how to ssh -Y and then su - <another user> and still forward X applications to your local machine

When you connect to a remove machine via ssh with X11 forwarding enabled, ssh on the server creates a .Xauthority file in the user's home directory. Because ssh listens for X11 on a TCP socket, anyone can connect. Because anyone can connect, we need some way of preventing just anyone from using your display. This is done with that .Xauthority file. The file contains a "cookie" which is presented to the X11 server that verifies the client should be allowed to connect.

Skipping all the details, if you copy that .Xauthority file to your target user's home directory (and give them ownership), you should be able to connect.


  1. ssh -Y to the remote machine as yourself.
  2. Once there, type xauth list. A list of MAGIC-COOKIE items appears. Your login session is most likely the bottom one on the list. (Check this by looking at the hostname and UNIX number code, and comparing it with the hostname you shelled from and your current localhost:## DISPLAY env variable.)
  3. Switch users.
  4. Type xauth add + the entire MAGIC-COOKIE line from above.
  5. Graphics should appear now. Test it with a quick xlogo.

I like Randy's answer, but it didn't quite work for me.

Here is what I got to work:

  1. ssh -Y as user1
  2. xauth list | grep `uname -n`
  3. Switch to user2
  4. unset XAUTHORITY
  5. xauth generate :0 .
  6. xauth add :0 . <KEY-FROM-STEP-2>

Note the two periods in steps 5 and 6.

If I just follow Randy's answer, user2's XAUTHORITY variable is still pointing to user1's .Xauthority file. And his syntax of the +key didn't work.