SSH Question
Hi, I see some of you talking about SSHing into your computer from another. What if the computer you're using isn't Linux/Unix? I was thinking that you could reboot that computer and boot up Puppy using a USB drive, or should/can you do this through any shell irrespective of the OS? Thanks. -- Telly Williams Knowledge Is Power -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]
Re: SSH Question
try putty for windows On Thu, Oct 11, 2007 at 01:20:52AM -0600, Telly Williams wrote: Hi, I see some of you talking about SSHing into your computer from another. What if the computer you're using isn't Linux/Unix? I was thinking that you could reboot that computer and boot up Puppy using a USB drive, or should/can you do this through any shell irrespective of the OS? Thanks. -- Telly Williams Knowledge Is Power -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED] signature.asc Description: Digital signature
Re: SSH Question
On Thu, Oct 11, 2007 at 05:22:25PM +1000, Alex Samad wrote: try putty for windows Thank you. -- Telly Williams Knowledge Is Power -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]
Re: SSH Question
Telly Williams escribió: On Thu, Oct 11, 2007 at 05:22:25PM +1000, Alex Samad wrote: try putty for windows Thank you. Actually, to be able to connect from a linux machine to a windows machine you also need a ssh server (well, the same goes for the inverse) that does not come preinstalled in windows. -- .---. | Miguel J. Jiménez | | Programador Senior| | Área de Internet | | [EMAIL PROTECTED]| :---: | ISOTROL, S.A. | | Edificio BLUENET, Avda. Isaac Newton nº3, 4ª planta. | | Parque Tecnológico Cartuja '93, 41092 Sevilla (ESP). | | Teléfono: +34 955 036 800 (ext.1805) - Fax: +34 955 036 849 | | http://www.isotrol.com| :---: | Una bandera une a los habitantes de un pais bajo unos ideales| | comunes y es por eso por lo que todos ellos deben aceptarlos de | | buena gana y no ser forzados a ello pues entonces dicha bandera | | no serviría de nada. - Emperador Ming, Flash Gordon (1x07)(2007) | '---' begin:vcard fn;quoted-printable:Miguel J. Jim=C3=A9nez Jim=C3=A9nez n;quoted-printable:Jim=C3=A9nez Jim=C3=A9nez;Miguel J. org;quoted-printable:ISOTROL, S.A.;Sector P=C3=BAblico / Gestores de Contenidos adr;quoted-printable;quoted-printable;quoted-printable:Parque Tecnol=C3=B3gico Cartuja 93;;C/ Isaac Newton 3, 4=C2=AA;Sevilla;Sevilla;41092;Espa=C3=B1a email;internet:[EMAIL PROTECTED] title:Programador Senior tel;work:+34 955 036 800 (ext. 1805) tel;fax:+34 955 036 849 tel;cell:+34 607 44 87 64 x-mozilla-html:TRUE url:http://www.isotrol.com version:2.1 end:vcard
Re: SSH Question
On Thu, Oct 11, 2007 at 05:22:25PM +1000, Alex Samad wrote: try putty for windows no matter how much putty you apply, its still just windows! rimshot A signature.asc Description: Digital signature
Re: SSH Question
Hi, 2007/10/11, Telly Williams [EMAIL PROTECTED]: Hi, I see some of you talking about SSHing into your computer from another. What if the computer you're using isn't Linux/Unix? if you talk about the target computer being a windows host then cygwin has an ssh daemon, personally I use rdesktop for windows as the shell is pretty useless on windows imho. if you talk about another machine being windows and your home machine - being remote and the target google for putty hth martin -- http://noneisyours.marcher.name http://feeds.feedburner.com/NoneIsYours -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]
Re: SSH Question
if you talk about the target computer being a windows host then cygwin has an ssh daemon, personally I use rdesktop for windows as the shell is pretty useless on windows imho. if you talk about another machine being windows and your home machine - being remote and the target google for putty hth martin But if I didn't want to be bothered with windows, or didn't feel safe using the (arbitrary) PC, I could load up something like Puppy from a USB, SSH into my computer, and then shutdown and load back up windows? Or is that too much work? -- Telly Williams Knowledge Is Power -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]
Re: SSH Question
On Thu, Oct 11, 2007 at 06:48:26PM -0600, Telly Williams wrote: if you talk about the target computer being a windows host then cygwin has an ssh daemon, personally I use rdesktop for windows as the shell is pretty useless on windows imho. if you talk about another machine being windows and your home machine - being remote and the target google for putty hth martin But if I didn't want to be bothered with windows, or didn't feel safe using the (arbitrary) PC, I could load up something like Puppy from a USB, SSH into my computer, and then shutdown and load back up windows? sure. you could even roll your own puppy with your ssh keys (you do use pubkey auth, right?) included, stick it on a usb key and just keep it in your pocket. Or is that too much work? only you know what is too much work for you. ;-) A signature.asc Description: Digital signature
ssh question
All, I noticed today that openssh released version 2.9 Monday. Can someone tell me why debian is using 1.2.3-9.3. Is it that debian is only supporting ssh1, or is the version numbering just different? Thank you for your time. Andrew
Re: ssh question
[EMAIL PROTECTED] wrote: All, I noticed today that openssh released version 2.9 Monday. Can someone tell me why debian is using 1.2.3-9.3. Is it that debian is only supporting ssh1, or is the version numbering just different? Thank you for your time. simple really. when openssh2 came out debian potato(stable) was already frozen. frozen means no new packages unless they are critical bug fixes. openssh2 is a huge upgrade and is not worth the risk for the current system. the next version of debian will have a newer version of openssh, not sure which one, check packages.debian.org to see which one is in the 'testing' distribution. nate -- ::: ICQ: 75132336 http://www.aphroland.org/ http://www.linuxpowered.net/ [EMAIL PROTECTED]
Re: ssh question
On Thu, May 03, 2001 at 11:50:43AM -0400, [EMAIL PROTECTED] wrote: I noticed today that openssh released version 2.9 Monday. Can someone tell me why debian is using 1.2.3-9.3. Is it that debian is only supporting ssh1, or is the version numbering just different? Thank you for your time. Potato was released some time ago. The OpenSSH maintainer can't go back in time with a copy of SSH 2.9 and add it to potato. Sid and woody, development versions of Debian, include more recent versions of OpenSSH (2.5.1p1 on woody) and are sure to include 2.9 soon. noah -- ___ | Web: http://web.morgul.net/~frodo/ | PGP Public Key: http://web.morgul.net/~frodo/mail.html pgpdtURABvtG3.pgp Description: PGP signature
A SSH question.
