SSH tunnel and X forwarding - openssh


Thread: SSH tunnel and X forwarding

  1. SSH tunnel and X forwarding

    Hi all,

    I'm having a problem setting up an SSH connection with X Forwarding in a very special setup, and hope you will be able to help me.

    The setup is as follows: I live in a student residence and have a computer there named ririu. This computer isn't reachable from the outside, as the university's computer center blocks all ingoing connections to the residence from the outside.
    The only reachable computer from the outside is our server in the residence, hal, for which the computer center makes an exception.

    I'm now at my parents' place and want to build up an SSH connection with X Forwarding from my computer here, freya, to ririu, my computer in the residence. As hal is in the same LAN as ririu, obviously I can connect from freya to hal, and then from hal to ririu.

    So I can also log in to hal and do a

    malte@hal $ ssh -g -L 2508:ririu:22 malte@ririu

    to build up an SSH tunnel. Then I can connect from freya to ririu using

    malte@freya $ ssh -p 2508 malte@hal

    This works like a charm. However, now I also want to have X Forwarding.

    So I tried to specify -X as an additional parameter.

    malte@freya $ ssh -p 2508 -X malte@hal

    I do succeed in connecting to ririu. Except that the X forwarding doesn't work!

    malte@ririu $ firefox
    Error: no display specified
    malte@ririu $ echo $DISPLAY

    malte@ririu $

    An X Forwarding to hal works flawlessly:

    malte@freya:~$ ssh -X malte@hal
    malte@hal $ echo $DISPLAY
    localhost:11.0

    ...I can start X applications on hal and they are displayed on freya. But as you see, when I try to do this from freya through an SSH tunnel from hal to ririu, the DISPLAY variable somehow gets lost. It doesn't help to randomly set the DISPLAY variable on ririu to localhost:11.0 or localhost:10.0 either, which I tried in desperation.

    I hope I made it clear what the problem is, otherwise just ask.
    Do you have any idea why this isn't working? I would have assumed that ssh doesn't even notice it's running through an SSH tunnel and that this should hence work without problems. But it doesn't... so, is there any way for me to build up an ssh connection with X forwarding from freya to ririu at all?

    Thanks for your help


  2. Re: SSH tunnel and X forwarding

    On Tue, Sep 30, 2008 at 01:21:14PM +0200, Malte Horst Arthur Skoruppa wrote:
    > malte@hal $ ssh -g -L 2508:ririu:22 malte@ririu
    >
    > malte@freya $ ssh -p 2508 -X malte@hal
    >
    > I do succeed in connecting to ririu. Except that the X forwarding doesn't work!


    It should work as expected if you just skip the tunnel and use two
    ssh connections:

    imadev:~$ ssh -t -X vandev ssh -X arc1 xdpyinfo
    RSA host key for IP address '10.76.142.101' not in list of known hosts.
    wooledg@vandev's password:
    Warning: No xauth data; using fake authentication data for X11 forwarding.
    Password:
    name of display: localhost:11.0
    version number: 11.0
    vendor string: Hewlett-Packard Company
    vendor release number: 600000
    ....

    Of course you'll need xauth(1) on all three machines, and X11Forwarding
    in the sshd_config files on all but "hal".

    The -t option on the first ssh is so that there's a terminal in which
    the sshd on box #2 (vandev in my example) can ask for a password. This
    shouldn't be needed if you use keys.


  3. Re: SSH tunnel and X forwarding

    Malte,

    just one preliminary question:
    You have verified that every sshd on the way has X Forwarding enabled? And
    restarted it afterwards, eventually?

    Ah, well, and another question:
    Have you started sshd and ssh in very verbose mode (-vvv) and looked into
    the logs? Many things in verbose mode are completely alien wording, but
    sometimes one can get a hint.

    I have not tried using X forwarding on such a double ssh route myself, but
    I have configured something similar some months ago for someone else to
    use.
    What I did, was:
    On the first part of the way (that is freya to hal, isn't it?) I used
    public key authentication, and in authorized_keys I added
    "command=/path/to/ssh -X -l USER ririu" before the key. That makes the
    shell on hal open up the second part of the way on its own - you hop right
    through hal from freya to ririu. And you are restricted to exactly that
    command in the shell on hal, you can do nothing else.

    My first server was HPUX, the second some Linux (don't know the distro,
    presumably RedHat), and I remember I had to fiddle around with the syntax,
    but it worked in the end including X forwarding (according to the guy who
    had to use it).

    By the way, the above syntax is right away off my head - don't trust it
    down to the single sign.

    Regards,

    Dirk


    --------------------------------------------------------------
    Dirk H. Schulz
    IT Systems Service
    Wiesenweg 12, 85567 Grafing
    Tel. 0 80 92/86 25 68
    Fax. 0 80 92/86 25 72
    --------------------------------------------------------------
    Technology at its finest - and the necessary tuning


  4. Re: SSH tunnel and X forwarding

    Hi people,

    thanks for all of your kind answers.

    I learned a lot about ssh and how X forwarding works thanks to your
    posts, and also about security guidelines. "Nesting tunnels is safer
    than chaining." I'll remember that. And I'll try to avoid -g ;-)

    As some of you suggested, in the end the problem was just that ririu was
    not configured to allow X11Forwarding. I just had to edit the
    sshd_config. Then it worked. However, now I'm also setting up the
    tunnels in the way you guys suggested :-)

    Cheers,

    Malte

    dani1l wrote:
    > for example your X was opened at freya of port 6123
    > first:
    >
    > malte@freya $ ssh -R 1234:localhost:6123 malte@hal # port 1234 or other
    >
    > then you at hal:
    >
    > malte@hal $ ssh -R 6125:localhost:1234 malte@ririu
    >
    > then at ririu
    >
    > malte@ririu $ export DISPLAY=localhost:125.0
    > malte@ririu $ xterm &
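
The cause reported in post 4 (the sshd on ririu not allowing X11Forwarding) can be checked on each hop before touching the tunnels. The following is an added example, not code from the thread: the function names, the `CHECK_FS` switch and the two sample configurations are constructed for illustration, and the input is assumed to be in the lowercase `keyword value` form that `sshd -T` prints.

```shell
#!/bin/sh
# Added example (not from the thread): judge from an sshd's effective
# configuration whether it will set DISPLAY for a client that asks with -X.
# Input format is that of `sshd -T`: one lowercase "keyword value" per line.

# Print the value of keyword $1 from the config text on stdin.
get_opt() {
    awk -v key="$1" 'tolower($1) == key { print $2; exit }'
}

# x11_verdict CONFIG_TEXT -> prints one verdict line; status 0 only if usable.
x11_verdict() {
    fwd=$(printf '%s\n' "$1" | get_opt x11forwarding)
    xauth=$(printf '%s\n' "$1" | get_opt xauthlocation)
    local_only=$(printf '%s\n' "$1" | get_opt x11uselocalhost)

    if [ "$fwd" != "yes" ]; then
        echo "blocked: x11forwarding=${fwd:-unset}, DISPLAY will stay empty"
        return 1
    fi
    # sshd needs xauth to store the proxy display's cookie. The file test
    # only makes sense on the host itself, so it is opt-in via CHECK_FS=1.
    if [ -z "$xauth" ] || { [ "${CHECK_FS:-0}" = 1 ] && [ ! -x "$xauth" ]; }; then
        echo "blocked: xauth not usable at '${xauth:-unset}'"
        return 1
    fi
    if [ "$local_only" = "no" ]; then
        echo "risky: x11uselocalhost=no exposes the proxy display on the network"
        return 2
    fi
    echo "ok: forwarding enabled, display bound to loopback"
}

# Constructed samples: ririu with forwarding disabled, then after the fix.
RIRIU_BEFORE='port 22
x11forwarding no
x11uselocalhost yes
xauthlocation /usr/bin/xauth'
RIRIU_AFTER='port 22
x11forwarding yes
x11uselocalhost yes
xauthlocation /usr/bin/xauth'

for name in RIRIU_BEFORE RIRIU_AFTER; do
    eval "cfg=\$$name"
    printf '%s: %s\n' "$name" "$(x11_verdict "$cfg" || true)"
done
```

On a real hop, feed it the live configuration with `CHECK_FS=1 x11_verdict "$(sshd -T)"`; `sshd -T` typically has to run as root.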


