X/ssh by port forwarding? - Xwindows


  1. X/ssh by port forwarding?

    Hi all

    I understand how the -X flag of ssh allows built-in X tunnelling.
    However, for that to happen, the X client machine must be ssh-able.

    That means if I want to use my work machine at home, I must be able to
    start ssh at home to the work machine. And this is exactly my problem.
    My work machine is behind a firewall. I can do the reverse very
    nicely, though - i.e., ssh from work to home and start xterm, which is
    displayed on the work screen.

    So, what I'm thinking is ssh port forwarding using the -L flag. I know
    that X listens to port 6000 for :0, 6001 for :1, and so on. But the
    following won't work:

    home> xhost +work
    work> ssh -L 6001:127.0.0.1:6001 home
    work> xterm -display :1
    xterm Xt error: Can't open display: :1

    I checked using netstat to make sure that my work machine is listening
    to port 6001. Doing "telnet work 6001" also establishes a valid
    connection that gets tunnelled to home:6001.

    Could someone tell me what I've done wrong or how I can access my work
    machine with X/ssh please?

    Thanks in advance.

    Regards
    Kevin

  2. Re: X/ssh by port forwarding?

    kevincpyeung1974-usenet@yahoo.com.sg (Kevin Yeung) writes:

    > home> xhost +work
    > work> ssh -L 6001:127.0.0.1:6001 home
    > work> xterm -display :1
    > xterm Xt error: Can't open display: :1


    With "home> xhost +work", you've allowed the (presumably public) IP
    address of your work machine to start X clients on your home display,
    with no benefit of SSH protection whatsoever. You don't have to do
    it, it does not help in the case at hand at all, and you should probably
    not be using xhost for anything, ever, if you can avoid it.

    "-display :1" is trying to connect to a socket, not the TCP port 6001.
    You need to specify a display that uses the TCP transport:
    "-display 127.0.0.1:1"

    And even then, the "xclient -display 127.0.0.1:1" would be asking to
    connect to 127.0.0.1:6001 on your home machine, and the connection
    would not be coming from the work address, but from 127.0.0.1, localhost,
    which is why "xhost +work" is useless, in addition to being generally
    harmful.

    Then there's the problem that nobody is listening on :1 on your _home_
    machine (you forwarded to localhost:6001). You would have to have
    another X server running for that to be the case. You probably wanted
    to "ssh -L 6001:localhost:6000 home" at work, instead.

    All this being done, it does work, but I can't seem to find the right
    xauth spells to get it to work without "xhost +localhost" (on the
    equivalent of your home machine). If there is nobody else on your
    home machine, you can do "xhost +localhost" without exposing yourself
    to too much trouble, but if the originating machine is being used by
    more people than just yourself, you don't want to do it.

    --
    Atro Tossavainen (Mr.) / The Institute of Biotechnology at
    Systems Analyst, Techno-Amish & / the University of Helsinki, Finland,
    +358-9-19158939 UNIX Dinosaur / employs me, but my opinions are my own.
    <URL:http://www.helsinki.fi/%7Eatossava/> NO FILE ATTACHMENTS
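
Added example (not part of the original posts): a small resolver showing why `-display :1` never reached the forwarded port while `-display 127.0.0.1:1` does, plus the `-L` argument the reply arrives at. The function names `display_target` and `forward_spec` are hypothetical, and the socket path `/tmp/.X11-unix/X<n>` is the conventional location, assumed here rather than taken from the thread.

```shell
#!/bin/sh
# Resolve an X DISPLAY string to the transport an X client will use for it.
# Prints "unix:<socket path>" or "tcp:<host>:<port>"; returns 1 on bad input.
display_target() {
    d=$1
    case $d in
        *:*) ;;
        *) echo "invalid: no ':' in '$d'" >&2; return 1 ;;
    esac
    host=${d%:*}      # text before the last ':'
    num=${d##*:}      # display number, possibly followed by ".screen"
    num=${num%%.*}    # drop the screen suffix (":1.0" -> "1")
    case $num in
        ''|*[!0-9]*) echo "invalid display number in '$d'" >&2; return 1 ;;
    esac
    case $host in
        # Empty host or "unix": local socket, so an ssh -L listener on
        # TCP port 6000+N is never contacted.
        ''|unix) echo "unix:/tmp/.X11-unix/X$num" ;;
        # Any other host: TCP, port 6000 + display number.
        *) echo "tcp:$host:$(expr 6000 + "$num")" ;;
    esac
}

# ssh -L argument that makes local display :$1 (over TCP) reach display :$2
# on the machine ssh connects to.
forward_spec() {
    echo "$(expr 6000 + "$1"):localhost:$(expr 6000 + "$2")"
}

# The two display strings from the thread, then the corrected forward.
for d in :1 127.0.0.1:1; do
    printf '%-14s -> %s\n' "$d" "$(display_target "$d")"
done
echo "ssh -L $(forward_spec 1 0) home"
```
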

  3. Re: X/ssh by port forwarding?

    In comp.windows.x Atro Tossavainen wrote:
    > All this being done, it does work, but I can't seem to find the right
    > xauth spells to get it to work without "xhost +localhost" (on the


    For this do at home:
    xauth list

    Find the right display, e.g. your_hostname/unix:0 and use everything
    after and including :0 in the following line on your machine at work:

    xauth add :0 and the rest

    Instead of :0 you can probably use any display number you like at work,
    as long as the appropriate port is forwarded with ssh.
    --
    Groetjes,
    Dennis Bijwaard (http://members.home.nl/bijwaard)
    mailto:`echo Dennis Bijwaard|sed 's/.*\ \(.*\)/\1@home.nl/'`
    Getting up in the morning can ruin your whole day.

  4. Re: X/ssh by port forwarding?

    "Dennis Bijwaard" writes:

    > > All this being done, it does work, but I can't seem to find the right
    > > xauth spells to get it to work without "xhost +localhost" (on the

    >
    > For this do at home:
    > xauth list


    I guess I should have been more verbose, but the problem never was my
    inability to get the correct xauth syntax. The problem is that the
    right cookies, applied to the right displays, do not work.

    I.e. at home, you "xauth list", then, at work, you
    "xauth add 127.0.0.1:1 MIT-MAGIC-COOKIE-1 thecookie", and expect
    "xclient -display 127.0.0.1:1" to work. It doesn't.

    --
    Atro Tossavainen (Mr.) / The Institute of Biotechnology at
    Systems Analyst, Techno-Amish & / the University of Helsinki, Finland,
    +358-9-19158939 UNIX Dinosaur / employs me, but my opinions are my own.
    <URL:http://www.helsinki.fi/%7Eatossava/> NO FILE ATTACHMENTS
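
Added example (not from any poster): since the exchange above falls back to "xhost +localhost" when the cookie does not take, this check reads the output of `xhost` and reports the host-based entries that are currently open on a display. `audit_xhost` and `sample_xhost` are hypothetical names, and the sample lines are constructed.

```shell
#!/bin/sh
# Constructed sample of `xhost` output after someone ran "xhost +localhost".
sample_xhost() {
    printf '%s\n' \
        "access control enabled, only authorized clients can connect" \
        "INET:localhost" \
        "SI:localuser:kevin"
}

# Read `xhost` output on stdin; print findings, return 1 if any are present.
audit_xhost() {
    findings=0
    while IFS= read -r line; do
        case $line in
            "access control disabled"*)
                echo "OPEN: access control is off, any host may connect"
                findings=1 ;;
            INET:*|INET6:*)
                # Host-based entry: every user and process on that host is
                # trusted, including anything arriving through an ssh
                # forward that terminates on localhost.
                echo "HOST-BASED: $line"
                findings=1 ;;
        esac
    done
    return "$findings"
}

# Demo on the constructed sample; the audit returns 1 here by design.
sample_xhost | audit_xhost || true
# Real use, on the machine that owns the display:  xhost | audit_xhost
```
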

  5. Re: X/ssh by port forwarding?

    "Dennis Bijwaard" wrote in message news:...
    > In comp.windows.x Atro Tossavainen wrote:
    > > All this being done, it does work, but I can't seem to find the right
    > > xauth spells to get it to work without "xhost +localhost" (on the

    >
    > For this do at home:
    > xauth list
    >
    > Find the right display, e.g. your_hostname/unix:0 and use everything
    > after and including :0 in the following line on your machine at work:
    >
    > xauth add :0 and the rest
    >
    > Instead of :0 you can probably use any display number you like at work,
    > as long as the appropriate port is forwarded with ssh.



    Hi Atro & Dennis

    Thank you both for helping! It kind of works and kind of doesn't.

    After all the xauthing and sshing, I finally got an xterm to start on
    my work machine and display on my home one. However, after some time
    of inactivity, the window will not respond to anything, will not
    re-draw itself when covered and uncovered.

    Is there any timeout setting I can control? Some kind of keep-alive?

    Many thanks.

    Regards
    Kevin

  6. Re: X/ssh by port forwarding?

    kevincpyeung1974-usenet@yahoo.com.sg (Kevin Yeung) writes:

    > Hi Atro & Dennis
    >
    > Thank you both for helping! It kind of works and kind of doesn't.
    >
    > After all the xauthing and sshing, I finally got an xterm to start on
    > my work machine and display on my home one. However, after some time
    > of inactivity, the window will not respond to anything, will not
    > re-draw itself when covered and uncovered.
    >
    > Is there any timeout setting I can control? Some kind of keep-alive?


    The problem is probably due to the firewall breaking idle
    connections. The classic workaround is running something like xlock
    on the remote computer, thus making sure that some packets are sent
    every minute. Nowadays most clients and servers have support for
    sending keep-alive packets. Check the documentation. The unix clients
    and servers I work with need changes in their configuration files to
    enable this.

    --
    - Mårten

    mail: msv@kth.se *** ICQ: 4356928 *** mobile: +46 (0)707390385

  7. Re: X/ssh by port forwarding?

    If your work machine is also running sshd, you can create a reverse
    tunnel for your home machine from your work machine which bypasses the
    firewall of your company. Check the rule with your corporate security!

    work> ssh -R 8022:127.0.0.1:22 home
    home> ssh -p 8022 localhost

    The port 8022 is arbitrary on your home machine. The beauty of this
    is when you access the local port from your home machine, it is forwarded
    back to your work machine from the existing tunnel. After that, your
    "DISPLAY" shell variable is configured, you also have a shell prompt
    of your work machine from home. Be warned whether this violates your
    corporate network security.

    If you enable "KeepAlive yes" in the sshd_config of your home machine,
    you should not be timing out unless your work firewall terminates your
    connection.

    Kevin Yeung (kevincpyeung1974-usenet@yahoo.com.sg) wrote:
    : Hi all

    : I understand how the -X flag of ssh allows built-in X tunnelling.
    : However, for that to happen, the X client machine must be ssh-able.

    : That means if I want to use my work machine at home, I must be able to
    : start ssh at home to the work machine. And this is exactly my problem.
    : My work machine is behind a firewall. I can do the reverse very
    : nicely, though - i.e., ssh from work to home and start xterm, which is
    : displayed on the work screen.

    : So, what I'm thinking is ssh port forwarding using the -L flag. I know
    : that X listens to port 6000 for :0, 6001 for :1, and so on. But the
    : following won't work:

    : home> xhost +work
    : work> ssh -L 6001:127.0.0.1:6001 home
    : work> xterm -display :1
    : xterm Xt error: Can't open display: :1

    : I checked using netstat to make sure that my work machine is listening
    : to port 6001. Doing "telnet work 6001" also establishes a valid
    : connection that gets tunnelled to home:6001.

    : Could someone tell me what I've done wrong or how I can access my work
    : machine with X/ssh please?

    : Thanks in advance.

    : Regards
    : Kevin