I understand that this is not a Debian specific question but I'm hoping someone out there will be kind and explain this one in short easy to understand words. :) I'm trying to ssh into my Debian box on a DSL line setting behind a floppyfw based firewall. When I am at home I can SSH into that box from my Wife's winders box using Terraterm witht he ttssh stuff. Of course this is not going through the firewall but I know that ssh works. Now on the box at my house if I do this ssh -L 9000:myinternetaddress:22 myinternaladdress It connects to WinterMute (My Debian box) nicely. AFAIK at that point it is going through the floppyfw based firewall to connect. Would that be right or do I need to do something else to test this. Now when I come to work and try to do Terraterm with the same command line options it fails. Does anyone know why or what I'm doing wrong. Thanks.
RE: A SSH question.
Perhaps you should try using the -P option, which will use a non-privileged port for outgoing connections. Jason I understand that this is not a Debian specific question but I'm hoping someone out there will be kind and explain this one in short easy to understand words. :) I'm trying to ssh into my Debian box on a DSL line setting behind a floppyfw based firewall. When I am at home I can SSH into that box from my Wife's winders box using Terraterm witht he ttssh stuff. Of course this is not going through the firewall but I know that ssh works. Now on the box at my house if I do this ssh -L 9000:myinternetaddress:22 myinternaladdress It connects to WinterMute (My Debian box) nicely. AFAIK at that point it is going through the floppyfw based firewall to connect. Would that be right or do I need to do something else to test this. Now when I come to work and try to do Terraterm with the same command line options it fails. Does anyone know why or what I'm doing wrong. Thanks. -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]
Re: A SSH question.
On Wed, Mar 14, 2001 at 10:05:40AM -0700, Ray Percival wrote: I understand that this is not a Debian specific question but I'm hoping someone out there will be kind and explain this one in short easy to understand words. :) I'm trying to ssh into my Debian box on a DSL line setting behind a floppyfw based firewall. When I am at home I can SSH into that box from my Wife's winders box using Terraterm witht he ttssh stuff. Of course this is not going through the firewall but I know that ssh works. Now on the box at my house if I do this ssh -L 9000:myinternetaddress:22 myinternaladdress It connects to WinterMute (My Debian box) nicely. AFAIK at that point it is going through the floppyfw based firewall to connect. Would that be right or do I need to do something else to test this. That isn't very clear from your description. If you have a shell account at your ISP, at work or whatever -- as long as it's outside your firewall -- try telnetting to your ssh server port 22 from there. Or use a web-based port scanner ( http://grc.com , http://crypto.yashy.com ) and see if port 22 is open. Now when I come to work and try to do Terraterm with the same command line options it fails. Does anyone know why or what I'm doing wrong. Thanks. If it's not the firewall, check hosts.allow/hosts.deny (assuming your ssh is compiled with tcp-wrappers), xinetd.conf if you're running xinet... I'll need more details to give you a better answer. HTH Dima -- E-mail dmaziuk at bmrb dot wisc dot edu (@work) or at crosswinds dot net (@home) I'm going to exit now since you don't want me to replace the printcap. If you change your mind later, run -- magicfilter config script
Re: remote x via ssh question
On Mon, Jan 01, 2001 at 10:21:47AM -0800, Forrest English wrote: i know i can export it just like i would any other time, but i also set X11Forwarding yes, which i belive should forward it automaticaly, and here's what i recive when i try and run [EMAIL PROTECTED] forrest]$ xterm xterm Xt error: Can't open display: Hi, Here is what works for me. Let's say I want to ssh from host SSH-CLIENT to host SSH-SERVER. On SSH-CLIENT I created a file $HOME/.ssh/config and added the following lines to it: Host * ForwardX11 yes That's it. When I ssh from SSH-CLIENT to SSH-SERVER, I can run any X app from SSH-SERVER on the display of SSH-CLIENT. If you want you can replace '*' by 'SSH-SERVER' for the X11 forwarding to work for just that host. Note that the relevant option is 'ForwardX11 yes' and not the sshd_config option 'X11Forwarding yes'. After starting an ssh session, and logging into SSH-SERVER, when I do 'echo $DISPLAY' I get 'SSH-SERVER:10.0'. The 10 comes from the sshd_config file in SSH-SERVER: 'X11DisplayOffset 10'. As far as I know one should not set DISPLAY manually in an ssh session: here's what the ssh(1) manpage says: DISPLAY The DISPLAY variable indicates the location of the X11 server. It is automatically set by ssh to point to a value of the form ``hostname:n'' where hostname indicates the host where the shell runs, and n is an integer = 1. ssh uses this special value to forward X11 connections over the secure channel. The user should normally not set DISPLAY explicitly, as that will render the X11 connection insecure (and will require the user to manually copy any required authorization cookies). HTH, Raghavendra. -- N. Raghavendra [EMAIL PROTECTED] | Another year is gone - Harish-Chandra Research Institute | A travel hat on my head, GnuPG public key at:| Straw sandals on my feet. http://riemann.mri.ernet.in/~raghu/ | -- Matsuo Basho
