Re: More (more) SSH Fun (X11 forwarding)

2002-07-17 Thread Timo Lilja
Jan Niehusmann <[EMAIL PROTECTED]> writes:

>Another possible solution would be:
>
>ssh -L 2000:remotehost:22 firewall
>
>and then, again on the local machine:
>
>ssh -X -p 2000 localhost
>(here you may get a warning about unknown/wrong host keys, because the
>daemon you are connecting to is, of course, not presenting the host key
>of localhost)

Yet another solution is to use ssh config option ProxyCommand. E.g.,

 local$ ssh remotehost -o 'ProxyCommand ssh firewall nc %h %p'

ProxyCommand runs ssh to connect to machine firewall and starts netcat
there to connect to the actual remotehost sshd. (%h expands to
remotehost and %p to the ssh port.)

See ssh(1) or ssh_config(5) manual pages for more info on
ProxyCommand.

ProxyCommand is especially handy if you set it up in the ~/.ssh/config
file, e.g.,

Host remote-direct
 HostName remote.somewhere
 ProxyCommand ssh firewall nc %h %p

After this you can use scp/cvs/rsync or whatever with remote-direct as your
hostname.


-- 
Timo Lilja

"Objects are a poor man's closures."  -- Norman Adams


-- 
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]



Re: More (more) SSH Fun (X11 forwarding)

2002-07-16 Thread Tom Hoover
On Tue, Jul 16, 2002 at 09:52:19AM +0200, Jan Niehusmann wrote:
> 
> Another possible solution would be:
> 
> ssh -L 2000:remotehost:22 firewall
> 
> and then, again on the local machine:
> 
> ssh -X -p 2000 localhost
> 
> This way, you have a direct ssh connection between both computers
> involved in X forwarding, and the firewall doesn't need (parts of)
> an X installation.

Thanks!  I'll have to try out that method also.  I did, however, get
everything setup to do what I wanted it to...

At work, we're behind a firewall, and can only access the internet thru
a proxy server.  I cannot therefore connect normally to my home network
using ssh.  I found a perl script on the web (ssh-tunnel.pl) that allows
one to tunnel ssh thru ssl, which _will_ pass thru the proxy server.  I
only had to setup another instance of sshd at home to listen on port
443, and I was then able to connect.  I can now "ssh" thru the proxy
server to my home firewall/router, and then "ssh" from there into my
desktop machine which resides behind the firewall.  I was able to
forward X over the ssh connection...it was pretty cool to run X
applications on my home machine from the work machine (I know that this
is probably "old hat" to many of you, but I felt a sense of accomplishment 
managing to do it thru two firewalls and a proxy server).  :-)





Re: More (more) SSH Fun (X11 forwarding)

2002-07-16 Thread Jan Niehusmann
On Sat, Jul 13, 2002 at 07:03:50PM -0500, Tom Hoover wrote:
> that it was supposed to work, I found that I needed xauth installed on
> the firewall machine, even though X is not installed on the firewall.
> Once I did an "apt-get install xbase-clients" on the firewall,
> everything started working.  Thanks for confirming that cascading is
> possible, and pointing me to the solution!

Another possible solution would be:

ssh -L 2000:remotehost:22 firewall

and then, again on the local machine:

ssh -X -p 2000 localhost
(here you may get a warning about unknown/wrong host keys, because the
daemon you are connecting to is, of course, not presenting the host key
of localhost)

This way, you have a direct ssh connection between both computers
involved in X forwarding, and the firewall doesn't need (parts of)
an X installation.

Jan





Re: More (more) SSH Fun (X11 forwarding)

2002-07-13 Thread Tom Hoover
On Sat, Jul 13, 2002 at 11:18:31PM +0200, James Nord wrote:
> Tom Hoover wrote:
> >How do I connect to the desktop computer _thru_ the firewall and use X11
> >forwarding?  Do I have to setup ssh port forwarding on the firewall?  Do
> >I have to setup some other VPN software?  Is there a howto anywhere that
> >will guide me?
> 
> You should be able to cascade the X forwarding.
> 
> Did you try,
> 
> [EMAIL PROTECTED]> ssh -X [EMAIL PROTECTED]
> [EMAIL PROTECTED]> ssh -X [EMAIL PROTECTED]

I had tried that before, and it didn't work (my problem was that since
it hadn't worked, I didn't know if it was _supposed_ to work).  To test,
I then tried:

 [EMAIL PROTECTED]> ssh -X [EMAIL PROTECTED]
 [EMAIL PROTECTED]> ssh -X [EMAIL PROTECTED]

which worked (this proved that cascading _should_ work).  Once I knew
that it was supposed to work, I found that I needed xauth installed on
the firewall machine, even though X is not installed on the firewall.
Once I did an "apt-get install xbase-clients" on the firewall,
everything started working.  Thanks for confirming that cascading is
possible, and pointing me to the solution!





Re: More (more) SSH Fun (X11 forwarding)

2002-07-13 Thread James Nord

Tom Hoover wrote:

> I have a related question.  I have no trouble using X11 forwarding from
> within my LAN, but how do I punch thru my firewall using ssh?  Here's my
> setup:
>
> a = firewall/router running potato
> b = desktop running woody
> c = laptop running woody
>
> If the laptop (c) is connected directly to my LAN (either wired or
> wireless), I can "ssh -X b" and connect to the desktop (b) computer and
> run programs under X.  If I'm at work (therefore outside the firewall),
> and want to connect to the desktop computer, I can "ssh a", and after
> logging in to the firewall I can "ssh b" and read my mail using mutt,
> but I cannot run programs under X (adding the -X switch doesn't work).
>
> How do I connect to the desktop computer _thru_ the firewall and use X11
> forwarding?  Do I have to setup ssh port forwarding on the firewall?  Do
> I have to setup some other VPN software?  Is there a howto anywhere that
> will guide me?

You should be able to cascade the X forwarding.

Did you try,

[EMAIL PROTECTED]> ssh -X [EMAIL PROTECTED]
[EMAIL PROTECTED]> ssh -X [EMAIL PROTECTED]

?

/James





More (more) SSH Fun (X11 forwarding)

2002-07-13 Thread Tom Hoover
I have a related question.  I have no trouble using X11 forwarding from
within my LAN, but how do I punch thru my firewall using ssh?  Here's my
setup:

a = firewall/router running potato
b = desktop running woody
c = laptop running woody

If the laptop (c) is connected directly to my LAN (either wired or
wireless), I can "ssh -X b" and connect to the desktop (b) computer and
run programs under X.  If I'm at work (therefore outside the firewall),
and want to connect to the desktop computer, I can "ssh a", and after
logging in to the firewall I can "ssh b" and read my mail using mutt,
but I cannot run programs under X (adding the -X switch doesn't work).

How do I connect to the desktop computer _thru_ the firewall and use X11
forwarding?  Do I have to setup ssh port forwarding on the firewall?  Do
I have to setup some other VPN software?  Is there a howto anywhere that
will guide me?

Thanks!





Re: More SSH Fun (X11 forwarding)

2002-07-08 Thread Sam Vilain
Yes, I found that.  ssh is setting DISPLAY to localhost:X, but only adding an 
xauth entry for `uname -n`/unix:X

hofmann:~$ ssh compileit 
compileit:~$ xauth list 
compileit/unix:11  MIT-MAGIC-COOKIE-1  e212a6688726a059503e0c9535289c17
compileit:~$ echo $DISPLAY
localhost:11.0
compileit:~$ xload
X11 connection rejected because of wrong authentication.
X connection to localhost:11.0 broken (explicit kill or server shutdown).
compileit:~$ xauth add localhost/unix:11 MIT-MAGIC-COOKIE-1 \
e212a6688726a059503e0c9535289c17
compileit:~$ xload
X11 connection rejected because of wrong authentication.
X connection to localhost:11.0 broken (explicit kill or server shutdown).
compileit:~$ xauth add localhost:11 MIT-MAGIC-COOKIE-1 \
e212a6688726a059503e0c9535289c17
compileit:~$ xload
compileit:~$ 

I thought it was just because the system has a non-standard localhost config 
where gethostbyname(localhost) == gethostbyname(`uname -n`) != 127.0.0.1.

Anyway, this isn't the correct forum for this discussion - I've logged a bug in 
the BTS - number 152250.

Cheers,
Sam.

On Mon, 1 Jul 2002 13:24:34 -0700
Anne Carasik <[EMAIL PROTECTED]> wrote:

> Hi all,
> 
> I'm having really weird problem with X11 forwarding and two 
> Debian boxes. 
> 
> I can login with OpenSSH and scp and everything else no
> problem.
> 
> However, when I try to launch an xterm, I get either:
> can't open DISPLAY
> 
> Or the display is set to server:10.0.
> 
> I don't have this problem SSH'ing into any RH boxes.
> 
> The version I'm running on both the client and server is:
> OpenSSH_3.4p1 Debian 1:3.4p1-2, SSH protocols 1.5/2.0, OpenSSL 0x0090604f
> 
> Let me know if you have any ideas. Running the client and server in both
> verbose and debugging modes provides me with nothing useful :(
> 
> -Anne
> -- 
>   .-"".__."``".   Anne Carasik, System Administrator
>  .-.--. _...' (/)   (/)   ``'   gator at cacr dot caltech dot edu 
> (O/ O) \-'  ` -="""=.',  Center for Advanced Computing Research
> ~`~~
> 
> 


--
   Sam Vilain, [EMAIL PROTECTED]       Easyspace:  an accredited ICANN
GPG: http://sam.vilain.net/sam.asc    registrar & web hosting company
 7D74 2A09 B2D3 C30F F78E             Have your domain run by techies
 278A A425 30A9 05B5 2F13             with a clue.  www.easyspace.com

 "Acid is not for every brain - only the healthy, happy, wholesome,
  handsome, hopeful, humorous, high-velocity should seek these
  experiences. This elitism is totally self-determined.
 "Unless you are self-confident, self-directed, self-selected, please
  abstain."
 - Dr. Timothy Leary, Pd.D.





Re: More SSH Fun (X11 forwarding)

2002-07-02 Thread Loren Jordan
I had this problem as well, but didn't need it bad enough until I started 
reading this thread and decided to look into it more.


1: make sure /etc/ssh/sshd_config has Xforwarding enabled "yes"
2: make sure you have "xbase-clients" installed, it contains the xauth program.
3: run ssh with "-X" on the command line or edit ssh_config to always turn 
on X forwarding.


This worked for me between 2 woody boxes. One is a server with no need for 
X on its console so I didn't have the xbase-clients package installed and 
didn't see the problem until running "ssh -v -X" and reading the output...


Hope this helps,
Loren

At 07:58 PM 7/1/2002 -0400, Dossy wrote:

On 2002.07.01, Vineet Kumar <[EMAIL PROTECTED]> wrote:
> So anyway, here's a basic rundown of things to double-check:
>
> the server has "X11Forwarding yes" in its config (and that config has
> been loaded, i.e. the server has been restarted since the change).

Be specific:  On the server, look at /etc/ssh/sshd_config ...

> the client has X11Forwarding yes in its config, in the right place (i.e.
> after where it says "Host *", and no later declarations override and
> disable it.)

Again, specific:  On the client, look at /etc/ssh/ssh_config ...
and, on the client's ssh_config, it's "ForwardX11" not "X11Forwarding".

Here's a quick way to test:

$ grep -i X11 /etc/ssh/ssh_config /etc/ssh/sshd_config

If you want to filter out any lines that are entirely
commented out:

$ grep -i X11 /etc/ssh/ssh_config /etc/ssh/sshd_config \
| sed -e 's/#.*//' | egrep -v ':$'

On my system, from this second command, I only get:

/etc/ssh/sshd_config:X11Forwarding yes
/etc/ssh/sshd_config:X11DisplayOffset 10


> you're not connecting with a key which is restricted with a
> no-X11-forwarding directive in the options section of the
> authorized_keys.

Good thing to check, but certainly implies more SSH kung-fu
than the average user.

> DISPLAY is set on the client, and displaying of local X apps works
> before ever attempting a connect to the remote server. This means that
> the local xauth cookie is valid and authorized to connect to the local
> X server.

This is the analog to the standard helpdesk first question of
"is it plugged in?"  Sometimes we forget to ask this one ...

> xauth is found at /usr/bin/X11/xauth, or the correct location is
> specified correctly with an XAuthLocation directive in the remote
> sshd's sshd_config, and the connecting user has correct (+rx)
> permissions on it.

Another good point.

> I'm about to review the thread one more time to see if you've posted any
> "ssh -v" or "sshd -d" outputs that may provide additional insight. If it
> continues to fail, those may be useful for us to diagnose the problem.

I just did this.  The thread starts here:

http://lists.debian.org/debian-security/2002/debian-security-200207/msg00017.html

I found no such output.

-- Dossy

--
Dossy Shiobara   mail: [EMAIL PROTECTED]
Panoptic Computer Network web: http://www.panoptic.com/
  "He realized the fastest way to change is to laugh at your own
folly -- then you can let go and quickly move on." (p. 70)





Re: More SSH Fun (X11 forwarding)

2002-07-02 Thread Michael Eyrich
On Mon, Jul 01, 2002 at 04:32:59PM -0700, Anne Carasik wrote:
| Hi Vineet,
| 
| It doesn't matter--it still does not work no matter what I do
| to my X server.

is your local routing working? i.e., can you ping localhost and
$(hostname)?





-- 
Michael Eyrich    Technische Universität Berlin





Re: More SSH Fun (X11 forwarding)

2002-07-02 Thread Ivan Brezina


> Hi all,
>
> I'm having really weird problem with X11 forwarding and two
> Debian boxes.
>
> I can login with OpenSSH and scp and everything else no
> problem.
>
> However, when I try to launch an xterm, I get either:
> can't open DISPLAY
>
> Or the display is set to server:10.0.
>

If DISPLAY=server:10.0, it means it is correct.
But it may be that xterm cannot resolve the name "server".
Try "ping server". Maybe you have to modify /etc/hosts.

Ivan Brezina





Re: More SSH Fun (X11 forwarding)

2002-07-01 Thread Dossy
On 2002.07.01, Vineet Kumar <[EMAIL PROTECTED]> wrote:
> So anyway, here's a basic rundown of things to double-check:
> 
> the server has "X11Forwarding yes" in its config (and that config has
> been loaded, i.e. the server has been restarted since the change).

Be specific:  On the server, look at /etc/ssh/sshd_config ...

> the client has X11Forwarding yes in its config, in the right place (i.e.
> after where it says "Host *", and no later declarations override and
> disable it.)

Again, specific:  On the client, look at /etc/ssh/ssh_config ...
and, on the client's ssh_config, it's "ForwardX11" not "X11Forwarding".

Here's a quick way to test:

$ grep -i X11 /etc/ssh/ssh_config /etc/ssh/sshd_config

If you want to filter out any lines that are entirely
commented out:

$ grep -i X11 /etc/ssh/ssh_config /etc/ssh/sshd_config \
| sed -e 's/#.*//' | egrep -v ':$'

On my system, from this second command, I only get:

/etc/ssh/sshd_config:X11Forwarding yes
/etc/ssh/sshd_config:X11DisplayOffset 10


> you're not connecting with a key which is restricted with a
> no-X11-forwarding directive in the options section of the
> authorized_keys.

Good thing to check, but certainly implies more SSH kung-fu
than the average user.

> DISPLAY is set on the client, and displaying of local X apps works
> before ever attempting a connect to the remote server. This means that
> the local xauth cookie is valid and authorized to connect to the local
> X server.

This is the analog to the standard helpdesk first question of
"is it plugged in?"  Sometimes we forget to ask this one ...

> xauth is found at /usr/bin/X11/xauth, or the correct location is
> specified correctly with an XAuthLocation directive in the remote
> sshd's sshd_config, and the connecting user has correct (+rx)
> permissions on it.

Another good point.

> I'm about to review the thread one more time to see if you've posted any
> "ssh -v" or "sshd -d" outputs that may provide additional insight. If it
> continues to fail, those may be useful for us to diagnose the problem.

I just did this.  The thread starts here:

http://lists.debian.org/debian-security/2002/debian-security-200207/msg00017.html

I found no such output.

-- Dossy

-- 
Dossy Shiobara   mail: [EMAIL PROTECTED] 
Panoptic Computer Network web: http://www.panoptic.com/ 
  "He realized the fastest way to change is to laugh at your own
folly -- then you can let go and quickly move on." (p. 70)
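
Added example (not part of the thread, and not OpenSSH's own tooling): the checklist and grep from the message above as a script that reports which value takes effect instead of every line that mentions X11. It relies on OpenSSH using the first value obtained for a keyword; the function names, the sample files and the host names in them are constructed, and /usr/bin/X11/xauth is the path given in the thread.

```shell
#!/bin/sh
# Added example, not from the thread. Function names and sample files are constructed.

# first_value FILE KEYWORD DEFAULT [HOST]
# Prints the value OpenSSH would use for KEYWORD: the FIRST uncommented
# occurrence that applies, else DEFAULT. A "Host" section applies only if one
# of its patterns matches HOST; "Match" sections are skipped, not evaluated.
first_value() (
    file=$1; default=$3; host=${4:-}
    want=$(printf '%s' "$2" | tr '[:upper:]' '[:lower:]')
    active=1                              # lines before any Host/Match are global
    while IFS= read -r line || [ -n "$line" ]; do
        line=${line%%#*}                  # drop comments, like the sed in the post
        set -f                            # stop "Host *" expanding to filenames
        set -- $(printf '%s' "$line" | tr '="' '  ')
        set +f
        [ $# -ge 1 ] || continue
        key=$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]'); shift
        case $key in
            host)
                active=0
                for pat in "$@"; do
                    case $pat in
                        '!'*) case $host in ${pat#?}) active=0; break ;; esac ;;
                        *)    case $host in $pat) active=1 ;; esac ;;
                    esac
                done ;;
            match) active=0 ;;
            "$want")
                if [ "$active" = 1 ]; then printf '%s' "${1:-}"; exit 0; fi ;;
        esac
    done < "$file"
    printf '%s' "$default"
)

# keys_blocking_x11 AUTHORIZED_KEYS -> number of keys carrying no-X11-forwarding
keys_blocking_x11() {
    awk '!/^[ \t]*#/ && tolower($0) ~ /no-x11-forwarding/ { n++ }
         END { print n + 0 }' "$1"
}

# x11_audit SSHD_CONFIG SSH_CONFIG HOST AUTHORIZED_KEYS
# Prints one line per checklist item, then "problems=N".
x11_audit() (
    sshd=$1; ssh=$2; host=$3; keys=$4; bad=0
    check() {                             # check LABEL ACTUAL WANTED
        if [ "$2" = "$3" ]; then echo "ok     $1 = $2"
        else echo "CHECK  $1 = $2 (want $3)"; bad=$((bad + 1)); fi
    }
    check "sshd X11Forwarding"   "$(first_value "$sshd" X11Forwarding no)"    yes
    check "sshd UseLogin"        "$(first_value "$sshd" UseLogin no)"         no
    check "sshd X11UseLocalhost" "$(first_value "$sshd" X11UseLocalhost yes)" yes
    check "ssh ForwardX11 ($host)" "$(first_value "$ssh" ForwardX11 no "$host")" yes
    check "keys with no-X11-forwarding" "$(keys_blocking_x11 "$keys")" 0
    xauth=$(first_value "$sshd" XAuthLocation /usr/bin/X11/xauth)
    check "xauth executable ($xauth)" "$([ -x "$xauth" ] && echo yes || echo no)" yes
    echo "problems=$bad"
)

# make_samples DIR: write constructed sample files for the demo below
make_samples() {
    cat > "$1/sshd_config" <<'EOF'
#X11Forwarding yes
X11Forwarding no
X11DisplayOffset 10
X11Forwarding yes
EOF
    cat > "$1/ssh_config" <<'EOF'
Host build-* !build-gui
    ForwardX11 no
Host *
    ForwardX11 = yes
EOF
    cat > "$1/authorized_keys" <<'EOF'
# constructed entries, key material elided
no-X11-forwarding,no-pty ssh-rsa AAAA...elided laptop
ssh-rsa AAAA...elided desktop
EOF
}

# Demo on the constructed files: the plain grep would show "X11Forwarding yes"
# too, but the earlier "X11Forwarding no" is the line that takes effect.
demo_dir=$(mktemp -d)
make_samples "$demo_dir"
x11_audit "$demo_dir/sshd_config" "$demo_dir/ssh_config" desktop \
          "$demo_dir/authorized_keys"
rm -rf "$demo_dir"
```

Run the sshd_config, authorized_keys and xauth checks on the server and the ssh_config check on the client; a -X on the ssh command line overrides ForwardX11 from the files.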





Re: More SSH Fun (X11 forwarding)

2002-07-01 Thread Vineet Kumar
* Vineet Kumar ([EMAIL PROTECTED]) [020701 16:51]:
> So anyway, here's a basic rundown of things to double-check:

Add to this list that "UseLogin" is set to no (its default) and
X11UseLocalhost is set to yes (its default) on the server.

> I'm about to review the thread one more time to see if you've posted any
> "ssh -v" or "sshd -d" outputs that may provide additional insight. If it
> continues to fail, those may be useful for us to diagnose the problem.

I didn't find any such output posted. I'd recommend trying to start the
server with -d and running the client with -v to see if there's an error
message that can help you figure out what the problem is. If you can't
tell by looking at the output yourself, post them here and we'll have a
look.

good times,
Vineet
-- 
http://www.doorstop.net/
-- 
"Computer Science is no more about computers
than astronomy is about telescopes." -E.W. Dijkstra




Re: More SSH Fun (X11 forwarding)

2002-07-01 Thread Jeremy Drake
I have tried it with woody-woody, and I got no X forwarding.  Looking at 
/etc/ssh/sshd_config, X11Forwarding no was there.  After changing 
X11Forwarding yes and restarting /etc/init.d/ssh restart, and 
reconnecting, worked fine...

 -- 
"It's a summons."
"What's a summons?"
"It means summon's in trouble."
-- Rocky and Bullwinkle





Re: More SSH Fun (X11 forwarding)

2002-07-01 Thread Vineet Kumar
* Anne Carasik ([EMAIL PROTECTED]) [020701 16:34]:
> Hi Vineet,
> 
> It doesn't matter--it still does not work no matter what I do
> to my X server.
> 
> Anyway, I turned off xhost and X11 listening a while ago.

Right. My point was that this is a way /around/ ssh forwarding. It won't
make it any easier to get ssh forwarding working, and can only confuse
the issue. Glad you've moved on from it.

So anyway, here's a basic rundown of things to double-check:

the server has "X11Forwarding yes" in its config (and that config has
been loaded, i.e. the server has been restarted since the change).

the client has X11Forwarding yes in its config, in the right place (i.e.
after where it says "Host *", and no later declarations override and
disable it.)

you're not connecting with a key which is restricted with a
no-X11-forwarding directive in the options section of the
authorized_keys.

DISPLAY is set on the client, and displaying of local X apps works
before ever attempting a connect to the remote server. This means that
the local xauth cookie is valid and authorized to connect to the local
X server.

xauth is found at /usr/bin/X11/xauth, or the correct location is
specified correctly with an XAuthLocation directive in the remote
sshd's sshd_config, and the connecting user has correct (+rx)
permissions on it.

That's all I can come up with off the top of my head right now.  I know
you did say that you've done some of the things mentioned above, but if
it's still failing, it's a good idea to double-check that all of those
above conditions are met. Sometimes when changing lots of things around
in desperation, we forget to change something back.

I'm about to review the thread one more time to see if you've posted any
"ssh -v" or "sshd -d" outputs that may provide additional insight. If it
continues to fail, those may be useful for us to diagnose the problem.

good times,
Vineet
-- 
http://www.doorstop.net/
-- 
"Computer Science is no more about computers
than astronomy is about telescopes." -E.W. Dijkstra




Re: More SSH Fun (X11 forwarding)

2002-07-01 Thread Dossy
On 2002.07.01, Anne Carasik <[EMAIL PROTECTED]> wrote:
> I need to know what DOES work, or if this is a bug.
> 
> How did you get X11 working on Debian running OpenSSH 3.4p1? Did it
> just magically work for you? Did you have to set something?

Anne,

I've only been glancing at this thread but -- did you post your
sshd_config and ssh_config and the command line you were using?

In a previous post, you said:

> So, if I force X11 with the -X (even though my ssh_config on
> the client is set to X11Forwarding yes), I get this:
> 
> So, it looks like I have to have X11UseLocalhost set to no,
> but I still can't open the X11.

(See 
http://lists.debian.org/debian-security/2002/debian-security-200207/msg00020.html
 for the whole message.)

Noah replied in message debian-security-200207/msg00022.html saying:

> Get what?

To which you replied:

> Uh, the output that I included.

You included NO output.  Was that your point?

Can you include the output from the SSH client with the
command line parameters "-v -X"?  Include the entire
output ... 

Also, can you give us the output of "echo $DISPLAY" on
the client _before_ you kick off the SSH, as well as
"echo $DISPLAY" once you've SSH'ed in (from the shell
running on the server)?

-- Dossy

-- 
Dossy Shiobara   mail: [EMAIL PROTECTED] 
Panoptic Computer Network web: http://www.panoptic.com/ 
  "He realized the fastest way to change is to laugh at your own
folly -- then you can let go and quickly move on." (p. 70)





Re: More SSH Fun (X11 forwarding)

2002-07-01 Thread Jeremy Drake
Sorry for no context, I just deleted the message before I decided to 
reply...

Using ssh from debian woody to debian sid...  This is the first time I 
even tried to do X11 forwarding, so I didn't change anything for it...  
BTW, client is i586 laptop, server is parisc(hppa) workstation.  I don't 
have a woody ssh server with x at the moment.  I am in the process of 
doing an install.

[EMAIL PROTECTED]:~$ ssh -V
OpenSSH_3.4p1 Debian 1:3.4p1-0.0woody1, SSH protocols 1.5/2.0, OpenSSL 
0x0090603f
[EMAIL PROTECTED]:~$ ssh -X [ip deleted]
Linux krakatoa 2.4.18-pa45 #2 Sun Jun 30 14:41:49 PDT 2002 parisc unknown

Most of the programs included with the Debian GNU/Linux system are
freely redistributable; the exact distribution terms for each program
are described in the individual files in /usr/share/doc/*/copyright

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
No mail.
Last login: Mon Jul  1 16:41:57 2002 from [address deleted]
[EMAIL PROTECTED] jeremyd]$ xterm
[xterm opens on local display]
[EMAIL PROTECTED] jeremyd]$ ssh -V
OpenSSH_3.4p1 Debian 1:3.4p1-2, SSH protocols 1.5/2.0, OpenSSL 0x0090604f


-- 
It's easier to take it apart than to put it back together.
-- Washlesky





Re: More SSH Fun (X11 forwarding)

2002-07-01 Thread David Caplan
Ok... it was just a suggestion to find out the source of
the problem :)

I wasn't sure if ssh depended on xauth/host or not.
I guess it doesn't.

-David


> 
> nonono! don't set your x server to listen for tcp and don't use xhost.
> 
> That is the Wrong Way. The whole idea of using ssh's x forwarding is to
> avoid sending your X session (including all your keystrokes) across the
> wire in the clear. (It's also rather convenient, once it's set up right,
> to locally-display remote apps, but demonstrated difficulties in getting
> it set up negate any convenience argument in this case, I think!)
> 
> For review:
> 
> http://www.google.com/search?q=never+xhost&btnI=I
> 
> good times,
> Vineet

-+-
 // <[EMAIL PROTECTED]> //  
gpg fingerprint:: A439 6991 01CD 18F8 BF17  4E3E 7197 B014 014D 64C1  





Re: More SSH Fun (X11 forwarding)

2002-07-01 Thread Anne Carasik
Hi Vineet, 

I appreciate the help, but I know that setting the DISPLAY doesn't work
either. 

I need to know what DOES work, or if this is a bug.

How did you get X11 working on Debian running OpenSSH 3.4p1? Did it
just magically work for you? Did you have to set something?

-Anne

This one time, Vineet Kumar wrote:
> No, that's not right, either. If you have DISPLAY set in the environment
> of the ssh client when it connects, and the remote sshd and local ssh
> are instructed to allow it, ssh forwarding takes place. It gets set up
> by creating a virtual X server on the remote machine and setting DISPLAY
> there to that (something like remote:10.0). X clients run remotely
> connect to that virtual X server, which simply acts as a sort of proxy
> to send the X data through the ssh tunnel to the X server on the local
> machine.
> 
> So DISPLAY won't be set to the local ssh client machine. If it is, the X
> clients will be sending their data straight to the local client over the
> network, in the clear! (If the local X server is set to listen for it,
> which it shouldn't be, and isn't by default on recent debian systems.)
> 
> Once it's working, you shouldn't have to touch DISPLAY. (Except possibly
> to make sure it's set to the right thing on the LOCAL side, before the
> connection is ever attempted. That should only happen if your
> environment is whacked for some other reason, though.)
> 
> good times,
> Vineet
> -- 
> http://www.doorstop.net/
> -- 
> "Computer Science is no more about computers
> than astronomy is about telescopes." -E.W. Dijkstra



-- 
  .-"".__."``".   Anne Carasik, System Administrator
 .-.--. _...' (/)   (/)   ``'   gator at cacr dot caltech dot edu 
(O/ O) \-'  ` -="""=.',  Center for Advanced Computing Research
~`~~





Re: More SSH Fun (X11 forwarding)

2002-07-01 Thread Vineet Kumar
* Ashish Gulhati ([EMAIL PROTECTED]) [020701 16:17]:
> 
> > Okay, having X11 listening for TCP connections with xhost +
> > enabled didn't help.
> > 
> > I'm open to other suggestions. :)
> 
> Having X listening on the remote host isn't necessary for X11
> forwarding, nor is it necessary to do xhost +
> 
> Just use -X and make sure the host mentioned in the DISPLAY variable
> in the remote shell does resolve to the host you're ssh-ing from. Or
> change DISPLAY to use the IP address instead.

No, that's not right, either. If you have DISPLAY set in the environment
of the ssh client when it connects, and the remote sshd and local ssh
are instructed to allow it, ssh forwarding takes place. It gets set up
by creating a virtual X server on the remote machine and setting DISPLAY
there to that (something like remote:10.0). X clients run remotely
connect to that virtual X server, which simply acts as a sort of proxy
to send the X data through the ssh tunnel to the X server on the local
machine.

So DISPLAY won't be set to the local ssh client machine. If it is, the X
clients will be sending their data straight to the local client over the
network, in the clear! (If the local X server is set to listen for it,
which it shouldn't be, and isn't by default on recent debian systems.)

Once it's working, you shouldn't have to touch DISPLAY. (Except possibly
to make sure it's set to the right thing on the LOCAL side, before the
connection is ever attempted. That should only happen if your
environment is whacked for some other reason, though.)

good times,
Vineet
-- 
http://www.doorstop.net/
-- 
"Computer Science is no more about computers
than astronomy is about telescopes." -E.W. Dijkstra




Re: More SSH Fun (X11 forwarding)

2002-07-01 Thread Anne Carasik
Hi Vineet,

It doesn't matter--it still does not work no matter what I do
to my X server.

Anyway, I turned off xhost and X11 listening a while ago.

-Anne

This one time, Vineet Kumar wrote:
> * Anne Carasik ([EMAIL PROTECTED]) [020701 16:01]:
> > This one time, David Caplan wrote:
> > > Hi, I'm not exactly sure what you are trying to do, maybe this will
> > > help :)
> > > does it matter if you authorize the other computer with xhost?
> > > or just a `xhost +` ?
> > 
> > Nope, that didn't help. It may be because X11 isn't listening on
> > port 6000, but I really didn't think that would affect X11 forwarding.
> > 
> > Guess it does.  I'll try and set my X11 to listen, and if that fixes
> > it, it goes in the FAQ :)
> 
> nonono! don't set your x server to listen for tcp and don't use xhost.
> 
> That is the Wrong Way. The whole idea of using ssh's x forwarding is to
> avoid sending your X session (including all your keystrokes) across the
> wire in the clear. (It's also rather convenient, once it's set up right,
> to locally-display remote apps, but demonstrated difficulties in getting
> it set up negate any convenience argument in this case, I think!)
> 
> For review:
> 
> http://www.google.com/search?q=never+xhost&btnI=I
> 
> good times,
> Vineet
> -- 
> http://www.doorstop.net/
> -- 
> "Computer Science is no more about computers
> than astronomy is about telescopes." -E.W. Dijkstra



-- 
  .-"".__."``".   Anne Carasik, System Administrator
 .-.--. _...' (/)   (/)   ``'   gator at cacr dot caltech dot edu 
(O/ O) \-'  ` -="""=.',  Center for Advanced Computing Research
~`~~





Re: More SSH Fun (X11 forwarding)

2002-07-01 Thread Vineet Kumar
* Anne Carasik ([EMAIL PROTECTED]) [020701 16:01]:
> This one time, David Caplan wrote:
> > Hi, I'm not exactly sure what you are trying to do, maybe this will
> > help :)
> > does it matter if you authorize the other computer with xhost?
> > or just a `xhost +` ?
> 
> Nope, that didn't help. It may be because X11 isn't listening on
> port 6000, but I really didn't think that would affect X11 forwarding.
> 
> Guess it does.  I'll try and set my X11 to listen, and if that fixes
> it, it goes in the FAQ :)

nonono! don't set your x server to listen for tcp and don't use xhost.

That is the Wrong Way. The whole idea of using ssh's x forwarding is to
avoid sending your X session (including all your keystrokes) across the
wire in the clear. (It's also rather convenient, once it's set up right,
to locally-display remote apps, but demonstrated difficulties in getting
it set up negate any convenience argument in this case, I think!)

For review:

http://www.google.com/search?q=never+xhost&btnI=I

good times,
Vineet
-- 
http://www.doorstop.net/
-- 
"Computer Science is no more about computers
than astronomy is about telescopes." -E.W. Dijkstra




Re: More SSH Fun (X11 forwarding)

2002-07-01 Thread Ashish Gulhati

> Okay, having X11 listening for TCP connections with xhost +
> enabled didn't help.
> 
> I'm open to other suggestions. :)

Having X listening on the remote host isn't necessary for X11
forwarding, nor is it necessary to do xhost +

Just use -X and make sure the host mentioned in the DISPLAY variable
in the remote shell does resolve to the host you're ssh-ing from. Or
change DISPLAY to use the IP address instead.

Regards

#!





Re: More SSH Fun (X11 forwarding)

2002-07-01 Thread Anne Carasik
Okay, having X11 listening for TCP connections with xhost +
enabled didn't help.

I'm open to other suggestions. :)

-Anne

This one time, Anne Carasik wrote:
> Hi David, 
> 
> Nope, that didn't help. It may be because X11 isn't listening on
> port 6000, but I really didn't think that would affect X11 forwarding.
> 
> Guess it does.  I'll try and set my X11 to listen, and if that fixes
> it, it goes in the FAQ :)
> 
> -Anne
> 
> This one time, David Caplan wrote:
> > Hi, I'm not exactly sure what you are trying to do, maybe this will
> > help :)
> > does it matter if you authorize the other computer with xhost?
> > or just a `xhost +` ?
> > 
> >- David
> > 
> > 
> > > 
> > > So, if I force X11 with the -X (even though my ssh_config on
> > > the client is set to X11Forwarding yes), I get the same as if
> > > I don't run ssh with the -X option.
> > > 
> > > -Anne
> > 
> > 
> > -+-
> >  // <[EMAIL PROTECTED]> //  
> > gpg fingerprint:: A439 6991 01CD 18F8 BF17  4E3E 7197 B014 014D 64C1
> >   
> > 
> > 
> > -- 
> > To UNSUBSCRIBE, email to [EMAIL PROTECTED]
> > with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]
> > 
> 
> -- 
>   .-"".__."``".   Anne Carasik, System Administrator
>  .-.--. _...' (/)   (/)   ``'   gator at cacr dot caltech dot edu 
> (O/ O) \-'  ` -="""=.',  Center for Advanced Computing Research
> ~`~~
> 



-- 
  .-"".__."``".   Anne Carasik, System Administrator
 .-.--. _...' (/)   (/)   ``'   gator at cacr dot caltech dot edu 
(O/ O) \-'  ` -="""=.',  Center for Advanced Computing Research
~`~~





Re: More SSH Fun (X11 forwarding)

2002-07-01 Thread Anne Carasik
Hi David, 

Nope, that didn't help. It may be because X11 isn't listening on
port 6000, but I really didn't think that would affect X11 forwarding.

Guess it does.  I'll try and set my X11 to listen, and if that fixes
it, it goes in the FAQ :)

-Anne

This one time, David Caplan wrote:
> Hi, I'm not exactly sure what you are trying to do, maybe this will
> help :)
> does it matter if you authorize the other computer with xhost?
> or just a `xhost +` ?
> 
>- David
> 
> 
> > 
> > So, if I force X11 with the -X (even though my ssh_config on
> > the client is set to X11Forwarding yes), I get the same as if
> > I don't run ssh with the -X option.
> > 
> > -Anne
> 
> 
> -+-
>  // <[EMAIL PROTECTED]> //  
> gpg fingerprint:: A439 6991 01CD 18F8 BF17  4E3E 7197 B014 014D 64C1
> 
> 
> -- 
> To UNSUBSCRIBE, email to [EMAIL PROTECTED]
> with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]
> 

-- 
  .-"".__."``".   Anne Carasik, System Administrator
 .-.--. _...' (/)   (/)   ``'   gator at cacr dot caltech dot edu 
(O/ O) \-'  ` -="""=.',  Center for Advanced Computing Research
~`~~





Re: More SSH Fun (X11 forwarding)

2002-07-01 Thread David Caplan
Hi, I'm not exactly sure what you are trying to do, maybe this will
help :)
does it matter if you authorize the other computer with xhost?
or just a `xhost +` ?

   - David


> 
> So, if I force X11 with the -X (even though my ssh_config on
> the client is set to X11Forwarding yes), I get the same as if
> I don't run ssh with the -X option.
> 
> -Anne


-+-
 // <[EMAIL PROTECTED]> //  
gpg fingerprint:: A439 6991 01CD 18F8 BF17  4E3E 7197 B014 014D 64C1  





Re: More SSH Fun (X11 forwarding)

2002-07-01 Thread Anne Carasik
Clarifying myself.. sorry :)

So, if I force X11 with the -X (even though my ssh_config on
the client is set to X11Forwarding yes), I get the same as if
I don't run ssh with the -X option.

-Anne
-- 
  .-"".__."``".   Anne Carasik, System Administrator
 .-.--. _...' (/)   (/)   ``'   gator at cacr dot caltech dot edu 
(O/ O) \-'  ` -="""=.',  Center for Advanced Computing Research
~`~~





Re: More SSH Fun (X11 forwarding)

2002-07-01 Thread Anne Carasik
This one time, Norbert Preining wrote:
> > It doesn't matter about the sshd_config, only the ssh_config on the
> It DEFINITELY matters what is in the sshd_config on the server. The server
> makes the primary dictate on what is allowed and what is forbidden.

Well, yeah.. but you said to check the ssh_config on the client and
the server... not just the server.

Anyway, let me know if you have any ideas.

-Anne
-- 
  .-"".__."``".   Anne Carasik, System Administrator
 .-.--. _...' (/)   (/)   ``'   gator at cacr dot caltech dot edu 
(O/ O) \-'  ` -="""=.',  Center for Advanced Computing Research
~`~~





Re: More SSH Fun (X11 forwarding)

2002-07-01 Thread Norbert Preining
> It doesn't matter about the sshd_config, only the ssh_config on the

It DEFINITELY matters what is in the sshd_config on the server. The server
makes the primary dictate on what is allowed and what is forbidden.

Best wishes

Norbert

---
Norbert Preining  Technische Universität Wien
gpg DSA: 0x09C5B094  fp: 14DF 2E6C 0307 BE6D AD76  A9C0 D2BF 4AA3 09C5 B094
---
DULEEK (n.)

Sudden realisation, as you lie in bed waiting for the alarm to go off,
that it should have gone off an hour ago.

--- Douglas Adams, The Meaning of Liff 





Re: More SSH Fun (X11 forwarding)

2002-07-01 Thread Anne Carasik
This one time, Noah L. Meyerhans wrote:
> On Mon, Jul 01, 2002 at 01:48:31PM -0700, Anne Carasik wrote:
> > So, if I force X11 with the -X (even though my ssh_config on
> > the client is set to X11Forwarding yes), I get this:
> Get what?

Uh, the output that I included.

> You don't have UseLogin set in sshd_config, do you?

No.

-Anne
-- 
  .-"".__."``".   Anne Carasik, System Administrator
 .-.--. _...' (/)   (/)   ``'   gator at cacr dot caltech dot edu 
(O/ O) \-'  ` -="""=.',  Center for Advanced Computing Research
~`~~





Re: More SSH Fun (X11 forwarding)

2002-07-01 Thread Noah L. Meyerhans
On Mon, Jul 01, 2002 at 01:48:31PM -0700, Anne Carasik wrote:
> So, if I force X11 with the -X (even though my ssh_config on
> the client is set to X11Forwarding yes), I get this:
> 

Get what?

You don't have UseLogin set in sshd_config, do you?

noah

-- 
 ___
| Web: http://web.morgul.net/~frodo/
| PGP Public Key: http://web.morgul.net/~frodo/mail.html 




Re: More SSH Fun (X11 forwarding)

2002-07-01 Thread Anne Carasik
This one time, Norbert Preining wrote:
> On Mon, 01 Jul 2002, Anne Carasik wrote:
> > Let me know if you have any ideas. Running the client and server in both
> > verbose and debugging modes provides me with nothing useful :(
> Did you set 
>   X11Forwarding yes
> in both sshd_config on server and ssh_config (.ssh/config) on client?

It doesn't matter about the sshd_config, only the ssh_config on the
client. Anyway, they are both set to 

 X11Forwarding yes

The only other changes I've made are the following:

If I set X11UseLocalhost to yes on the server, I get this:

 server:/home/gator- xterm
 xterm Xt error: Can't open display: 

 server:/home/gator- echo $DISPLAY
 DISPLAY: Undefined variable.
 
If I set X11UseLocalhost to no, I get this:

 server:/home/gator- xterm
 xterm Xt error: Can't open display: 

 server:/home/gator- xterm
 xterm Xt error: Can't open display: server:10.0

So, if I force X11 with the -X (even though my ssh_config on
the client is set to X11Forwarding yes), I get this:

So, it looks like I have to have X11UseLocalhost set to no,
but I still can't open the X11.

Any ideas? Also, I did HUP the server between changes. :)

-Anne
-- 
  .-"".__."``".   Anne Carasik, System Administrator
 .-.--. _...' (/)   (/)   ``'   gator at cacr dot caltech dot edu 
(O/ O) \-'  ` -="""=.',  Center for Advanced Computing Research
~`~~
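
The server-side settings raised in this thread (X11Forwarding, X11UseLocalhost, UseLogin) and the DISPLAY values reported can be checked with a short script. This is an added example, not part of any post in the thread; the function names and the sample config are constructed, and the defaults used are the ones documented in sshd_config(5).

```shell
#!/usr/bin/env bash
# Added example (not from the thread): audit the sshd X11 settings named above.

# Effective global value of an sshd_config keyword: sshd keeps the first value
# it reads, keywords are case-insensitive, and Match blocks are not evaluated.
sshd_value() {  # usage: sshd_value KEYWORD DEFAULT FILE
  awk -v key="$(printf '%s' "$1" | tr 'A-Z' 'a-z')" -v dflt="$2" '
    /^[ \t]*#/ { next }
    tolower($1) == "match" { exit }
    tolower($1) == key { print tolower($2); found = 1; exit }
    END { if (!found) print dflt }' "$3"
}

# Report whether sshd would create a proxy display, and where it would bind it.
audit_sshd_x11() {  # usage: audit_sshd_x11 FILE
  if [ "$(sshd_value X11Forwarding no "$1")" != yes ]; then
    echo "FAIL: X11Forwarding is not 'yes', so sshd never sets DISPLAY"
    return 1
  fi
  if [ "$(sshd_value UseLogin no "$1")" = yes ]; then
    echo "FAIL: UseLogin yes disables X11 forwarding (older OpenSSH releases)"
    return 1
  fi
  if [ "$(sshd_value X11UseLocalhost yes "$1")" = yes ]; then
    echo "OK: proxy display bound to loopback, DISPLAY=localhost:N.0"
  else
    echo "WARN: proxy display bound to the wildcard address, DISPLAY=host:N.0"
  fi
}

# Classify a DISPLAY value. Display numbers >= 10 are treated as ssh proxy
# displays because X11DisplayOffset defaults to 10 (a heuristic, not proof).
classify_display() {  # usage: classify_display "$DISPLAY"
  [ -n "$1" ] || { echo unset; return; }
  d_host=${1%:*}; d_num=${1##*:}; d_num=${d_num%%.*}
  case $d_num in ''|*[!0-9]*) echo invalid; return ;; esac
  if [ -z "$d_host" ] || [ "$d_host" = unix ]; then echo local-socket
  elif [ "$d_num" -lt 10 ]; then echo direct-tcp  # cleartext X11 over TCP
  elif [ "$d_host" = localhost ]; then echo ssh-proxy-loopback
  else echo ssh-proxy-wildcard; fi
}

# Constructed sample resembling the server settings described in the thread.
sample_config() {
  printf '%s\n' '# constructed sample' 'X11Forwarding yes' 'x11uselocalhost no'
}
```

Run `audit_sshd_x11 /etc/ssh/sshd_config` on the server and `classify_display "$DISPLAY"` inside the ssh session; a `direct-tcp` result means X traffic would bypass the ssh tunnel.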





Re: More SSH Fun (X11 forwarding)

2002-07-01 Thread Norbert Preining
On Mon, 01 Jul 2002, Anne Carasik wrote:
> Let me know if you have any ideas. Running the client and server in both
> verbose and debugging modes provides me with nothing useful :(

Did you set 
X11Forwarding yes
in both sshd_config on server and ssh_config (.ssh/config) on client?

Best wishes

Norbert

---
Norbert Preining  Technische Universität Wien
gpg DSA: 0x09C5B094  fp: 14DF 2E6C 0307 BE6D AD76  A9C0 D2BF 4AA3 09C5 B094
---
EDGBASTON (n.)

The spare seat-cushion carried by a London bus, which is placed
against the rear bumper when the driver wishes to indicate that the
bus has broken down. No one knows how this charming old custom
originated or how long it will continue.





Re: More SSH Fun (X11 forwarding)

2002-07-01 Thread Noah L. Meyerhans
On Mon, Jul 01, 2002 at 01:24:34PM -0700, Anne Carasik wrote:
> However, when I try to launch an xterm, I get either:
> can't open DISPLAY

Are you explicitly asking for X11 forwarding on the client's command
line (-X)?

> Or the display is set to server:10.0.

That is normal.  That's what it should be if X11 forwarding is set up
correctly.

noah

-- 
 ___
| Web: http://web.morgul.net/~frodo/
| PGP Public Key: http://web.morgul.net/~frodo/mail.html 




More SSH Fun (X11 forwarding)

2002-07-01 Thread Anne Carasik
Hi all,

I'm having a really weird problem with X11 forwarding and two
Debian boxes.

I can login with OpenSSH and scp and everything else no
problem.

However, when I try to launch an xterm, I get either:
can't open DISPLAY

Or the display is set to server:10.0.

I don't have this problem SSH'ing into any RH boxes.

The version I'm running on both the client and server is:
OpenSSH_3.4p1 Debian 1:3.4p1-2, SSH protocols 1.5/2.0, OpenSSL 0x0090604f

Let me know if you have any ideas. Running the client and server in both
verbose and debugging modes provides me with nothing useful :(

-Anne
-- 
  .-"".__."``".   Anne Carasik, System Administrator
 .-.--. _...' (/)   (/)   ``'   gator at cacr dot caltech dot edu 
(O/ O) \-'  ` -="""=.',  Center for Advanced Computing Research
~`~~


