[lug] X over ssh
Tkil
tkil at scrye.com
Sun Oct 14 00:09:31 MDT 2001
>>>>> "Ken" == Ken Weinert <kenw at ihs.com> writes:

Ken> I apologize in advance, but I've forgotten who I talked with at
Ken> the meeting Thursday night,

that would have been me. don't feel bad; i didn't remember Scott's
name, either, so i've already been amply repaid. :)

Ken> but I thought I'd let everyone know I got my X over ssh problem
Ken> solved. [...]

Ken> I understand that xauth is better than xhost, but since I'm
Ken> ssh-tunneled from end-to-end, is this a big concern?

as someone else already pointed out, this looks like you're not really
using SSH tunnelling for the X connection at all.

if your access machine now has ssh and sshd on it, and both "access"
and "work" allow x forwarding, then this *should* just work:

| home$ echo $DISPLAY
| home:0.0
|
| home$ xauth list
| home/unix:0 MIT-MAGIC-COOKIE-1 00112233445566778899001122334455
| home:0 MIT-MAGIC-COOKIE-1 00112233445566778899001122334455
|
| home$ ssh -X access
| access$ echo $DISPLAY
| access:10.0
|
| access$ xauth list
| access/unix:10 MIT-MAGIC-COOKIE-1 deadbeefdeadbeefdeadbeefdeadbeef
| access:10 MIT-MAGIC-COOKIE-1 deadbeefdeadbeefdeadbeefdeadbeef
|
| access$ ssh -X work
| work$ echo $DISPLAY
| work:10.0
|
| work$ xauth list
| work/unix:10 MIT-MAGIC-COOKIE-1 aa55aa55aa55aa55aa55aa55aa55aa55
| work:10 MIT-MAGIC-COOKIE-1 aa55aa55aa55aa55aa55aa55aa55aa55
|
| work$ xclock &

pay particular attention to the different values of $DISPLAY as you
set up the two-hop tunnel. also, note that ssh/sshd has taken care of
updating the xauth info along the way; the cookies don't match, but
ssh/sshd translates them on the fly. this means that each server sees
the string it wants to see, but that string is never actually
transmitted as is. (i think; it's been a while since i went trawling
about in the bowels of the ssh X forwarding code.)

(the output from "echo" and "xauth" is by-hand, since i don't have a
configuration handy for testing this except my own, and as much as i
like everyone on the list, i'm *not* sharing my long-running xauth
cookies with the public. :)

you mentioned that you were getting errors in the log between "home"
and "access", regarding problems with xauth. if you don't have a
private, writable xauth area on access, i would suspect that as the
reason this wouldn't work.

t.
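
An added example, not part of the original message: a small POSIX sh helper that runs the three checks the reply walks through on each hop (is $DISPLAY an sshd proxy display, is there an xauth cookie for it, is the xauth file writable). The function names and the `--report` switch are made up for this sketch, and it assumes sshd's default X11DisplayOffset of 10, so the display-number test is a heuristic.

```shell
#!/bin/sh
# Added example: sanity checks for an ssh-forwarded X display.
# Assumption: sshd uses its default X11DisplayOffset of 10.
X11_OFFSET=${X11_OFFSET:-10}

# display_number "access:10.0" prints 10
display_number() {
    d=${1##*:}                  # drop the host part up to the last colon
    printf '%s\n' "${d%%.*}"    # drop the ".screen" suffix
}

# True when the display number is in the range sshd hands out.
is_forwarded_display() {
    n=$(display_number "$1")
    case $n in ''|*[!0-9]*) return 1 ;; esac
    [ "$n" -ge "$X11_OFFSET" ]
}

# Reads `xauth list` output on stdin; true if a MIT-MAGIC-COOKIE-1
# entry exists for the display number of the given $DISPLAY value.
has_cookie_for() {
    n=$(display_number "$1")
    awk -v n="$n" '
        $2 == "MIT-MAGIC-COOKIE-1" && $1 ~ (":" n "$") { found = 1 }
        END { exit !found }'
}

# True if the xauth file (or the directory it would be created in) is
# writable; the reply suspects a non-writable xauth area on "access".
xauth_file_writable() {
    f=${XAUTHORITY:-$HOME/.Xauthority}
    if [ -e "$f" ]; then [ -w "$f" ]; else [ -w "$(dirname "$f")" ]; fi
}

x_forward_report() {
    if is_forwarded_display "${DISPLAY:-}"; then
        echo "DISPLAY=$DISPLAY looks ssh-forwarded"
    else
        echo "DISPLAY=${DISPLAY:-unset} is not an sshd proxy display"
    fi
    xauth list 2>/dev/null | has_cookie_for "${DISPLAY:-}" \
        || echo "no xauth cookie for this display"
    xauth_file_writable || echo "xauth file is not writable"
}

if [ "${1:-}" = "--report" ]; then x_forward_report; fi
```

Run it with `--report` on each hop; a display of :0 after `ssh -X` means the X traffic is not going through the tunnel.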