# ssh X11 forwarding w/root problem

## rogue

I have 2 gentoo boxes (grendel and hrothgar) and I want to be able to use X apps from one box on the other.  I already have this working fine for the most part.  I can ssh to hrothgar from grendel as a user and it will forward the X connection fine.  The problem comes, however, if on hrothgar I then "su -" and switch to root. As root, I can no longer run any X apps and I get the error:

```
X11 connection rejected because of wrong authentication.
X connection to localhost:11.0 broken (explicit kill or server shutdown).
```

I think it might be because root doesn't have a .Xauthority file, but I'm not sure.  Searching the forums didn't seem to help because most posts are concerned with just getting ssh X11 forwarding working the way I already have it working.

Anyone have any ideas?

----------

## sschlueter

You can either log in as root directly, or if you don't want to be able to do this, you can log in as a user via ssh -X <user>@<server> and then ssh -X root@localhost. So root must be able to log in from localhost but not from other hosts. If you like this nested-ssh-solution, you have to set up your sshd like this:

in /etc/ssh/sshd_config

```
PermitRootLogin yes
AllowUsers <user> <user2> root@127.0.0.1
```

PS.

I'm not sure why but the pam_xauth module doesn't work in this case.

----------

## rogue

thanks.

pain in the ass that i can't just su from an existing ssh session, but i guess i don't need to be root often enough on that box so the extra hassle of opening another ssh session isn't too much of a big deal.

----------

## christsong84

 *rogue wrote:*   

> thanks.
> 
> pain in the ass that i can't just su from an existing ssh session, but i guess i don't need to be root often enough on that box so the extra hassle of opening another ssh session isn't too much of a big deal.

 

as long as your user is part of the wheel group, you should technically be able to su just fine in ssh...at least I've had no problems.  Everything I can do on the box itself I can do through ssh...just a thought.

----------

## rogue

 *christsong84 wrote:*   

> as long as your user is part of the wheel group, you should technically be able to su just fine in ssh...at least I've had no problems.  Everything I can do on the box itself I can do through ssh...just a thought.

 

my problem isn't being able to be root..that works fine..i can switch users at will.

the problem is, as root, i am not able to have X applications forwarded through a connection that was initiated by a non-root user.

for example:

```
[02:44:05] rbattle@grendel rbattle $ ssh rbattle@hrothgar
Last login: Wed Sep 10 21:02:27 2003 from 192.168.0.114
[02:44:15] rbattle@hrothgar rbattle $ xload &
[1] 19415
[02:44:25] rbattle@hrothgar rbattle $ su -
Password: 
[02:44:28] hrothgar root # xload
X11 connection rejected because of wrong authentication.
X connection to localhost:10.0 broken (explicit kill or server shutdown).
[02:44:29] hrothgar root # 
```

----------

## m4chine

I get the same error. I have been shelling into my server for a while, and running xmms through xforwarding on my laptop so i get display on it instead. Something must have changed and now i can't xforward.

```
sniped@mainframe sniped $ xmms
debug1: client_input_channel_open: ctype x11 rchan 2 win 65536 max 16384
debug1: client_request_x11: request from 127.0.0.1 38133
debug1: channel 1: new [x11]
debug1: confirm x11
X11 connection rejected because of wrong authentication.
debug1: channel 1: free: x11, nchannels 2
Gdk-ERROR **: X connection to localhost:10.0 broken (explicit kill or server shutdown).
```

weird, any suggestions welcomed.

----------

## m4chine

Solved* the problem was that i wasn't forcefully using ssh2 protocol on my client. My server was only allowing ssh2 due to security reasons, and my laptop was trying to use ssh1. Change whatever Protocol is set to in /etc/ssh/ssh_config to "Protocol 2". Again, this is on the client side.

----------

## Shiner_Man

I'm having the same issue here:

```
[vince@home ~]# ssh vince@degoba
Password: 
vince@Degoba vince $ su
Password: 
root@Degoba vince # gtk-iptables 
X11 connection rejected because of wrong authentication.
Gdk-ERROR **: X connection to localhost:10.0 broken (explicit kill or server shutdown).
root@Degoba vince # 
```

I tried changing /etc/ssh/ssh_config to make sure protocol 2 was specified but that didn't work:

```
# Host *
#   ForwardAgent no
     ForwardX11 yes
#   RhostsRSAAuthentication no
#   RSAAuthentication yes
#   PasswordAuthentication yes
#   HostbasedAuthentication no
#   BatchMode no
#   CheckHostIP yes
#   AddressFamily any
#   ConnectTimeout 0
#   StrictHostKeyChecking ask
#   IdentityFile ~/.ssh/identity
#   IdentityFile ~/.ssh/id_rsa
#   IdentityFile ~/.ssh/id_dsa
#   Port 22
     Protocol 2
#   Cipher 3des
#   Ciphers aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc
#   EscapeChar ~
```

Any ideas as to why I can't forward X applications as root?

----------

## Regor

Give something like this a shot. This is taken from the /root/.bashrc of the machine I ssh into.

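```
# If the login user's X authority file exists, let root's X clients use it
if [ -f ~USER/.Xauthority ]
then
  export XAUTHORITY=~USER/.Xauthority
  # Display of the forwarded SSH session
  export DISPLAY=localhost:10.0
fi
```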

Substitute both instances of "USER" with the username you ssh into.

----------
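Added example, not part of the thread or of any poster's configuration: the same idea as the /root/.bashrc snippet above, but it takes the display from `$DISPLAY` (the thread shows both localhost:10.0 and localhost:11.0) and copies just that display's cookie into root's own authority file with `xauth`. The function names and the home-directory path in the usage line are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread. Define these in root's shell startup
# file and call import_x11_cookie after "su -" in an X11-forwarded session.
# Function names and the path in the usage line are assumptions.

# "localhost:10.0" -> "10"; fails unless the value looks like host:N[.S].
display_number() {
    case $1 in *:*) ;; *) return 1 ;; esac
    dn=${1##*:}     # drop everything up to the last colon -> "10.0"
    dn=${dn%%.*}    # drop the screen suffix               -> "10"
    case $dn in ''|*[!0-9]*) return 1 ;; esac
    printf '%s\n' "$dn"
}

# From `xauth list` output ($1), print the "name protocol hexkey" line whose
# display number matches $2 and whose key is plain hex; fail if none matches.
select_cookie() {
    num=$(display_number "$2") || return 1
    printf '%s\n' "$1" | awk -v n="$num" '
        { d = $1; sub(/.*:/, "", d) }   # "hrothgar/unix:10" -> "10"
        NF == 3 && d == n && $3 ~ /^[0-9A-Fa-f]+$/ { print $1, $2, $3; found = 1; exit }
        END { exit !found }'
}

# Copy only the cookie for $DISPLAY from the login user's authority file ($1)
# into root's own authority file.
import_x11_cookie() {
    [ -r "$1" ] || { echo "cannot read $1" >&2; return 1; }
    entry=$(select_cookie "$(xauth -f "$1" list)" "${DISPLAY:-}") || {
        echo "no cookie for DISPLAY=${DISPLAY:-} in $1" >&2
        return 1
    }
    # Word splitting is intended here: entry is "name protocol hexkey".
    xauth add $entry
}

# Usage, as root on the remote host (path is an assumed home directory):
#   import_x11_cookie /home/rbattle/.Xauthority && xload
```
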

## orionrobots

I wonder if that script could be done in such a way that when a user (with the correct wheel authority) su'd in as root, the XAUTHORITY was passed along with DISPLAY (which is already passed through).

Is there an arg to the su command to do this?

I know that the current environment is passed through, but if you specify '-' then the root environment will replace it.

For now - I am happy to use Regor's script - it works well enough..

----------

## dju`

i would also be interested about a way to automatically set XAUTHORITY right.

----------

## Regor

Not too long ago, I learned about x11-misc/sux, which - despite its name - most definitely does not suck! It's an su wrapper that takes care of all the X authentication transfer for you. Check it out!

----------

## abeowitz

step back on your PAM version.  I emerged pam-0.77-r2.ebuild and did the etc-update and things work normally again.

----------

## L.U.

Hello, I know next to nothing about this particular topic, and may just be wasting space here; however, I saw this topic earlier today and I wondered if it might not be related.

https://forums.gentoo.org/viewtopic.php?t=249744

----------

