X11 interface general issues with PAM

Article ID: 117702

Products

CA Privileged Access Manager - Cloakware Password Authority (PA)
CA Privileged Access Manager (PAM)

Issue/Introduction

Several different issues can occur when using SSH with X11 in PAM.

Environment

PAM 3.2.0 
Accessing Linux OS with X11
Xmind application or ReflectionX as the X server on the Windows workstation
Windows workstation connecting via NAT to the network where the PAM server and the target servers are located

Cause

Cause 1) After opening the SSH session with X11 enabled, the $DISPLAY variable is blank.
Cause 2) Opening xclock from the SSH session fails with these errors:

X11 connection rejected because of wrong authentication. 
X connection to localhost:11.0 broken (explicit kill or server shutdown)

or this error:

Xlib: connection to "localhost:12.0" refused by server 
Xlib: PuTTY X11 proxy: Authorisation not recognised 

Resolution

For cause 1, when the $DISPLAY variable is blank, it appears that the SSH session was not opened with the -X flag. Check these points:

1) Edit the device, uncheck the X11 checkbox and apply the modification; then enable the checkbox again, save again, and test whether it works.
2) Check whether xorg-x11-apps is installed on the Linux device. These tools, for example 'xclock', are useful for testing.

When it is not installed, 'rpm -q xorg-x11-apps' returns the message:
"package xorg-x11-apps is not installed".

When it is installed, you get something like this:

rpm -qa xorg-x11-server-Xorg xorg-x11-xauth xorg-x11-apps 
xorg-x11-apps-7.7-6.el6.x86_64 
xorg-x11-xauth-1.0.9-1.el6.x86_64 
xorg-x11-server-Xorg-1.17.4-16.el6_9.1.x86_64 

If it is not installed, or the user does not have access to check it, ask the Unix administrator to install it using the root user and the rpm command.

3) Check on the Linux server whether the X11 port is listening, 60100 for example. Command line: netstat --listen | grep 60100 (an example if X11 is using port 60100)

For cause 2, when you get errors related to "wrong authentication" and the X11 connection is rejected, or you also get the error "refused by server" when trying outside PAM, use the steps below. They cover the use case where you have an SSH session opened with a generic user and do a sudo su to another user, oracle for example, to install Oracle or run xclock as the oracle user.

a) As the generic user, issue these commands:

cp $PWD/.Xauthority /tmp/$USER.Xauthority ; chmod 644 /tmp/$USER.Xauthority ; 
export XAUTHORITY="/tmp/$USER.Xauthority" 
echo $DISPLAY > /tmp/$USER.DISPLAY ; chmod 644 /tmp/$USER.DISPLAY ; 

b) sudo to the oracle user (or another user)

In .bashrc or .profile:
XUSER=`who am i | awk '{print $1}'` ; 
export DISPLAY=`cat /tmp/$XUSER.DISPLAY` ; 
export XAUTHORITY="/tmp/$XUSER.Xauthority" ; 

Now xclock and other X11 applications, such as the Oracle installer, should work in the PAM SSH session with X11.
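
A pre-flight check for the hand-off files created in step a), run before switching to the other user. This is an added example, not part of the original article; the function name check_handoff and its return codes are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not from the article): verify the files from step a)
# before step b) relies on them.
# check_handoff DISPLAY_VALUE DIR USER
#   returns 0 = ready
#           1 = DISPLAY blank (cause 1)
#           2 = hand-off files missing, unsafe or stale
#           3 = usable, but the cookie file is world-readable
check_handoff() {
    disp=$1 dir=$2 user=$3
    xa="$dir/$user.Xauthority"
    df="$dir/$user.DISPLAY"

    # Cause 1: the session has no X11 forwarding, so there is nothing to hand off.
    if [ -z "$disp" ]; then
        echo "DISPLAY is blank: session was not opened with X11 forwarding"
        return 1
    fi
    for f in "$xa" "$df"; do
        # The directory is shared: a symlink or other non-regular file at a
        # predictable name must not be trusted.
        if [ -L "$f" ] || [ ! -f "$f" ]; then
            echo "$f: missing or not a regular file"
            return 2
        fi
    done
    # The other user's profile reads DISPLAY from this file, so it has to
    # match the current session or X11 clients will reach the wrong display.
    if [ "$(cat "$df")" != "$disp" ]; then
        echo "$df: stale, does not match current DISPLAY $disp"
        return 2
    fi
    # Mode 644 lets every local account read the cookie, not only the sudo target.
    if [ -n "$(find "$xa" -perm -004)" ]; then
        echo "$xa: world-readable, any local user can read this X11 cookie"
        return 3
    fi
    echo "hand-off files for $user look ready"
    return 0
}
```

Call it as check_handoff "$DISPLAY" /tmp "$USER" from the generic user's session. Result 3 is what step a) produces as written, so removing the two files once the work as the other user is finished limits how long the cookie stays readable.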