Enable X11 forwarding after Sudo SSH session for AWS EC2 Linux instance

Posted in: Technical Track

Working in a locked-down environment presents some challenges; this post shows how to overcome one of them: keeping X11 forwarding working after switching to another user with sudo.

Prerequisites: Configuration for X-Windows must have been completed.

Scenario: From the laptop, ssh to dinh@host, from there ssh to ec2-user on the EC2 instance, then sudo su - oracle.

### Connect to AWS EC2 instance
[dinh@securehost ~]$ ssh -X ec2-user@ipaddress
Last login: Fri Dec  7 14:41:41 2018 from gw.ca.adm.pythian.com

       __|  __|_  )
       _|  (     /   Amazon Linux AMI

13 package(s) needed for security, out of 16 available
Run "sudo yum update" to apply all updates.

### Test xclock works from ec2-user
[ec2-user@ipaddress ~]$ xclock
Warning: Missing charsets in String to FontSet conversion

### Show all magic cookie
[ec2-user@ipaddress ~]$ xauth list
ipaddress/unix:12  MIT-MAGIC-COOKIE-1  7e53e7600ff4177d7bbc66bde0a1b1ca
ipaddress/unix:11  MIT-MAGIC-COOKIE-1  e3d1a8915484c929ef3e809b047e6352
ipaddress/unix:10  MIT-MAGIC-COOKIE-1  07b3de3093cef835c19239ea952231b7

### Show DISPLAY variable
[ec2-user@ipaddress ~]$ env|grep DISPLAY

### Create /tmp/xauth based on current DISPLAY variable
[ec2-user@ipaddress ~]$ xauth list | grep unix`echo $DISPLAY | cut -c10-12` > /tmp/xauth
[ec2-user@ipaddress ~]$ ll /tmp/xauth ; cat /tmp/xauth 
-rw-rw-r-- 1 ec2-user ec2-user 78 Dec  7 14:47 /tmp/xauth
ipaddress/unix:10  MIT-MAGIC-COOKIE-1  07b3de3093cef835c19239ea952231b7

### Sudo to oracle
[ec2-user@ipaddress ~]$ sudo su - oracle
Last login: Fri Dec  7 14:43:12 UTC 2018 on pts/0

### Add and Verify xauth
[oracle@ipaddress ~]$ xauth add `cat /tmp/xauth`
[oracle@ipaddress ~]$ xauth list
ipaddress/unix:10  MIT-MAGIC-COOKIE-1  07b3de3093cef835c19239ea952231b7

### Verify and Add DISPLAY variable
[oracle@ipaddress ~]$ env|grep DISPLAY
[oracle@ipaddress ~]$ export DISPLAY=localhost:10.0

### Test xclock works from oracle
[oracle@ipaddress ~]$ xclock
Warning: Missing charsets in String to FontSet conversion
[oracle@ipaddress ~]$ 

### Example of failed xclock
[oracle@ipaddress ~]$ xclock
Error: Can't open display: 
[oracle@ipaddress ~]$ xclock
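The same cookie hand-off done more robustly, as an added example that is not the post's own commands: it derives the display number from $DISPLAY instead of cutting fixed character positions, and pipes the cookie straight into `xauth add` run as the target user, so the cookie (which is the credential that grants access to the forwarded display) is never left in a world-readable file like the -rw-rw-r-- /tmp/xauth above. The function names are assumptions, and `forward_x11_cookie` assumes the sudo rules allow `sudo -u oracle` for the calling user.

```shell
#!/bin/sh
# Added example (not from the original post): forward the current X11 cookie to
# another local user without writing it to /tmp.

# Extract the display number from a DISPLAY value: "localhost:10.0" -> "10".
# Also handles ":10", "host:10" and "localhost:10" (no fixed character offsets).
display_number() {
    d=${1##*:}                  # drop everything up to the last ':'
    printf '%s\n' "${d%%.*}"    # drop the ".screen" suffix if present
}

# Read `xauth list` output on stdin and print only the line(s) for display number $1.
# The trailing [[:space:]] keeps "unix:1" from matching "unix:10".
cookie_for_display() {
    grep -E "/unix:$1[[:space:]]"
}

# Copy the cookie for the current $DISPLAY into the target user's ~/.Xauthority by
# feeding it directly to `xauth add` as that user (hypothetical helper; assumes
# passwordless `sudo -u <user>`). Afterwards the target user still needs to
# export DISPLAY, exactly as in the post.
forward_x11_cookie() {
    user=$1
    n=$(display_number "$DISPLAY")
    [ -n "$n" ] || { echo "DISPLAY is not set" >&2; return 1; }
    line=$(xauth list | cookie_for_display "$n") ||
        { echo "no cookie for display :$n in xauth list" >&2; return 1; }
    # $line is "host/unix:N  MIT-MAGIC-COOKIE-1  <hex>", the three fields xauth add takes
    set -- $line
    sudo -u "$user" -H xauth add "$1" "$2" "$3"
}

# Usage (as ec2-user, after the ssh -X login):  forward_x11_cookie oracle
```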

Thanks for sharing, I had a similar issue. After following the instructions I was able to fix it.

Michael Dinh
May 3, 2019 6:58 am

Thanks for the feedback.


