
RE: SSH X11 Setting the Display Variable



OK wow, my email client is working hard to make my emails unreadable. Here it is again, with some added detail.
I assume that the pam_xauth module that Mr. Nelson brought up requires "UsePAM yes" in the sshd_config file that is loaded by sshd. I added pam_xauth and got nowhere. Before enabling PAM, through more research, I found a solution. The sux command is a solution. It seems to be designed for exactly this purpose, keeping x credentials for a user when you su to load that user, and I confirmed that it works. It has several options and I am not sure if it takes all su options or only its own, but it seems like it has most of the same options as su. The basics are below.
sux  works like su 

sux -  works like su -l 
Of course the exception is that using sux keeps the DISPLAY settings and transfers the X credentials to the su user. It works with the script below that Mr. Llewellyn provided for my special situation where andLinux sets the DISPLAY variable in /etc/profile. Locally DISPLAY=192.168.11.1:0.0 and su works with that as expected. Remotely via ssh access DISPLAY= and sux keeps that across users when using the - option which loads the new user's environment variables.
# This script lets andLinux set the DISPLAY variable locally and ssh set it when
# this copy of Linux is accessed via ssh with -X or -Y.
if [ -z "$DISPLAY" ]; then
    export DISPLAY=192.168.11.1:0.0
fi
----------------------------------------
> From: novashadow@xxxxxxx
> To: dnelson@xxxxxxxxxxxxxxx; daniel@xxxxxxxxxxxxxxx; remo-dated-1244046244.fd158e@xxxxxxxxxx
> CC: secureshell@xxxxxxxxxxxxxxxxx
> Subject: RE: SSH X11 Setting the Display Variable
> Date: Sat, 30 May 2009 02:19:03 -0400
>
>
> Greetings,
> I assume that the pam_xauth module that Mr. Nelson brought up requires "UsePAM yes" in the sshd_config file that is loaded by sshd. I added it and got nowhere. Before enabling PAM, through more research, I found a solution. The solution seems to be the sux command. It seems to be designed for exactly that purpose and I confirmed that it works. It has several options and I am not sure if it takes all su options or only its own, but the basics are below.
> sux works like su
> sux - works like su -l
> Of course the exception is that using sux keeps the DISPLAY settings and transfers the X credentials to the su user. It works with the script below that Mr. Llewellyn provided for my special situation where andLinux set the DISPLAY variable in /etc/profile. Locally DISPLAY=192.168.11.1:0.0 and su works with that. Remotely via ssh access DISPLAY= and sux keeps that across users when using the - option which loads the new user's environment variables.
> if [ -z "$DISPLAY" ]; then
> export DISPLAY=192.168.11.1:0.0
> fi
>
>
> ----------------------------------------
>> Date: Fri, 29 May 2009 16:23:35 -0500
>> From: dnelson@xxxxxxxxxxxxxxx
>> To: daniel@xxxxxxxxxxxxxxx
>> CC: novashadow@xxxxxxx; secureshell@xxxxxxxxxxxxxxxxx
>> Subject: Re: SSH X11 Setting the Display Variable
>>
>> In the last episode (May 29), Daniel Llewellyn said:
>>> On Fri, May 29, 2009 at 05:17, Chris Mirchandani wrote:
>>>> OK, I found one hole in this script. If I ssh in as any user, the script does what it is supposed to do and the DISPLAY variable value is left as set by ssh. However, if I su -l to another user DISPLAY=192.168.11.1:0.0. If I su to the same user without -l the DISPLAY variable value is left as set by ssh when the initial user was logged in. Any ideas and/or suggestions?
>>>
>>> I wouldn't have said that was a hole "per se", more a "feature" with the
>>> way that `su -l` is designed to work. The point of the -l switch is that
>>> the environment is set from a clean slate when entering the new user
>>> context. This means that any pre-existing DISPLAY variable will be
>>> blanked out along with the rest of the new shell's environment. Then
>>> /etc/profile is run through to set up the initial environment for said new
>>> shell, which will detect the lack of DISPLAY variable and set up the
>>> default (192.168.11.1:0.0).
>>
>> That depends; some systems have a pam_xauth module that preserves $DISPLAY,
>> copies your current xauth key to a file readable by target user, and points
>> $XAUTHORITY at the temp file. Handy when you're su'ing to root to run a
>> graphical installer.
>>
>> --
>> Dan Nelson
>> dnelson@xxxxxxxxxxxxxxx
>
> ----------------------------------------
>> Date: Fri, 29 May 2009 10:24:03 -0600
>> Subject: Re: SSH X11 Setting the Display Variable
>> To: novashadow@xxxxxxx
>> From: remo-dated-1244046244.fd158e@xxxxxxxxxx
>>
>> This is a normal part of security. I had the same problem a while back. But I
>> cannot remember what I did to fix it.
>>
>> ciao
>

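Added example, not part of the original thread and not the code of sux or pam_xauth: display_seen reproduces the su versus su -l behaviour discussed above by running the /etc/profile snippet in an inherited or a wiped environment, and carry_x_to is one manual way to keep DISPLAY and pass the X cookie to another user. Both function names are hypothetical; carry_x_to assumes xauth and sudo are installed and merges the cookie into the target user's own ~/.Xauthority rather than using a temporary file and $XAUTHORITY as Mr. Nelson describes for pam_xauth.

```shell
#!/bin/sh
# Fallback from the thread's /etc/profile snippet (the address is the poster's).
PROFILE='if [ -z "$DISPLAY" ]; then export DISPLAY=192.168.11.1:0.0; fi'

# display_seen MODE [DISPLAY_FROM_SSH]   (hypothetical helper)
#   keep  - environment inherited, as with plain `su`
#   login - environment wiped, then the profile runs, as with `su -l`
# Prints the DISPLAY value the new shell ends up with.
display_seen() {
    mode=$1
    ssh_display=${2-}
    case $mode in
        keep)  env -i DISPLAY="$ssh_display" /bin/sh -c "$PROFILE"'; printf %s "$DISPLAY"' ;;
        login) env -i /bin/sh -c "$PROFILE"'; printf %s "$DISPLAY"' ;;
        *)     return 2 ;;
    esac
}

# carry_x_to USER COMMAND...   (hypothetical helper)
# Copies only the cookie for the current display to USER, then runs COMMAND
# as USER with DISPLAY preserved. Assumes xauth and sudo are available.
carry_x_to() {
    target=$1
    shift
    [ -n "${DISPLAY-}" ] || { echo "DISPLAY is not set" >&2; return 1; }
    # Export just this display's entry, not the whole ~/.Xauthority.
    # -H points HOME at the target's home so the merge lands in their file.
    xauth extract - "$DISPLAY" |
        sudo -H -u "$target" xauth merge - || return 1
    sudo -H -u "$target" env DISPLAY="$DISPLAY" "$@"
}
```

Whoever holds the cookie has full client access to that X display, which is why only the entry for the current display is copied.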
