Re: Help setting DISPLAY to an ipmasq'd machine.

2001-06-16 Thread Eduardo Gargiulo
Andrew Perrin wrote:
> 
> Yes, you're doing it wrong.
> 
> 1.) You don't need two ssh sessions; just one, from xserver_machine to
> work_linux_box:
> ssh -C -X work_linux_box from xserver_machine
> 
> 2.) When you set the display to ipmasq_box:0.0, you're asking the remote
> host to display X apps on the main display of your ipmasq_box  - which,
> luckily, your ipmasq_box refuses to do. What you want to do is route X
> packets through your ssh tunnel. Most ssh servers set $DISPLAY
> appropriately, so before doing the export DISPLAY part, do:
> 
> echo $DISPLAY
> 
> DISPLAY should contain the name of the *remote* host, followed by a colon,
> then x.0 where x>1. Mine contains:
> 
> [EMAIL PROTECTED]:~$ ssh -X isis.unc.edu
> [EMAIL PROTECTED] ~ >echo $DISPLAY
> login2.isis.unc.edu:11.0
> 
> If you don't get that, I'm not entirely sure how to figure out which
> display will tunnel for you (the 11.0 in this case). Maybe others can help
> there.
> 
> The theory is this: you open a connection from your firewalled machine to
> your work machine. You do this in a secure way, using ssh, that is
> permitted by both firewalls. You then use this secure channel to funnel X
> packets through. X client apps on your work box "display" to a dummy
> server on the same machine, so far as they know. That dummy server,
> though, catches the packets and sends them over the pre-existing ssh
> tunnel to your xserver_machine, where your ssh client grabs them back and
> sends them to xserver_machine's local X server.
> 
> Hope this helps.
> 

I'm very interested in getting an X11 ssh tunnel working!!
But I have the same problem.

How can I force the ssh server to set the DISPLAY variable?
If the DISPLAY variable is not set when I ssh to the *remote* server,
is it an sshd problem or an Xserver problem?

thanks

--xgnu




Re: Help setting DISPLAY to an ipmasq'd machine.

2001-06-08 Thread Andrew Perrin
Yes, you're doing it wrong. 

1.) You don't need two ssh sessions; just one, from xserver_machine to
work_linux_box:
ssh -C -X work_linux_box from xserver_machine

2.) When you set the display to ipmasq_box:0.0, you're asking the remote
host to display X apps on the main display of your ipmasq_box  - which,
luckily, your ipmasq_box refuses to do. What you want to do is route X
packets through your ssh tunnel. Most ssh servers set $DISPLAY
appropriately, so before doing the export DISPLAY part, do:

echo $DISPLAY

DISPLAY should contain the name of the *remote* host, followed by a colon,
then x.0 where x>1. Mine contains:

[EMAIL PROTECTED]:~$ ssh -X isis.unc.edu
[EMAIL PROTECTED] ~ >echo $DISPLAY
login2.isis.unc.edu:11.0

If you don't get that, I'm not entirely sure how to figure out which
display will tunnel for you (the 11.0 in this case). Maybe others can help
there.


The theory is this: you open a connection from your firewalled machine to
your work machine. You do this in a secure way, using ssh, that is
permitted by both firewalls. You then use this secure channel to funnel X
packets through. X client apps on your work box "display" to a dummy
server on the same machine, so far as they know. That dummy server,
though, catches the packets and sends them over the pre-existing ssh
tunnel to your xserver_machine, where your ssh client grabs them back and
sends them to xserver_machine's local X server.

Hope this helps.
 
--
Andrew J Perrin - [EMAIL PROTECTED] - http://www.unc.edu/~aperrin
Asst Professor of Sociology, U of North Carolina, Chapel Hill
  269 Hamilton Hall, CB#3210, Chapel Hill, NC 27599-3210 USA


On Fri, 8 Jun 2001 [EMAIL PROTECTED] wrote:

> OK, I just tried this:
> 
>   ssh -C -X ipmasq_box from work_linux_box
>   ssh -C -X xserver_box from ipmasq_box (same session as above)
> 
>   In a new work_linux_box session: export DISPLAY=ipmasq_box:0.0
> xterm &
> 
>   I get:
> _X11TransSocketINETConnect: Can't connect: errno = 111
> xterm Xt error: Can't open display: ipmasq_box:0.0
> 
>   If I run xterm from xserver_box, the xterm is displayed on work_linux_box.
> 
>   Am I doing this wrong?  Also, does ipmasq_box need to be running an 
> xserver?  Right now it does not, but it has most if not all of the xserver 
> stuff on it.
> 
> Thanks,
> 
> maillst
> On Fri, Jun 08, 2001 at 11:26:04AM -0500, Andrew Perrin wrote:
> > It's non-trivial, since under the X protocol the socket will be
> > initialized by work_linux_box, which means you need some way to tell
> > ipmasq_machine to forward those packets to xserver_machine. You could do
> > this with a specific ipchains rule for that situation, assuming you want
> > *all* X packets coming from work_linux_box to be routed to
> > xserver_machine; you'd have to forward all packets coming from x.x.x.x on
> > whatever port X comes in on to xserver_machine.
> > 
> > There's an easier way, though, which is what I generally do in a similar
> > situation: open an ssh session from xserver_machine to work_linux_box:
> > 
> > ssh -C -X work_linux_box
> > 
> > then, once logged in via ssh, make sure your DISPLAY variable is set
> > correctly (most ssh servers do this right- it should be
> > work_linux_box:x.0, where x > 0).  work_linux_box is now sending X packets
> > to itself on a different X display, which is caught by ssh and tunnelled
> > to xserver_machine.
> > 
> > Hope this helps.
> > 
> > --
> > Andrew J Perrin - [EMAIL PROTECTED] - http://www.unc.edu/~aperrin
> > Asst Professor of Sociology, U of North Carolina, Chapel Hill
> >   269 Hamilton Hall, CB#3210, Chapel Hill, NC 27599-3210 USA
> > 
> > 
> > On Fri, 8 Jun 2001 [EMAIL PROTECTED] wrote:
> > 
> > > I need some help figuring out how to set the display variable to a 
> > > machine that is being ipmasq'd on my network.
> > > 
> > > Here is what I have:
> > > 
> > > Xserver_machine (192.168.1.3)
> > >   |
> > >   |
> > > IPMasq_Machine (192.168.1.1 on internal network)
> > >   |  (x.x.x.x on internet)
> > >   
> > >   | Internet |
> > >   
> > >   |
> > > Company_Firewall (y.y.y.y on internet)
> > >   |(10.a.b.c on company lan)
> > > Work_linux_box   (10.d.e.f)
> > > 
> > > I want to set the DISPLAY variable on work_linux_box to display on 
> > > Xserver_machine to assist me doing off hours support.  It will be 
> > > difficult to get the company to modify the firewall.  
> > > 
> > > So, is this possible to do?  If so, what exactly do I need to do on the 
> > > linux side.  I do have it setup that I can ssh from work_linux_box to 
> > > ipmasq_machine and from there to anywhere on the 192.168 lan.  So I have 
> > > that much connectivity setup.
> > > 
> > > Thanks for any help, and feel free to ask if more information is needed 
> > > (the real internet ip's will NOT be supplied to help prevent 

Re: Help setting DISPLAY to an ipmasq'd machine.

2001-06-08 Thread Dan Christensen
[EMAIL PROTECTED] writes:

>   ssh -C -X ipmasq_box from work_linux_box
>   ssh -C -X xserver_box from ipmasq_box (same session as above)
> 
>   In a new work_linux_box session: export DISPLAY=ipmasq_box:0.0
> xterm &

Don't set the DISPLAY variable.  ssh does it for you.

Dan



Re: Help setting DISPLAY to an ipmasq'd machine.

2001-06-08 Thread maillst
OK, I just tried this:

  ssh -C -X ipmasq_box from work_linux_box
  ssh -C -X xserver_box from ipmasq_box (same session as above)

  In a new work_linux_box session: export DISPLAY=ipmasq_box:0.0
xterm &

  I get:
_X11TransSocketINETConnect: Can't connect: errno = 111
xterm Xt error: Can't open display: ipmasq_box:0.0

  If I run xterm from xserver_box, the xterm is displayed on work_linux_box.

  Am I doing this wrong?  Also, does ipmasq_box need to be running an xserver?  
Right now it does not, but it has most if not all of the xserver stuff on it.

Thanks,

maillst
On Fri, Jun 08, 2001 at 11:26:04AM -0500, Andrew Perrin wrote:
> It's non-trivial, since under the X protocol the socket will be
> initialized by work_linux_box, which means you need some way to tell
> ipmasq_machine to forward those packets to xserver_machine. You could do
> this with a specific ipchains rule for that situation, assuming you want
> *all* X packets coming from work_linux_box to be routed to
> xserver_machine; you'd have to forward all packets coming from x.x.x.x on
> whatever port X comes in on to xserver_machine.
> 
> There's an easier way, though, which is what I generally do in a similar
> situation: open an ssh session from xserver_machine to work_linux_box:
> 
> ssh -C -X work_linux_box
> 
> then, once logged in via ssh, make sure your DISPLAY variable is set
> correctly (most ssh servers do this right- it should be
> work_linux_box:x.0, where x > 0).  work_linux_box is now sending X packets
> to itself on a different X display, which is caught by ssh and tunnelled
> to xserver_machine.
> 
> Hope this helps.
> 
> --
> Andrew J Perrin - [EMAIL PROTECTED] - http://www.unc.edu/~aperrin
> Asst Professor of Sociology, U of North Carolina, Chapel Hill
>   269 Hamilton Hall, CB#3210, Chapel Hill, NC 27599-3210 USA
> 
> 
> On Fri, 8 Jun 2001 [EMAIL PROTECTED] wrote:
> 
> > I need some help figuring out how to set the display variable to a machine 
> > that is being ipmasq'd on my network.
> > 
> > Here is what I have:
> > 
> > Xserver_machine (192.168.1.3)
> > |
> > |
> > IPMasq_Machine (192.168.1.1 on internal network)
> > |  (x.x.x.x on internet)
> >   
> >   | Internet |
> >   
> > |
> > Company_Firewall (y.y.y.y on internet)
> > |(10.a.b.c on company lan)
> > Work_linux_box   (10.d.e.f)
> > 
> > I want to set the DISPLAY variable on work_linux_box to display on 
> > Xserver_machine to assist me doing off hours support.  It will be difficult 
> > to get the company to modify the firewall.  
> > 
> > So, is this possible to do?  If so, what exactly do I need to do on the 
> > linux side.  I do have it setup that I can ssh from work_linux_box to 
> > ipmasq_machine and from there to anywhere on the 192.168 lan.  So I have 
> > that much connectivity setup.
> > 
> > Thanks for any help, and feel free to ask if more information is needed 
> > (the real internet ip's will NOT be supplied to help prevent attacks 
> > against me or my work).
> > 
> > Thanks,
> > 
> > maillst
> > 
> > 
> > -- 
> > To UNSUBSCRIBE, email to [EMAIL PROTECTED] 
> > with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]
> > 
> > 
> 
> 
> 



Re: Help setting DISPLAY to an ipmasq'd machine.

2001-06-08 Thread Andrew Perrin
It's non-trivial, since under the X protocol the socket will be
initialized by work_linux_box, which means you need some way to tell
ipmasq_machine to forward those packets to xserver_machine. You could do
this with a specific ipchains rule for that situation, assuming you want
*all* X packets coming from work_linux_box to be routed to
xserver_machine; you'd have to forward all packets coming from x.x.x.x on
whatever port X comes in on to xserver_machine.

There's an easier way, though, which is what I generally do in a similar
situation: open an ssh session from xserver_machine to work_linux_box:

ssh -C -X work_linux_box

then, once logged in via ssh, make sure your DISPLAY variable is set
correctly (most ssh servers do this right- it should be
work_linux_box:x.0, where x > 0).  work_linux_box is now sending X packets
to itself on a different X display, which is caught by ssh and tunnelled
to xserver_machine.

Hope this helps.

--
Andrew J Perrin - [EMAIL PROTECTED] - http://www.unc.edu/~aperrin
Asst Professor of Sociology, U of North Carolina, Chapel Hill
  269 Hamilton Hall, CB#3210, Chapel Hill, NC 27599-3210 USA


On Fri, 8 Jun 2001 [EMAIL PROTECTED] wrote:

> I need some help figuring out how to set the display variable to a machine 
> that is being ipmasq'd on my network.
> 
> Here is what I have:
> 
> Xserver_machine (192.168.1.3)
>   |
>   |
> IPMasq_Machine (192.168.1.1 on internal network)
>   |  (x.x.x.x on internet)
>   
>   | Internet |
>   
>   |
> Company_Firewall (y.y.y.y on internet)
>   |(10.a.b.c on company lan)
> Work_linux_box   (10.d.e.f)
> 
> I want to set the DISPLAY variable on work_linux_box to display on 
> Xserver_machine to assist me doing off hours support.  It will be difficult 
> to get the company to modify the firewall.  
> 
> So, is this possible to do?  If so, what exactly do I need to do on the linux 
> side.  I do have it setup that I can ssh from work_linux_box to 
> ipmasq_machine and from there to anywhere on the 192.168 lan.  So I have that 
> much connectivity setup.
> 
> Thanks for any help, and feel free to ask if more information is needed (the 
> real internet ip's will NOT be supplied to help prevent attacks against me or 
> my work).
> 
> Thanks,
> 
> maillst
> 
> 
> 
> 



Re: Help setting DISPLAY to an ipmasq'd machine.

2001-06-08 Thread Alan Shutko
[EMAIL PROTECTED] writes:

> I want to set the DISPLAY variable on work_linux_box to display on
> Xserver_machine to assist me doing off hours support.  It will be
> difficult to get the company to modify the firewall.

Can you ssh into work_linux_box from Xserver_machine?  If so, the
easiest thing to do will be to do

ssh -X Work_linux_box

and let ssh tunnel the display.

-- 
Alan Shutko <[EMAIL PROTECTED]> - In a variety of flavors!
BE ALOOF!  (There has been a recent population explosion of lerts.)



Re: Help setting DISPLAY to an ipmasq'd machine.

2001-06-08 Thread Anthony Fox
[EMAIL PROTECTED] writes:

> I want to set the DISPLAY variable on work_linux_box to display on
> Xserver_machine to assist me doing off hours support.  It will be
> difficult to get the company to modify the firewall.
> 
> So, is this possible to do?  If so, what exactly do I need to do on
> the linux side.  I do have it setup that I can ssh from
> work_linux_box to ipmasq_machine and from there to anywhere on the
> 192.168 lan.  So I have that much connectivity setup.

Use the -X option to ssh.  This sets up an encrypted tunnel for X11
packets between the host you are on and the host you are ssh'ing to.
This will work only if the FORWARD_X11 option has not been
specifically turned off in the sshd configuration of either machine.

-Anthony.
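
The server-side setting mentioned above and the `echo $DISPLAY` check described elsewhere in this thread, combined into one diagnostic. This is an added example, not code from any poster; it assumes an OpenSSH server, whose sshd_config keywords are X11Forwarding (default no) and X11DisplayOffset (default 10), and the function names and sample config are constructed for illustration.

```shell
#!/bin/sh
# Added example, not code from the thread. Assumes OpenSSH sshd_config syntax
# with "Keyword value" lines and no Match blocks.

# effective_opt FILE KEYWORD DEFAULT: keywords are case-insensitive and the
# first occurrence wins; DEFAULT is printed when the keyword is absent.
effective_opt() {
    awk -v key="$2" -v def="$3" '
        /^[ \t]*#/ { next }
        tolower($1) == tolower(key) { print tolower($2); found = 1; exit }
        END { if (!found) print def }
    ' "$1"
}

# classify_display VALUE OFFSET: heuristic, a display number at or above
# X11DisplayOffset is taken to be sshd's proxy display.
classify_display() {
    [ -n "$1" ] || { echo unset; return; }
    case "$1" in *:*) ;; *) echo invalid; return ;; esac
    num=${1##*:}; num=${num%%.*}    # "host:11.0" -> "11"
    case "$num" in ''|*[!0-9]*) echo invalid; return ;; esac
    if [ "$num" -ge "$2" ]; then echo tunnelled; else echo direct; fi
}

# diagnose CONFIG DISPLAY_VALUE: name the side responsible for what is seen
# inside the ssh session.
diagnose() {
    fwd=$(effective_opt "$1" X11Forwarding no)
    off=$(effective_opt "$1" X11DisplayOffset 10)
    state=$(classify_display "$2" "$off")
    case "$fwd:$state" in
        no:*)          echo "sshd: X11Forwarding is not enabled on the server" ;;
        yes:tunnelled) echo "ok: DISPLAY points at sshd's proxy display" ;;
        # Possible causes: ssh run without -X, no DISPLAY on the client side,
        # or no xauth program on the server.
        yes:unset)     echo "setup: forwarding allowed but not established" ;;
        yes:direct)    echo "override: DISPLAY set by hand, bypasses the tunnel" ;;
        *)             echo "invalid: DISPLAY or config value not understood" ;;
    esac
}

# Constructed sample input: a minimal sshd_config with forwarding enabled.
sample_config() {
    cat <<'EOF'
# constructed sample, not a real host's configuration
Port 22
X11Forwarding yes
X11DisplayOffset 10
EOF
}

cfg=$(mktemp) && sample_config > "$cfg"
diagnose "$cfg" "login2.isis.unc.edu:11.0"   # value quoted in the thread
diagnose "$cfg" "ipmasq_box:0.0"             # value exported by hand in the thread
diagnose "$cfg" ""
rm -f "$cfg"
```

On a real server, pass the path of its sshd_config and the value of `$DISPLAY` from inside the ssh session.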



Re: Help setting DISPLAY to an ipmasq'd machine.

2001-06-08 Thread will trillich
On Fri, Jun 08, 2001 at 11:01:49AM -0400, [EMAIL PROTECTED] wrote:
> I need some help figuring out how to set the display variable
> to a machine that is being ipmasq'd on my network.
> 
> Here is what I have:
> 
> Xserver_machine (192.168.1.3)
>   |
>   |
> IPMasq_Machine (192.168.1.1 on internal network)
>   |  (x.x.x.x on internet)
>   
>   | Internet |
>   
>   |
> Company_Firewall (y.y.y.y on internet)
>   |(10.a.b.c on company lan)
> Work_linux_box   (10.d.e.f)
> 
> I want to set the DISPLAY variable on work_linux_box to
> display on Xserver_machine to assist me doing off hours
> support.  It will be difficult to get the company to modify the
> firewall.  
> 
> So, is this possible to do?  If so, what exactly do I need to
> do on the linux side.  I do have it setup that I can ssh from
> work_linux_box to ipmasq_machine and from there to anywhere on
> the 192.168 lan.  So I have that much connectivity setup.
> 
> Thanks for any help, and feel free to ask if more information
> is needed (the real internet ip's will NOT be supplied to help
> prevent attacks against me or my work).

ideally, you could put together a vpn -- but if company firewall
policy prohibits that, maybe you could do port forwarding to
achieve the effect you're after? just guessing...

with a vpn, you'd have your 192.168.*.* subnet appear to be
locally connected to your 10.*.*.* net. it's tres kewl.

with port forwarding, you can have hits incoming on
ipmasq_machine public interface (1.2.3.4) port 7531 forwarded
transparently to xserver_machine (192.168.1.3) port 24680
if you want.

-- 
DEBIAN NEWBIE TIP #42 from Pietro Cagnoni <[EMAIL PROTECTED]>:
Would you like to DISABLE CONTROL-ALT-DEL? Piece of cake.
Just comment the line out in /etc/inittab
# What to do when CTRL-ALT-DEL is pressed.
ca:12345:ctrlaltdel:/sbin/shutdown -t1 -a -r now
and then "kill -HUP 1" to have init re-read the file.
=Kent <[EMAIL PROTECTED]>

Also see http://newbieDoc.sourceForge.net/ ...