reverse x11 tunneling versus ssh -X - SSH


  1. reverse x11 tunneling versus ssh -X


    Hello,

    Here is the situation


    Home -> Gateway -> Workstation


    I normally use VNC and -L forwarding through the Gateway to
    the desired workstation. This works fine, but some of my coworkers
    would like to directly tunnel X11. The recipe below seems to work
    fine:

    home> ssh -X Gateway
    Gateway> ssh -X Workstation
    Workstation> xterm

    This seems to work. But I would like to understand why the
    following does not:

    home> ssh -R 6001:127.0.0.1:6000 Gateway
    Gateway> ssh Workstation
    Workstation> DISPLAY=Gateway:1.0
    Workstation> xterm

    (Note: to generalize using port 60xx and DISPLAY=Gateway:xx.0)

    Why doesn't this work?

    Thanks.


  2. Re: reverse x11 tunneling versus ssh -X

    On Tue, 23 Oct 2007 18:10:02 +0000, ohms377 wrote:
    > Why doesn't this work?


    Probably because port 6001 is not open to accept connections on the
    gateway machine.

    But both those approaches are inefficient and tedious. You are best just
    adding the entry:

    Host Workstation
    ProxyCommand=ssh -qax -o "clearAllForwardings=yes" Gateway nc %h %p

    to your Workstation:~/.ssh/config file and then a simple:

    Home> ssh -X Workstation

    will work fine (and efficiently over a single ssh session).

  3. Re: reverse x11 tunneling versus ssh -X

    >
    > Hello,
    >
    > Here is the situation
    >
    >
    > Home -> Gateway -> Workstation
    >
    >
    > I normally use VNC and -L forwarding through the Gateway to
    > the desired workstation. This works fine, but some of my coworkers
    > would like to directly tunnel X11. The recipe below seems to work
    > fine:
    >
    > home> ssh -X Gateway
    > Gateway> ssh -X Workstation
    > Workstation> xterm
    >
    > This seems to work. But I would like to understand why the
    > following does not:
    >
    > home> ssh -R 6001:127.0.0.1:6000 Gateway
    > Gateway> ssh Workstation
    > Workstation> DISPLAY=Gateway:1.0
    > Workstation> xterm
    >
    > (Note: to generalize using port 60xx and DISPLAY=Gateway:xx.0)
    >
    > Why doesn't this work?


    You didn't say *how* it doesn't work (e.g. quote error messages). But
    one problem could be X authentication, which SSH X forwarding handles
    transparently.

    --
    Richard Silverman
    res@qoxp.net


  4. Re: reverse x11 tunneling versus ssh -X

    Hello Richard,

    This is the error I am getting:

    Workstation> xterm
    xterm Xt error: Can't open display: Gateway:1.0
    Workstation> xev
    xev: unable to open display 'Gateway:1.0'

    Thanks.


  5. Re: reverse x11 tunneling versus ssh -X

    Richard,

    It does seem to be a problem with X authentication in the Gateway.

    Gateway> xhost +
    access control disabled, clients can connect from any host
    xhost: must be on local machine to enable or disable access control.

    Workstation -> 6001 Gateway -> 6000 Home

    But authentication should not be required on the Gateway...
    since it should be forwarding incoming port 6001, via
    ssh -R forwarding.

    Thanks again.


  6. Re: reverse x11 tunneling versus ssh -X

    On Oct 23, 2:56 pm, Mark wrote:
    > On Tue, 23 Oct 2007 18:10:02 +0000, ohms377 wrote:
    > > Why doesn't this work?

    >
    > Probably because port 6001 is not open to accept connections on the
    > gateway machine.
    >
    > But both those approaches are inefficient and tedious. You are best just
    > adding the entry:
    >
    > Host Workstation
    > ProxyCommand=ssh -qax -o "clearAllForwardings=yes" Gateway nc %h %p
    >
    > to your Workstation:~/.ssh/config file and then a simple:
    >
    > Home> ssh -X Workstation
    >
    > will work fine (and efficiently over a single ssh session).


    Thanks for replying Mark,

    But my Home computer cannot directly communicate to my work's
    Workstation, so ssh -X Workstation from Home doesn't make sense for me.
    Sorry, I might be missing something...


  7. Re: reverse x11 tunneling versus ssh -X

    >
    > Hello Richard,
    > This is the error I am getting:
    >
    > Workstation> xterm
    > xterm Xt error: Can't open display: Gateway:1.0
    > Workstation> xev
    > xev: unable to open display 'Gateway:1.0'


    -R [bind_address:]port:host:hostport
    ...
    By default, the listening socket on the server will be
    bound to the loopback interface only. This may be
    overridden by specifying a bind_address. An empty
    bind_address, or the address `*', indicates that the
    remote socket should listen on all interfaces.
    Specifying a remote bind_address will only succeed if the
    server's GatewayPorts option is enabled (see
    sshd_config(5)).

    --
    Richard Silverman
    res@qoxp.net
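
An added example, not part of any post in the thread: a small diagnostic for the `-R` behaviour quoted above, showing why `DISPLAY=Gateway:1.0` cannot be opened from Workstation when the forwarded port is bound to loopback on Gateway. The function names are hypothetical and the `ss -ltn` output is a constructed sample.

```shell
# TCP port an X client dials for a "host:N[.screen]" display (6000 + N).
display_port() {
    n=${1##*:}        # drop everything up to the last colon -> "1.0"
    n=${n%%.*}        # drop the screen suffix -> "1"
    echo $((6000 + n))
}

# Read `ss -ltn` output on stdin and report how PORT is bound:
# "loopback", "all" (some non-loopback address), or "none".
listener_scope() {
    awk -v want="$1" '
        $1 == "LISTEN" {
            n = split($4, part, ":")          # port is the last ":" field
            if (part[n] != want) next
            addr = substr($4, 1, length($4) - length(part[n]) - 1)
            if (addr ~ /^127\./ || addr == "[::1]") lo = 1; else wide = 1
        }
        END { print (wide ? "all" : (lo ? "loopback" : "none")) }'
}

# Verdict for an X client on another host using DISPLAY ($1),
# given the display host's `ss -ltn` output on stdin.
diagnose() {
    host=${1%%:*}
    port=$(display_port "$1")
    scope=$(listener_scope "$port")
    case "$host" in
        ""|localhost|127.*) echo "local display, port $port ($scope)"; return ;;
    esac
    case "$scope" in
        loopback) echo "unreachable: $host:$port listens on loopback only" ;;
        all)      echo "reachable: $host:$port (the X server still requires auth)" ;;
        none)     echo "unreachable: nothing listens on $host:$port" ;;
    esac
}

# Constructed sample of `ss -ltn` on Gateway with the -R forward active.
sample_ss() {
    cat <<'EOF'
State  Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0      128    0.0.0.0:22         0.0.0.0:*
LISTEN 0      128    127.0.0.1:6001     0.0.0.0:*
LISTEN 0      128    [::1]:6001         [::]:*
EOF
}

sample_ss | diagnose "Gateway:1.0"
```

On a live Gateway, pipe the real `ss -ltn` output into `diagnose` in place of `sample_ss`.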


  8. Re: reverse x11 tunneling versus ssh -X

    >>>>> "ohms377" == ohms377 writes:

    ohms377> Richard, It does seem to be a problem with X authentication
    ohms377> in the Gateway.

    ohms377> Gateway> xhost +
    ohms377> access control disabled, clients can connect from any host
    ohms377> xhost: must be on local machine to enable or disable access
    ohms377> control.

    ohms377> Workstation -> 6001 Gateway -> 6000 Home

    ohms377> But authentication should not be required on the Gateway...
    ohms377> since it should be forwarding incoming port 6001, via ssh -R
    ohms377> forwarding.

    When connected to the forwarded port, you are talking directly to the X
    server, and *it* requires authentication.

    --
    Richard Silverman
    res@qoxp.net


  9. Re: reverse x11 tunneling versus ssh -X

    On Wed, 24 Oct 2007 18:50:44 +0000, ohms377 wrote:
    > But my Home computer cannot directly communicate to my work's
    > Workstation, so ssh -X Workstation from Home doesn't make sense for
    > me. Sorry, I might be missing something...


    You are missing something. Did you add that "Host Workstation" entry I
    mentioned to your ~/.ssh.config file on your home box?

    Of course you can't directly access your Workstation box from your home
    box but if you add that entry then when you type "ssh -X Workstation"
    from your home box then ssh will make the connection automatically via
    Gateway. The ssh connection will actually be proxied via a netcat from
    Gateway to Workstation.

    If you are actually using PuTTY on your home box then it has equivalent
    functionality to ProxyCommand by using plink; refer to the PuTTY docs.

  10. Re: reverse x11 tunneling versus ssh -X

    On Wed, 24 Oct 2007 18:40:21 +0000, ohms377 wrote:
    > This is the error I am getting:
    >
    > Workstation> xterm
    > xterm Xt error: Can't open display: Gateway:1.0
    > Workstation> xev
    > xev: unable to open display 'Gateway:1.0'


    As I said in my first sentence of my first response, Gateway looks to be
    a firewall box so it is likely that all ports (other than ssh) are
    blocked for inbound connection (i.e. port 6001 on Gateway is blocked so X
    clients on Workstation cannot connect to it).

  11. Re: reverse x11 tunneling versus ssh -X


    > On Oct 23, 2:56 pm, Mark wrote:
    > > On Tue, 23 Oct 2007 18:10:02 +0000, ohms377 wrote:
    > > > Why doesn't this work?

    > >
    > > Probably because port 6001 is not open to accept connections on the
    > > gateway machine.
    > >
    > > But both those approaches are inefficient and tedious. You are best just
    > > adding the entry:
    > >
    > > Host Workstation
    > > ProxyCommand=ssh -qax -o "clearAllForwardings=yes" Gateway nc %h %p
    > >
    > > to your Workstation:~/.ssh/config file and then a simple:
    > >
    > > Home> ssh -X Workstation
    > >
    > > will work fine (and efficiently over a single ssh session).

    >
    > Thanks for replying Mark,
    >
    > But my Home computer cannot directly communicate to my work's
    > Workstation, so ssh -X Workstation from Home doesn't make sense for me.
    > Sorry, I might be missing something...


    The "host Workstation" stanza makes ssh do something different when you
    type "ssh Workstation": it uses a second SSH connection together with
    netcat (nc) as the transport for the first connection. Read up on the
    ProxyCommand feature. This is definitely a better way to do it.

    --
    Richard Silverman
    res@qoxp.net

