Pythian Blog: Technical Track

Enable X11 forwarding after Sudo SSH session for AWS EC2 Linux instance

Working in a secure environment presents some challenges, and this post demonstrates how to overcome one of them.

Prerequisites: Configuration for X-Windows must have been completed.

Scenario: From the laptop, connect to dinh@host, then ssh to ec2-user on the EC2 instance, then sudo su - oracle.

### Connect to AWS EC2 instance
 [dinh@securehost ~]$ ssh -X ec2-user@ipaddress
 Last login: Fri Dec 7 14:41:41 2018 from gw.ca.adm.pythian.com
 
  __| __|_ )
  _| ( / Amazon Linux AMI
  ___|\___|___|
 
 https://aws.amazon.com/amazon-linux-ami/2018.03-release-notes/
 13 package(s) needed for security, out of 16 available
 Run "sudo yum update" to apply all updates.
 
 ### Test xclock works from ec2-user
 [ec2-user@ipaddress ~]$ xclock
 Warning: Missing charsets in String to FontSet conversion
 ^C
 
 ### Show all magic cookie
 [ec2-user@ipaddress ~]$ xauth list
 ipaddress/unix:12 MIT-MAGIC-COOKIE-1 7e53e7600ff4177d7bbc66bde0a1b1ca
 ipaddress/unix:11 MIT-MAGIC-COOKIE-1 e3d1a8915484c929ef3e809b047e6352
 ipaddress/unix:10 MIT-MAGIC-COOKIE-1 07b3de3093cef835c19239ea952231b7
 
 ### Show DISPLAY variable
 [ec2-user@ipaddress ~]$ env|grep DISPLAY
 DISPLAY=localhost:10.0
 
 ### Create /tmp/xauth based on current DISPLAY variable
 [ec2-user@ipaddress ~]$ xauth list | grep unix`echo $DISPLAY | cut -c10-12` > /tmp/xauth
 [ec2-user@ipaddress ~]$ ll /tmp/xauth ; cat /tmp/xauth 
 -rw-rw-r-- 1 ec2-user ec2-user 78 Dec 7 14:47 /tmp/xauth
 ipaddress/unix:10 MIT-MAGIC-COOKIE-1 07b3de3093cef835c19239ea952231b7
 
 ### Sudo to oracle
 [ec2-user@ipaddress ~]$ sudo su - oracle
 Last login: Fri Dec 7 14:43:12 UTC 2018 on pts/0
 
 ### Add and Verify xauth
 [oracle@ipaddress ~]$ xauth add `cat /tmp/xauth`
 [oracle@ipaddress ~]$ xauth list
 ipaddress/unix:10 MIT-MAGIC-COOKIE-1 07b3de3093cef835c19239ea952231b7
 
 ### Verify and Add DISPLAY variable
 [oracle@ipaddress ~]$ env|grep DISPLAY
 [oracle@ipaddress ~]$ export DISPLAY=localhost:10.0
 
 ### Test xclock works from oracle
 [oracle@ipaddress ~]$ xclock
 Warning: Missing charsets in String to FontSet conversion
 ^C
 [oracle@ipaddress ~]$ 
 
 ### Example of failed xclock
 [oracle@ipaddress ~]$ xclock
 Error: Can't open display: 
 [oracle@ipaddress ~]$ xclock
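
The session above leaves the cookie in `/tmp/xauth` with mode `-rw-rw-r--`, so every local account on the instance can read it and use the forwarded display. The following is an added example, not part of the original post: it passes the entry to the target account over a pipe instead. The function names are hypothetical, and it assumes ec2-user may run `sudo -u oracle`.

```bash
#!/bin/sh
# Added example: give another account the cookie for the forwarded display
# without writing it to a shared file or exposing it on a command line.

# display_number DISPLAY -> prints N from host:N.S (localhost:10.0 -> 10)
display_number() {
    local d
    d=${1##*:}                      # drop everything through the last colon
    d=${d%%.*}                      # drop the screen suffix
    case $d in
        ''|*[!0-9]*) return 1 ;;    # reject empty or non-numeric values
    esac
    printf '%s\n' "$d"
}

# select_cookie DISPLAY: reads `xauth list` output on stdin and prints the
# single entry whose display number matches exactly (unix:1 is not unix:10).
select_cookie() {
    local n
    n=$(display_number "$1") || return 1
    awk -v n="$n" '
        $1 ~ ("/unix:" n "$") && $2 == "MIT-MAGIC-COOKIE-1" && $3 ~ /^[0-9a-f]+$/ {
            print; found = 1; exit
        }
        END { exit !found }'
}

# hand_off_cookie USER: run as the account that owns the ssh -X session.
hand_off_cookie() {
    local target entry
    target=$1
    entry=$(xauth list | select_cookie "${DISPLAY:-}") || {
        echo "no cookie found for DISPLAY='${DISPLAY:-}'" >&2
        return 1
    }
    # The entry goes through a pipe into the target user's own xauth, so it
    # never lands in /tmp and never shows up in `ps` output.
    printf 'add %s\n' "$entry" | sudo -H -u "$target" xauth -q source -
}

# Usage (as ec2-user):  hand_off_cookie oracle
```

After the hand-off, `sudo su - oracle` and `export DISPLAY=localhost:10.0` proceed as in the session above, with no `/tmp/xauth` left behind.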
 
