[lug] X over ssh
Ken Weinert
kenw at ihs.com
Sun Oct 14 06:14:43 MDT 2001
* Tkil (tkil at scrye.com) [011014 06:12]:
> >>>>> "Ken" == Ken Weinert <kenw at ihs.com> writes:
>
> as someone else already pointed out, this looks like you're not really
> using SSH tunnelling for the X connection at all.
Unfortunately, you're both correct. It must be taking
advantage of the fact that I have a previously opened hole in the
firewall for vnc to my machine (from my home machine) but I'm not sure
how it's working.
My setup at work is a little different because I'm using Xvnc
as my main X server. I did this so I could use the same desktop at
home and work for when I telecommute.
Therefore my ssh command has been:
ssh -X ihsaccess.net -l kenw -L 5901:mike:5901
so now it doesn't matter whether I telnet or ssh from ihsaccess to
mike, this works:
home: xhost +mike
mike: DISPLAY=home:0
mike: x_command
It shows up at home. Which is good, in a way, but not so good
from a security standpoint.
> if your access machine now has ssh and sshd on it, and both "access"
> and "work" allow x forwarding, then this *should* just work:
>
> | home$ echo $DISPLAY
> | home:0.0
> |
> | home$ xauth list
> | home/unix:0 MIT-MAGIC-COOKIE-1 00112233445566778899001122334455
> | home:0 MIT-MAGIC-COOKIE-1 00112233445566778899001122334455
> |
> | home$ ssh -X access
>
> | access$ echo $DISPLAY
> | access:10.0
> |
> | access$ xauth list
> | access/unix:10 MIT-MAGIC-COOKIE-1 deadbeefdeadbeefdeadbeefdeadbeef
> | access:10 MIT-MAGIC-COOKIE-1 deadbeefdeadbeefdeadbeefdeadbeef
Can't check this; xauth isn't on the list of commands.
The value of DISPLAY here is access_ip:10.0
> | access$ ssh -X work
I get a message when I do this about mike/work not being a
known machine and it can't update the list of known hosts. I don't
think this is a real problem, just a PITA that I have to answer the
question every time.
> | work$ echo $DISPLAY
> | work:10.0
Here I differ: I get 192:10.0
> | work$ xauth list
> | work/unix:10 MIT-MAGIC-COOKIE-1 aa55aa55aa55aa55aa55aa55aa55aa55
> | work:10 MIT-MAGIC-COOKIE-1 aa55aa55aa55aa55aa55aa55aa55aa55
> |
> | work$ xclock &
This doesn't work - in a way. The command executes but I
don't know where it is actually displaying. Perhaps on the access
monitor.
Hmmm, thought just occurred to me - perhaps the value of
DISPLAY on work should be work:10? I'll test that next.
As I'm sure that those of you with a clue already knew, no,
this didn't work.
> pay particular attention to the different values of $DISPLAY as you
> set up the two-hop tunnel. also, note that ssh/sshd has taken care of
> updating the xauth info along the way; the cookies don't match, but
> ssh/sshd translates them on the fly. this means that each server sees
> the string it wants to see, but that string is never actually
> transmitted as is. (i think; it's been a while since i went trawling
> about in the bowels of the ssh X forwarding code.)
Perhaps that "list of known hosts" message is significant here.
> like everyone on the list, i'm *not* sharing my long-running xauth
> cookies with the public. :)
But we aren't the public, we're your friends :)
> you mentioned that you were getting errors in the log between "home"
> and "access", regarding problems with xauth. if you don't have a
> private, writable xauth area on access, i would suspect that as the
> reason this wouldn't work.
This might still be a problem. It wasn't till Friday afternoon
that the ssh command got added to the access machine so I'll relate my
experiences to the admin on Monday.
Thanks for all your help.
--
Ken Weinert kenw at ihs.com 303-858-6956 (V) 303-705-4258 (F)
GnuPG KeyID: 9274F1CE GnuPG available at http://www.gnupg.org/
GnuPG Key Fingerprint: 1D87 3720 BB77 4489 A928 79D6 F8EC DD76 9274 F1CE
Does fuzzy logic tickle?
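An added example, not from the thread or its authors: a small POSIX shell check that tells a raw TCP DISPLAY (the "xhost +mike; DISPLAY=home:0" setup above, which bypasses the tunnel) from one that sshd hands out for X forwarding, plus a count of hosts an xhost list exposes the server to. It assumes sshd's default X11DisplayOffset of 10 and the usual xhost(1) output format; the sample values are constructed.

```sh
#!/bin/sh
# Added example (not from the thread): classify an X DISPLAY string so a
# user can tell whether X traffic is going through the ssh tunnel or over
# a raw TCP connection that relies on "xhost +" on the far X server.
# Heuristic (assumption): sshd allocates forwarded displays starting at
# X11DisplayOffset, default 10, so <host>:10 and above is ssh-forwarded,
# while <remotehost>:0 is a direct, unencrypted X connection.
classify_display() {
    disp=$1
    host=${disp%:*}          # text before the last ':' (empty for ":0")
    rest=${disp##*:}         # "10.0" or "0"
    num=${rest%%.*}          # display number without the screen suffix
    case "$num" in
        ''|*[!0-9]*) echo "invalid"; return 1 ;;
    esac
    if [ -z "$host" ] || [ "$host" = "unix" ]; then
        echo "local-unix-socket"
    elif [ "$num" -ge 10 ]; then
        echo "ssh-forwarded"   # localhost:10 with X11UseLocalhost, host:10 without
    elif [ "$host" = "localhost" ] || [ "$host" = "127.0.0.1" ]; then
        echo "local-tcp"
    else
        echo "direct-tcp"      # e.g. DISPLAY=home:0 set by hand, as in the thread
    fi
}

# Count hosts granted access by xhost; $1 is xhost(1) output (format assumed:
# a status line, then one "FAMILY:name" entry per line). Prints "disabled"
# when access control is off, otherwise the number of entries.
xhost_exposure() {
    printf '%s\n' "$1" | awk '
        /^access control disabled/ { disabled = 1 }
        /^[A-Z]+:/                 { n++ }
        END { if (disabled) print "disabled"; else print n + 0 }'
}

# Constructed sample values mirroring the thread (not real output).
for d in ':0' 'home:0' 'access_ip:10.0' '192:10.0'; do
    printf '%-16s %s\n' "$d" "$(classify_display "$d")"
done
sample_xhost='access control enabled, only authorized clients can connect
INET:mike'
printf 'xhost entries: %s\n' "$(xhost_exposure "$sample_xhost")"
```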