Discussion:
SSH X11 Setting the Display Variable
Chris Mirchandani
16 years ago
Is there a way to have the DISPLAY variable set the way that sshd sets it when a client connects with either -X or -Y option, but after the shell loads? It would be best if this could only be done if the shell was started by an ssh session that used the -X or -Y option.
The specific ssh version in question is listed below, but I would like to have solutions for newer versions of ssh as well.
OpenSSH_4.6p1 Debian-5ubuntu0.6, OpenSSL 0.9.8e 23 Feb 2007

This is the situation. I am running a coLinux based distro named andLinux, which basically is Ubuntu 7.04 running parallel with Windows. It has this "hack" that allows X forwarding over a virtual network interface that provides inter OS network between Windows and Linux. The X forwarding is used to load Linux X apps, Xfce based in this case, in Windows using Xming. To make this work, the following line is in /etc/profile.
export DISPLAY=192.168.11.1:0.0

Early on, I found that this prevented X forwarding to work when I sshed to andLinux via the open network interface, the interface used to access other computers on my network and the internet through my firewall. I got around this by adding the following to ~/.profile
export DISPLAY=localhost:10.0

This has 2 issues. The first is that I have to add this for each user. In this case that is no biggie, but it would be great if I could override this for all users always. The second is one I found today and that is because I have statically set this variable all ssh sessions use 10 and that means that no matter which ssh session I try to X forward in, the X app is sent to the computer that created the first ssh session that successfully had X forwarding set. The rub is that since andLinux "needs" the specific $DISPLAY setting set in /etc/profile, it is inherited by all shell sessions and it gets set after sshd sets this variable. This is a problem for me as I may be connected from several places with x forwarding enabled. I know I can manually set this, but that has 2 issues.
1) I have to set it every time.
2) The bigger issue is, I learn nothing by doing that.
So if I were to break down the parts of the $DISPLAY variable into the following.
DISPLAY=x:y.z
and
DISPLAY=localhost:10.0

then
x = localhost
y = 10
z = 0
So I want to be able to set it so that $DISPLAY is set with a different y for each session that successfully creates an X forwarding session.
Any ideas or hints?
In case it helps.
uname -a
Linux andLinux 2.6.22.18-co-0.7.3 #1 PREEMPT Wed Apr 16 18:50:10 UTC 2008 i686 GNU/Linux

# cat /etc/debian_version
lenny/sid
# cat /etc/issue
Ubuntu 7.10 \n \l
I have a new version of this andLinux, details below.


Thanks,
Chris

Daniel Llewellyn
16 years ago
... To make this work, the following line is in /etc/profile.
export DISPLAY=192.168.11.1:0.0
... I got around this by adding the following to ~/.profile
export DISPLAY=localhost:10.0
how about in /etc/profile setting the following:?

----
if [ -z "$DISPLAY" ]; then export DISPLAY=192.168.11.1:0.0; fi
----

the above tests for emptiness of the $DISPLAY variable, and sets it to
the predefined setting (192.168.11.1:0.0) if it hasn't already been
set by sshd. (I hope)

--
Regards,
Daniel Llewellyn
Chris Mirchandani
16 years ago
OK, I found one hole in this script. If I ssh in as any user, the script does what it is supposed to do and the DISPLAY variable value is left as set by ssh. However, if I su -l to another user DISPLAY=192.168.11.1:0.0. If I su to the same user without -l the DISPLAY variable value is left as set by ssh when the initial user was logged in. Any ideas and/or suggestions?

Thanks,
Chris

----------------------------------------
...
Daniel Llewellyn
16 years ago
OK, I found one hole in this script. If I ssh in as any user, the script does what it is supposed to do and the DISPLAY variable value is left as set by ssh. However, if I su -l to another user DISPLAY=192.168.11.1:0.0. If I su to the same user without -l the DISPLAY variable value is left as set by ssh when the initial user was logged in. Any ideas and/or suggestions?

I wouldn't have said that was a hole "per se", more a "feature" with
the way that `su -l` is designed to work. The point of the -l switch
is that the environment is set from a clean slate when entering the
new user context. This means that any pre-existing DISPLAY variable
will be blanked out along with the rest of the new shell's
environment. Then /etc/profile is run through to set up the initial
environment for said new shell, which will detect the lack of DISPLAY
variable and set up the default (192.168.11.1:0.0).

--
Regards,
Daniel Llewellyn
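
The behaviour discussed in the posts above, as an added example that is not part of the original thread: it compares the hard-coded ~/.profile override with the guarded /etc/profile line across two forwarded sessions and a cleared environment (the case `su -l` produces), and splits DISPLAY into its x:y.z parts. The function names are hypothetical and the sample sessions are constructed; the two DISPLAY values are the ones quoted in the posts.

```shell
#!/bin/sh
# Added example, not from the thread. 192.168.11.1:0.0 and localhost:10.0 are the
# values quoted in the posts; every function name here is hypothetical.
ANDLINUX_DISPLAY="192.168.11.1:0.0"

# ~/.profile workaround from the first post: overwrites whatever sshd exported,
# so every forwarded session ends up on display 10.
policy_hardcoded() { DISPLAY="localhost:10.0"; }

# Guarded /etc/profile line from the reply: only fill in DISPLAY when it is empty.
policy_guarded() {
    if [ -z "${DISPLAY:-}" ]; then DISPLAY="$ANDLINUX_DISPLAY"; fi
}

# Run a policy in a subshell whose inherited DISPLAY is $2 (empty = cleared
# environment, which is what a console login or `su -l` hands to /etc/profile).
login_display() {
    (
        if [ -n "$2" ]; then DISPLAY="$2"; else unset DISPLAY; fi
        "$1"
        printf '%s\n' "$DISPLAY"
    )
}

# Split x:y.z (host:display.screen) as in the first post.
display_host()   { printf '%s\n' "${1%:*}"; }
display_number() { _d="${1##*:}"; printf '%s\n' "${_d%%.*}"; }
display_screen() {
    _d="${1##*:}"
    case "$_d" in
        *.*) printf '%s\n' "${_d#*.}" ;;
        *)   printf '0\n' ;;   # screen defaults to 0 when omitted
    esac
}

# Constructed scenario: two forwarded sessions, then a cleared environment.
for inherited in "localhost:10.0" "localhost:11.0" ""; do
    printf 'inherited=%-15s hardcoded=%-15s guarded=%s\n' "${inherited:-<unset>}" \
        "$(login_display policy_hardcoded "$inherited")" \
        "$(login_display policy_guarded "$inherited")"
done
```

With the guard, the second session keeps display 11 instead of being pointed at the first session's forwarding socket, and only the cleared environment falls back to the andLinux default.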
Chris Mirchandani
16 years ago
Greetings,
I assume that the pam_xauth module that Mr. Nelson brought up requires "UsePAM yes" in the sshd_config file that is loaded by sshd. I added it and got nowhere. Before enabling PAM, through more research, I found a solution. The solution seems to be the sux command. It seems to be designed for exactly that purpose and I confirmed that it works. It has several options and I am not sure if it takes all su options or only its own, but the basics are below.
sux works like su
sux - works like su -l
Of course the exception is that using sux keeps the DISPLAY settings and transfers the X credentials to the su user. It works with the script below that Mr. Llewellyn provided for my special situation where andLinux set the DISPLAY variable in /etc/profile. Locally DISPLAY=192.168.11.1:0.0 and su works with that. Remotely via ssh access DISPLAY= and sux keeps that across users when using the - option which loads the new user's environment variables.
if [ -z "$DISPLAY" ]; then
    export DISPLAY=192.168.11.1:0.0
fi


----------------------------------------
Date: Fri, 29 May 2009 16:23:35 -0500
Subject: Re: SSH X11 Setting the Display Variable
OK, I found one hole in this script. If I ssh in as any user, the script does what it is supposed to do and the DISPLAY variable value is left as set by ssh. However, if I su -l to another user DISPLAY=192.168.11.1:0.0. If I su to the same user without -l the DISPLAY variable value is left as set by ssh when the initial user was logged in. Any ideas and/or suggestions?
I wouldn't have said that was a hole "per se", more a "feature" with the way that `su -l` is designed to work. The point of the -l switch is that the environment is set from a clean slate when entering the new user context. This means that any pre-existing DISPLAY variable will be blanked out along with the rest of the new shell's environment. Then /etc/profile is run through to set up the initial environment for said new shell, which will detect the lack of DISPLAY variable and set up the default (192.168.11.1:0.0).
That depends; some systems have a pam_xauth module that preserves $DISPLAY, copies your current xauth key to a file readable by target user, and points $XAUTHORITY at the temp file. Handy when you're su'ing to root to run a graphical installer.
--
Dan Nelson
----------------------------------------
Date: Fri, 29 May 2009 10:24:03 -0600
Subject: Re: SSH X11 Setting the Display Variable
This is normal part of security. I had the same problem while back. But I cannot remember what I did to fix it.
ciao
Chris Mirchandani
16 years ago
OK wow, my email client is working hard to make my emails unreadable. Here it is again, with some added detail.
I assume that the pam_xauth module that Mr. Nelson brought up requires "UsePAM yes" in the sshd_config file that is loaded by sshd. I added pam_xauth and got nowhere. Before enabling PAM, through more research, I found a solution. The sux command is a solution. It seems to be designed for exactly this purpose, keeping x credentials for a user when you su to load that user, and I confirmed that it works. It has several options and I am not sure if it takes all su options or only its own, but it seems like it has most of the same options as su. The basics are below.
sux works like su

sux - works like su -l
Of course the exception is that using sux keeps the DISPLAY settings and transfers the X credentials to the su user. It works with the script below that Mr. Llewellyn provided for my special situation where andLinux sets the DISPLAY variable in /etc/profile. Locally DISPLAY=192.168.11.1:0.0 and su works with that as expected. Remotely via ssh access DISPLAY= and sux keeps that across users when using the - option which loads the new user's environment variables.
# This script lets andLinux set the DISPLAY variable locally and ssh set it when
# this copy of Linux is accessed via ssh with -X or -Y.
if [ -z "$DISPLAY" ]; then
    export DISPLAY=192.168.11.1:0.0
fi
----------------------------------------
Subject: RE: SSH X11 Setting the Display Variable
Date: Sat, 30 May 2009 02:19:03 -0400
...
Dan Nelson
16 years ago
...
That depends; some systems have a pam_xauth module that preserves $DISPLAY,
copies your current xauth key to a file readable by target user, and points
$XAUTHORITY at the temp file. Handy when you're su'ing to root to run a
graphical installer.
--
Dan Nelson
***@allantgroup.com