TCLUG Archive

Re: [TCLUG:8994] X over SSH thru IPMasq



Yipes!  Running xhost + (anything) places us in the same boat as running
XDMCP.  Part of SSH's security features is the usage of xauth rather than
xhost.  Install xauth on the server side, or move it to the path SSH
expects it to be in.  In addition, not only is it more secure, but it
takes the guesswork out of having to issue forwarding requests and
application launch commands.  Picture this: running the application on
the server and telling it to display back on your client leaves you open
to virtually anyone on that machine doing the same!  If I were on the same
machine, I could issue:

xv /path/to/offensive/image.jpg -display bobsbox:21

And the application would display on your machine.  This works in
reverse as well -- there's really no end to the laundry list of nasty
things I can do to your box once you've issued an xhost + command.
Granted, this isn't too much of a problem on a private network, but it's a
rare example of where extra security is less work.

Peter Lukas

On Wed, 6 Oct 1999, Bob Tanner wrote:

> Try this.
> 
> On your machine xhost + <remote>
> 
> On your machine ssh -R 6021:localhost:6000 <remote>
> 
> Log into the remote machine, then do this:
> 
> myXapplication -display localhost:21
> 
> SSH will tunnel the X application through to you just fine.
> 
> 
> Quoting Peter Lukas (peter@math.umn.edu):
> > This can be one of many problems.  Most likely, the problem is being
> > caused by there either not being an xauth in the expected path, or xauth
> > is not installed on the machine.  To SSH, if xauth isn't found, no X11
> > forwarding is allowed.  Pass the -v flag the next time you try it to see
> > what types of error messages SSH generates when you connect:
> > 
> > shaft.badmutha.org: Requesting X11 forwarding with authentication 
> > spoofing.
> > shaft.badmutha.org: Remote: X11 forwarding disabled in server
> > configuration file.
> > Warning: Remote host denied X11 forwarding, perhaps xauth program could
> > not be run on the server side.
> > 
> > Peter Lukas
> > 
> > On Wed, 6 Oct 1999, Michael Hicks wrote:
> > 
> > > > You can connect directly to the X server, but that's not really a
> > > > security-conscious move.  Use an SSH client to connect to the X-Windows
> > > > machine from the NT machine.  Enable X11 forwarding in the SSH client from
> > > > the X Server machine to your NT machine and tell the local X-Server to get
> > > > requests from the loopback device.  That way, all X11 traffic travels over
> > > > the encrypted connection to your display and cannot be easily sniffed by
> > > > outsiders.
> > > 
> > > Speaking of using SSH for handling X..  I was at home over the weekend, where
> > > we have a cable modem.  I was hoping to try remotely displaying an X
> > > application, mostly just for testing purposes.  I logged into my box with SSH,
> > > and ran the application, but it said it couldn't connect to the X server.  The
> > > problem probably relates to the fact that my family has an IP Masq gateway at
> > > home.  However, I expected SSH to work fine, since I thought any X
> > > communication would just piggyback on an already existing connection, rather
> > > than make a new one or anything.
> > > 
> > > Anyway, I guess I'm wondering if anyone has had luck getting X to run over SSH
> > > when they're behind an IP masq gateway..  Maybe I just forgot something.
> > > 
> > > -- 
> > >  _  _  _  _ _  ___    _ _  _  ___ _ _  __   I know everything about 
> > > / \/ \(_)| ' // ._\  / - \(_)/ ./| ' /(__   everything, except that. 
> > > \_||_/|_||_|_\\___/  \_-_/|_|\__\|_|_\ __)                            
> > > [ Mike Hicks | http://umn.edu/~hick0088 | mailto:hick0088@tc.umn.edu ]
> > > 
> > > ---------------------------------------------------------------------
> > > To unsubscribe, e-mail: tclug-list-unsubscribe@mn-linux.org
> > > For additional commands, e-mail: tclug-list-help@mn-linux.org
> > > 
> > > 
> > 
> > 
> 
> -- 
> Bob Tanner <tanner@real-time.com>       | Phone : (612)943-8700
> http://www.real-time.com                | Fax   : (612)943-8500
> Key fingerprint =  6C E9 51 4F D5 3E 4C 66 62 A9 10 E5 35 85 39 D9 
> 
> 
> 
>
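The two practical points in this thread, that a display number maps to TCP port 6000+N (so a hand-built ssh -R tunnel has to use the matching port) and that `xhost +` disables X access control entirely where xauth-based SSH forwarding does not, as an added example that is not part of any of the posts above.  The helper names (x11_port, xhost_is_open, diagnose_ssh_x11) are invented for this illustration; the sample xhost output is constructed, and the sample ssh -v lines are the ones Peter quotes in the thread.

```shell
#!/bin/sh
# Added example, not code from the original thread.  Samples below are
# constructed for illustration; nothing here talks to a real X server.

# Map an X display string ("localhost:21", "bobsbox:21.0", ":0") to the TCP
# port the X server listens on: 6000 + display number.  This is the port a
# manual "ssh -R <port>:localhost:6000" tunnel has to use, so that
# "-display localhost:N" on the remote side reaches the tunnel.
x11_port() {
    disp=${1#*:}          # drop the host part up to the first ':'
    disp=${disp%%.*}      # drop the screen number, if any
    echo $((6000 + disp))
}

# Inspect captured `xhost` output.  Exit 0 when access control is disabled
# (the state "xhost +" leaves you in), 1 when it is enabled.
xhost_is_open() {
    printf '%s\n' "$1" | grep -q '^access control disabled'
}

# Turn the `ssh -v` messages quoted in the thread into the fix to apply on
# the remote (sshd) side.  Failure patterns are matched before the generic
# "Requesting" line so a log that contains both reports the failure.
diagnose_ssh_x11() {
    case "$1" in
        *"X11 forwarding disabled in server configuration file"*)
            echo "set 'X11Forwarding yes' in sshd_config on the remote host and restart sshd" ;;
        *"xauth program could not be run"*)
            echo "install xauth on the remote host or point XAuthLocation at it in sshd_config" ;;
        *"Requesting X11 forwarding"*)
            echo "X11 forwarding negotiated; check DISPLAY and 'xauth list' on the remote side" ;;
        *)
            echo "no X11 forwarding diagnostics found; re-run with ssh -v" ;;
    esac
}

# Constructed sample xhost output, in the two forms xhost prints.
XHOST_OPEN='access control disabled, clients can connect from any host'
XHOST_CLOSED='access control enabled, only authorized clients can connect
SI:localuser:bob'

# ssh -v output as quoted in the thread (hostnames are the thread's own).
SSH_LOG='shaft.badmutha.org: Requesting X11 forwarding with authentication spoofing.
shaft.badmutha.org: Remote: X11 forwarding disabled in server configuration file.
Warning: Remote host denied X11 forwarding, perhaps xauth program could not be run on the server side.'

# Demonstration on the samples (wrapped in if/echo so the script exits 0).
echo "display localhost:21 -> TCP port $(x11_port localhost:21)"
if xhost_is_open "$XHOST_OPEN"; then
    echo "sample 1: display is open to any host; run 'xhost -' and use 'ssh -X' (xauth) instead"
fi
if xhost_is_open "$XHOST_CLOSED"; then :; else
    echo "sample 2: access control enabled"
fi
diagnose_ssh_x11 "$SSH_LOG"
```

With xauth in place on the remote side, the whole of Bob's three-step recipe collapses to `ssh -X <remote>` (or `ForwardX11 yes` in ~/.ssh/config): sshd allocates a display on the remote end, installs a per-session xauth cookie, and clients there can only reach your X server by presenting that cookie over the encrypted channel.  Any other user on the remote box who tries `-display localhost:N` without the cookie is refused, which is the gap `xhost +` opens.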