Linux Computer Store and Cafe

Bryce C. plug-discuss@lists.plug.phoenix.az.us
10 Apr 2002 07:49:45 -0700


Just to point out the obvious, does the ssh server have it set?   In the
/etc/ssh/sshd_config file, there should be a line "X11Forwarding yes"
w/o the quotes and in the /etc/ssh/ssh_config file on Crystaldragon,
there should be a line "ForwardX11 yes" w/o quotes in the Host *
section or under a special host section for Crystaldragon. Then you
don't have to add the -X to your command.  Just try that and see.

Bryce C.
Network Administrator
CoBryce Communications
Bryce @ BryceCo . Net


On 10 Apr 2002 13:48:53 -0700, der.hans wrote:
> On 10 Apr 2002, Thomas Mondoshawan Tate chattered thus:
> 
> > Unfortunately, no it doesn't. I'm guessing it has to have this to provide
> > X11 connection forwarding, right?
> 
> xauth is required for X services over ssh. It's what provides the
> authentication for X. Actually, I heard of a possibility to use a different
> auth service for X, but it still requires stuff to be installed, so use
> xauth :).
> 
> > What I'm trying to do is forward an X client connection through two
> > firewalls to my internal box. Eg:
> >
> > Crystaldragon -> Tank (firewall) -> { I-net } -> Thing (firewall) -> Nadesico
> >
> > Both Tank and Thing are Linux servers/firewalls. I'm sitting at
> > Crystaldragon and want an xterm run on Nadesico to appear here. My guess is
> > if SSH requires xauth to be present, then I can't do this via the X11
> > forwarding option. How, then, is it possible to do this forwarding securely?
> > Is it possible to set up a pair of SSH tunnels running on Tank and Thing that
> > forwards incoming connections from Nadesico to Crystal?
> 
> Make sure xauth is installed everywhere. It's not a security issue for the
> firewalls, so no reason not to have it.
> 
> Another possibility might be to put up an ssh tunnel or other vpn type of
> thing between the two firewalls. Then Crystaldragon and Nadesico would have
> a 'local' connection.
> 
> You could also do ssh tunneling for port 6000, but that seems like a strange
> way to go.
> 
> ciao,
> 
> der.hans
> -- 
> #  This line intentionally left blank.
> # We now return you to your regularly scheduled paranoia...
>
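
Added example, not part of the original messages: a shell check for the three things this thread says X11 over ssh depends on (X11Forwarding in sshd_config, ForwardX11 in ssh_config for the target host, and xauth being installed). The function names and the sample configs are constructed for illustration; it assumes plain "Keyword value" lines and does not evaluate Match blocks.

```shell
#!/bin/sh
# Added example: reports the settings this thread says X11 over ssh depends on.
# Assumes plain "Keyword value" lines; Match blocks are not evaluated.

# Server: sshd keeps the first value it reads for a keyword, so the first
# global X11Forwarding line decides. Upstream default when absent is "no".
sshd_x11forwarding() {   # usage: sshd_x11forwarding <sshd_config>
    awk '/^[ \t]*#/ { next }
         tolower($1) == "match" { exit }
         tolower($1) == "x11forwarding" { print tolower($2); found = 1; exit }
         END { if (!found) print "no" }' "$1"
}

# Client: ssh also uses the first value obtained, reading top to bottom and
# honouring only Host blocks whose patterns match the name typed on the command line.
client_forwardx11() {    # usage: client_forwardx11 <ssh_config> <host>
    awk -v host="$2" '
        function glob(p, h) {   # Host patterns use * and ? wildcards
            gsub(/\./, "[.]", p); gsub(/\*/, ".*", p); gsub(/\?/, ".", p)
            return h ~ ("^" p "$")
        }
        BEGIN { applies = 1 }   # lines before the first Host apply to every host
        /^[ \t]*(#|$)/ { next }
        tolower($1) == "match" { applies = 0; next }
        tolower($1) == "host" {
            applies = 0
            for (i = 2; i <= NF; i++)
                if (substr($i, 1, 1) == "!") {
                    if (glob(substr($i, 2), host)) { applies = 0; break }
                } else if (glob($i, host)) applies = 1
            next
        }
        applies && tolower($1) == "forwardx11" { print tolower($2); found = 1; exit }
        END { if (!found) print "no" }' "$1"
}

# Constructed sample configs (not taken from the thread's machines).
tmp=$(mktemp -d) && trap 'rm -rf "$tmp"' EXIT
printf '%s\n' '# constructed' 'X11Forwarding yes' 'X11Forwarding no' > "$tmp/sshd_config"
printf '%s\n' 'Host nadesico' '    ForwardX11 yes' 'Host *' '    ForwardX11 no' > "$tmp/ssh_config"

echo "sshd X11Forwarding:      $(sshd_x11forwarding "$tmp/sshd_config")"
echo "ForwardX11 for nadesico: $(client_forwardx11 "$tmp/ssh_config" nadesico)"
echo "ForwardX11 for tank:     $(client_forwardx11 "$tmp/ssh_config" tank)"
command -v xauth >/dev/null 2>&1 && echo "xauth: found" || echo "xauth: missing"
```

On a current OpenSSH, `ssh -G <host>` and `sshd -T` print the effective values directly, including Match handling that this sketch skips.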