RE: SSH X11 Setting the Display Variable

I assume that the pam_xauth module that Mr. Nelson brought up requires "UsePAM yes" in the sshd_config file that is loaded by sshd. I added it and got no where. Before enabling PAM, through more research, I found a solution. The solution seems to be the sux command. It seems to be designed for exactly that purpose and I confirmed that it works. It has several options and I am not sure if it takes all su options or own its own, but the basics are below.
sux works like su sux - works like su -l
Of course the exception is that using sux keeps the DISPLAY settings and transfers the X credentials to the su user. It works with the script below that Mr. Llewellyn provided for my special situation where andLinux set the DISPLAY variable in /etc/profile. Locally DISPLAY= and su works with that. Remotely vi ssh access DISPLAY= and sux keeps that across users when using the - option which loads the new users environment variables.
if [ -z "$DISPLAY" ]; then
export DISPLAY=

Date: Fri, 29 May 2009 16:23:35 -0500
From: dnelson@xxxxxxxxxxxxxxx
To: daniel@xxxxxxxxxxxxxxx
CC: novashadow@xxxxxxx; secureshell@xxxxxxxxxxxxxxxxx
Subject: Re: SSH X11 Setting the Display Variable

In the last episode (May 29), Daniel Llewellyn said:
On Fri, May 29, 2009 at 05:17, Chris Mirchandani wrote:
OK, I found one hole in this script. If I ssh in as any user, the script does what it is supposedto do and the DISPLAY variable value is left as set by ssh. However, if I su -l to another userDISPLAY= If I su to the same user without -l the DISPLAY variable value is leftas set by ssh when the initial user was logged in. Any ideas and/or suggestions?

I wouldn't have said that was a hole "per se", more a "feature" with the
way that `su -l` is designed to work. The point of the -l switch is that
the environment is set from a clean slate when entering the new user
context. This means that any pre-existing DISPLAY variable will be
blanked out along with the rest of the new shell's environment. Then
/etc/profile is run through to set up the initial environment for said new
shell, which will detect the lack of DISPLAY variable and set up the
default (

That depends; some systems have a pam_xauth module that preserves $DISPLAY,
copies your current xauth key to a file readable by target user, and points
$XAUTHORITY at the temp file. Handy when you're su'ing to root to run a
graphical installer.

Dan Nelson

Date: Fri, 29 May 2009 10:24:03 -0600
Subject: Re: SSH X11 Setting the Display Variable
To: novashadow@xxxxxxx
From: remo-dated-1244046244.fd158e@xxxxxxxxxx

This is normal part of security. I had the same problem while back. But I
cannot remember what I did to fix it.


Hotmail® goes with you.

Relevant Pages

  • RE: SSH X11 Setting the Display Variable
    ... my email client is working hard to make my emails unreadable. ... sux - works like su -l ... SSH X11 Setting the Display Variable ... blanked out along with the rest of the new shell's environment. ...
  • Re: SuSE 9.1 Remote Admin with X-term from Mac OS X
    ... > If you try the above with su instead of sux, ... information and environment. ... sux - means "Switch user ... All three methods successfully launch yast2 with GUI in an x-term on my ...