Re: [Cooker] Netscape ssh

2000-04-10 Thread Stefan Siegel

On 2000-04-09, at 14:43:42 (-0700), Eugenio Diaz wrote:
 When I make a ssh connection to the localhost, I get a
 definition like "DISPLAY=fulgore:12.0", which is ok,
 but for some reason, if I run an Xclient like xterm,
 it hangs there without doing anything, even if I run
 "xhosts +"; and if I press ctrl-c, it takes about a
 minute to exit. What is wrong?

Hard to say, but perhaps You haven't enabled forwarding 
X sessions. From my "etc/ssh/ssh_config":
-8---8
Host *
ForwardAgent yes
ForwardX11 yes
FallBackToRsh no
-8---8

And from my "etc/ssh/sshd_config":
-8---8
X11Forwarding yes
-8---8

Look if You have those lines also, and then try a

  ssh -v localhost xterm

There You should get (hopefully) enough debug-output 
if it won't work ...

-- 
Bye, and see you soon,

   Stefan

+-+
| Stefan Siegel   |
| Kurt-Schumacher-Str. 34 / App. 144  |
| D-67663 Kaiserslautern  |
| Tel.: +49-631-18269 |
|-|
| http://www.student.uni-kl.de/~siegel/   |
| mailto:[EMAIL PROTECTED]  |
| PGP Public Key: |
| finger [EMAIL PROTECTED] |
+-+




Re: [Cooker] Netscape ssh

2000-04-09 Thread Eugenio Diaz

--- Stefan Siegel [EMAIL PROTECTED] wrote:
 OK, I understand You only want to make local
 connections 

Not really, my machine is on the net, but I have
telnet disabled, and use ssh to open root xterms.

 to Your machine. But You totally misunderstood the 
 concept of ssh.
 
 ssh stands for "secure shell" so every time You are 
 going to connect to a sshd (a secure shell daemon) 
 Your ssh-client will make an encrypted (= secure) 
 connection. When You enable X11 connections via ssh,
 the sshd will use a virtual X11 server, some sort of
 proxy, to handle your X-requests and transfer them 
 encrypted via Your ssh connection.
 So If You are only working on your local machine, 
 (standalone computer), using ssh is only a 
 possibility to slow down Your machine ;-)

That, I did not know. I was confused thinking that
Xclients would communicate with the sshd through the
arbitrary port ssh creates, but now I understand that
Xclients are not ssh enabled and need to be fooled by
using a X proxy on a different display number.

When I make a ssh connection to the localhost, I get a
definition like "DISPLAY=fulgore:12.0", which is ok,
but for some reason, if I run an Xclient like xterm,
it hangs there without doing anything, even if I run
"xhosts +"; and if I press ctrl-c, it takes about a
minute to exit. What is wrong?

=
___
Eugenio Diaz, BSEE/BSCE Invent.com, Inc.
1001 N. Lake Destiny Rd., Suite 125
Linux Engineer  Maitland, FL 32751
Tel.: (407)475-1130
[EMAIL PROTECTED] Fax:  (407)475-1128
[EMAIL PROTECTED]





Re: [Cooker] Netscape ssh

2000-04-09 Thread Brian T. Schellenberger


Well, under normal circumstances the display is foo:0.0;
I mean, 12.0 could be correct in your case, but it's unusual.
Other than that, it beats me, though high security levels might
defeat the xhosts bit.

(And in the long term you really want to give a specific list of hosts
to allow, but I'd play with plain "xhosts +" until it works.)

On Sun, 09 Apr 2000, you wrote:
| --- Stefan Siegel [EMAIL PROTECTED] wrote:
|  OK, I understand You only want to make local
|  connections 
| 
| Not really, my machine is on the net, but I have
| telnet disabled, and use ssh to open root xterms.
| 
|  to Your machine. But You totally misunderstood the 
|  concept of ssh.
|  
|  ssh stands for "secure shell" so every time You are 
|  going to connect to a sshd (a secure shell daemon) 
|  Your ssh-client will make an encrypted (= secure) 
|  connection. When You enable X11 connections via ssh,
|  the sshd will use a virtual X11 server, some sort of
|  proxy, to handle your X-requests and transfer them 
|  encrypted via Your ssh connection.
|  So If You are only working on your local machine, 
|  (standalone computer), using ssh is only a 
|  possibility to slow down Your machine ;-)
| 
| That, I did not know. I was confused thinking that
| Xclients would communicate with the sshd through the
| arbitrary port ssh creates, but now I understand that
| Xclients are not ssh enabled and need to be fooled by
| using a X proxy on a different display number.
| 
| When I make a ssh connection to the localhost, I get a
| definition like "DISPLAY=fulgore:12.0", which is ok,
| but for some reason, if I run an Xclient like xterm,
| it hangs there without doing anything, even if I run
| "xhosts +"; and if I press ctrl-c, it takes about a
| minute to exit. What is wrong?
| 
| =
| ___
| Eugenio Diaz, BSEE/BSCE Invent.com, Inc.
| 1001 N. Lake Destiny Rd., Suite 125
| Linux Engineer  Maitland, FL 32751
| Tel.: (407)475-1130
| [EMAIL PROTECTED] Fax:  (407)475-1128
| [EMAIL PROTECTED]
| 
-- 
"Brian, the man from babbleon-on"   [EMAIL PROTECTED]
Brian T. Schellenberger http://www.babbleon.org
Support http://www.eff.org. Support decss defendants.
Support http://www.programming-freedom.org. Boycott amazon.com.




Re: [Cooker] Netscape ssh

2000-04-07 Thread Jose Antonio Becerra Permuy

On Thu, 06 Apr 2000, you wrote:

   If you change it to DISPLAY=localhost:0.0 then you can
   run your X apps with no problem.
  
  Yes, but then X apps are not encrypted and, if you introduce some
  password in one of them (in netscape to receive e-mail for example), that
  password can be easily stolen.
 
 Uh what? ssh is encrypting the session. That's what X11 forwarding is for.

From the ssh man: 

 If the user is using X11 (the DISPLAY environment variable is set), the
 connection to the X11 display is automatically forwarded to the remote
 side in such a way that any X11 programs started from the shell (or
 command) will go through the encrypted channel, and the connection to the
 real X server will be made from the local machine.  The user should not
 manually set DISPLAY. Forwarding of X11 connections can be configured on
 the command line or in configuration files.
 
 The DISPLAY value set by ssh will point to the server machine, but with a
 display number greater than zero.  This is normal, and happens because
 ssh creates a ``proxy'' X server on the server machine for forwarding the
 connections over the encrypted channel.

If DISPLAY=somehost:0.0 then X apps are NOT forwarded through ssh.




Re: [Cooker] Netscape ssh

2000-04-07 Thread Stefan Siegel

On 2000-04-06, at 23:19:31 (-0700), Eugenio Diaz wrote:
 I don't know what he is talking about, since as far as
 I know the number after the colon in the DISPLAY
 variable indicates a display number in the X server,
 and has nothing to do with any ssh controlled port;
 that is handled by the ssh/sshd combo, and probably the X
 client and server don't even know their connection is
 being forwarded through other ports. Plus I was
 talking about localhost--localhost connection
 anyways, where packets never touch the interface
 cable, where only the system's valid users could possibly
 have an opportunity to snoop them.
OK, I understand You only want to make local connections 
to Your machine. But You totally misunderstood the 
concept of ssh.

ssh stands for "secure shell" so every time You are 
going to connect to a sshd (a secure shell daemon) 
Your ssh-client will make an encrypted (= secure) 
connection. When You enable X11 connections via ssh, 
the sshd will use a virtual X11 server, some sort of 
proxy, to handle your X-requests and transfer them 
encrypted via Your ssh connection.
So If You are only working on your local machine, 
(standalone computer), using ssh is only a 
possibility to slow down Your machine ;-)

-- 
Bye, and see you soon,

Stefan
 
+--+
|  Stefan Siegel   |
|  Kurt-Schumacher-Str. 34 / App. 144  |
|  D-67663 Kaiserslautern  |
|  Tel.: +49-631-18269 |
|  |
|  http://www.student.uni-kl.de/~siegel/   |
|  mailto:[EMAIL PROTECTED]  |
|  PGP Public Key: |
|  finger [EMAIL PROTECTED] |
+--+




Re: [Cooker] Netscape ssh

2000-04-06 Thread Eugenio Diaz

I have noticed that since about a month ago, my root
ssh terms (ssh -l root localhost) get default values
for the DISPLAY variable which are somewhat strange
to me. Values like:

"DISPLAY=hostyouareconnectingfrom:24.0"

before it used to be:

"DISPLAY=hostyouareconnectingfrom:0.0"

If you change it to DISPLAY=localhost:0.0 then you can
run your X apps with no problem.

--- thomas poindessous [EMAIL PROTECTED]
wrote:
 I have a really annoying problem.
 When I use ssh user@localhost, the XAUTHORITY is not
 set to /tmp/Xauth...,
 so I can't launch X app. It works only with myself
 and root (who has my
 identity.pub as authorized_keys).
 
 And I have one user who can't launch netscape. It
 always says "Killed". I
 have recreated its account several times but it was
 only the same thing.
 
 And for WindowMaker, binaries must be in
 /usr/X11R6/bin
 
 -- 
 Thomas Poindessous
 First-year engineering student at Epita
 [EMAIL PROTECTED]
 
 

=
___
Eugenio Diaz, BSEE/BSCE Invent.com, Inc.
1001 N. Lake Destiny Rd., Suite 125
Linux Engineer  Maitland, FL 32751
Tel.: (407)475-1130
[EMAIL PROTECTED] Fax:  (407)475-1128
[EMAIL PROTECTED]





Re: [Cooker] Netscape ssh

2000-04-06 Thread Jose Antonio Becerra Permuy

On Thu, 06 Apr 2000, you wrote:

 I have noticed that since about a month ago, my root
 ssh terms (ssh -l root localhost) get default values
 for the DISPLAY variable which are somewhat strange
 to me. Values like:
 
 "DISPLAY=hostyouareconnectingfrom:24.0"

That is because X connections are forwarding through ssh.

 
 before it used to be:
 
 "DISPLAY=hostyouareconnectingfrom:0.0"
 
 If you change it to DISPLAY=localhost:0.0 then you can
 run your X apps with no problem.

Yes, but then X apps are not encrypted and, if you introduce some
password in one of them (in netscape to receive e-mail for example), that
password can be easily stolen.

  I have a really annoying problem.
  When I use ssh user@localhost, the XAUTHORITY is not
  set to /tmp/Xauth...,
  so I can't launch X app. It works only with myself
  and root (who has my
  identity.pub as authorized_keys).

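I have had the same problem and a guy gave me the right solution.
Change your /etc/profile.d/xhost.sh to:

# Only act when an X display is set
if [ ! -z "$DISPLAY" ];then
    # Skip accounts with uid 14 or lower
    if [ "`id -u`" -gt 14 ];then
        # Keep an XAUTHORITY that is already set (e.g. by sshd)
        if [ -z "$XAUTHORITY" ];then
            export XAUTHORITY=$HOME/.Xauthority
        fi
    fi
fi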




Re: [Cooker] Netscape ssh

2000-04-06 Thread David Walluck

On Thu, 6 Apr 2000, Jose Antonio Becerra Permuy wrote:

  "DISPLAY=hostyouareconnectingfrom:24.0"
 
   That is because X connections are forwarding through ssh.
 
  
  before it used to be:
  
  "DISPLAY=hostyouareconnectingfrom:0.0"
  
  If you change it to DISPLAY=localhost:0.0 then you can
  run your X apps with no problem.
 
   Yes, but then X apps are not encrypted and, if you introduce some
 password in one of them (in netscape to receive e-mail for example), that
 password can be easily stolen.

Uh what? ssh is encrypting the session. That's what X11 forwarding is for.




Re: [Cooker] Netscape ssh

2000-04-06 Thread Magnus Holmberg


This was written on the openssh mailing list:


/M


On 2000-Mar-28 at 22:58:03 +0200, Klaus Knopper wrote:

: I believe the source of the problem is the automatic setup of the
: XAUTHORITY environment variable in different distributions
: (Mandrake, RedHat, others...) during login. openssh seems to create
: its own Xauthority cookie file in /tmp rather than create an entry
: in the user's $HOME/.Xauthority (why?). After successful ssh login,
: XAUTHORITY points to /tmp/ssh-randomstring/cookies, but the
: shell's profiles (/etc/profile.d/xhost.* in Mandrake 7.0) reset
: this variable to its default location $HOME/.Xauthority (except
: for root, this is why it works in the above context). So, the
: valid X11-cookie cannot be found by X11-applications because
: XAUTHORITY points to the wrong file.

Distributions that blindly set XAUTHORITY are broken.  They should
check whether it's already set first, e.g.:

  if [ -z "${XAUTHORITY}" ]; then
    XAUTHORITY="${HOME}/.Xauthority"
    export XAUTHORITY
  fi

If the system administrator were to use PAM to set XAUTHORITY to a
desired value on login, it would be silently overridden, in the same
way that sshd's XAUTHORITY is.  Violates principle of least surprise.

If i recall correctly, the reasons why OpenSSH doesn't use
~/.Xauthority are:

  (1) alleviates problems with NFS-mounted home directories.
  
  (2) authority entries can be cleaned up properly on logout instead of
  sitting around.

Someone correct me there, please; i'm bound to be wrong.

-- 
jim knoble
[EMAIL PROTECTED]
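
The effect of the blind versus the guarded profile fragment discussed in this message, together with the DISPLAY behaviour quoted from the ssh man page earlier in the thread, as an added example that is not part of the original posts. The function names and the cookie path are constructed; treating display numbers of 10 and above as ssh-forwarded is a heuristic that assumes sshd's default X11DisplayOffset of 10.

```shell
#!/bin/sh
# Added illustration; names and sample values are constructed.

# Profile fragment that resets XAUTHORITY unconditionally (the broken case).
profile_blind() {
    XAUTHORITY="${HOME}/.Xauthority"
    export XAUTHORITY
}

# Guarded fragment: only supplies a default when nothing is set yet.
profile_guarded() {
    if [ -z "${XAUTHORITY}" ]; then
        XAUTHORITY="${HOME}/.Xauthority"
        export XAUTHORITY
    fi
}

# Run fragment $1 in a subshell that starts with XAUTHORITY=$2
# (empty means unset) and print the value the login shell ends up with.
xauthority_after() {
    (
        if [ -n "$2" ]; then XAUTHORITY=$2; export XAUTHORITY
        else unset XAUTHORITY; fi
        "$1"
        printf '%s\n' "$XAUTHORITY"
    )
}

# Classify a DISPLAY value: "forwarded" when the display number is at or
# above the offset ($2, default 10: assumed sshd X11DisplayOffset default),
# "direct" when below, "unset" or "invalid" otherwise.
display_kind() {
    [ -n "$1" ] || { echo unset; return 0; }
    case $1 in *:*) ;; *) echo invalid; return 0 ;; esac
    num=${1##*:}      # "fulgore:12.0" -> "12.0"
    num=${num%%.*}    # "12.0" -> "12"
    case $num in ''|*[!0-9]*) echo invalid; return 0 ;; esac
    if [ "$num" -ge "${2:-10}" ]; then echo forwarded; else echo direct; fi
}

# Demo with a constructed cookie path standing in for the file sshd creates.
cookie=/tmp/ssh-EXAMPLE/cookies
echo "blind:   $(xauthority_after profile_blind "$cookie")"
echo "guarded: $(xauthority_after profile_guarded "$cookie")"
echo "fulgore:12.0 -> $(display_kind fulgore:12.0)"
echo "localhost:0.0 -> $(display_kind localhost:0.0)"
```

With the blind fragment the X client looks in $HOME/.Xauthority and never finds the cookie for the proxy display; a "direct" DISPLAY means the client bypasses the ssh tunnel.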







[Cooker] Netscape ssh

2000-04-05 Thread thomas poindessous

I have a really annoying problem.
When I use ssh user@localhost, the XAUTHORITY is not set to /tmp/Xauth...,
so I can't launch X app. It works only with myself and root (who has my
identity.pub as authorized_keys).

And I have one user who can't launch netscape. It always says "Killed". I
have recreated its account several times but it was only the same thing.

And for WindowMaker, binaries must be in /usr/X11R6/bin

-- 
Thomas Poindessous
First-year engineering student at Epita
[EMAIL PROTECTED]