LinuxQuestions.org
Solaris / OpenSolaris This forum is for the discussion of Solaris, OpenSolaris, OpenIndiana, and illumos.
General Sun, SunOS and Sparc related questions also go here. Any Solaris fork or distribution is welcome.
Old 04-25-2014, 12:30 PM   #1
abhisheks77
Member
 
Registered: Apr 2014
Posts: 63

Rep: Reputation: Disabled
X11 auth merging in Solaris. How to automate ?


Hello,
I have a Solaris-10 non-global zone. I am using MobaXterm. I log in to the box as root and then "su - caddrd" and then "/usr/local/bin/sudo -u cadwebppc /cad/envs/qa-cm/cadwccDomain/ucm/cs/bin/UserAdmin". This is supposed to open a GUI console, but it is failing and I am not able to figure out why. These are the steps:
Code:
ssh root@server1
/root# /usr/openwin/bin/xauth list
tsapiq05-zcadq01/unix:10  MIT-MAGIC-COOKIE-1  40d89c398dd5a69ecfba8f0bd853ec02
tsapiq05-zcadq01/unix:11  MIT-MAGIC-COOKIE-1  03cc68b63e22985c68b484ffa8408baf
su - caddrd
-bash-3.2$ /usr/openwin/bin/xauth add prod-appstess/unix:10  MIT-MAGIC-COOKIE-1  40d89c398dd5a69ecfba8f0bd853ec02
-bash-3.2$ /usr/openwin/bin/xauth add prod-appstess/unix:11  MIT-MAGIC-COOKIE-1  03cc68b63e22985c68b484ffa8408baf
-bash-3.2$ /usr/openwin/bin/xauth list
prod-appstess/unix:10  MIT-MAGIC-COOKIE-1  40d89c398dd5a69ecfba8f0bd853ec02
prod-appstess/unix:11  MIT-MAGIC-COOKIE-1  03cc68b63e22985c68b484ffa8408baf
(Copy same keys for cadwebppc account also)
/usr/local/bin/sudo -u cadwebppc /cad/envs/qa-cm/cadwccDomain/ucm/cs/bin/UserAdmin
Here xauth merge should work. But each time I add keys via xauth, it will work. I will log out and next time, it will again stop. Seems like it generates new cookies every time. I am not able to figure out how I should automate it.
 
Old 04-27-2014, 12:45 PM   #2
shivaa
Senior Member
 
Registered: Jul 2012
Location: Grenoble, Fr.
Distribution: Sun Solaris, RHEL, Ubuntu, Debian 6.0
Posts: 1,800
Blog Entries: 4

Rep: Reputation: 286
Can you share output of:
Code:
# echo $DISPLAY
Check if DISPLAY variable is set properly. Then also invoke cmd:
Code:
# xhost +<workstation_hostname>
And try to launch the GUI again.
 
Old 04-27-2014, 05:42 PM   #3
abhisheks77
Member
 
Registered: Apr 2014
Posts: 63

Original Poster
Rep: Reputation: Disabled
The GUI works when I execute firefox or any other GUI-based tool, but as stated above it is not happening when I do it with sudo. I tried, but it failed again.
Quote:
-bash-3.2$ /usr/local/bin/sudo -u cadwebppc /cad/envs/qa-cm/cadwccDomain/ucm/cs/bin/UserAdmin
X11 connection rejected because of wrong authentication.
X connection to localhost:10.0 broken (explicit kill or server shutdown).
-bash-3.2$ echo $DISPLAY
localhost:10.0
 
Old 04-28-2014, 05:04 PM   #4
jpollard
Senior Member
 
Registered: Dec 2012
Location: Washington DC area
Distribution: Fedora, CentOS, Slackware
Posts: 4,912

Rep: Reputation: 1513
That would be because the account "cadwebppc" does not have the authorization keys.

Instead of going through sudo, why not just ssh cadwebppc@<server> and run the application:
Code:
$ ssh cadwebppc@<server> /cad/envs/qa-cm/cadwccDomain/ucm/cs/bin/UserAdmin
If you absolutely MUST use sudo (it happens) try

Code:
$ ssh yourself@<server>
$ xauth extract $DISPLAY | sudo -u cadwebppc <script to start app>
where the <script to start app> has something like:

Code:
xauth merge -
/cad/envs/qa-cm/cadwccDomain/ucm/cs/bin/UserAdmin
This would cause the stdin for the script to read the authorization before starting the script.

I'm assuming here that the DISPLAY environment variable is passed by sudo... (it looks like it is based on your error messages).

Last edited by jpollard; 04-28-2014 at 05:13 PM.
 
Old 04-28-2014, 05:13 PM   #5
abhisheks77
Member
 
Registered: Apr 2014
Posts: 63

Original Poster
Rep: Reputation: Disabled
jpollard, for security purposes cadwebppc is not allowed to log in directly on the server. caddrd is allowed to run the UserAdmin program as the cadwebppc user, and this access is given in /etc/sudoers.
And caddrd is also not allowed to have the password of cadwebppc. caddrd is allowed to run just that command.

Last edited by abhisheks77; 04-28-2014 at 05:15 PM.
 
Old 04-28-2014, 05:16 PM   #6
jpollard
Senior Member
 
Registered: Dec 2012
Location: Washington DC area
Distribution: Fedora, CentOS, Slackware
Posts: 4,912

Rep: Reputation: 1513
Sorry - I didn't get my post updated fast enough - I did realize that possibility after I posted, so I added some to it.
 
Old 04-28-2014, 05:30 PM   #7
abhisheks77
Member
 
Registered: Apr 2014
Posts: 63

Original Poster
Rep: Reputation: Disabled
Seems like I misunderstood your suggestion. I tried this:
Quote:
-bash-3.2$ id
uid=57135(caddrd) gid=57135(devgroup)
-bash-3.2$ /usr/openwin/bin/xauth extract $DISPLAY | /usr/local/bin/sudo -u cadwebppc /cad/envs/qa-cm/cadwccDomain/ucm/cs/bin/UserAdmin
/usr/openwin/bin/xauth: (argv):1: bad "extract" command line
X11 connection rejected because of wrong authentication.
X connection to localhost:10.0 broken (explicit kill or server shutdown).
-bash-3.2$
-bash-3.2$ /usr/openwin/bin/xauth extract $DISPLAY | /usr/local/bin/sudo -u cadwebppc /usr/openwin/bin/xauth merge - /cad/envs/qa-cm/cadwccDomain/ucm/cs/bin/UserAdmin
/usr/openwin/bin/xauth: (argv):1: bad "extract" command line
Password:
The DISPLAY variables are coming from .profile, which is in place for caddrd and cadwebppc.
Server name - tsapiq05-zcadq01
This user will login to server - caddrd
caddrd will run command as cadwebppc user
Command to run - /usr/local/bin/sudo -u cadwebppc /cad/envs/qa-cm/cadwccDomain/ucm/cs/bin/UserAdmin

Last edited by abhisheks77; 04-28-2014 at 05:36 PM.
 
Old 04-29-2014, 04:47 AM   #8
jpollard
Senior Member
 
Registered: Dec 2012
Location: Washington DC area
Distribution: Fedora, CentOS, Slackware
Posts: 4,912

Rep: Reputation: 1513
Sorry, double checking the xauth command I left out a "-"...

It should be "xauth extract - $DISPLAY"

And since the DISPLAY environment variable isn't being passed, the script (and command) also gets altered to:

Code:
#!/bin/sh
export DISPLAY=$1
xauth merge -
/cad/envs/qa-cm/cadwccDomain/ucm/cs/bin/UserAdmin
And the sudo command should be
Code:
xauth extract - $DISPLAY | sudo -u cadwebppc <script to start app> $DISPLAY
Now because of the complexity of the sudo command structure, it can be put into a script (easiest) or put into an alias (harder to get the quoting quite right for the expansion of the DISPLAY but not too hard).

It gets a bit harder if the sudo command is not allowed to have parameters as the DISPLAY environment variable value HAS to match what was obtained by ssh when it connects.

Only the first connection made will get 10.0 (assuming the X offset for sshd is 10), but if the port is in use, sshd will try 11, 12, 13... until a port is found.

Last edited by jpollard; 04-29-2014 at 04:56 AM.
 
Old 04-29-2014, 12:26 PM   #9
abhisheks77
Member
 
Registered: Apr 2014
Posts: 63

Original Poster
Rep: Reputation: Disabled
Seems like it is not taking "-". I created a file x11_display_file and tried with that.
Quote:
-bash-3.2$ cat x11_display_file
#!/bin/sh
export DISPLAY=$1
/usr/openwin/bin/xauth merge -
/cad/envs/qa-cm/cadwccDomain/ucm/cs/bin/UserAdmin
-bash-3.2$ /usr/openwin/bin/xauth extract - $DISPLAY | /usr/local/bin/sudo -u cadwebppc x11_display_file $DISPLAY
No matches found, authority file "-" not written
Password:
 
Old 04-29-2014, 12:39 PM   #10
jpollard
Senior Member
 
Registered: Dec 2012
Location: Washington DC area
Distribution: Fedora, CentOS, Slackware
Posts: 4,912

Rep: Reputation: 1513
What does an "xauth list" show?

And what is shown by "echo $DISPLAY"?

It now sounds like sshd is not configured to forward X11, though you indicated that it did when you ran other applications without the sudo.

The "no matches found" implies you don't have a DISPLAY environment variable defined.

Last edited by jpollard; 04-29-2014 at 12:41 PM.
 
Old 04-29-2014, 01:35 PM   #11
abhisheks77
Member
 
Registered: Apr 2014
Posts: 63

Original Poster
Rep: Reputation: Disabled
Here is information from all three users.
Quote:
root@tsapiq05-zcadq01:/root# id
uid=0(root) gid=0(root)
root@tsapiq05-zcadq01:/root# /usr/openwin/bin/xauth list
tsapiq05-zcadq01/unix:10 MIT-MAGIC-COOKIE-1 263e9e11846cc923c906772e84e0f9fe
tsapiq05-zcadq01/unix:11 MIT-MAGIC-COOKIE-1 1c8679d7a103a2db229bb705a9a51958
root@tsapiq05-zcadq01:/root# echo $DISPLAY
localhost:10.0
root@tsapiq05-zcadq01:/root# cat .profile | grep DISPLAY
echo "DISPLAY=$DISPLAY"
root@tsapiq05-zcadq01:/root#echo $DISPLAY
localhost:10.0

-bash-3.2$ id
uid=57933(cadwebppc) gid=55614(cad)
-bash-3.2$ /usr/openwin/bin/xauth list
tsapiq05-zcadq01/unix:10 MIT-MAGIC-COOKIE-1 40d89c398dd5a69ecfba8f0bd853ec02
tsapiq05-zcadq01/unix:11 MIT-MAGIC-COOKIE-1 03cc68b63e22985c68b484ffa8408baf
-bash-3.2$ cat .profile
export DISPLAY=localhost:10.0
-bash-3.2$ echo $DISPLAY
localhost:10.0

-bash-3.2$ id
uid=57125(caddrd) gid=57125(devgroup)
-bash-3.2$ /usr/openwin/bin/xauth list
tsapiq05-zcadq01/unix:10 MIT-MAGIC-COOKIE-1 40d89c398dd5a69ecfba8f0bd853ec02
tsapiq05-zcadq01/unix:11 MIT-MAGIC-COOKIE-1 03cc68b63e22985c68b484ffa8408baf
-bash-3.2$ cat .profile | grep DISPLAY
export DISPLAY=localhost:10.0
-bash-3.2$ echo $DISPLAY
localhost:10.0

Last edited by abhisheks77; 04-29-2014 at 01:37 PM.
 
Old 04-29-2014, 05:40 PM   #12
jpollard
Senior Member
 
Registered: Dec 2012
Location: Washington DC area
Distribution: Fedora, CentOS, Slackware
Posts: 4,912

Rep: Reputation: 1513
The DISPLAY environment variable should never be set in a .profile file.

Each time ssh connects to a forwarding sshd server, a DISPLAY environment variable is created as needed. It may have the value 10.0, but it can ALSO have the value 11.0 (a second connection). And at the same time, an MIT-MAGIC-COOKIE is generated for authentication. Each connection will create a new authentication key associated with that generation of the environment variable. That key is ALSO deleted on logout (well, there are things that can prevent it, but it does try to clean up). The fact that you have two keys in the authority file at all shows that.

If you wipe it out or use the wrong one, you will NOT get a connection.

On the first login to the workstation, you should show a "xauth list $DISPLAY". This will show a
"<hostname>/unix:0 MIT-MAGIC-COOKIE-1 xxxx...".

I think I may have found what and where things are getting confused (not counting the definition of DISPLAY in the profile)...

The default configuration of sshd directs sshd to create a "localhost:<port# - 6000>.0" value for the display environment variable. Unfortunately, the xauth entry for that display is created with the "<hostname>/unix:<port# - 6000>" identification. Since this key is not associated with the "localhost" IP number, the "xauth extract - $DISPLAY" fails... (my error - sorry, I will give a workaround for that. I thought it translated the <hostname> into the localhost IP, and I was wrong.)

A workaround (at least using bash syntax):
Code:
xauth extract - ${DISPLAY##localhost} | sudo -u cadwebppc <script to start app> $DISPLAY
You can test this by logging onto the server and doing:

Code:
xauth list ${DISPLAY##localhost}
Which should return the entry for your forwarded connection (as defined by the DISPLAY environment variable created by sshd). You can double test this by logging in twice, as the second connection will get a new DISPLAY value, and a different access key.

Now that we can extract the key, passing the key through sudo should work now.

I had to look up the syntax for "${DISPLAY##localhost}". What it does is remove the string "localhost" from the beginning of the value of the DISPLAY environment variable, which leaves the ":<port# - 6000>.0" part. Since this is ":10.0" for the first sshd connection, xauth now uses the "unix:..." portion for the extraction. Adding this entry to the Xauthority for the target user should work for the original DISPLAY value also passed.

Last edited by jpollard; 04-29-2014 at 05:45 PM.
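As an added example, not code posted in the thread: the two steps from jpollard's posts #8 and #12 (strip the "localhost" prefix so xauth can find the "<host>/unix:N" entry, extract only that session's cookie with "xauth extract -", and pipe it to the wrapper under sudo) wrapped in functions, with a check that the entry exists before any cookie is handed to the other user. The function names, the wrapper path and the sample "xauth list" output are assumptions; the wrapper is the #!/bin/sh script from post #8 that does "xauth merge -" and then starts UserAdmin.

```shell
#!/bin/sh
# Added example, not from the thread. sshd sets DISPLAY to "localhost:N.0" but
# stores the cookie under "<host>/unix:N", so the "localhost" prefix has to go
# before xauth can match the entry (the ${DISPLAY##localhost} trick in post #12).

# display_key: map a DISPLAY value to the display name xauth matches on
# ("localhost:10.0" -> ":10.0"; anything else is passed through unchanged).
display_key() {
    case "$1" in
        localhost:*) printf '%s\n' "${1##localhost}" ;;
        *)           printf '%s\n' "$1" ;;
    esac
}

# find_cookie: read 'xauth list' output on stdin and print the entry for the
# display key in $1 (":11.0" -> the line whose display ends in "/unix:11").
# Exits non-zero when nothing matches, like xauth's "No matches found".
find_cookie() {
    num="${1#:}"          # ":11.0" -> "11.0"
    num="${num%%.*}"      # "11.0"  -> "11"
    awk -v n="$num" '$1 ~ ("/unix:" n "$") { print; found = 1 }
                     END { exit !found }'
}

# Constructed sample in the format the thread shows (cookie values are the
# ones quoted in the thread); used only to exercise find_cookie.
SAMPLE_XAUTH_LIST='host/unix:10  MIT-MAGIC-COOKIE-1  40d89c398dd5a69ecfba8f0bd853ec02
host/unix:11  MIT-MAGIC-COOKIE-1  03cc68b63e22985c68b484ffa8408baf'

# run_as_user: forward only the cookie for this session's DISPLAY to the target
# user and start the wrapper (post #8 script: "xauth merge -" then UserAdmin).
# Hypothetical usage: run_as_user cadwebppc /path/to/x11_display_file
# Needs xauth and sudo on the box, so the test does not call it.
run_as_user() {
    target="$1"; wrapper="$2"
    key=$(display_key "$DISPLAY")
    # Fail early with a clear message instead of a rejected X11 connection.
    if [ -z "$(xauth list "$key" 2>/dev/null)" ]; then
        echo "no xauth entry for DISPLAY=$DISPLAY (key $key)" >&2
        return 1
    fi
    xauth extract - "$key" | sudo -u "$target" "$wrapper" "$DISPLAY"
}
```

Because the cookie is read from the pipe and merged into the target user's own authority file, nothing about the session is written to a shared file, and a second ssh login (DISPLAY localhost:11.0) automatically picks its own entry.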
 