Re: remote x via ssh question
on Mon, Jan 01, 2001 at 07:50:13PM -0600, Richard Cobbe ([EMAIL PROTECTED]) wrote: Lo, on , January 1, Forrest English did write: sorry about that, i should have been more specific. i have my sshd_config file set up on both machines to allow X11Forwarding. i am trying to connect from my desktop (thneed) to my server (truffula.net). [EMAIL PROTECTED]:~$ ssh -X truffula.net [EMAIL PROTECTED]'s password: Last login: Mon Jan 1 14:41:42 2001 from 192.168.1.10 [EMAIL PROTECTED] forrest]$ bluefish channel 0: istate 4 != open channel 0: ostate 64 != open Gdk-ERROR **: X connection to truffula.net:10.0 broken (explicit kill or server shutdown). Hm. From that error, it looks like the X connection was established, then broken. It's obvious that your login shell on truffula has the right DISPLAY setting, so I'm not entirely sure what's going on here. i can do it just fine if i export the DISPLAY to my ip, however i've talked to several people who have told me there is no need fo this if ssh is configured to forward x. You're right, you shouldn't have to do that. Moreover, if you *do* set DISPLAY manually (presumably to something like `thneed:0.0', the X messages will NOT be tunneled over ssh and will therefore NOT be encrypted. Bad idea. Good point. I'd forgotten that. If your networks are in direct proximate contact, then exporting your DISPLAY variable means that X sessions are being exported over a direct link -- not through your SSH tunnel. I'd look at two things. 1. If ssh is setting up the tunnel properly, it should be creating, on the *remote* side, an X socket under /tmp/.X11-unix, usually with a high number, say X64, or so. If this doesn't exist, your X11 forwarding is *not* being properly initialized. 2. Run ssh with the following arguments: $ ssh -X -v remotehost ...the '-v' flag specifies verbose output. Look to see what happens to your X11 forward request. I suspect it's being denied. Cheers. -- Karsten M. Self kmself@ix.netcom.comhttp://kmself.home.netcom.com/ Evangelist, Zelerate, Inc. http://www.zelerate.org What part of Gestalt don't you understand? There is no K5 cabal http://gestalt-system.sourceforge.net/http://www.kuro5hin.org pgpsj57fFwkbl.pgp Description: PGP signature
Re: remote x via ssh question
This thread has invoked some curiosity in me. If I use ssh to forward X connections, does that mean I can use X through an IP masquerading router? I cannot use X in the normal way right now (by setting DISPLAY to my IP address) because my IP doesn't really exist beyond the router. Thanks, -D
Re: remote x via ssh question
On Tue, Jan 02, 2001 at 04:22:31AM -0500, D-Man wrote: This thread has invoked some curiosity in me. If I use ssh to forward X connections, does that mean I can use X through an IP masquerading router? Yup, if the box you're sitting at is inside the firewall. It's a bit trickier the other way around. -- Nathan Norman - Staff Engineer | A good plan today is better Micromuse Inc. | than a perfect plan tomorrow. mailto:[EMAIL PROTECTED] | -- Patton pgpKIwmoKeJOe.pgp Description: PGP signature
Re: remote x via ssh question
on Tue, Jan 02, 2001 at 03:29:51AM -0600, Nathan E Norman ([EMAIL PROTECTED]) wrote: On Tue, Jan 02, 2001 at 04:22:31AM -0500, D-Man wrote: This thread has invoked some curiosity in me. If I use ssh to forward X connections, does that mean I can use X through an IP masquerading router? Yup, if the box you're sitting at is inside the firewall. It's a bit trickier the other way around. In which case, the usual answer is to build a bridge through the firewall, either by initiating an outbound ssh session from your internal box, or by having an account on the firewall itself. See the Firewall-Piercing HOWTO for more info. Note that you should clear whatever methods you use with your organization's security policy. Personal or legal consequences may result. http://www.linuxdoc.org/HOWTO/mini/Firewall-Piercing.html -- Karsten M. Self kmself@ix.netcom.comhttp://kmself.home.netcom.com/ Evangelist, Zelerate, Inc. http://www.zelerate.org What part of Gestalt don't you understand? There is no K5 cabal http://gestalt-system.sourceforge.net/http://www.kuro5hin.org pgpHIzFVIbvdA.pgp Description: PGP signature
remote x via ssh question
i know i can export it just like i would any other time, but i also set X11Forwarding yes, which i belive should forward it automaticaly, and here's what i recive when i try and run [EMAIL PROTECTED] forrest]$ xterm xterm Xt error: Can't open display: (this is from my other box, which is a mandrake machine). it seems to be the same thing that happens when i try and run an application localy as root while using x as user.so, i guess i'm wondering how i'd fix that too. are there some permisions that need to be set correctly, so that i can run applications as a user other than the user that is currently using x? -- Forrest English http://truffula.net I don't like this air, but that doesn't mean I'm going to stop breathing. -Doug Martsch
Re: remote x via ssh question
