root

Unfortunately F-secure's SSH doesn't accept the X11UseLocalhost parameter. It may be there under some other name, but I couldn't find it.

After reading through the miniHowTo that Ramesh mentioned I tried the shell script xroot (with a slight modification for HP-UX) and it worked!

So the short answer is that you need to change both the DISPLAY and the XAUTHORITY settings when you su to another user.

Thanks to all.
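
The fix described in the post above (carry both DISPLAY and XAUTHORITY across su), as an added example that is not part of the thread and is not the mini-HOWTO's xroot script. The function names are hypothetical, the addresses are the ones quoted earlier in the thread, and it assumes root can read the user's cookie file.

```shell
#!/bin/sh
# Added example: helper names are hypothetical; IPs are the ones quoted in the thread.

# server_addr "<SSH2_CLIENT value>" -> third field, the address sshd accepted us on.
server_addr() {
    set -- $1
    echo "$3"
}

# display_port DISPLAY -> TCP port an X client connects to (6000 + display number).
display_port() {
    d=${1##*:}                      # "host:12.0" -> "12.0"
    d=${d%%.*}                      # "12.0"      -> "12"
    case $d in ''|*[!0-9]*) return 1 ;; esac
    echo $((6000 + $d))
}

# display_kind DISPLAY SERVER_ADDR
#   local  : listener on the host the shell runs on (with ssh -X, sshd's proxy)
#   remote : X client would connect straight to another host, outside the tunnel
display_kind() {
    host=${1%:*}
    case $host in
        ''|unix|localhost|127.0.0.1|"$2") echo local ;;
        *) echo remote ;;
    esac
}

# root_x_env DISPLAY [COOKIE_FILE] -> assignments to hand to root's command.
# Assumes root can read the user's cookie file (not true on root-squashed NFS homes).
root_x_env() {
    printf 'DISPLAY=%s XAUTHORITY=%s\n' "$1" "${2:-$HOME/.Xauthority}"
}

# run_as_root_x CMD...: refuse unless DISPLAY is still a display on this host, then su.
run_as_root_x() {
    srv=$(server_addr "${SSH2_CLIENT:-$SSH_CONNECTION}")
    if [ "$(display_kind "$DISPLAY" "$srv")" != local ]; then
        echo "DISPLAY=$DISPLAY is not on this host; X traffic would bypass ssh" >&2
        return 1
    fi
    su root -c "env $(root_x_env "$DISPLAY" "$XAUTHORITY") $*"
}
```

Run `run_as_root_x xclock` from the login shell, before any manual su, so that DISPLAY and XAUTHORITY still hold the values ssh set at login.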
linuxfan
Honored Contributor

Re: ssh, X-windows and su to root

Hi Gord,

The whole reason you are pointing root's XAUTHORITY to the user's is to avoid setting the DISPLAY.

Did root's display not work unless you specifically set the DISPLAY parameter?

-Ramesh
They think they know but don't. At least I know I don't know - Socrates
Jordan Bean
Honored Contributor

Re: ssh, X-windows and su to root

To preserve my original environment, I use sudo -s.

However, when forced to use `su [-] root`, I always have to set at least HOME to my home directory and DISPLAY to the appropriate tunnel.

export DISPLAY=:10.0
export HOME=/home/me

Nothing else should be required.
Sean Xu_1
New Member

Re: ssh, X-windows and su to root

You can't use su in ssh; otherwise, you'll lose the env settings that secure your X11 tunnel. Setting DISPLAY also makes the tunnel insecure (for new X processes).

Change PermitRootLogin to yes and use ssh -X -l root; otherwise, using no with su only makes your tunnel more insecure.