How to configure X11 forwarding for sudo and root users in SSH

X11 forwarding allows you to run graphical applications on a remote server and view them on your local machine. This is done through an SSH connection, which requires proper configuration to work. When performing administrative tasks and switching to a root or another user using sudo or su, you might encounter issues like “Can't open display” or “X11 connection rejected because of wrong authentication.” These errors happen because the necessary environment variables and authentication files are not set up automatically for the new user.

$ sudo xclock
[sudo] password for user: 
X11 connection rejected because of wrong authentication.
Error: Can't open display: localhost:10.0

The DISPLAY environment variable and .Xauthority file are crucial for successful X11 forwarding. These settings are automatically configured for the user who initiates the SSH session, but they do not carry over when you switch users. This lack of proper configuration prevents graphical applications from being displayed on your local machine.

To resolve this, you need to manually configure the DISPLAY variable and .Xauthority file for the user you switch to. This ensures that the authentication and display settings are correctly applied, allowing X11 forwarding to work even after user switching.

Steps to use SSH X11-Forwarding for sudo or su:

Make sure you're already able to run graphical program via SSH X tunneling as normal user.

Related: How to run a GUI application over SSH with X11 forwarding

Establish an SSH connection with X11 forwarding enabled.

$ ssh -X remote-host
user@remote-host's password: 
Welcome to Ubuntu 20.10 (GNU/Linux 5.8.0-26-generic x86_64)

 * Documentation:  https://help.ubuntu.com
 * Management:     https://landscape.canonical.com
 * Support:        https://ubuntu.com/advantage

0 updates can be installed immediately.
0 of these updates are security updates.

Last login: Sun Nov  1 21:17:13 2020 from 192.168.111.27

Verify that you can run a graphical program as the current user.
```
$ xclock
```

Retrieve the X authorization entry for the current display.

$ xauth list $DISPLAY
host/unix:10  MIT-MAGIC-COOKIE-1  742d024faeb3d29a15ff06f1b8c3b21e

This info is stored in ~/.Xauthority file.

$ cat ~/.Xauthority 
host10MIT-MAGIC-COOKIE-1t-O��Қ��ò

Note the value of the DISPLAY environment variable.
```
$ echo $DISPLAY
localhost:10.0
```
Switch to the root user or another user using sudo or su.
```
$ sudo su -
[sudo] password for user: 
root@host:~#
```

Add the X authorization entry to the .Xauthority file for the new user.

# xauth add host/unix:10  MIT-MAGIC-COOKIE-1  742d024faeb3d29a15ff06f1b8c3b21e

Check .Xauthority file to confirm.

# cat ~/.Xauthority 
host10MIT-MAGIC-COOKIE-1t-O��Қ��ò

Set the DISPLAY environment variable for the new user.
```
# export DISPLAY=localhost:10.0
```
Run a graphical program as the root user or the switched user to verify.
```
# xclock
```

Author: Mohd Shakir Zakaria
Mohd Shakir Zakaria is a cloud architect with deep roots in software development and open-source advocacy. Certified in AWS, Red Hat, VMware, ITIL, and Linux, he specializes in designing and managing robust cloud and on-premises infrastructures.

Discuss the article:

Comment anonymously. Login not required.