Please set your linewrap to 72 chars. What's wrong with your shift key? on Mon, Jan 01, 2001 at 10:21:47AM -0800, Forrest English ([EMAIL PROTECTED]) wrote: i know i can export it just like i would any other time, but i also set X11Forwarding yes, which i belive should forward it automaticaly, and here's what i recive when i try and run [EMAIL PROTECTED] forrest]$ xterm xterm Xt error: Can't open display: (this is from my other box, which is a mandrake machine). it seems to be the same thing that happens when i try and run an application localy as root while using x as user.so, i guess i'm wondering how i'd fix that too. are there some permisions that need to be set correctly, so that i can run applications as a user other than the user that is currently using x? How are you invoking ssh? You have to specify -X to forward X11 connections, or specify on a per-host basis in your configuration file. Does the remote SSH daemon allow X11 forwarding? Some daemons now deny this by default. Both client *and* server must enable X11 forwarding. Are you invoking ssh from a shell which has an appropriate $DISPLAY value in the first place? -- Karsten M. Self kmself@ix.netcom.comhttp://kmself.home.netcom.com/ Evangelist, Zelerate, Inc. http://www.zelerate.org What part of Gestalt don't you understand? There is no K5 cabal http://gestalt-system.sourceforge.net/http://www.kuro5hin.org pgpgXWBbksCGk.pgp Description: PGP signature
Re: remote x via ssh question
Lo, on , January 1, Forrest English did write: [reformatted for 80 columns] i know i can export it just like i would any other time, but i also set X11Forwarding yes, which i belive should forward it automaticaly, and here's what i recive when i try and run [EMAIL PROTECTED] forrest]$ xterm xterm Xt error: Can't open display: This is a little unclear. Is truffula the ssh server or client? Also, where did you set X11Forwarding to yes---server or client? (I think it needs to be in both places.) (this is from my other box, which is a mandrake machine). it seems to be the same thing that happens when i try and run an application localy as root while using x as user. so, i guess i'm wondering how i'd fix that too. are there some permisions that need to be set correctly, so that i can run applications as a user other than the user that is currently using x? Yes, but that's not what's giving you this error message. To fix the local/root problem: su DISPLAY=:0.0 export DISPLAY xauth merge ~forrest/.Xauthority xterm where forrest is the name of the user who started X, either via startx or through an [xkg]dm login. You'll need to reset DISPLAY each time root logs in, and you'll need to remerge the xauthority crud each time you restart the X server. Richard
Re: remote x via ssh question
on Mon, Jan 01, 2001 at 05:17:16PM -0500, David B . Harris ([EMAIL PROTECTED]) wrote: To quote kmself@ix.netcom.com, How are you invoking ssh? You have to specify -X to forward X11 connections, or specify on a per-host basis in your configuration file. Does the remote SSH daemon allow X11 forwarding? Some daemons now deny this by default. Both client *and* server must enable X11 forwarding. Are you invoking ssh from a shell which has an appropriate $DISPLAY value in the first place? I'm not sure, but does xhost also need to be invoked to allow a remote ssh-tunneled X app to connect? No. -- Karsten M. Self kmself@ix.netcom.comhttp://kmself.home.netcom.com/ Evangelist, Zelerate, Inc. http://www.zelerate.org What part of Gestalt don't you understand? There is no K5 cabal http://gestalt-system.sourceforge.net/http://www.kuro5hin.org pgp5JbiEpRv69.pgp Description: PGP signature
Re: remote x via ssh question
sorry about that, i should have been more specific. i have my sshd_config file set up on both machines to allow X11Forwarding. i am trying to connect from my desktop (thneed) to my server (truffula.net). [EMAIL PROTECTED]:~$ ssh -X truffula.net [EMAIL PROTECTED]'s password: Last login: Mon Jan 1 14:41:42 2001 from 192.168.1.10 [EMAIL PROTECTED] forrest]$ bluefish channel 0: istate 4 != open channel 0: ostate 64 != open Gdk-ERROR **: X connection to truffula.net:10.0 broken (explicit kill or server shutdown). i can do it just fine if i export the DISPLAY to my ip, however i've talked to several people who have told me there is no need fo this if ssh is configured to forward x. On Mon, 1 Jan 2001 13:50:57 -0800, kmself@ix.netcom.com said: --OwLcNYc0lM97+oe1 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline Content-Transfer-Encoding: quoted-printable Please set your linewrap to 72 chars. What's wrong with your shift key? nothing. on Mon, Jan 01, 2001 at 10:21:47AM -0800, Forrest English ([EMAIL PROTECTED] ..net) wrote: i know i can export it just like i would any other time, but i also set X11Forwarding yes, which i belive should forward it automaticaly, and here's what i recive when i try and run =20 [EMAIL PROTECTED] forrest]$ xterm xterm Xt error: Can't open display: =20 (this is from my other box, which is a mandrake machine). it seems to be the same thing that happens when i try and run an application localy as root while using x as user.so, i guess i'm wondering how i'd fix that too. are there some permisions that need to be set correctly, so that i can run applications as a user other than the user that is currently using x? How are you invoking ssh? You have to specify -X to forward X11 connections, or specify on a per-host basis in your configuration file. Does the remote SSH daemon allow X11 forwarding? Some daemons now deny this by default. Both client *and* server must enable X11 forwarding. Are you invoking ssh from a shell which has an appropriate $DISPLAY value in the first place? --=20 Karsten M. Self kmself@ix.netcom.comhttp://kmself.home.netcom.com/ Evangelist, Zelerate, Inc. http://www.zelerate.org What part of Gestalt don't you understand? There is no K5 cabal http://gestalt-system.sourceforge.net/http://www.kuro5hin.org --OwLcNYc0lM97+oe1 Content-Type: application/pgp-signature Content-Disposition: inline -BEGIN PGP SIGNATURE- Version: GnuPG v1.0.4 (GNU/Linux) Comment: For info see http://www.gnupg.org iD8DBQE6UPvBOEeIn1XyubARAjF0AJwMbwpDRwb+vp9AUpx5iaRULjuSewCfTy2f se2hu74B203n/8PruYMtHjY= =Pd6e -END PGP SIGNATURE- --OwLcNYc0lM97+oe1-- -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED] -- Forrest English http://truffula.net I don't like this air, but that doesn't mean I'm going to stop breathing. -Doug Martsch
