This is a post originally from 2009 (!!).

All our servers (were) behind firewalls, and to log in I need to use a bastion host.

I start from a Windoze PC (alas!) using PuTTY 0.60 to ssh to the gateway (remember to enable X11 forwarding).

Now I am on the gateway and I ssh to one of the servers using:

ssh -Y

The forwarding is already working. I can run /usr/openwin/bin/xterm.

However, it’s not that easy.

Before I run my X application, I need to become another user, and to do that I need to use PowerBroker:

pbrun -u xxxx bash

Now the X11 forwarding is broken.

After banging my head on the desk and almost giving up, I came across a series of posts (now lost from memory - apologies for the missing attribution) which helped me devise a solution.

What I needed to do was generate the auth cookie for the user that needs to be authorized to do X11 forwarding and merge or add it to the .Xauthority of the new account.

As user Y, execute:

xauth generate display:xx .

This will generate the cookie for the .Xauthority of user Y.

Now make the newly generated .Xauthority file available to user X.

Become user X:

pbrun -u xxxx bash

and now execute:

xauth merge /tmp/myxauth

assuming /tmp/myxauth is your .Xauthority generated as user Y.

Set the display to display:xx and voilà, it works.

PS: Remember to remove the temporary copy of the .Xauthority file.
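
A tighter version of the handoff above, as an added example that is not part of the original post: anyone who can read the copied file can connect to the forwarded display, so this stages only the entry for one display instead of the whole .Xauthority and removes it afterwards. The function names, the directory layout and the use of mktemp are assumptions.

```shell
#!/bin/sh
# Added example: stage one display's X11 cookie for another account.
# Function names and directory layout are assumptions, not from the post.

# stage_cookie DISPLAY -> prints the path of the staged cookie file.
# Run as the user who owns the SSH session (user Y in the post).
stage_cookie() {
    disp=$1
    [ -n "$disp" ] || { echo "usage: stage_cookie DISPLAY" >&2; return 2; }
    # 0711: other users can traverse the directory but cannot list it,
    # so the random file name below cannot be found with ls.
    dir=$(mktemp -d "${TMPDIR:-/tmp}/xa.XXXXXXXX") || return 1
    chmod 711 "$dir"
    file=$(mktemp "$dir/c.XXXXXXXXXXXX") || { rmdir "$dir"; return 1; }
    # Export only this display's entry, not every cookie in ~/.Xauthority.
    if ! xauth extract "$file" "$disp" || [ ! -s "$file" ]; then
        rm -f "$file"; rmdir "$dir"
        echo "no xauth entry for $disp" >&2
        return 1
    fi
    # The target user must be able to read it; anyone who learns the
    # path can too, so unstage as soon as the merge is done.
    chmod 644 "$file"
    printf '%s\n' "$file"
}

# unstage_cookie FILE: remove the staged file and its directory.
unstage_cookie() {
    rm -f "$1" && rmdir "$(dirname "$1")"
}

# Typical use as user Y, then inside the pbrun shell as user X:
#   f=$(stage_cookie "$DISPLAY"); echo "$f"
#   xauth merge - < PATH_PRINTED_ABOVE    # as user X; stdin keeps the path out of ps
#   unstage_cookie "$f"                   # back as user Y
```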