4

X11 forwarding works when I am logged in to my CentOS 6.6 cluster as myself (using `ssh -AY user@ipaddress`). When I try switching users, e.g. `sudo su user2`, and try to fire up xterm, I get the error:

X11 connection rejected because of wrong authentication.

xterm Xt error: Can't open display: localhost:11.0

How do I get X11 forwarding to work in this case?

  • Basically, you don't, unless you find some hack to do that. Your `user2` does not have permission to write to the `user` socket, which is correct. You might change permissions on such sockets, but then you might open a security hole to your workstation. – Jakuje Mar 29 '16 at 11:32
  • Duplicate of http://superuser.com/questions/131101/xforwarding-doesnt-allow-for-switching-users – Andy Mar 29 '16 at 13:17

2 Answers

1

Using `sudo su` is likely to lose all authorization.

Set up ssh key authentication, then use `ssh -AY user2@localhost` (or `ssh -AY user2@localhost xterm`).

Archemar
1

You're not the first to suffer this issue. The cause is quite simple: your X server is (quite reasonably) set to require an authentication token, and the second user doesn't have access to that token. There are a number of solutions:

  1. Don't run X11 applications as the other user. As yourself, start an xterm running a shell as the other user:

    xterm -e sudo -u user2 -s
    

    Obviously this approach will not work if you really need to run a GUI application as the other user, but it's always worth considering before anything more complex.

  2. Allow user2 to access your X server without authentication. As yourself, add this user using xhost:

    xhost +SI:localuser:user2
    
  3. Install sux and use that instead of su. It's a simple shell wrapper, and it's now mostly fallen by the wayside, given solutions such as the next one.
  4. Configure su and sudo to use pam_xauth. This is a standard module (in libpam-modules on Debian). All that is required is to add the line

    session  optional  pam_xauth.so
    

    to /etc/pam.d/su and to /etc/pam.d/sudo. There are additional options (see the man page) but you're unlikely to need them.

Toby Speight
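An added example, not part of either answer: a small shell audit that reports which of the options above is in effect, by checking a PAM file for an active `pam_xauth.so` session line and classifying `xhost` output for entries that let clients in without the authentication token. The function names are hypothetical and the sample input is constructed.

```shell
#!/bin/sh
# Added example: audit which of the options above is in effect.
# Function names are hypothetical; all sample input is constructed.

# pam_has_xauth FILE: succeed if FILE has an active (uncommented)
# "session ... pam_xauth.so" line, as in option 4.
pam_has_xauth() {
    grep -Eq '^[[:space:]]*-?session[[:space:]]+[^#]*pam_xauth\.so' "$1"
}

# xhost_findings: read `xhost` output on stdin and report every entry that
# lets a client in without the authentication token (option 2).
xhost_findings() {
    while IFS= read -r line; do
        case $line in
            "access control disabled"*)
                echo "OPEN: any client can connect (xhost +)" ;;
            "access control enabled"*|"") ;;
            SI:localuser:*)
                echo "LOCALUSER: ${line#SI:localuser:} bypasses the cookie check" ;;
            *)
                echo "OTHER: $line is allowed without a cookie" ;;
        esac
    done
}

# Demo on constructed input (not captured from a real system).
demo() {
    tmp=$(mktemp -d) || return 1
    printf 'auth  sufficient  pam_rootok.so\nsession  optional  pam_xauth.so\n' > "$tmp/su"
    printf '#session  optional  pam_xauth.so\n' > "$tmp/sudo"
    for f in su sudo; do
        if pam_has_xauth "$tmp/$f"; then
            echo "$f: pam_xauth active"
        else
            echo "$f: pam_xauth missing"
        fi
    done
    printf 'access control enabled, only authorized clients can connect\nSI:localuser:user2\n' |
        xhost_findings
    rm -rf "$tmp"
}
demo
```

On a live system the same functions take real data: `xhost | xhost_findings` and `pam_has_xauth /etc/pam.d/su`.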