Re: remote x via ssh question
On Mon, Jan 01, 2001 at 04:18:13PM -0800, Forrest English wrote: sorry about that, i should have been more specific. i have my sshd_config file set up on both machines to allow X11Forwarding. i am trying to connect from my desktop (thneed) to my server (truffula.net). [EMAIL PROTECTED]:~$ ssh -X truffula.net [EMAIL PROTECTED]'s password: Last login: Mon Jan 1 14:41:42 2001 from 192.168.1.10 [EMAIL PROTECTED] forrest]$ bluefish channel 0: istate 4 != open channel 0: ostate 64 != open Gdk-ERROR **: X connection to truffula.net:10.0 broken (explicit kill or server shutdown). i can do it just fine if i export the DISPLAY to my ip, however i've talked to several people who have told me there is no need fo this if ssh is configured to forward x. Have you tried - $ blufish ? kent -- In order to make an apple pie from scratch, you must first create the universe. - Carl Sagan
Re: remote x via ssh question
Lo, on , January 1, Forrest English did write: sorry about that, i should have been more specific. i have my sshd_config file set up on both machines to allow X11Forwarding. i am trying to connect from my desktop (thneed) to my server (truffula.net). [EMAIL PROTECTED]:~$ ssh -X truffula.net [EMAIL PROTECTED]'s password: Last login: Mon Jan 1 14:41:42 2001 from 192.168.1.10 [EMAIL PROTECTED] forrest]$ bluefish channel 0: istate 4 != open channel 0: ostate 64 != open Gdk-ERROR **: X connection to truffula.net:10.0 broken (explicit kill or server shutdown). Hm. From that error, it looks like the X connection was established, then broken. It's obvious that your login shell on truffula has the right DISPLAY setting, so I'm not entirely sure what's going on here. i can do it just fine if i export the DISPLAY to my ip, however i've talked to several people who have told me there is no need fo this if ssh is configured to forward x. You're right, you shouldn't have to do that. Moreover, if you *do* set DISPLAY manually (presumably to something like `thneed:0.0', the X messages will NOT be tunneled over ssh and will therefore NOT be encrypted. Bad idea. Richard
Re: ssh question / 2nd post first did not work
On Thu, 14 Dec 2000, Andrew Hall wrote: This may be silly, but here goes. I have downloaded the new version os ssh due to the security announcement a little bit ago. Looking at its depends I see that it requires libz1 but I can not find that package anywhere on the debian site. I do have zlib1g installed. What's the difference between the two packages? Can anyone tell me why there would be that dependency to a package that as far as I can tell does not exist? Thanks for you time. Instead of downloading ssh, I suggest: apt-get install ssh This will load and install any packages ssh depends on automatically. Dwight
ssh question / 2nd post first did not work
Hello, This may be silly, but here goes. I have downloaded the new version os ssh due to the security announcement a little bit ago. Looking at its depends I see that it requires libz1 but I can not find that package anywhere on the debian site. I do have zlib1g installed. What's the difference between the two packages? Can anyone tell me why there would be that dependency to a package that as far as I can tell does not exist? Thanks for you time. Drew
PuTTy and SSH Question
Friday i was trying to get PSCP to work, which i had never used before, and it wouldnt so since it was Friday i gave up for the day. So today im logging into the box and this is the error im getting: Incorrect MAC received on packet This comes from Putty and actualy the first time i logged in the computer acted like i didnt have the right key, then it cached the key, then it wouldnt let me in. So then i erased the file under c:\windows and it cached the key again, and now im getting the Incorrect MAC received on packet? thing...any clues? I havent changed the IP or the NIC so im not sure what is going on...Any ideas? Thanks for the help! Tom
Re: ssh question
