sudo as root X11 connection rejected because of wrong authentication

I received this problem recently when I logged into root on a machine.

X11 connection rejected because of wrong authentication

How did this problem happen? Here’s what I did.

ssh -X [email protected]
sudo su
xclock
X11 connection rejected because of wrong authentication

If I open xclock as a user, then X11 works just fine. As a result, I know that the server and client’s X11 forwarding is working.

A root problem

My .Xauthority and X11 credentials aren’t being passed over to root.

ssh -X [email protected]
sudo su
xauth merge /home/huyle/.Xauthority
xclock

xclock works, so all I had to do was merge my user’s .Xauthority into root’s.

How to Create SSH Keys for Secure SSH Access

Create SSH keys for SSHing

SSH keys allow you to SSH into a machine without a password prompt. Before we create our SSH key, make sure that we have a ~/.ssh folder. If not, create the ~/.ssh folder.

mkdir -p ~/.ssh
chmod 700 ~/.ssh

Now, we can use the following command to generate an SSH public key and private key:

ssh-keygen -t rsa -b 4096 -C "[email protected]"

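-t selects the key type (RSA here). -b sets the key size in bits. -C attaches a comment to the key, here an e-mail address, so that you can identify it later. You can press Enter on the next three prompts to accept the default file location and leave the passphrase blank, because you don’t need to have a passphrase. Without one, the private key is stored unencrypted, so anyone who can read the id_rsa file can use it.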

Enter file in which to save the key (/Users/you/.ssh/id_rsa): [Press enter]
Enter passphrase (empty for no passphrase): [Type a passphrase]
Enter same passphrase again: [Type passphrase again]
Your identification has been saved in /Users/you/.ssh/id_rsa.
Your public key has been saved in /Users/you/.ssh/id_rsa.pub.
The key fingerprint is:
01:0f:f4:3b:ca:85:d6:17:a1:7d:f0:68:9d:f0:a2:db [email protected]

List the contents of the folder:

cd ~/.ssh
ls

You’ll find two new files.

id_rsa  id_rsa.pub

Using the SSH Keys

The public key must be registered on the machine that we’re SSHing into before that machine will let us in without a password prompt.

ssh [email protected]_machine_ip

Enter your password. We still have to enter the password until this machine accepts our SSH key. First, make sure that the target machine has a ~/.ssh folder. touch will create a new ~/.ssh/authorized_keys file if it does not exist.

mkdir -p ~/.ssh
# sshd's StrictModes check rejects keys if these are writable by other users
chmod 700 ~/.ssh
touch ~/.ssh/authorized_keys
chmod 600 ~/.ssh/authorized_keys
exit

Now, we use SSH to send our id_rsa.pub file to the target machine. We add our id_rsa.pub, which is our public key, to ~/.ssh/authorized_keys.

cd ~/.ssh
ssh [email protected]_machine_ip 'cat >> ~/.ssh/authorized_keys' < ~/.ssh/id_rsa.pub

We essentially appended the contents of ~/.ssh/id_rsa.pub to ~/.ssh/authorized_keys. The target machine will now accept a login from whoever holds the private key that matches this id_rsa.pub. Let's see if our SSH key works.

ssh [email protected]_machine_ip

No more password prompt! Success!

Delete passwords for user. Rely only on SSH keys.

It's common practice to delete passwords. Most people rely only on SSH keys, because only the holder of the private key can enter a machine whose ~/.ssh/authorized_keys contains only the matching public key. We can delete passwords completely, so that only the private keys (id_rsa) matching the public keys (id_rsa.pub) added to ~/.ssh/authorized_keys can access the machine.

To delete the password for a user, here root:

passwd -d root

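Now that the root password is deleted, using SSH keys is the only way to SSH into the target_machine_ip. passwd -d leaves the account with an empty password rather than a locked one: sshd refuses empty passwords by default (PermitEmptyPasswords no), but a local console login or su may accept one. passwd -l locks the password instead, and PasswordAuthentication no in sshd_config turns off password logins over SSH. You can always check who is logged into the machine to find any suspicious characters.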

who
root tty1 2015-12-02 17:52
root pts/0 2015-12-16 04:43 (155.41.49.252)

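You can tell if the user is you by looking at the time and IP address. If anyone other than you or the machine itself is suspiciously logged in, you can log out everyone who is logged in as that user. For root, this command kills every root-owned process, system daemons included, not only the login sessions; pkill -KILL -t pts/0 limits it to one terminal from the who output.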

pkill -KILL -u root
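
Whether SSH keys really are the only way in depends on sshd's effective settings, which sshd -T prints. The script below is an added example, not part of the original post: it reads that output and lists every setting that still permits a password login. The function name and both sample inputs are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the original post.
# Reads `sshd -T` output on stdin (effective settings, one lower-case
# "keyword value" pair per line) and prints each setting that still
# permits a password-based SSH login. Exit 0 = key-only, 1 = findings.
audit_sshd_effective() {
    awk '
        { val[$1] = $2 }
        function flag(k) { print k " " val[k]; bad++ }
        END {
            if (val["passwordauthentication"] == "yes") flag("passwordauthentication")
            # Older OpenSSH prints challengeresponseauthentication instead.
            if (val["kbdinteractiveauthentication"] == "yes") flag("kbdinteractiveauthentication")
            if (val["challengeresponseauthentication"] == "yes") flag("challengeresponseauthentication")
            # Matters after `passwd -d`: the account then has an empty password.
            if (val["permitemptypasswords"] == "yes") flag("permitemptypasswords")
            # "yes" lets root log in with a password; prohibit-password is key-only.
            if (val["permitrootlogin"] == "yes") flag("permitrootlogin")
            if (val["pubkeyauthentication"] != "yes") flag("pubkeyauthentication")
            exit (bad > 0)
        }'
}

# Constructed sample: excerpt of `sshd -T` on a host that still takes passwords.
SAMPLE_WEAK='port 22
permitrootlogin yes
pubkeyauthentication yes
passwordauthentication yes
kbdinteractiveauthentication no
permitemptypasswords no'

# Constructed sample: the same excerpt after password logins are switched off.
SAMPLE_KEYONLY='port 22
permitrootlogin prohibit-password
pubkeyauthentication yes
passwordauthentication no
kbdinteractiveauthentication no
permitemptypasswords no'

# Real use, as root: sshd -T | audit_sshd_effective
for sample in "$SAMPLE_WEAK" "$SAMPLE_KEYONLY"; do
    if printf '%s\n' "$sample" | audit_sshd_effective; then
        echo "=> key-only"
    else
        echo "=> password login still possible"
    fi
done
```
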

How to Setup Shortcuts for SSH

Instead of using SSH on an IP address that you’ll definitely forget, you can use shortcuts instead! For instance, instead of typing:

ssh [email protected]

Wouldn’t you rather do something like:

 

Creating SSH shortcuts

To create shortcuts, you have to create a file inside your home directory’s .ssh folder called config.

If the ~/.ssh directory does not exist, create it first.

Now, we can create the config file.

For every IP address that you want to add a shortcut, add the following three lines of information corresponding to shortcut name, IP address, and username separated by a new line:

Now, you can ssh into the machine with the shortcut.

You can also ssh to any other hostname that you have set in the config file.