X11 tunnelling issue and login security question - SSH


  1. X11 tunnelling issue and login security question

    Gurus,

    I have a unix server that I have installed OpenSSH and it all works fine. I
    am able to start a session (using PuTTY) and log in and use X11 forwarding
    to run x windows applications. I would like to run an X session with
    another unix server that is on the same lan segment and does not have
    OpenSSH installed. Is this possible? If so, how would I set this up?

    eg:

    PuTTY client <-------> OpenSSH hosta <---------> hostb - no ssh - (x11
    session)
    x11 forwarding en

    I would also like to know how to make the login more secure. Is there a way
    to further challenge a login request after the correct password has been
    entered (two password login)? ie: some way of prompting client for a
    response to a key that is issued by the server?


    eg:

    login as: xxxxxxx

    key 3a 45 6c 43 8b
    response?


    many thanks
    deanl

    I






  2. Re: X11 tunnelling issue and login security question

    >
    > Gurus,
    > I have a unix server that I have installed OpenSSH and it all works fine. I
    > am able to start a session (using PuTTY) and log in and use X11 forwarding
    > to run x windows applications. I would like to run an X session with
    > another unix server that is on the same lan segment and does not have
    > OpenSSH installed. Is this possible? If so, how would I set this up?
    >
    > eg:
    >
    > PuTTY client <-------> OpenSSH hosta <---------> hostb - no ssh - (x11
    > session)
    > x11 forwarding en


    Set X11UseLocalhost=no in sshd_config; that will allow an X client on
    hostb to connect to the OpenSSH X proxy (e.g. xterm -display hosta:10).
    However, the connection between hostb and hosta will of course be unsecured.

    > I would also like to know how to make the login more secure. Is there a way
    > to further challenge a login request after the correct password has been
    > entered (two password login)? ie: some way of prompting client for a
    > response to a key that is issued by the server?
    >
    >
    > eg:
    >
    > login as: xxxxxxx
    >
    > key 3a 45 6c 43 8b
    > response?


    You can use keyboard-interactive authentication instead of password, and
    configure any set of available authentication methods by setting
    UsePAM=yes and configuring PAM for sshd as you like (e.g. with libopie for
    one-time passwords).

    --
    Richard Silverman
    res@qoxp.net
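
A check for the two sshd_config changes suggested in the reply above, as an added example that is not part of the original posts. The sample config is constructed, and the defaults passed to `sshd_opt` are assumed to be the upstream OpenSSH ones (a vendor build may differ).

```shell
#!/bin/sh
# Added example (not from the thread). Prints the effective global value of
# one sshd_config keyword read from stdin, or the given default if unset.
# sshd keeps the first value it reads; keywords are case-insensitive and may
# be written "Keyword value" or "Keyword=value".
sshd_opt() {   # usage: sshd_opt <keyword> <default> < sshd_config
    awk -v want="$1" -v dflt="$2" '
        BEGIN { want = tolower(want) }
        /^[ \t]*#/ || /^[ \t]*$/ { next }
        {
            line = $0; sub(/^[ \t]+/, "", line)
            n = match(line, /[ \t=]/); if (!n) next
            key = tolower(substr(line, 1, n - 1))
            if (key == "match") exit            # conditional blocks are not global
            val = substr(line, n)
            sub(/^[ \t]*=?[ \t]*/, "", val); sub(/[ \t]+$/, "", val)
            if (key == want) { dflt = tolower(val); exit }
        }
        END { print dflt }'
}

# Flags the settings this thread turns on or relies on.
audit_sshd() {   # stdin: sshd_config; stdout: one finding per line
    cfg=$(cat)
    opt() { printf '%s\n' "$cfg" | sshd_opt "$1" "$2"; }
    if [ "$(opt X11Forwarding no)" = yes ] && [ "$(opt X11UseLocalhost yes)" = no ]; then
        echo "x11-proxy-exposed: forwarded displays accept TCP from other hosts, unencrypted"
    fi
    [ "$(opt UsePAM no)" = yes ] || echo "pam-off: PAM one-time-password modules are not consulted"
    [ "$(opt PasswordAuthentication yes)" = no ] ||
        echo "password-on: plain password method is still offered"
}

# Constructed sample config, not taken from a real host.
SAMPLE_CFG='# constructed sample
X11Forwarding yes
X11UseLocalhost=no
usepam yes
X11UseLocalhost yes
Match User guest
    PasswordAuthentication no'

printf '%s\n' "$SAMPLE_CFG" | audit_sshd
```

On a real host, feed it the live file: `audit_sshd < /etc/ssh/sshd_config` (path assumed; it varies by platform).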


  3. Re: X11 tunnelling issue and login security question

    Thanks Richard works a treat!

    I am a little uncertain about the one time password facility. Do you have an
    example of the configuration of sshd and PAM (example files)?

    thanks again

    Regards
    dean

    "Richard E. Silverman" wrote in message
    news:m2acanv9l8.fsf@darwin.oankali.net...
    >>
    >> Gurus,
    >> I have a unix server that I have installed OpenSSH and it all works fine. I
    >> am able to start a session (using PuTTY) and log in and use X11 forwarding
    >> to run x windows applications. I would like to run an X session with
    >> another unix server that is on the same lan segment and does not have
    >> OpenSSH installed. Is this possible? If so, how would I set this up?
    >>
    >> eg:
    >>
    >> PuTTY client <-------> OpenSSH hosta <---------> hostb - no ssh - (x11
    >> session)
    >> x11 forwarding en

    >
    > Set X11UseLocalhost=no in sshd_config; that will allow an X client on
    > hostb to connect to the OpenSSH X proxy (e.g. xterm -display hosta:10).
    > However, the connection between hostb and hosta will of course be
    > unsecured.
    >
    >> I would also like to know how to make the login more secure. Is there a way
    >> to further challenge a login request after the correct password has been
    >> entered (two password login)? ie: some way of prompting client for a
    >> response to a key that is issued by the server?
    >>
    >>
    >> eg:
    >>
    >> login as: xxxxxxx
    >>
    >> key 3a 45 6c 43 8b
    >> response?

    >
    > You can use keyboard-interactive authentication instead of password, and
    > configure any set of available authentication methods by setting
    > UsePAM=yes and configuring PAM for sshd as you like (e.g. with libopie for
    > one-time passwords).
    >
    > --
    > Richard Silverman
    > res@qoxp.net
    >




  4. Re: X11 tunnelling issue and login security question

    Hi

    What does this message mean when using X11 forwarding and attempting to
    connect to an X11 session thru an ssh server on a host that does not have
    ssh installed ?

    testa@nike:/users/test >rlogin testb
    testb@nike:/users/test >export DISPLAY=10.214.110.29:10.0
    testb@nike:/users/test >xclock&
    [1] 13478
    testb@nike:/users/test >Xlib: connection to "10.214.110.29:10.0" refused by
    server
    Xlib: PuTTY X11 proxy: wrong authentication protocol attempted
    Error: Can't open display: 10.214.110.29:10.0
    Error: Couldn't find per display information

    [1] + Done(1) xclock&
    testb@nike:/users/test >

    The SSH server has;

    X11UseLocalhost=no
    How do I fix it?

    regards
    dean




    "diablo" wrote in message
    news:Kc2dnb1QcutPst3ZRVnyvA@bt.com...
    > Gurus,
    >
    > I have a unix server that I have installed OpenSSH and it all works fine. I
    > am able to start a session (using PuTTY) and log in and use X11 forwarding
    > to run x windows applications. I would like to run an X session with
    > another unix server that is on the same lan segment and does not have
    > OpenSSH installed. Is this possible? If so, how would I set this up?
    >
    > eg:
    >
    > PuTTY client <-------> OpenSSH hosta <---------> hostb - no ssh - (x11
    > session)
    > x11 forwarding en
    >
    > I would also like to know how to make the login more secure. Is there a way
    > to further challenge a login request after the correct password has been
    > entered (two password login)? ie: some way of prompting client for a
    > response to a key that is issued by the server?
    >
    >
    > eg:
    >
    > login as: xxxxxxx
    >
    > key 3a 45 6c 43 8b
    > response?
    >
    >
    > many thanks
    > deanl
    >
    > I
    >
    >
    >
    >
    >




  5. Re: X11 tunnelling issue and login security question

    >
    > Hi
    > What does this message mean when using X11 forwarding and attempting to
    > connect to an X11 session thru an ssh server on a host that does not have
    > ssh installed ?
    >
    > testa@nike:/users/test >rlogin testb
    > testb@nike:/users/test >export DISPLAY=10.214.110.29:10.0
    > testb@nike:/users/test >xclock&
    > [1] 13478
    > testb@nike:/users/test >Xlib: connection to "10.214.110.29:10.0" refused by
    > server
    > Xlib: PuTTY X11 proxy: wrong authentication protocol attempted
    > Error: Can't open display: 10.214.110.29:10.0
    > Error: Couldn't find per display information


    Since you are not using SSH X forwarding to testb, you have to manually
    transfer the xauth key from testa to testb. E.g.:

    testa> xauth list | grep :10
    testa/unix:10 MIT-MAGIC-COOKIE-1 62050649304690320d7408bb4f4205a2

    testb> xauth add testa/unix:10 MIT-MAGIC-COOKIE-1 62050649304690320d7408bb4f4205a2

    --
    Richard Silverman
    res@qoxp.net


  6. Re: X11 tunnelling issue and login security question


    > testa> xauth list | grep :10
    > testa/unix:10 MIT-MAGIC-COOKIE-1 62050649304690320d7408bb4f4205a2
    >
    > testb> xauth add testa/unix:10 MIT-MAGIC-COOKIE-1 62050649304690320d7408bb4f4205a2


    Except, of course, the display would look like :10.

    --
    Richard Silverman
    res@qoxp.net
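
The manual cookie transfer from the two replies above, as an added example that is not part of the original posts. It assumes the entry on the second host is keyed on the address that host puts in DISPLAY; `hosta`, the display number and the sample `xauth list` lines are constructed.

```shell
#!/bin/sh
# Added example (not from the thread). Reads `xauth list` output on stdin and
# prints the `xauth add` command to run on the host that has no SSH.
#   $1 = address the second host uses in DISPLAY (assumed: hosta)
#   $2 = display number of the forwarded session (10 in the thread)
xauth_add_for() {
    awk -v host="$1" -v disp="$2" '
        $2 == "MIT-MAGIC-COOKIE-1" {
            n = split($1, part, ":")
            if (part[n] != disp) next          # exact match, so :10 is not :100
            # a MIT-MAGIC-COOKIE-1 value is 128 bits, i.e. 32 hex digits
            if ($3 !~ /^[0-9a-fA-F]+$/ || length($3) != 32) next
            printf "xauth add %s:%s %s %s\n", host, disp, $2, $3
            found = 1; exit
        }
        END { exit !found }'                   # non-zero status: no usable entry
}

# Constructed sample of `xauth list` output on hosta; cookie values are made up.
SAMPLE_XAUTH='hosta/unix:100  MIT-MAGIC-COOKIE-1  ffffffffffffffffffffffffffffffff
hosta/unix:10  MIT-MAGIC-COOKIE-1  0123456789abcdef0123456789abcdef'

printf '%s\n' "$SAMPLE_XAUTH" | xauth_add_for hosta 10
```

The cookie is the only credential protecting the forwarded display, and pasting it into an rlogin session sends it over the same unsecured hop the first reply warns about.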


  7. Re: X11 tunnelling issue and login security question

    Hi Richard

    got all that. many thanks.

    One last question. I downloaded skey from the hp porting archive and
    installed it on my HP9000 box.

    I am having problems setting it up. Do I have to make changes to
    /etc/pam.conf ? The documentation is really poor and does not give a
    detailed installation guide. The binary zipped depot is available at
    http://hpux.cs.utah.edu/hppd/hpux/Sysadmin/skey-1.1b/ . Have you installed
    this package and set it up before?

    Does anybody have experience of setting up skey on hpux?

    regards
    dean



    "Richard E. Silverman" wrote in message
    news:m2vetattjf.fsf@darwin.oankali.net...
    >
    >> testa> xauth list | grep :10
    >> testa/unix:10 MIT-MAGIC-COOKIE-1 62050649304690320d7408bb4f4205a2
    >>
    >> testb> xauth add testa/unix:10 MIT-MAGIC-COOKIE-1
    >> 62050649304690320d7408bb4f4205a2

    >
    > Except, of course, the display would look like :10.
    >
    > --
    > Richard Silverman
    > res@qoxp.net
    >




  8. Re: X11 tunnelling issue and login security question

    >>>>> "diablo" == diablo writes:

    diablo> Hi Richard got all that. many thanks.

    diablo> One last question. I downloaded skey from the hp porting
    diablo> archive and installed it on my HP9000 box.

    diablo> I am having problems setting it up. Do I have to make changes
    diablo> to /etc/pam.conf ? The documentation is really poor and does
    diablo> not give a detailed installation guide. The binary zipped depot
    diablo> is available at
    diablo> http://hpux.cs.utah.edu/hppd/hpux/Sysadmin/skey-1.1b/ . Have
    diablo> you installed this package and set it up before?

    No sorry; I haven't used that package. However, yes (assuming it's a PAM
    module), you would normally configure it in pam.conf or /etc/pam.d/.

    --
    Richard Silverman
    res@qoxp.net