On Sun, 10 May 1998, G. Kapetanios wrote: Thanks for all the replys. The RSA keys method can be made not to ask for anything if you put no passphrase, and that is my question. I can do what I want without a passphrase. But is this safe ?? The man page of ssh-keygen says that if you put no passphrase YOU SHOULD KNOW WHAT YOU ARE DOING. This is the scary bit. The man page does not bother to explain what the consequences of no passphrase are. Does anyone know ?? Thanks George From my understanding (which is far from complete) ssh does its main authentication via two public/private keys (one for the server and one for the client). When you first connect via ssh there is a chalenge/answer session that goes on so that the server can confirm the identity of the client. Once this is confimed the session is encrypted and from there it is just like rsh. So the passphrase prompt you see is the same as you would get when using rsh from an untrusted client. Thus if the client truely is a 'trusted' host then you can set it up so that you don't need to enter the passphrase. This is alot safer than using rsh from a 'trusted' host, as you are not open to spoof attacks (where some other machine pretends to be the trusted host). On the other hand, I'm sure there are some *extremely* complicated ways to abuse the trust of the server to gain entry to the system from somewhere else - but if you trust your network enough to use rsh with no passphrase, then you will have no worries about using ssh with no passphrase. Chris -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]
Re: ssh question
On Sun, May 10, 1998 at 09:15:07PM +0100, G. Kapetanios wrote:
Thanks for all the replys. The RSA keys method can be made not to ask for
anything if you put no passphrase, and that is my question. I can do what
I want without a passphrase. But is this safe ??
The man page of ssh-keygen says that if you put no passphrase YOU SHOULD
KNOW WHAT YOU ARE DOING. This is the scary bit. The man page does not
bother to explain what the consequences of no passphrase are. Does anyone
know ??
The danger is that someone gaining your private key by any means is able
to log in to any other machine that accepts that key.
What I do locally is put pass phrases on my private keys, but use
ssh-agent to start the system Xsession script. Then in .xsession, I run
ssh-add. Adter ssh-add returns, I try to start remote sessions.
The following is added to /etc/X11/Xsession just after the
/etc/environment clause:
if [ -x /usr/bin/ssh-agent ] ; then
if [ -z ${SSH_AGENT_PID} ] ; then
exec /usr/bin/ssh-agent $0
fi
fi
Then in your .xsession file, you may
ssh-add
xtoolwait ssh -n remote.host.name xterm -geometry +0-0 +sb +rv -e mutt -y
The ssh-agent process will hold the unencrypted private key in RAM, which
is more difficult for an intruder to read than from disk. The ssh-agent
dies when you log out as well.
This modification to Xsession has been submitted as part of wishlist
#15085 against xbase, but hasn't been acted on yet. The above would
probably also work at the top of a .xsession file, but I haven't tested it.
An alternative is to run ssh-agent and ssh-add from your
.login/.profile files, and save the output (export SSH_*=... lines) to a
temporary file for future sourcing. Email me if you want bash versions
(they're on an offline machine at the moment).
-Drake
--
Dr. Drake Diedrich, Research Officer - Computing, (02)6279-8302
John Curtin School of Medical Research, Australian National University 0200
Replies to other than [EMAIL PROTECTED] will be routed off-planet
--
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]
Re: ssh question
Hi, Have you considered using the tcp wrapper support that ssh has? By the way, is the Debian ssh package compiled with tcp wrapper support? Anyway, assuming it is, if you really need to have an empty passphrase I would strongly suggest that you only allow secure shell logins from trusted machine which you can setup in your /etc/hosts.allow and /etc/hosts.deny file. Again, this assumes that the Debian package has tcp wrapper support compiled in to it or you compiled in tcp wrapper support yourself. -Ossama __ Ossama Othman [EMAIL PROTECTED] --- PGP Keys --- Public: http://astrosun.tn.cornell.edu/staff/othman/OO_PUBLIC.asc REVOKED: http://astrosun.tn.cornell.edu/staff/othman/OO_REVOKED.asc -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]
Re: ssh question
On Mon, May 11, 1998 at 01:16:55PM +1000, Drake Diedrich wrote: An alternative is to run ssh-agent and ssh-add from your .login/.profile files, and save the output (export SSH_*=... lines) to a temporary file for future sourcing. Email me if you want bash versions (they're on an offline machine at the moment). Here is my .xsession file: eval `ssh-agent` ssh-add fvwm2 When xdm starts, it asks for my user name and password, and then ssh asks for my passphrase. The info is stored in RAM and available for any shell in X. There may be some problems if you use a csh variant. ssh-agent seems to check the password file for your shell, but I think the .xsession is run under sh. Try changing eval `ssh-agent` to eval `ssh-agent -s` to get the correct type of variable assignments. I don't know if the csh problem was with xdm or startx or both. -- Lee Bradshaw [EMAIL PROTECTED] (preferred) Alantro Communications [EMAIL PROTECTED] -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]
ssh question
Hi all, After some security incident on my network I decided to set up ssh. I think I have figured most things of interest to me out. However, before I had rsh in ascript to start my mail program which is another host through FvwmButtons. Now that I disabled rsh I tried to figure a way to do the same with slogin. I figured the way but it involves setting authorisation keys without passphrases. How bad is this ? Am I loosing all security ? Am I better off with rsh in this case ? And another related wuestion: When I disabled rsh I simply chmoded the programs 700. Now I can't use rsh as a simple user (although I can as root) even if I set the permissions as they used to be. I get a message saying rcmd: socket: Permission denied Obviously the programs to set sssh involve some secure sockets. Is there a workaround or not for this ?? Thanks for any comment George --- George Kapetanios Churchill College Cambridge, CB3 0DSE-Mail: [EMAIL PROTECTED] U.K. WWW: http://garfield.chu.cam.ac.uk/~gk205/work_info.html --- -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]
