Where to change the default location of the .Xauthority file when logging in via ssh -X as a specific user

Tags: x11, sshd, xauth

I need to change the .Xauthority file location for a group of users to be $HOME/tmp/.Xauthority rather than the default $HOME/.Xauthority.

I already tried what I could pick up from several sources, such as:

I set the environment variable in several files (/etc/.profile, .profile, .bashrc, etc.) with the following: XAUTHORITY=$HOME/tmp/.Xauthority

With the result of:

Any login attempt with a user of the sshx group (ssh -X server) results in a timeout while locking $HOME/.Xauthority. It is as if nothing had changed. What is interesting is that if I echo $XAUTHORITY it shows $HOME/tmp/.Xauthority. authx is working as well, but not at the time of login.

Therefore the processing I need must happen somewhere before ssh -X or while establishing the X connection. Where do I have to change it so that I can address a group of users only since I do not want root or users without a sshX group be affected since they eventually do not have the directory?

setra asked Mar 04 '14 10:03

2 Answers

The way I do it is to set XAUTHORITY=/tmp/Xauthority-username in ~/.ssh/environment, but that requires changing /etc/ssh/sshd_config to say PermitUserEnvironment yes.

I use /tmp because that keeps it local to each machine. With home directories on NFS, that becomes a bottleneck and causes race conditions where starting several apps simultaneously on multiple remote hosts can cause some to fail.

TheAmigo answered Nov 11 '22 23:11

I came up with something partial, but I now have the .Xauthority relocated to ~/tmp/.Xauthority, which is actually great progress for now. (Ubuntu Server is the target OS.)

All the settings stay the same; only one file needs to be created, ~/.ssh/rc, which is loaded upon connection of ssh -X servername:

    # sshd passes "proto cookie" on stdin and DISPLAY in the environment
    if read proto cookie && [ -n "$DISPLAY" ]; then
        if [ `echo $DISPLAY | cut -c1-10` = 'localhost:' ]; then
            # X11UseLocalhost=yes
            echo add unix:`echo $DISPLAY |
                cut -c11-` $proto $cookie
        else
            # X11UseLocalhost=no
            echo add $DISPLAY $proto $cookie
        fi | xauth -q -f ~/tmp/.Xauthority -
    fi

which starts xauth and creates the file in the location you want. It also adds/creates entries in the .Xauthority file for proper authentication.

Now you need to modify ~/.profile: when the shell is loaded, it needs to know where the .Xauthority file is found. Therefore we add one line at the very top:

export XAUTHORITY=~/tmp/.Xauthority

This enables me to connect via ssh -X servername to a shell and start any X app. Let's try this by starting xeyes or xclock.

Cool, but another issue came up that I need to solve to have it done right, and I have no solution for it now. If you try to start the X app directly from the remote, like:

x@y:~$ ssh -X servername xeyes

X11 connection rejected because of wrong authentication.
X11 connection rejected because of wrong authentication.
X11 connection rejected because of wrong authentication.
X11 connection rejected because of wrong authentication.
Error: Can't open display: localhost:11.0

This is an interesting error. If you google it there are a lot of answers, but the situation itself leads to the assumption that something is different when bash is loaded and when it is left out. The only thing I can think of is the line in .profile which sets the XAUTHORITY variable, but how do I set it without loading a shell? Why does it work if I have a user which has the .Xauthority file in the default location (~/.Xauthority)?

setra answered Nov 12 '22 00:11
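
Added example (not part of either answer): the failing case above, `ssh -X servername xeyes`, runs the command without a login shell, so ~/.profile is never read and the X client falls back to ~/.Xauthority. The sketch below combines the first answer's ~/.ssh/environment with the second answer's ~/.ssh/rc so the cookie is written to and read from the same file in both cases. `provision_xauth` is a hypothetical helper name, and the sketch assumes sshd_config permits both files (PermitUserEnvironment and PermitUserRC).

```shell
#!/bin/sh
# Added example, not from the original posts. Assumes sshd_config allows
# ~/.ssh/environment (PermitUserEnvironment) and ~/.ssh/rc (PermitUserRC).
# provision_xauth is a hypothetical helper; run it as the target user,
# e.g.  provision_xauth "$HOME"

provision_xauth() {
    home=$1
    [ -d "$home" ] || { echo "no such home: $home" >&2; return 1; }
    xauth_file="$home/tmp/.Xauthority"

    # The cookie grants access to the forwarded display: keep both dirs private.
    mkdir -p "$home/tmp" "$home/.ssh" || return 1
    chmod 700 "$home/tmp" "$home/.ssh" || return 1

    # sshd reads ~/.ssh/environment literally (no ~ or $HOME expansion) and
    # applies it to every session, including "ssh -X host command".
    env_file="$home/.ssh/environment"
    if [ -f "$env_file" ]; then
        grep -v '^XAUTHORITY=' "$env_file" > "$env_file.new" || true
    else
        : > "$env_file.new"
    fi
    echo "XAUTHORITY=$xauth_file" >> "$env_file.new"
    mv "$env_file.new" "$env_file" && chmod 600 "$env_file" || return 1

    # With ~/.ssh/rc present sshd no longer calls xauth itself; it pipes
    # "proto cookie" to the script, which must store the cookie.
    cat > "$home/.ssh/rc" <<EOF
if read proto cookie && [ -n "\$DISPLAY" ]; then
    case \$DISPLAY in
        localhost:*) target="unix:\${DISPLAY#localhost:}" ;;  # X11UseLocalhost=yes
        *)           target=\$DISPLAY ;;                       # X11UseLocalhost=no
    esac
    echo "add \$target \$proto \$cookie" | xauth -q -f "$xauth_file" -
fi
EOF
    chmod 600 "$home/.ssh/rc"
}
```

PermitUserEnvironment also accepts a pattern list of variable names, so `PermitUserEnvironment XAUTHORITY` admits only this variable instead of everything a user places in the file.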