[SOLVED] X11 auth merging in Solaris. How to automate ?
Hello,
I have a Solaris 10 non-global zone. I am using MobaXterm. I log in on the box as root, then "su - caddrd", and then "/usr/local/bin/sudo -u cadwebppc /cad/envs/qa-cm/cadwccDomain/ucm/cs/bin/UserAdmin". This is supposed to open a GUI console, but it is failing and I am not able to figure out why. These are the steps:
Code:
ssh root@server1
/root# /usr/openwin/bin/xauth list
tsapiq05-zcadq01/unix:10 MIT-MAGIC-COOKIE-1 40d89c398dd5a69ecfba8f0bd853ec02
tsapiq05-zcadq01/unix:11 MIT-MAGIC-COOKIE-1 03cc68b63e22985c68b484ffa8408baf
su - caddrd
-bash-3.2$ /usr/openwin/bin/xauth add prod-appstess/unix:10 MIT-MAGIC-COOKIE-1 40d89c398dd5a69ecfba8f0bd853ec02
-bash-3.2$ /usr/openwin/bin/xauth add prod-appstess/unix:11 MIT-MAGIC-COOKIE-1 03cc68b63e22985c68b484ffa8408baf
-bash-3.2$ /usr/openwin/bin/xauth list
prod-appstess/unix:10 MIT-MAGIC-COOKIE-1 40d89c398dd5a69ecfba8f0bd853ec02
prod-appstess/unix:11 MIT-MAGIC-COOKIE-1 03cc68b63e22985c68b484ffa8408baf
(Copy same keys for cadwebppc account also)
/usr/local/bin/sudo -u cadwebppc /cad/envs/qa-cm/cadwccDomain/ucm/cs/bin/UserAdmin
Here xauth merge should work. But each time I add keys via xauth, it works; I log out and the next time it stops again. It seems like it generates new cookies every time. I am not able to figure out how I should automate it.
The GUI works when I execute firefox or any other GUI-based tool, but as stated above it does not happen when I do it with sudo. I tried, but it failed again.
Quote:
-bash-3.2$ /usr/local/bin/sudo -u cadwebppc /cad/envs/qa-cm/cadwccDomain/ucm/cs/bin/UserAdmin
X11 connection rejected because of wrong authentication.
X connection to localhost:10.0 broken (explicit kill or server shutdown).
-bash-3.2$ echo $DISPLAY
localhost:10.0
jpollard, for security purposes cadwebppc is not allowed to log in directly on the server. caddrd is allowed to run the UserAdmin program as the cadwebppc user, and this access is granted in /etc/sudoers.
And caddrd is also not allowed to have the password of cadwebppc. caddrd is allowed to run just that command.
Last edited by abhisheks77; 04-28-2014 at 05:15 PM.
It seems I failed to understand your suggestion. I tried this:
Quote:
-bash-3.2$ id
uid=57135(caddrd) gid=57135(devgroup)
-bash-3.2$ /usr/openwin/bin/xauth extract $DISPLAY | /usr/local/bin/sudo -u cadwebppc /cad/envs/qa-cm/cadwccDomain/ucm/cs/bin/UserAdmin
/usr/openwin/bin/xauth: (argv):1: bad "extract" command line
X11 connection rejected because of wrong authentication.
X connection to localhost:10.0 broken (explicit kill or server shutdown).
-bash-3.2$
-bash-3.2$ /usr/openwin/bin/xauth extract $DISPLAY | /usr/local/bin/sudo -u cadwebppc /usr/openwin/bin/xauth merge - /cad/envs/qa-cm/cadwccDomain/ucm/cs/bin/UserAdmin
/usr/openwin/bin/xauth: (argv):1: bad "extract" command line
Password:
The DISPLAY variable comes from .profile, which is in place for both caddrd and cadwebppc.
Server name - tsapiq05-zcadq01
This user will login to server - caddrd
caddrd will run command as cadwebppc user
Command to run - /usr/local/bin/sudo -u cadwebppc /cad/envs/qa-cm/cadwccDomain/ucm/cs/bin/UserAdmin
Last edited by abhisheks77; 04-28-2014 at 05:36 PM.
Now because of the complexity of the sudo command structure, it can be put into a script (easiest) or put into an alias (harder to get the quoting quite right for the expansion of the DISPLAY but not too hard).
It gets a bit harder if the sudo command is not allowed to have parameters as the DISPLAY environment variable value HAS to match what was obtained by ssh when it connects.
Only the first connection made will get 10.0 (assuming the X offset for sshd is 10), but if the port is in use, sshd will try 11, 12, 13... until a port is found.
The DISPLAY environment variable should never be set in a .profile file.
Each time ssh connects to a forwarding sshd server, a DISPLAY environment variable is created as needed. It may have the value 10.0, but it can ALSO have the value 11.0 (a second connection). And at the same time, an MIT-MAGIC-COOKIE is generated for authentication. Each connection will create a new authentication key associated with that generation of the environment variable. That key is ALSO deleted on logout (well, there are things that can prevent it, but it does try to clean up). The fact that you have two keys in the authority file at all shows that.
If you wipe it out or use the wrong one, you will NOT get a connection.
On the first login to the workstation, you should run "xauth list $DISPLAY". This will show a
"<hostname>/unix:0 MIT-MAGIC-COOKIE-1 xxxx...".
I think I may have found what and where things are getting confused (not counting the definition of DISPLAY in the profile)...
The default configuration of sshd directs sshd to create a "localhost:<port# - 6000>.0" value for the display environment variable. Unfortunately, the xauth entry for that display is created with the "<hostname>/unix:<port# - 6000>" identification. Since this key is not associated with the "localhost" IP number, the "xauth extract - $DISPLAY" fails... (my error - sorry, I will give a workaround for that. I thought it translated the <hostname> into the localhost IP, and I was wrong.)
You can test this by logging onto the server and doing:
Code:
xauth list ${DISPLAY##localhost}
This should return the entry for your forwarded connection (as defined by the DISPLAY environment variable created by sshd). You can double-check this by logging in twice, as the second connection will get a new DISPLAY value and a different access key.
Now that we can extract the key, passing it through sudo should work.
I had to look up the syntax for "${DISPLAY##localhost}". What it does is remove the string "localhost" from the beginning of the value of the DISPLAY environment variable, which leaves the ":<port# - 6000>.0" part. Since this is ":10.0" for the first sshd connection, xauth now uses the "unix:..." portion for the extraction. Adding this entry to the Xauthority for the target user should work for the original DISPLAY value also passed.
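The sequence jpollard describes (look the cookie up under the display name sshd actually stored it as, pipe it into the target user's authority file, run the command, clean up) as an added shell script. It is not code from the thread. It assumes the Solaris xauth and sudo paths quoted above, and that the target user's sudoers rule also permits "xauth nmerge -" and "xauth remove" (the thread says only UserAdmin is permitted today, so that rule would need extending). The sample "xauth list" output embedded for the self-check is copied from the first post. Moving the cookie over a pipe with nextract/nmerge keeps it out of ps output and shell history, which "xauth add <display> ... <cookie>" does not, and the script removes the cookie from the target user's file afterwards because it is a bearer secret for the whole X session.

```shell
#!/bin/sh
# Added example, not from the thread. Forwards the current ssh session's X11
# cookie to a sudo target user under the name xauth really stores it, runs the
# GUI command as that user, then withdraws the cookie again.
#
# Assumptions (hypothetical, not confirmed by the thread):
#   - XAUTH/SUDO are the Solaris paths quoted in the thread
#   - the sudoers rule for the calling user also permits, as the target user,
#       <XAUTH> nmerge -     and     <XAUTH> remove <display>
#     (the thread says only UserAdmin is permitted today)

XAUTH=${XAUTH:-/usr/openwin/bin/xauth}
SUDO=${SUDO:-/usr/local/bin/sudo}

# Sample "xauth list" output, copied from the first post, used by the self-check.
SAMPLE_XAUTH_LIST='tsapiq05-zcadq01/unix:10  MIT-MAGIC-COOKIE-1  40d89c398dd5a69ecfba8f0bd853ec02
tsapiq05-zcadq01/unix:11  MIT-MAGIC-COOKIE-1  03cc68b63e22985c68b484ffa8408baf'

# sshd exports DISPLAY=localhost:10.0 but stores the cookie as <host>/unix:10,
# and xauth only finds that entry under the bare ":10.0" name.  Dropping the
# leading "localhost" (the ${var##prefix} expansion from the thread) does it.
display_to_xauth_key() {
    printf '%s\n' "${1##localhost}"
}

# "localhost:11.0" -> 11 : everything after the last ':' up to the screen dot.
display_number() {
    _n=${1##*:}
    printf '%s\n' "${_n%%.*}"
}

# Print the "xauth list" line that belongs to a DISPLAY value, or nothing.
# Arguments: the text of "xauth list", the DISPLAY value.
xauth_entry_for() {
    _n=$(display_number "$2")
    printf '%s\n' "$1" | awk -v n="$_n" '$1 ~ (":" n "$") { print; exit }'
}

# Print only the cookie column of that entry (used by the self-check).
cookie_for() {
    xauth_entry_for "$1" "$2" | awk '{ print $3 }'
}

# Move the cookie over a pipe with nextract/nmerge so it never appears on a
# command line or in shell history (unlike "xauth add <display> ... <cookie>"),
# run the command as the target user, then remove the cookie from the target
# user's authority file: it is a bearer secret for the whole X session.
forward_cookie_and_run() {
    _target=$1; shift
    _key=$(display_to_xauth_key "$DISPLAY")
    "$XAUTH" nextract - "$_key" | "$SUDO" -u "$_target" "$XAUTH" nmerge - || return 1
    "$SUDO" -u "$_target" "$@"
    _rc=$?
    "$SUDO" -u "$_target" "$XAUTH" remove "$_key"
    return $_rc
}

# Usage:  sh x11sudo.sh --run cadwebppc /cad/envs/qa-cm/cadwccDomain/ucm/cs/bin/UserAdmin
if [ "${1:-}" = "--run" ]; then
    shift
    [ -n "${DISPLAY:-}" ] || { echo "DISPLAY is not set; connect with ssh -X" >&2; exit 1; }
    if [ -z "$(xauth_entry_for "$("$XAUTH" list)" "$DISPLAY")" ]; then
        echo "no xauth cookie found for $DISPLAY (is it a stale value from .profile?)" >&2
        exit 1
    fi
    forward_cookie_and_run "$@"
fi
```

The pre-flight check is the point jpollard makes about .profile: if DISPLAY was set there rather than by sshd, no entry in the caller's authority file will match it, and the script refuses to continue instead of merging the wrong (or no) cookie.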