Re: ssh question
On Sun, 10 May 1998, G. Kapetanios wrote: Hi all, After some security incident on my network I decided to set up ssh. I think I have figured most things of interest to me out. However, before I had rsh in ascript to start my mail program which is another host through FvwmButtons. Now that I disabled rsh I tried to figure a way to do the same with slogin. I figured the way but it involves setting authorisation keys without passphrases. How bad is this ? Am I loosing all security ? Am I better off with rsh in this case ? And another related wuestion: When I disabled rsh I simply chmoded the programs 700. Now I can't use rsh as a simple user (although I can as root) even if I set the permissions as they used to be. I get a message saying rcmd: socket: Permission denied Obviously the programs to set sssh involve some secure sockets. Is there a workaround or not for this ?? Thanks for any comment George ssh CAN replace both rsh and rlogin, To do things as you would with rsh, you use 'ssh command'. The trick is that you must first put the public keys for each system into either /etc/ssh or your .ssh directory (in the files ssh_known_keys or known_keys respectively). The easiest way to do this is to slogin from one machine to the other, and then do the same from the other machine back again - manually approving authentication each time (by the way - slogin is just an alias for ssh). Hope that helps, chris -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]
Re: ssh question
ssh CAN replace both rsh and rlogin, To do things as you would with rsh, you use 'ssh command'. The trick is that you must first put the public keys for each system into either /etc/ssh or your .ssh directory (in the files ssh_known_keys or known_keys respectively). The easiest way to do this is to slogin from one machine to the other, and then do the same from the other machine back again - manually approving authentication each time (by the way - slogin is just an alias for ssh). yes, but even then ssh asks for a password, I've tried every authentication method described in the ssh man page, but I couldn't get it to login without manual authentication (with rsa keys it asks for the passphrase). The other thing I don't like about ssh is that it doesn't enforce the /etc/login.access /etc/limits or the comment field in /etc/passwd (which allows you to set the priority at which users processes run at).. As I have no real need to have my sessions encrypted, I see no advantage to using ssh over telnet.. pgphOHNgtWMMF.pgp Description: PGP signature
Re: ssh question
On Sun, May 10, 1998 at 03:28:40PM -0400, Norbert Veber wrote: yes, but even then ssh asks for a password, I've tried every authentication method described in the ssh man page, but I couldn't get it to login without manual authentication rhosts with RSA host authentication is what you wish. Be aware that there had been a ssh verision in the debian archives that didn't try this authentication. The current one is ok. You will need to have the other host id in your ~/.ssh/known_hosts and the name in ~/.shosts Works fine here. Nils -- *-* | Quotes from the net: L Linus Torvalds, W Winfried Truemper | | Lthis is the special easter release of linux, more mundanely called 1.3.84 | | WUmh, oh. What do you mean by special easter release?. Will it quit | * Wworking today and rise on easter? * pgp9Ee8OKaCN2.pgp Description: PGP signature
Re: ssh question
Thanks for all the replys. The RSA keys method can be made not to ask for anything if you put no passphrase, and that is my question. I can do what I want without a passphrase. But is this safe ?? The man page of ssh-keygen says that if you put no passphrase YOU SHOULD KNOW WHAT YOU ARE DOING. This is the scary bit. The man page does not bother to explain what the consequences of no passphrase are. Does anyone know ?? Thanks George On Sun, 10 May 1998, Norbert Veber wrote: ssh CAN replace both rsh and rlogin, To do things as you would with rsh, you use 'ssh command'. The trick is that you must first put the public keys for each system into either /etc/ssh or your .ssh directory (in the files ssh_known_keys or known_keys respectively). The easiest way to do this is to slogin from one machine to the other, and then do the same from the other machine back again - manually approving authentication each time (by the way - slogin is just an alias for ssh). yes, but even then ssh asks for a password, I've tried every authentication method described in the ssh man page, but I couldn't get it to login without manual authentication (with rsa keys it asks for the passphrase). The other thing I don't like about ssh is that it doesn't enforce the /etc/login.access /etc/limits or the comment field in /etc/passwd (which allows you to set the priority at which users processes run at).. As I have no real need to have my sessions encrypted, I see no advantage to using ssh over telnet.. --- George Kapetanios Churchill College Cambridge, CB3 0DSE-Mail: [EMAIL PROTECTED] U.K. WWW: http://garfield.chu.cam.ac.uk/~gk205/work_info.html --- -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]
Re: SSH Question SOLVED.
