X11 connection rejected because of wrong authentication after sudo to another user

Cause:

The X11 authentication cookie (the xauth entry for the display) is not carried over when you sudo to another user.

Solution One:

1. Log in as the first user (user1).
2. Run 'echo $DISPLAY'

    bash-3.00$ echo $DISPLAY
    localhost:10.0

3. Run 'xauth list'

    xauth list
    box.my.com/unix:10  MIT-MAGIC-COOKIE-1  4f76c629f8cdbf26ce4ae646cc24448c
    box.my.com/unix:11  MIT-MAGIC-COOKIE-1  1acd10ab0fd098a86aba7aa691d7c067
    box.my.com/unix:12  MIT-MAGIC-COOKIE-1  e007ee6844c417a6b866d66c7bbcbc7d

   For Solaris 10, xauth is in the /usr/openwin/bin directory.

4. sudo to the second user (user2) with a command like

    sudo su - user2

5. Set the $DISPLAY environment variable to the same value as user1's.

    DISPLAY=localhost:10.0; export DISPLAY

6. Run "xauth add" and append the entry from user1's "xauth list" that matches the display number. For example, user1's $DISPLAY is localhost:10.0, so we append the box.my.com/unix:10 entry.

    xauth add box.my.com/unix:10  MIT-MAGIC-COOKIE-1  4f76c629f8cdbf26ce4ae646cc24448c

7. Test with xclock:

    xclock

Automate Solution One

Solution One can be automated with two scripts, one on the user1 side and one on the user2 side.

1. Create a shell script, named sudouser2, on the user1 side.

    #!/usr/bin/bash

    # Remember DISPLAY
    echo "$DISPLAY" > /tmp/.echoUser1DISPLAY.txt
    chmod a+r /tmp/.echoUser1DISPLAY.txt

    # Remember cookie: keep only the xauth entry whose display number
    # matches $DISPLAY (":10" for localhost:10.0)
    xauth list | grep ":$(echo "$DISPLAY" | cut -d: -f2 | cut -d. -f1) " > /tmp/.parseUser1Xauth.txt
    # World-readable so that user2 can read it; every other local user can read it too
    chmod a+r /tmp/.parseUser1Xauth.txt

    sudo su - user2

2. Give sudouser2 execute permission.

    chmod u+x sudouser2

3. Run ./sudouser2 to sudo into user2.

    ./sudouser2

4. Create a shell script, named setxwin, on the user2 side.

    # Import the cookie and display that sudouser2 saved
    xauth add `cat /tmp/.parseUser1Xauth.txt`
    export DISPLAY=`cat /tmp/.echoUser1DISPLAY.txt`

5. Run . ./setxwin in the user2 shell. Optionally, source setxwin from a shell startup file such as .profile.

    . ./setxwin

6. Test with xclock:

    xclock
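An alternative to the two temp-file scripts above, as an added example that is not part of the original post: the cookie for the current display is handed to the target user through a pipe, so it never sits in a world-readable file under /tmp. The function names and the sample data are hypothetical, and it assumes sudoers allows the caller to run xauth as the target user.

```shell
#!/bin/sh
# Added example, not from the original post. Function names are hypothetical.

# Constructed sample of `xauth list` output (keys are dummy values).
SAMPLE_XAUTH_LIST='host.example/unix:1  MIT-MAGIC-COOKIE-1  00000000000000000000000000000001
host.example/unix:10  MIT-MAGIC-COOKIE-1  00000000000000000000000000000010
host.example/unix:11  MIT-MAGIC-COOKIE-1  00000000000000000000000000000011'

# display_number "localhost:10.0" prints "10"; ":0" prints "0".
display_number() {
    d=${1##*:}                 # drop everything up to the last colon
    printf '%s\n' "${d%%.*}"   # drop the optional ".screen" suffix
}

# match_cookie DISPLAY: filter `xauth list` output on stdin down to the
# entries for DISPLAY's number, comparing the whole number so that
# display 1 does not also select displays 10 and 11.
match_cookie() {
    awk -v n="$(display_number "$1")" \
        '{ k = split($1, part, ":"); if (part[k] == n) print }'
}

# pass_cookie USER: hand the current display's cookie to USER over a pipe.
# Assumes sudoers lets the caller run xauth as USER.
pass_cookie() {
    [ -n "$DISPLAY" ] || { echo "DISPLAY is not set" >&2; return 1; }
    entries=$(xauth list | match_cookie "$DISPLAY")
    [ -n "$entries" ] || { echo "no cookie for $DISPLAY" >&2; return 1; }
    # "xauth source -" reads commands from stdin, so the key is never
    # written to /tmp. -H points HOME at USER's home so that xauth
    # updates USER's own ~/.Xauthority.
    printf '%s\n' "$entries" | sed 's/^/add /' |
        sudo -H -u "$1" xauth source -
}

# Offline demonstration on the constructed sample.
printf '%s\n' "$SAMPLE_XAUTH_LIST" | match_cookie localhost:10.0
```

Call `pass_cookie user2` as user1, then set DISPLAY in user2's shell as in Solution One.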

Solution Two:

Add to /etc/sudoers file

Defaults env_keep += "DISPLAY XAUTHORIZATION XAUTHORITY"

24 Responses to X11 connection rejected because of wrong authentication after sudo to another user

  3. Shilpa Sathya says:

    Brilliant man! Found this link after 3 hours of searching. The step I was missing was the “xauth add” with the same items as mentioned in root.

    Thanks a ton!

  4. Raquel says:

    I did all the procedures, but still the same error… =/

  5. Deezer says:

    Defaults env_keep += "DISPLAY XAUTHORIZATION XAUTHORITY"

    Does not work on Red Hat Linux. It does copy the display variable, but it does not move the Xauthority cookie over, so a script or manual steps are still required. Does anyone know how to do this without having to write a script or using manual steps? It seems like there must be a way…

  6. Peter Flynn says:

    I don’t need this if I just log into another machine with ssh -X, but if I then sudo su - to work as root, I can’t find the right incantation to make xauth allow me to run X programs from the su job.

  7. Madhu says:

    Just wanted to thank you, it helped me!

  8. John says:

    # fetch the user
    while getopts :u: u
    do
        [ "${u}" = u ] && sudo_user=$OPTARG
    done

    [ -z "${sudo_user}" ] && exit 1

    # Remember cookie
    if [ "${DISPLAY}X" != "X" ]
    then
        DISP_ID=$(echo "$DISPLAY" | cut -d':' -f 2 | cut -d '.' -f 1)
        HOST=$(hostname -f)
        # print the command that would copy the cookie
        echo "/usr/bin/xauth extract - ${HOST}/unix:${DISP_ID} | /usr/bin/sudo -u ${sudo_user} /usr/bin/xauth merge -"
    fi
    echo "/usr/bin/sudo $*"

  9. John says:

    # fetch the user
    while getopts :u: u
    do
        [ "${u}" = u ] && sudo_user=$OPTARG
    done

    [ -z "${sudo_user}" ] && exit 1

    # Remember cookie
    if [ "${DISPLAY}X" != "X" ]
    then
        DISP_ID=$(echo "$DISPLAY" | cut -d':' -f 2 | cut -d '.' -f 1)
        HOST=$(hostname -f)
        # pipe this display's cookie straight into the target user's xauth
        /usr/bin/xauth extract - "${HOST}/unix:${DISP_ID}" | /usr/bin/sudo -u "${sudo_user}" /usr/bin/xauth merge -
    fi
    /usr/bin/sudo "$@"

  10. Mektub says:

    Many many thanks. Was looking for this a long time.

    Mektub

  11. Allen says:

    Many thanks!!!

  12. Anonymous says:

    THANK YOU!!!

  13. Samuele Bulloni says:

    You should use gksudo, it keeps the magic cookie, sudo or su reset everything…

  14. Robert says:

    Simply elegant. Thank you!

  15. Anonymous says:

    wow it worked man – I was bloody so frustrated to get this fixed .. GOD BLESS Ya buddy !

  17. Gina says:

    Three words…You da Man. Saved me. Thanks!!

  18. anonymous says:

    THANKS FOR POSTING! It helped me!

  19. Juan says:

    An easier solution:
    1.- ssh user@host
    2.- $ sudo su
    3.- # xauth merge /home//.Xauthority
    That’s all
    Of course $DISPLAY variable must be set
    Regards

  20. Naim says:

    Dude.. damn, I’ve been cracking at it all day, saw similar solutions as well, but for some reasons only yours worked.

    I can’t thank you enough !

  23. Daniel says:

    Thanks a lot, it worked. I was trying to add it manually to the .Xauthority file of the affected user, but running the xauth command did the trick.

    Regards.
