[CS-FSLUG] Using SSH

Tim Young Tim.Young at LightSys.org
Thu Oct 14 10:38:09 CDT 2004


Yes, the X forwarding is set up to go only one direction.  It is a security
thing.  Though the security is really a part of xwindows.  X, even when just
running on your own computer, is set up to accept all windows controls as if
they were over the network.  It makes life just a little peculiar programming,
but it allows you to execute the programs on a remote computer and view the
window locally.

Because of this, they needed to add a layer of security.  Without that
security, anyone could execute a program on their computer and have the display
appear on yours.  (You do not even need to have an SSH tunnel open to pass X
traffic).  One favorite was to pop the X-Eyes up on someone's terminal...  "Big
brother is watching!"  There are also fun tools, like xmelt, or xroaches that
can really freak someone out if they have no clue what is going on.  Of course,
you could also run trojans...

So there is an xwindows permissions setup that you need to give hosts
permission to dump applications to your window before they can do so.  You can
do that with the xauth command.  I believe X forwarding through SSH only goes
one direction.  But if you are on a LAN you can send your Xwindows to another
computer simply by exporting "DISPLAY=computer:0" and it will be sent to
computer's primary xwindows display.

	- Tim

Don Parris wrote:
> 
> I got it!  I cannot launch an app when running ssh, but once I log
> into the remote host, I can run any app I want - xclock, Mozilla,
> whatever.  Almost every example uses xclock as a parameter to the ssh
> command, thus launching xclock in the process.  Mine won't do that.
> 
> In fact, I can launch remote X apps on host B from A, but not on A
> from B.  Here's the error I get from the other box:
> 
> Xlib: connection to "host:1100" refused by server.
> Xlib: Invalid MIT-MAGIC-COOKIE-1 key
> Error: Can't open display: peter:11.0
> 
> I can launch console apps - even vim - remotely from B  just not X apps.
> 
> Don
> 
> On Thu, 14 Oct 2004 10:47:13 -0400, Don Parris <gnumathetes at gmail.com> wrote:
> >
> >
> > On Thu, 14 Oct 2004 10:38:47 -0400, K Montgomery <keltik at albany.edu> wrote:
> > > SSH keys and X forwarding -- like peanut butter and jelly! (Unless you
> > > have a nut allergy.)
> > >
> > > Once you get the hang of these together, you'll have a blast.
> > >
> > > On Thu, 2004-10-14 at 02:19 -0400, Don Parris wrote:
> > > > I'd like to play with the remote X session, but am not quite sure how
> > > > this concept works.  I need to understand what is needed on the remote
> > > > host and what is needed on the local host.  Frankly, the documentation
> > > > I've seen just confuses me.  I've got the /etc/ssh/ssh_config file set
> > > > to forward X11 and use password authentication so far (on one host).
> > > >
> > > > Thanks in advance for the clarifications,
> > > > Don
> > >
> > > Like Josiah said, allowing the SSH daemon to forward X is as simple as a
> > > configuration change.  On the remote server add the line "X11Forwarding
> > > yes" to the /etc/ssh/sshd_config file.  When making the SSH connection,
> > > use "ssh -X" in your command line to request X11 forwarding on the
> > > client side; or insert the line "ForwardX11 yes" in your
> > > local /etc/ssh/ssh_config to make it the default.
> > >
> > > X forwarding through SSH is quite a blessing.  Even better is
> > > passwordless login using SSH keys.
> > >
> > > On Thu, 2004-10-14 at 02:19 -0400, Don Parris wrote:
> > > > I gather the process is something like:
> > > > (1) Run ssh-keygen - give pass phrase & filename (opt)
> > > > (2) Copy or e-mail public key to remote host & place in
> > > > ~/.ssh/authorized_keys2
> > >
> > > That's right.  But you'll still be asked for your passphrase when you
> > > try to log in (if there is one, I guess).  To go passwordless, you need
> > > to run "ssh-agent" at the beginning of your local login session -- the
> > > purpose of this agent is to hold on to your private SSH keys.  Then run
> > > "ssh-add" to add your keys to the agent.  You enter your passphrase once
> > > to add the keys, and you don't have to enter it again for the remainder
> > > of your session.  This makes remote logins a breeze!
> > >
> > > I use gdm and GNOME in Mandrake 10.1.  There's code
> > > in  /etc/X11/gdm/Xsession that automatically starts the agent.  All I do
> > > is add /usr/bin/ssh-add to my startup programs, and I'm asked for my
> > > passphrase when I log into GNOME.  I'm not sure how you'd set that up on
> > > your machine, but I don't think it would be hard to figure out.
> > >
> > Thanks.  I'm sure it would be about the same.  I have to admit, I
> > might not have thought of adding ssh-add to the start-up programs.
> > Welly, welly, clever! ;)
> >
> >
> >
> >
> > --
> > DC Parris GNU Evangelist
> > http://matheteuo.org/
> > gnumathetes at gmail.com
> > Free software is like God's love -
> > you can share it with anyone anywhere anytime!
> >
> 
> --
> DC Parris GNU Evangelist
> http://matheteuo.org/
> gnumathetes at gmail.com
> Free software is like God's love -
> you can share it with anyone anywhere anytime!
> 
> _______________________________________________
> ChristianSource FSLUG mailing list
> Christiansource at ofb.biz
> http://cs.uninetsolutions.com
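
Added example, not code from anyone in the thread: a shell audit of the server-side "X11Forwarding" setting discussed above, reading the global section of an sshd_config the way sshd does (first value for a keyword wins). The function names `effective_setting` and `audit_x11` are hypothetical, the sample config is constructed, and `X11UseLocalhost` is a real sshd_config keyword that the thread does not mention.

```shell
#!/bin/sh
# Added example: audit the global X11 forwarding settings in an sshd_config.
# sshd keeps the first value it obtains for a keyword, so later duplicates
# lose; lines after the first "Match" are conditional and are not read here.

effective_setting() {    # usage: effective_setting KEYWORD FILE [DEFAULT]
    awk -v want="$1" -v def="${3:-unset}" '
        BEGIN { want = tolower(want) }
        { sub(/^[ \t]+/, "") }                 # strip leading whitespace
        /^#/ || /^$/ { next }                  # skip comments and blank lines
        tolower($1) == "match" { exit }        # end of the global section
        {
            line = $0
            sub(/[ \t]*=[ \t]*/, " ", line)    # accept "Keyword=value" too
            n = split(line, f, /[ \t]+/)
            if (n >= 2 && tolower(f[1]) == want) {
                val = tolower(f[2]); found = 1; exit
            }
        }
        END { print (found ? val : def) }
    ' "$2"
}

audit_x11() {            # usage: audit_x11 SSHD_CONFIG
    fwd=$(effective_setting X11Forwarding "$1" no)      # OpenSSH default: no
    loc=$(effective_setting X11UseLocalhost "$1" yes)   # OpenSSH default: yes
    if [ "$fwd" != yes ]; then
        echo "off"
    elif [ "$loc" = no ]; then
        echo "on-wildcard"    # forwarded display listens on all addresses
    else
        echo "on-loopback"    # forwarded display reachable only on the host itself
    fi
}

# Constructed sample config (not from the thread).
sample=$(mktemp)
cat > "$sample" <<'EOF'
Port 22
#X11Forwarding no
x11forwarding yes
X11Forwarding no
X11UseLocalhost=no
Match User guest
    X11Forwarding no
EOF
audit_x11 "$sample"
rm -f "$sample"
```

On a live host, `sshd -T` run as root prints the configuration sshd actually resolves, which is the authoritative check when Match blocks are involved.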