Hope it's useful to some one out there... Why not make that a mini-HOWTO, and get it into a distribution somewhere? I fond a use for this, and so, IMHO, will others. Happy to... does anyone know how I go about doing this or if there is something already existant that it would be better added to? Adam. Internet Alaska -- 4050 Lake Otis Adam Shand(v) +1 907 562 4638 Anchorage, Alaska Systems Administrator (f) +1 907 562 1677 - http://larry.earthlight.co.nz --- -- TO UNSUBSCRIBE FROM THIS MAILING LIST: e-mail the word unsubscribe to [EMAIL PROTECTED] . Trouble? e-mail to [EMAIL PROTECTED] .
Re: SSH Question SOLVED
Following sent to Adam Shand [EMAIL PROTECTED]: Hi Adam; I suggest that you 'poke around' a bit at: http://fatman.mathematik.tu-muenchen.de/~schwarz/debian-doc/ (Debian Documentation Project) -bill Get free e-mail and a permanent address at http://www.netaddress.com -- TO UNSUBSCRIBE FROM THIS MAILING LIST: e-mail the word unsubscribe to [EMAIL PROTECTED] . Trouble? e-mail to [EMAIL PROTECTED] .
SSH Question SOLVED.
For the use of people who may be interested. After my question here is what I have found you need to do in order to allow a passwordless RSA authenticated ssh or scp session between hosts. Hope it's useful to some one out there... Adam. ___ Written By Adam: 06 November 1997 To set up passwordless SSH sessions between hosts which rely on RSA for authentication rather then passwords, follow the steps below. 1. First make sure that there are ~/.ssh/identity and ~/.ssh/identity.pub files (this is where the public and private keys are kept) on both hosts. If the host/user does not yet have a key pair then you need to generate one by running 'ssh-keygen' (it's very straight forward, just run it). 2. Next copy (from the client machine) the line from ~/.ssh/identity.pub and put it in the ~/.ssh/authorized_keys file (make sure it doesn't line wrap accidentally, it should be only one line per host authorized). Check permissions to make sure *only* the user has read privileges to the private key! 3. Next on the server machine make sure that these changes have been made to the /etc/ssh/sshd_config file (you need to restart sshd if you made any changes): PermitRootLogin nopwd RhostsAuthentication no RhostsRSAAuthentication yes RSAAuthentication yes 4. Create an ~/.shosts file on the server machine with an entry for the host that you want to have access. It should contain one fully qualified domain name per line. 5. Use SSH to connect *both* ways using the fully qualified domain name of the server host in the command line, this is to make sure that host keys are exchanged. You may have to temporarily modify the hosts.[allow|deny] files to allow the connection one way. 6. Test it with 'ssh -v hostname' and see what goes wrong. The most common problem I've run into is mismatched host keys, where the exchanged keys use an inconsistently qualified host named (ie. the server looks for 'host.isp.net' in ~/.ssh/known_hosts but can only find 'host'). 7. As Bruce says, Have a beer. Internet Alaska -- 4050 Lake Otis Adam Shand(v) +1 907 562 4638 Anchorage, Alaska Systems Administrator (f) +1 907 562 1677 - http://larry.earthlight.co.nz --- -- TO UNSUBSCRIBE FROM THIS MAILING LIST: e-mail the word unsubscribe to [EMAIL PROTECTED] . Trouble? e-mail to [EMAIL PROTECTED] .
SSH Question...
Hi... I'm setting up an automated script which needs the functionality of rsh to execute some commands on a remote machine, and I need it to *not* prompt for a pasword. I know that I can do this with SSH using a .shosts file, but I would like to use one of SSH's additional methods of host authentication as well (to make it more secure against DNS pollution attacks etc). Is this possible to do and still not have to enter a password? Can anyone expain how or point me to relevant documentation? Thanks, Adam. -- TO UNSUBSCRIBE FROM THIS MAILING LIST: e-mail the word unsubscribe to [EMAIL PROTECTED] . Trouble? e-mail to [EMAIL PROTECTED] .
Re: SSH Question...
On Thu, 06 Nov 1997 02:48:26 -0900 Adam Shand ([EMAIL PROTECTED]) wrote: I'm setting up an automated script which needs the functionality of rsh to execute some commands on a remote machine, and I need it to *not* prompt for a pasword. I know that I can do this with SSH using a .shosts file, but I would like to use one of SSH's additional methods of host authentication as well (to make it more secure against DNS pollution attacks etc). Is this possible to do and still not have to enter a password? Can anyone expain how or point me to relevant documentation? You want to use ssh-agent. This works like this: make a key pair with ssh-keygen put the public key in any server you want to be able to log in put the private key in any machine you want to log from put a .identity link in your .ssh directory run ssh-agent and ssh-askpass before running ssh/scp/slogin. You also want to read the ssh and ssh-agent manpages... Phil. -- TO UNSUBSCRIBE FROM THIS MAILING LIST: e-mail the word unsubscribe to [EMAIL PROTECTED] . Trouble? e-mail to [EMAIL PROTECTED] .
