Re: [CentOS] remote ssh to machine how display firefox
On Sat, Dec 08, 2007, Les Mikesell wrote:
> Les Bell wrote:
>> Les Mikesell [EMAIL PROTECTED] wrote:
>>> What's a 'trusted' forwarding mean as opposed to any other kind?
>>
>> A trusted X11 client will bypass the security controls specified in the X11 Security Extension Specification (see http://refspecs.freestandards.org/X11/security.pdf). In general, you don't want to enable this unless you have to. Notice that trusted forwarding trusts the users to all be good guys.
>
> Is there a way to describe it in more than 2 words but less than 18 pages? The main point seems to be that almost nothing works if your forwarding isn't trusted. But shouldn't being able to log in via ssh mean that you are trusted?

One would hope so, assuming authorized_keys and proper pass phrases (but then putty and others allow this from the Microsoft Virus, Windows and I don't trust anything coming from Windows).

On the few systems where we permit ssh authentication with user name and password, access is tightly controlled via tcp_wrappers to specific IP addresses. Recently we have been using OpenVPN to allow secure access from remote users which makes restricting ssh access easier when people are roaming so can't be easily identified by IP address.

Bill
--
INTERNET: [EMAIL PROTECTED]   Bill Campbell; Celestial Software LLC
URL: http://www.celestial.com/   PO Box 820; 6641 E. Mercer Way
FAX: (206) 232-9186   Mercer Island, WA 98040-0820; (206) 236-1676

Cutting the space budget really restores my faith in humanity. It eliminates dreams, goals, and ideals and lets us get straight to the business of hate, debauchery, and self-annihilation. -- Johnny Hart
___
CentOS mailing list
CentOS@centos.org
http://lists.centos.org/mailman/listinfo/centos
Re: [CentOS] remote ssh to machine how display firefox
Bill Campbell [EMAIL PROTECTED] wrote:
> True enough, but ssh makes the X11 DISPLAY things so easy! One doesn't have to muck with xhosts and such.

Absolutely - you might *want* to use SSH for the convenience, but you shouldn't *need* to. I preach SSH Everywhere as SOP, even on trusted networks. This is probably the case almost everywhere, now that telnet is pretty much dead.

Best,
--- Les Bell, RHCE, CISSP
[http://www.lesbell.com.au]
Tel: +61 2 9451 1144
FreeWorldDialup: 800909
Re: [CentOS] remote ssh to machine how display firefox
Les Mikesell [EMAIL PROTECTED] wrote:
> What's a 'trusted' forwarding mean as opposed to any other kind?

A trusted X11 client will bypass the security controls specified in the X11 Security Extension Specification (see http://refspecs.freestandards.org/X11/security.pdf). In general, you don't want to enable this unless you have to. Notice that trusted forwarding trusts the users to all be good guys. (In fact, if you're on a trusted network, you shouldn't need to use SSH at all, since you trust the devices (and their users) attached to the network not to do nasty things like network sniffing, MitM attacks, etc.).

Best,
--- Les Bell, RHCE, CISSP
[http://www.lesbell.com.au]
Tel: +61 2 9451 1144
FreeWorldDialup: 800909
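
The `-X` / `-Y` distinction asked about in this thread maps to the ssh client options `ForwardX11` and `ForwardX11Trusted`. The following is an added example, not part of any poster's message: it classifies the forwarding mode a client resolves to from the output of `ssh -G`, assuming a client with OpenSSH 6.8 or later; the function names are hypothetical.

```shell
#!/bin/sh
# Added example (not from the thread): which X11 forwarding mode would the
# ssh client use? Function names are hypothetical.

# Read `ssh -G <host>` output (lowercase "keyword value" lines) on stdin.
# Prints one of:
#   off                   no X11 forwarding requested
#   untrusted timeout=N   X11 SECURITY extension restrictions apply to remote
#                         clients; the xauth token expires after N seconds
#   trusted               remote clients get full access to the local display
x11_mode() {
    awk '
        $1 == "forwardx11"        { fwd = $2 }
        $1 == "forwardx11trusted" { trusted = $2 }
        $1 == "forwardx11timeout" { timeout = $2 }
        END {
            if (fwd != "yes")          print "off"
            else if (trusted == "yes") print "trusted"
            else                       print "untrusted timeout=" timeout
        }
    '
}

# Show what plain ssh, -X and -Y each resolve to for one host.
# `ssh -G` only evaluates configuration; it does not connect.
x11_modes_for_host() {
    host=$1
    for flag in "" -X -Y; do
        # $flag is intentionally unquoted so the empty case adds no argument
        printf '%-5s %s\n' "${flag:-none}" "$(ssh -G $flag "$host" | x11_mode)"
    done
}

# Stand-alone use: sh this-script.sh remotehost
if [ -n "${1:-}" ]; then
    x11_modes_for_host "$1"
fi
```

If the system-wide or per-user `ssh_config` sets `ForwardX11Trusted yes`, the `-X` row reports `trusted` as well, so the two flags behave the same on that client.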
Re: [CentOS] remote ssh to machine how display firefox
On Sat, Dec 08, 2007, Les Bell wrote:
> Les Mikesell [EMAIL PROTECTED] wrote:
>> What's a 'trusted' forwarding mean as opposed to any other kind?
>
> A trusted X11 client will bypass the security controls specified in the X11 Security Extension Specification (see http://refspecs.freestandards.org/X11/security.pdf). In general, you don't want to enable this unless you have to. Notice that trusted forwarding trusts the users to all be good guys. (In fact, if you're on a trusted network, you shouldn't need to use SSH at all, since you trust the devices (and their users) attached to the network not to do nasty things like network sniffing, MitM attacks, etc.).

True enough, but ssh makes the X11 DISPLAY things so easy! One doesn't have to muck with xhosts and such.

Bill
--
INTERNET: [EMAIL PROTECTED]   Bill Campbell; Celestial Software LLC
URL: http://www.celestial.com/   PO Box 820; 6641 E. Mercer Way
FAX: (206) 232-9186   Mercer Island, WA 98040-0820; (206) 236-1676

It is surprising how much new stuff users find that developers never do. You put a copy in front of a normal user and they find all these bugs that you would think developers would find. The real users and developers are completely different species as far as I am concerned. --Linux creator Linus Torvalds
Re: [CentOS] remote ssh to machine how display firefox
Karanbir Singh wrote:
>>>> ssh -X machine
>>>>
>>>> to connect to firefox
>>>
>>> you prolly meant -Y :D
>>
>> Ok well just double checked and tested it here and -X works here. I knew about -Y but thought you only use that if you absolutely have to :)
>
> the reason I would prefer -Y is that it's (well, the man page says anyway) more secure than -X. Also, these days a lot of admins will disable -X functionality on machines. Have not come across anywhere -Y didn't work (and the host OS was installed in the last 5 years).
>
> I am not doubting that -X will mostly work, but perhaps we should be promoting the idea of -Y a bit more.

Coming from a Fedora client, you have had to specify -Y for a while for most things to work. But I don't think the man page makes it very clear what the difference is. What's a 'trusted' forwarding mean as opposed to any other kind?

--
Les Mikesell [EMAIL PROTECTED]
Re: [CentOS] remote ssh to machine how display firefox
> I can ssh into a remote machine.
> I can start X on that machine with startx

No need to start X on the remote machine. You need to do

    ssh -X remotemachine

so that X is forwarded (back to the machine that you ssh'ed from). Make sure that

    X11Forwarding yes

is set in the /etc/ssh/sshd_config file (restart the sshd if it was not). Then you can simply type

    firefox

and it will appear on the machine you started the ssh from (assuming of course that an X server is running locally).

This of course works for any X11 application, not just Firefox.

Alfred
Re: [CentOS] remote ssh to machine how display firefox
Jerry Geis wrote:
> So I want to be using firefox on the remote machine but displaying the screen output from firefox in my office. Both boxes are running centos 5.
>
> how is that done?

First, man ssh, so you can read the ssh manual.

Second, make sure on the remote host that this line is in /etc/ssh/sshd_config.

    X11Forwarding yes

Then run ssh while forwarding X

    [EMAIL PROTECTED] ~]$ ssh -X [EMAIL PROTECTED]
    [EMAIL PROTECTED] ~]$ /usr/bin/firefox

Regards,
Max
Re: [CentOS] remote ssh to machine how display firefox
Jerry Geis wrote:
> I can ssh into a remote machine.
> I can start X on that machine with startx
>
> How do I then start firefox on that machine (from the ssh prompt) and have it display on my machine in my office.
>
> So I want to be using firefox on the remote machine but displaying the screen output from firefox in my office. Both boxes are running centos 5.
>
> how is that done?
>
> Jerry

Hi

you don't need to start X on the remote system at all

    ssh -X machine

to connect to firefox
Re: [CentOS] remote ssh to machine how display firefox
On 07/12/2007, Jerry Geis [EMAIL PROTECTED] wrote:
>> Jerry Geis wrote:
>>> I can ssh into a remote machine.
>>> I can start X on that machine with startx
>>>
>>> How do I then start firefox on that machine (from the ssh prompt) and have it display on my machine in my office.
>>>
>>> So I want to be using firefox on the remote machine but displaying the screen output from firefox in my office. Both boxes are running centos 5.
>>
>> don't startx on the REMOTE machine, have it running on the LOCAL machine.
>>
>>     local$ ssh -X remote
>>     ...authenticate...
>>     remote$ firefox
>>
>> and firefox should open on the local...
>
> I tried the above (without the ) and firefox just returns.
> I looked at /etc/ssh/sshd_config and X11Forwarding is yes.

First - make sure you have xauth installed on the remote machine. With CentOS 5 it comes in xorg-x11-xauth. Ssh needs it to pass over the x11 authentication cookies (e.g. I don't install X environment on my servers so I have to remember to install this package separately).

Secondly - when you login through SSH, type echo $DISPLAY and see if you get anything - if not then X11 isn't being forwarded yet.

Also I hope you start ssh after having X11 environment started on your local machine and from a shell which has $DISPLAY set correctly *locally*.

When all these tests are passed I usually try to run a basic X11 program like xlogo but you might not have it so just try to run firefox again and see what happens.

--Amos
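
The checks listed in the message above (the `X11Forwarding` setting, `xauth` on the remote host, `$DISPLAY` inside the session) can be scripted. The following is an added example, not part of any poster's message; the function names and the `--check` argument are hypothetical, and the config parser handles only whitespace-separated `keyword value` lines in the main file.

```shell
#!/bin/sh
# Added example (not from the thread): remote-side X11 forwarding checks.
# Function names and the --check argument are hypothetical.

# Print the global X11Forwarding value from sshd_config text on stdin.
# sshd uses the first value it reads for a keyword, keywords are
# case-insensitive, and the OpenSSH default is "no". Parsing stops at the
# first Match block; Include files are not followed (sshd -T is authoritative).
sshd_x11_setting() {
    awk '
        /^[ \t]*#/ || /^[ \t]*$/       { next }
        tolower($1) == "match"         { exit }
        tolower($1) == "x11forwarding" { print tolower($2); found = 1; exit }
        END { if (!found) print "no" }
    '
}

# Classify the session from the value of $DISPLAY and the path to xauth.
# Both are passed as arguments so the logic can be exercised without X.
x11_session_status() {
    display=$1
    xauth_path=$2
    if [ -z "$xauth_path" ]; then
        echo "no-xauth"          # sshd cannot store the forwarding cookie
    elif [ -z "$display" ]; then
        echo "no-display"        # X11 is not being forwarded for this login
    else
        case $display in
            :*) echo "local-display" ;;  # an X server on this host (e.g. after
                                         # startx), not the ssh proxy display
            *)  echo "forwarded" ;;      # host:N form, e.g. localhost:10.0
        esac
    fi
}

# Stand-alone use on the remote host, inside the ssh session. Reading
# /etc/ssh/sshd_config usually requires root.
if [ "${1:-}" = "--check" ]; then
    echo "X11Forwarding: $(sshd_x11_setting < /etc/ssh/sshd_config)"
    echo "session: $(x11_session_status "${DISPLAY:-}" "$(command -v xauth)")"
fi
```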
Re: [CentOS] remote ssh to machine how display firefox
John R Pierce wrote:
> Jerry Geis wrote:
>> I can ssh into a remote machine.
>> I can start X on that machine with startx
>>
>> How do I then start firefox on that machine (from the ssh prompt) and have it display on my machine in my office.
>>
>> So I want to be using firefox on the remote machine but displaying the screen output from firefox in my office. Both boxes are running centos 5.
>
> don't startx on the REMOTE machine, have it running on the LOCAL machine.
>
>     local$ ssh -X remote
>     ...authenticate...
>     remote$ firefox
>
> and firefox should open on the local...

or you can do a port forward if you wanted to just use your local browser.

    ssh -L local-port:localhost:remote-port user@destination

eg.

    ssh -L 8080:localhost:80 [EMAIL PROTECTED]

then, in your local browser, simply type localhost:8080 as the url to display port 80 from the remote server.

More information can be found at http://www.ssh.com/support/documentation/online/ssh/adminguide/32/Port_Forwarding.html
Re: [CentOS] remote ssh to machine how display firefox
Karanbir Singh wrote:
> Clint Dilks wrote:
>> ssh -X machine
>>
>> to connect to firefox
>
> you prolly meant -Y :D

Ok well just double checked and tested it here and -X works here. I knew about -Y but thought you only use that if you absolutely have to :)

Anyway Have a Great Day