X11 forwarding allows you to run graphical applications on a remote server and view them on your local machine. This is done through an SSH connection, which requires proper configuration to work. When performing administrative tasks and switching to root or another user using sudo or su, you might encounter issues like “Can't open display” or “X11 connection rejected because of wrong authentication.” These errors happen because the necessary environment variables and authentication files are not set up automatically for the new user.
$ sudo xclock
[sudo] password for user:
X11 connection rejected because of wrong authentication.
Error: Can't open display: localhost:10.0
The DISPLAY environment variable and .Xauthority file are crucial for successful X11 forwarding. These settings are automatically configured for the user who initiates the SSH session, but they do not carry over when you switch users. This lack of proper configuration prevents graphical applications from being displayed on your local machine.
To resolve this, you need to manually configure the DISPLAY variable and .Xauthority file for the user you switch to. This ensures that the authentication and display settings are correctly applied, allowing X11 forwarding to work even after user switching.
Steps to use SSH X11-Forwarding for sudo or su:
- Make sure you're already able to run a graphical program via SSH X tunneling as a normal user.
- Establish an SSH connection with X11 forwarding enabled.
$ ssh -X remote-host
user@remote-host's password:
Welcome to Ubuntu 20.10 (GNU/Linux 5.8.0-26-generic x86_64)

 * Documentation: https://help.ubuntu.com
 * Management: https://landscape.canonical.com
 * Support: https://ubuntu.com/advantage

0 updates can be installed immediately.
0 of these updates are security updates.

Last login: Sun Nov 1 21:17:13 2020 from 192.168.111.27
- Verify that you can run a graphical program as the current user.
$ xclock
- Retrieve the X authorization entry for the current display.
$ xauth list $DISPLAY
host/unix:10 MIT-MAGIC-COOKIE-1 742d024faeb3d29a15ff06f1b8c3b21e
This information is stored in the ~/.Xauthority file.
$ cat ~/.Xauthority
host10MIT-MAGIC-COOKIE-1t-O��Қ��ò
- Note the value of the DISPLAY environment variable.
$ echo $DISPLAY
localhost:10.0
- Switch to the root user or another user using sudo or su.
$ sudo su -
[sudo] password for user:
root@host:~#
- Add the X authorization entry to the .Xauthority file for the new user.
# xauth add host/unix:10 MIT-MAGIC-COOKIE-1 742d024faeb3d29a15ff06f1b8c3b21e
- Check the .Xauthority file to confirm.
# cat ~/.Xauthority
host10MIT-MAGIC-COOKIE-1t-O��Қ��ò
- Set the DISPLAY environment variable for the new user.
# export DISPLAY=localhost:10.0
- Run a graphical program as the root user or the switched user to verify.
# xclock
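The same hand-off as a script, added here as an example and not part of the original steps: it swaps `xauth add` for `xauth extract` piped into `xauth merge`, so the cookie is never typed on a command line, and it first checks that the entry for the current display is well formed. The function names and the sample list are assumptions made for illustration.

```shell
#!/bin/sh
# Constructed sample of `xauth list` output. The :10 entry is the one shown
# in the steps above; the other two cookies are made up.
SAMPLE_XAUTH_LIST='host/unix:110  MIT-MAGIC-COOKIE-1  ffeeddccbbaa99887766554433221100
host/unix:11  MIT-MAGIC-COOKIE-1  00112233445566778899aabbccddeeff
host/unix:10  MIT-MAGIC-COOKIE-1  742d024faeb3d29a15ff06f1b8c3b21e'

# display_number DISPLAY: "localhost:10.0" -> "10"
display_number() {
    d=${1##*:}                       # strip the host part   -> "10.0"
    d=${d%%.*}                       # strip the screen part -> "10"
    case $d in ''|*[!0-9]*) return 1 ;; esac
    printf '%s\n' "$d"
}

# select_cookie DISPLAY < `xauth list` output
# Prints the one "name protocol hexkey" entry for DISPLAY. Fails when the
# entry is missing or is not a well-formed MIT-MAGIC-COOKIE-1 record
# (32 lowercase hex digits), so a malformed entry is never handed over.
select_cookie() {
    n=$(display_number "$1") || return 1
    awk -v n="$n" '
        $1 ~ (":" n "$") && $2 == "MIT-MAGIC-COOKIE-1" &&
        length($3) == 32 && $3 ~ /^[0-9a-f]+$/ { print $1, $2, $3; ok = 1; exit }
        END { exit !ok }'
}

# forward_x11_to USER (hypothetical helper name)
# Merges only the current display's cookie into USER's ~/.Xauthority.
# The cookie goes through a pipe, so it never shows up in argv (`ps`) or in
# shell history, which it does with `xauth add ... <hexkey>`.
forward_x11_to() {
    xauth list "$DISPLAY" | select_cookie "$DISPLAY" >/dev/null || {
        echo "no valid cookie for DISPLAY=$DISPLAY" >&2
        return 1
    }
    # -H points HOME at USER's home so xauth writes USER's ~/.Xauthority.
    xauth extract - "$DISPLAY" | sudo -H -u "$1" xauth merge - || return 1
    echo "now run: sudo -H -u $1 env DISPLAY=$DISPLAY xclock"
}
```

Any process running as the target user can use the merged cookie to reach your display for as long as the SSH session lasts; running `xauth remove $DISPLAY` as that user afterwards deletes the entry again.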
Mohd Shakir Zakaria is an experienced cloud architect with a strong development and open-source advocacy background. He boasts multiple certifications in AWS, Red Hat, VMware, ITIL, and Linux, underscoring his expertise in cloud architecture and system administration.