Script Tips: X11 Forwarding With SSH After Switching Users


From the title, you must be thinking WTF? Believe me, it’s not all that uncommon once you understand the scenario…

The Problem
You have a secure server. You need to run an X-terminal from the command line console as a user other than yourself. You only have ‘sudo su’ permission to the other user, but not the actual login credentials for that user. One common scenario where you’ll hit this problem is if you’re trying to deploy a piece of software as root via X-Terminal and you have to su over. I know I’ve hit this often enough. So what do we do?

Solution: SSH X-11 Forwarding
You’ll need:

Steps:

  1. Run Exceed
  2. Open a new SSH session with PuTTY. Before creating the session, set the following options under “Connection > SSH > X11”:
    1. Check the “Enable X11 forwarding” option, and
    2. set “X display location” to “localhost:0”
  3. Run the ssh session
  4. To test: $ xclock &

That’s just the first step. Now that you’ve enabled X11 forwarding, the clock should appear on your desktop. If not, then something’s wrong with your settings. The next step is to switch users using the “su” command. Once you’ve done this and you try to run xclock, you’ll notice something’s amiss. The clock doesn’t appear anymore. Instead, you get a string of errors on your terminal. Example:

$ sudo su - root
Password:
[root@serverX ~]# xclock
Xlib: connection to "localhost:13.0" refused by server
Xlib: PuTTY X11 proxy: wrong authentication protocol attempted
Error: Can't open display: localhost:13.0
[root@serverX ~]#

Hmm… something’s wrong. The X11 forwarding is no longer working. At this point, you’re probably scratching your head, searching the net and trying to find some logical explanation. Which was probably what brought you to this article. Don’t worry, it’s not rocket science and there’s a simple solution. The problem is really that the permission for X11 forwarding (the xauth entry shown below) belongs to the original terminal that you logged into. When you su’ed, the terminal changed and the permission was not carried across. You need to temporarily transfer the permission to the current terminal as follows:

[root@serverX ~]# exit
$ xauth list
serverX/unix:13 MIT-MAGIC-COOKIE-1 49694fb33604c92be03c36200cc81c19
$ sudo su - root
Password:
[root@serverX ~]# xauth add serverX/unix:13 MIT-MAGIC-COOKIE-1 49694fb33604c92be03c36200cc81c19
[root@serverX ~]# xclock
[root@serverX ~]#

And voilà. Suddenly the clock’s there again. When running the xauth list command, you may see more than one entry. Locate the entry that’s relevant to your current terminal. In the example above, we get the authentication error on localhost:13.0, so we’ll want to locate and transfer the permission for display 13.
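When xauth list returns several entries, picking the right one by eye is error-prone. The following is an added example, not part of the original article: the function names (display_number, match_entry, add_command) are hypothetical, and the listing with its cookie values is constructed for illustration.

```shell
#!/bin/sh
# Added example: choose the xauth entry that belongs to the forwarded display.

# Constructed sample of `xauth list` output (cookie values are made up).
sample_listing() {
    cat <<'EOF'
serverX/unix:11  MIT-MAGIC-COOKIE-1  aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
serverX/unix:113  MIT-MAGIC-COOKIE-1  bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb
serverX/unix:13  MIT-MAGIC-COOKIE-1  00112233445566778899aabbccddeeff
EOF
}

# "localhost:13.0" -> "13". Fails if the result is not a plain number.
display_number() {
    d=${1##*:}          # drop host part up to the last colon -> "13.0"
    d=${d%%.*}          # drop the screen suffix              -> "13"
    case $d in ''|*[!0-9]*) return 1 ;; esac
    printf '%s\n' "$d"
}

# Read `xauth list` output on stdin and print the single entry whose display
# name ends in ":<n>". Anchoring on the colon and the end of the name keeps
# display 13 from matching 113. Exit status 1 if nothing matches.
match_entry() {
    awk -v n="$1" '
        $2 == "MIT-MAGIC-COOKIE-1" && $1 ~ (":" n "$") {
            print $1, $2, $3; found = 1; exit
        }
        END { if (!found) exit 1 }
    '
}

# Print the command to paste into the shell you get after "sudo su".
# $1 is the DISPLAY value of the original login; the listing comes on stdin.
add_command() {
    n=$(display_number "$1") || return 1
    entry=$(match_entry "$n") || return 1
    printf 'xauth add %s\n' "$entry"
}

# Demo on the constructed listing. On a real login, run this before su:
#   xauth list | add_command "$DISPLAY"
sample_listing | add_command "localhost:13.0"
```

The cookie lets any process running as the target account connect to your forwarded display, so once the work is done, run xauth remove with the same display name (serverX/unix:13 in the article's example) in that account.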

So the next time you’re caught in this situation with an “Xlib: PuTTY X11 proxy: wrong authentication protocol attempted” error, don’t panic. You’ve probably su’ed to another user and just need to transfer the permission so you can chug along with whatever it was you were trying to do.
