[SLUG] X forwarding over ssh

2003-03-04 Thread David Fitch

Hi all,

can I have X forwarding over ssh such that it works from
desktop to desktop machines with 2 firewalls in between?

ie.
desktop1 -- fw1 --internet-- fw2 -- desktop2

and desktop 1 and 2 have private IP addresses (on different
subnets etc as well).  fw 1 and 2 have real IP addresses.

So far when I try this, my display var starts off set to
:0 on desktop1, I ssh -X to fw2, display var is now not
set so no X apps start.  I manually set the DISPLAY to
export DISPLAY=`echo $SSH_CLIENT | awk '{print $1":0"}'`
but the trouble is it is the IP address of fw1 which not
surprisingly rejects the connection.

So what am I doing wrong?

ta,
Dave.

-- 
SLUG - Sydney Linux User's Group - http://slug.org.au/
More Info: http://lists.slug.org.au/listinfo/slug


Re: [SLUG] X forwarding over ssh

2003-03-04 Thread mlh

> So what am I doing wrong?

Nothing unless you're the admin of fw2.

fw2 probably has X11Forwarding off in its /etc/ssh/sshd_config

Matt



Re: [SLUG] X forwarding over ssh

2003-03-04 Thread David Fitch
On Wed, 2003-03-05 at 10:00, [EMAIL PROTECTED] wrote:
>
> > So what am I doing wrong?
>
> Nothing unless you're the admin of fw2.
>
> fw2 probably has X11Forwarding off in its /etc/ssh/sshd_config

no it's set to yes.
the bit I don't get is how does it end up back on my desktop1
box?  (ie. back through fw1)

on the remote machine my display var is always empty yet the
ssh man page says it should be automatically looked after
and set.  If I manually set it then it tries to connect
back to fw1 on port 6000 which is rejected.  Ie. it appears
to me it's not using ssh X forwarding at all.

Dave.



Re: [SLUG] X forwarding over ssh

2003-03-04 Thread Colin Humphreys
On Wed, Mar 05, 2003 at 10:09:35AM +1030, David Fitch wrote:
> On Wed, 2003-03-05 at 10:00, [EMAIL PROTECTED] wrote:
> > fw2 probably has X11Forwarding off in its /etc/ssh/sshd_config
>
> no it's set to yes.
> the bit I don't get is how does it end up back on my desktop1
> box?  (ie. back through fw1)
>
> on the remote machine my display var is always empty yet the
> ssh man page says it should be automatically looked after
> and set.  If I manually set it then it tries to connect
> back to fw1 on port 6000 which is rejected.  Ie. it appears
> to me it's not using ssh X forwarding at all.

Does the remote box have xauth? X11Forwarding needs that. Try
running your ssh client with a bit more -v -v verboseness.


Re: [SLUG] X forwarding over ssh

2003-03-04 Thread David Fitch
On Wed, 2003-03-05 at 10:22, Colin Humphreys wrote:
> Does the remote box have xauth? X11Forwarding needs that. Try
> running your ssh client with a bit more -v -v verboseness.

yes xauth is in the path on all boxes.

here's the verbose output (private bits XXX'd out)
note in this case lisa is the remote firewall machine
since I have to ssh to that first then ssh to the remote
desktop machine, but for the moment I'm just trying to
get xterm to run on lisa but display on my local desktop.

[EMAIL PROTECTED]:~$ ssh -v -X lisa
OpenSSH_3.4p1 Debian 1:3.4p1-1, SSH protocols 1.5/2.0, OpenSSL
0x0090603f
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: Applying options for *
debug1: Rhosts Authentication disabled, originating port will not be
trusted.
debug1: ssh_connect: needpriv 0
debug1: Connecting to lisa [XXXpublic IP addressXXX] port 22.
debug1: Connection established.
debug1: identity file /home/davidf/.ssh/identity type -1
debug1: identity file /home/davidf/.ssh/id_rsa type -1
debug1: identity file /home/davidf/.ssh/id_dsa type -1
debug1: Remote protocol version 1.99, remote software version
OpenSSH_3.5p1
debug1: match: OpenSSH_3.5p1 pat OpenSSH*
Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_3.4p1 Debian 1:3.4p1-1
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: server->client aes128-cbc hmac-md5 none
debug1: kex: client->server aes128-cbc hmac-md5 none
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
debug1: dh_gen_key: priv key bits set: 131/256
debug1: bits set: 1614/3191
debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
debug1: Host 'lisa' is known and matches the RSA host key.
debug1: Found key in /home/davidf/.ssh/known_hosts:6
debug1: bits set: 1619/3191
debug1: ssh_rsa_verify: signature correct
debug1: kex_derive_keys
debug1: newkeys: mode 1
debug1: SSH2_MSG_NEWKEYS sent
debug1: waiting for SSH2_MSG_NEWKEYS
debug1: newkeys: mode 0
debug1: SSH2_MSG_NEWKEYS received
debug1: done: ssh_kex2.
debug1: send SSH2_MSG_SERVICE_REQUEST
debug1: service_accept: ssh-userauth
debug1: got SSH2_MSG_SERVICE_ACCEPT
debug1: authentications that can continue:
publickey,password,keyboard-interactive
debug1: next auth method to try is publickey
debug1: try privkey: /home/davidf/.ssh/identity
debug1: try privkey: /home/davidf/.ssh/id_rsa
debug1: try privkey: /home/davidf/.ssh/id_dsa
debug1: next auth method to try is keyboard-interactive
debug1: authentications that can continue:
publickey,password,keyboard-interactive
debug1: next auth method to try is password
[EMAIL PROTECTED]'s password: 
debug1: ssh-userauth2 successful: method password

and now I'm logged in.  Before doing the ssh my DISPLAY
var was set to :0, now on lisa it is not set, and not
surprisingly xterm fails to work.  According to all the
man pages/faqs/googles I can find it should just work...

Dave.



Re: [SLUG] X forwarding over ssh

2003-03-04 Thread mlh
On Wed, Mar 05, 2003 at 10:38:30AM +1030, David Fitch wrote:
> [ ... ]
> publickey,password,keyboard-interactive
> debug1: next auth method to try is password
> [EMAIL PROTECTED]'s password: 
> debug1: ssh-userauth2 successful: method password
>
> and now I'm logged in.  Before doing the ssh my DISPLAY
> var was set to :0, now on lisa it is not set, and not
> surprisingly xterm fails to work.  According to all the
> man pages/faqs/googles I can find it should just work...

It looks like your ssh is not requesting X forwarding,
regardless of the -X flag.

I get a debug1: Requesting X11 forwarding with authentication spoofing.
when I tried -v -v -X here, even when it is denied from
the other side.

The lack of the DISPLAY variable also points to this.
Typically, it will be something like lisa:10.

So why is your ssh not asking for X11 forwarding?
Maybe there's an option in your local .ssh config
(personal or /etc/ssh/ssh_config which says not
to ask for X)  Or maybe it doesn't know you're using
X at the local end.  I presume the DISPLAY is exported.
You could try setting it explicitly:
export DISPLAY=desktop1:0
and try again.


Matt


Re: [SLUG] X forwarding over ssh

2003-03-04 Thread David Fitch
On Wed, 2003-03-05 at 12:27, [EMAIL PROTECTED] wrote:
> It looks like your ssh is not requesting X forwarding,
> regardless of the -X flag.

sorry, it appears I chopped off the end of the debug output in
my previous email.  After I enter my password I get:

[EMAIL PROTECTED]'s password: 
debug1: ssh-userauth2 successful: method password
debug1: channel 0: new [client-session]
debug1: send channel open 0
debug1: Entering interactive session.
debug1: ssh_session2_setup: id 0
debug1: channel request 0: pty-req
debug1: Requesting X11 forwarding with authentication spoofing.
debug1: channel request 0: x11-req
debug1: Requesting authentication agent forwarding.
debug1: channel request 0: [EMAIL PROTECTED]
debug1: channel request 0: shell
debug1: fd 3 setting TCP_NODELAY
debug1: channel 0: open confirm rwindow 0 rmax 32768
Last login: Wed Apr  2 11:59:28 2003 from X

so no errors I can see but DISPLAY is still unset.
Before doing the ssh, it doesn't matter if DISPLAY is
set to :0 or mydesktop:0, it gets lost after the ssh.

h maybe something funny is happening with xauth??
I noticed doing ssh -v -v -X lisa it's displaying:
debug2: x11_get_proto /usr/bin/X11/xauth list spiral:0 2>/dev/null

this appears one line before the requesting X11 forwarding
message.  Is that running on my local desktop or the remote
machine?  cos manually doing xauth list on my desktop returns
various stuff but doing it on the remote machine returns nothing,
and there is no .Xauthority file in my home dir on the remote
machine, but there is on my local desktop one...

Dave.



Re: [SLUG] X forwarding over ssh

2003-03-04 Thread mlh
On Wed, Mar 05, 2003 at 01:18:15PM +1030, David Fitch wrote:
> h maybe something funny is happening with xauth??
> I noticed doing ssh -v -v -X lisa it's displaying:
> debug2: x11_get_proto /usr/bin/X11/xauth list spiral:0 2>/dev/null

What is spiral?

> this appears one line before the requesting X11 forwarding
> message.  Is that running on my local desktop or the remote
> machine?  cos manually doing xauth list on my desktop returns
> various stuff but doing it on the remote machine returns nothing,
> and there is no .Xauthority file in my home dir on the remote
> machine, but there is on my local desktop one...

Permissions problem?  Maybe you can't write to your own
home dir to write the .Xauthority file?

Firewall?  Ssh has to listen to the forwarding port (6000 + DISPLAY screen)
i.e. localhost:6010 on the destination machine.

Try netcat (nc -p 6010 -l) to see if this works.

Running out of ideas ...


Matt


Re: [SLUG] X forwarding over ssh

2003-03-04 Thread David Fitch
On Wed, 2003-03-05 at 14:53, [EMAIL PROTECTED] wrote:
> On Wed, Mar 05, 2003 at 01:18:15PM +1030, David Fitch wrote:
> > h maybe something funny is happening with xauth??
> > I noticed doing ssh -v -v -X lisa it's displaying:
> > debug2: x11_get_proto /usr/bin/X11/xauth list spiral:0 2>/dev/null
>
> What is spiral?

my local desktop machine

> > this appears one line before the requesting X11 forwarding
> > message.  Is that running on my local desktop or the remote
> > machine?  cos manually doing xauth list on my desktop returns
> > various stuff but doing it on the remote machine returns nothing,
> > and there is no .Xauthority file in my home dir on the remote
> > machine, but there is on my local desktop one...
>
> Permissions problem?  Maybe you can't write to your own
> home dir to write the .Xauthority file?

no I can create an empty one, I copied root's .Xauthority
and did xauth merge to create one for me so I have one
now - but of course all that should have just happened.

> Firewall?  Ssh has to listen to the forwarding port (6000 + DISPLAY screen)
> i.e. localhost:6010 on the destination machine.
>
> Try netcat (nc -p 6010 -l) to see if this works.
>
> Running out of ideas ...

I'm suspecting the firewall at the remote end at the moment,
(think it's blocking too much internal stuff rather than just
external) gonna try and talk to the guy who's looking after that.
Thanks for the ideas and help.

Dave.



Re: [SLUG] X forwarding over ssh

2003-03-04 Thread Anthony Wood
On Wed, 2003-03-05 at 15:31, David Fitch wrote:
> On Wed, 2003-03-05 at 14:53, [EMAIL PROTECTED] wrote:
> > On Wed, Mar 05, 2003 at 01:18:15PM +1030, David Fitch wrote:
> > > h maybe something funny is happening with xauth??

snip

> > Running out of ideas ...

This might be an idea

Recent debians disable remote X connections by default, you
have to remove the nolisten flag in the X startup scripts (Xdm  startx)

howto: see http://www.debian.org/doc/manuals/reference/ch-tune.en.html#s-xtcp
-- 
Anthony Wood [EMAIL PROTECTED]
Switch Online Group
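
The checks the replies above walk through, as an added example (not code from any poster in the thread): a POSIX shell triage that reads an `ssh -v -X` client log on stdin and takes the DISPLAY value seen in the remote shell. It assumes sshd's default X11DisplayOffset of 10; the function names, verdict strings and the 192.0.2.1 address are made up for illustration.

```shell
#!/bin/sh
# Added example: triage SSH X11 forwarding from the client's `ssh -v -X` log
# (stdin) and the DISPLAY value seen in the remote shell (argument).

# display_port DISPLAY: print the TCP port an X client would use
# (6000 + display number), or "unix" when there is no host part (":0").
display_port() {
    case $1 in *:*) ;; *) return 1 ;; esac
    host=${1%:*}
    num=${1##*:}
    num=${num%%.*}                        # drop the optional ".screen"
    case $num in ''|*[!0-9]*) return 1 ;; esac
    if [ -z "$host" ]; then echo unix; else echo $((6000 + num)); fi
}

# triage REMOTE_DISPLAY < client.log: print a one-word verdict.
triage() {
    if ! grep -q 'Requesting X11 forwarding'; then
        echo client-did-not-request       # check ForwardX11 and local DISPLAY
    elif [ -z "$1" ]; then
        echo server-did-not-set-display   # check X11Forwarding and xauth on server
    elif ! port=$(display_port "$1"); then
        echo invalid-display
    elif [ "$port" = unix ] || [ "$port" -lt 6010 ]; then
        echo not-ssh-proxy-display        # X traffic would bypass the tunnel
    else
        echo "forwarded-via-port-$port"
    fi
}

# Log excerpts copied from the two pastes in the thread.
log_first='debug1: ssh-userauth2 successful: method password'
log_full='debug1: ssh-userauth2 successful: method password
debug1: Requesting X11 forwarding with authentication spoofing.
debug1: channel request 0: x11-req'

# 192.0.2.1 is a constructed stand-in for fw1's public address.
printf '%s\n' "$log_first" | triage ''
printf '%s\n' "$log_full"  | triage ''
printf '%s\n' "$log_full"  | triage '192.0.2.1:0'
printf '%s\n' "$log_full"  | triage 'lisa:10.0'
```

A DISPLAY of the form host:0 set by hand sends the X protocol directly to TCP port 6000 in the clear, which is the path the thread shows being rejected at fw1; a display set by sshd maps to a listener on the server that carries the traffic inside the SSH session.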
