X11 forwarding--with a wrinkle - SSH


Thread: X11 forwarding--with a wrinkle

  1. X11 forwarding--with a wrinkle

    Hi all,

    I have a slightly odd situation in using X11 forwarding, possibly
    unsolvable, but I want to hear that from the experts. Starting from my
    home machine, I need to multi-hop to reach my workstations in my office.
    First I ssh to the accessible "gateway" machine inside the firewall, then
    must connect to a "portal" machine that provides an inner gateway to the
    networks in my building, from which I can then connect to my office
    workstations.

    Problem is with the inner "portal" machine, which in principle allows X
    forwarding, and the server is configured to do the right thing, but this
    machine has been set up in a minimalist fashion, so that anybody
    connecting to it is expected to be doing so purely to connect to a
    machine in the building network. For this reason, all logins go to the
    same home directory, to which the user has no write permissions on files
    or directories. This trashes "xauth", because it can't modify the lock
    files in any way, so X11 authorizations fail. As a result, further ssh
    from this machine inward to my office is stripped of the X11 connection,
    and I can't access X apps on the innermost machines.

    Is there any type of tunnelling trick that might allow me to "sneak" the
    X11 access through this machine without having to deal with xauth? From
    my readings, I suspect not, because I don't see any way to pass the X11
    channels cleanly (or "collapse" them on entry and "re-channelize" them at
    the next connection) under these conditions. I'm told these portal
    machine constraints will be addressed "eventually", but do the experts
    see any way to make this possible before that?

    Many thanks in advance.

    Eric Henry
    eric@helix.nih.gov

    --
    Using Opera's revolutionary e-mail client: http://www.opera.com/mail/

  2. Re: X11 forwarding--with a wrinkle

    "Eric Henry" writes:

    > I have a slightly odd situation in using X11 forwarding,

    You could manually configure tunnels across each link and also handle
    xauth manually. (X11 forwarding is just regular tunneling with some
    automation that works in simple situations.)

    When I get into multi-hop situations like this I usually punt and
    configure a VPN.

    --kyler

  3. Re: X11 forwarding--with a wrinkle

    In article "Eric Henry" writes:

    > First I ssh to the accessible "gateway" machine inside the firewall,
    > then must connect to a "portal" machine that provides an inner gateway
    > to the networks in my building, from which I can then connect to my
    > office workstations. Problem is with the inner "portal" machine, which
    > in principle allows X forwarding, and the server is configured to do
    > the right thing, but this machine has been set up in a minimalist
    > fashion, so that anybody connecting to it is expected to be doing so
    > purely to connect to a machine in the building network. For this
    > reason, all logins go to the same home directory, to which the user
    > has no write permissions on files or directories. This trashes
    > "xauth", because it can't modify the lock files in any way, so X11
    > authorizations fail.


    You could tunnel an end-to-end ssh session with X11 forwarding through a
    chain of ssh sessions that don't need to do X11 forwarding. Something
    like this:

    1. ssh -t -L2222:localhost:2222 gateway ssh -N -L2222:final:22 portal
    2. ssh -Y -p 2222 localhost

    Doing X11 forwarding "by hand" using -R as suggested in the other
    followup is sort-of possible, though I can't really see a way to get X
    auth to work with that (enlightenment welcome). But doing without it by
    means of an 'xhost +localhost' may be acceptable, depending on the
    circumstances.

    --Per Hedeland
    per@hedeland.org

    PS You would do well to keep the length of your lines below the point
    where your news-posting program folds them - your posting is almost
    unreadable.
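The two-step chain from Per Hedeland's reply, written out as a small POSIX shell script. This is an added example, not code from the thread: the host names gateway, portal and final and the local port 2222 are the assumed values from his reply, and the HostKeyAlias option and the port check are additions. The point of the construction is that the X11 forwarding (and therefore xauth) runs only between the home machine and final, so the write-protected portal host never has to touch an X authority file at all.

```shell
#!/bin/sh
# Added example (not from the original thread). Chain two ssh hops so that a
# single end-to-end ssh session carrying X11 runs *inside* the tunnel, leaving
# the write-protected "portal" host out of the X11/xauth business entirely.
# Host names gateway, portal, final and the port 2222 are assumptions.

GATEWAY="${GATEWAY:-gateway}"
PORTAL="${PORTAL:-portal}"
FINAL="${FINAL:-final}"
LPORT="${LPORT:-2222}"

# Only accept an unprivileged, in-range TCP port for the local listener.
valid_port() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$1" -gt 1023 ] && [ "$1" -le 65535 ]
}

# Step 1 (first terminal): on gateway, run an ssh to portal that forwards
# gateway:LPORT -> final:22 (-N: no remote shell), and forward home:LPORT ->
# gateway:LPORT. -t keeps a tty so the inner ssh can still prompt for a
# password. Both -L listeners bind 127.0.0.1 only, so no other host can ride
# the tunnel.
hop_cmd() {
    printf 'ssh -t -L%s:localhost:%s %s ssh -N -L%s:%s:22 %s' \
        "$LPORT" "$LPORT" "$GATEWAY" "$LPORT" "$FINAL" "$PORTAL"
}

# Step 2 (second terminal): a fresh ssh to the local port is really a session
# to final, so X11 forwarding and the xauth cookie exchange happen end to end.
# HostKeyAlias makes ssh check final's host key under the name "final"
# instead of storing it as "[localhost]:2222", so a changed key on the far
# end is still noticed. -X (untrusted forwarding) is used here; the reply
# used -Y, which grants the forwarded client full access to the local display.
x11_cmd() {
    printf 'ssh -X -o HostKeyAlias=%s -p %s localhost' "$FINAL" "$LPORT"
}

run_hop() {
    ssh -t -L"$LPORT:localhost:$LPORT" "$GATEWAY" \
        ssh -N -L"$LPORT:$FINAL:22" "$PORTAL"
}

run_x11() {
    ssh -X -o HostKeyAlias="$FINAL" -p "$LPORT" localhost
}

main() {
    if ! valid_port "$LPORT"; then
        echo "LPORT must be a port in 1024..65535, got '$LPORT'" >&2
        return 2
    fi
    case "${1:-show}" in
        hop)  run_hop ;;
        x11)  run_x11 ;;
        show) printf '%s\n%s\n' "$(hop_cmd)" "$(x11_cmd)" ;;
        *)    echo "usage: $0 {hop|x11|show}" >&2; return 2 ;;
    esac
}

# Usage: ./x11chain.sh hop   (in one terminal, keep it open)
#        ./x11chain.sh x11   (in another terminal)
# Uncomment the next line to use the script directly instead of sourcing it:
# main "$@"
```

With this arrangement the `xhost +localhost` workaround mentioned in the reply is not needed: the X authority cookie is handed to final by the end-to-end session, and xhost is never relaxed, which matters because `xhost +localhost` lets every local user on the home machine connect to the display.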
