Mailinglist Archive: opensuse-security (179 mails)

< Previous Next >
Re: [suse-security] ssh and X11 help
  • From: Calin Duma <calind@xxxxxxxxxxxxx>
  • Date: Sat, 01 May 2004 16:42:01 -0400
  • Message-id: <40940B99.2000702@xxxxxxxxxxxxx>


Brandon Hines wrote:

Ken Schneider wrote:

-----Original Message-----
From: Calin Duma <calind@xxxxxxxxxxxxx>
To: armins@xxxxxxx, suse-security@xxxxxxxx
Date: Sat, 01 May 2004 11:31:37 -0400
Subject: Re: [suse-security] ssh and X11 help


Thanks Armin. I am doing it with with an ssh config file that sets the
X11 forwarding via a config file entry

The fact that the display is correctly set as I ssh though the two machines tells us that the X11 is forwarded - I am not sure why the xterm does not pop up.

Calin



Because you also need to allow remote "x" programs to display on your
screen. This can be done with xhost + and then xhost - after you are through.

I tried the xhost+ for now and I have the same behavior. But I wouldn't want to leave it wide open any way - that is a high security risk.


Ken,

This is really bad advice, especially in a security list.

The xhost command is for allowing remote systems access to your display. If you must use it, at the very least specify the host for which you are granting access: "xhost + IP_ADDRESS". An even better way to do this is with xauth, but it is a bit more complicated. Where xhost is system based, xauth is session based.

The ssh X forwarding facility should work regardless of xhost. It uses xauth with magic-cookies. I would check to make sure xauth is in your path on both machines. If there are both stock SuSE installs, things should just work, although you might need to specify the -X option. I have has issues when connecting to various Solaris boxes.

The machine I am connecting to is a Solaris 5.8.box. The important part in the initial message that I posted is that I tried using a putty build on Suse and had the same problem. Using the same putty version on Windows with Exceed as the X server I was able to do it. That makes me believe that Brandon has the right ideea.

I checked both machines (local and remote) and xauth is in the path - but I am pretty sure that the problem is with the Xauthority. What else should I look for ? Below is the message I am getting when I ssh to the remote machine. After the last line I am stuck until the connection times out:

debug2: x11_get_proto /usr/openwin/bin/xauth list gatekeeper:15.0 2>/dev/null
debug1: Requesting X11 forwarding with authentication spoofing.
debug1: channel request 0: x11-req
debug1: channel request 0: shell
debug1: fd 3 setting TCP_NODELAY
debug2: callback done
debug1: channel 0: open confirm rwindow 10000 rmax 16384
No match
Erase is Backspace
Kill is Ctrl-K
shaman{cduma}1: xterm
debug1: client_input_channel_open: ctype x11 rchan 3 win 65536 max 16384
debug1: client_request_x11: request from <ipaddresshere> 54755
debug2: fd 7 setting TCP_NODELAY
debug2: fd 7 setting O_NONBLOCK
debug2: fd 7 is O_NONBLOCK
debug1: channel 1: new [x11]
debug1: confirm x11
debug1: client_input_channel_open: ctype x11 rchan 1 win 30000 max 1024
debug1: client_request_x11: request from 155.157.121.230 47588
debug1: fd 7 setting TCP_NODELAY
debug1: fd 7 setting O_NONBLOCK
debug2: fd 7 is O_NONBLOCK
debug1: channel 1: new [x11]
debug1: confirm x11

*** The two messages below appear because I resized the current windown on my suse machine.
debug2: client_check_window_change: changed
debug2: channel 0: request window-change










< Previous Next >