Re: Sun's mess up with ssh - any solution for me?
From: Dave (nospam_at_nowhere.com)
Date: 08/28/05
- Next message: Laurent Blume: "Re: Sun's mess up with ssh - any solution for me?"
- Previous message: Dave: "Re: Sun's mess up with ssh - any solution for me?"
- In reply to: Logan Shaw: "Re: Sun's mess up with ssh - any solution for me?"
- Next in thread: Scott Howard: "Re: Sun's mess up with ssh - any solution for me?"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
Date: Sun, 28 Aug 2005 11:20:13 +0100
Logan Shaw wrote:
> Dave wrote:
>
>> sparrow /export/home/drkirkby % xhost + pigeon
>> pigeon being added to access control list
>
>
> If you're forwarding X11 through ssh, you don't want to do this. The
> connection going to sparrow's X11 server is going to originate from
> the ssh process running on sparrow.
>
> Here's a picture of how things connect:
>
>
>     sparrow                             pigeon
> +--------------+                   +--------------+
> |              |                   |              |
> |     X11      |                   |   xclock     |
> |      ^       |                   |     |        |
> |      |       |                   |     v        |
> |     ssh------------------------------>sshd      |
> |              |                   |              |
> +--------------+                   +--------------+
>
>
> All the lines with arrows are TCP connections. The arrows indicate
> which side initiates connection (the initiator is the side that
> the arrow points away from).
Thanks for that. I normally use the -X option and don't do this, but I
was at a bit of a loss when the -X was broken, and -R did not work, so
was trying anything that seemed semi-plausible.
>> sparrow /export/home/drkirkby % ssh -R 6010:sparrow:6000 drkirkby@pigeon
>
>
> This looks fine, except that normally you're supposed to use -X
> instead of -R plus its argument. But in some other thread I saw
> some discussion about that (which I didn't have time to read),
> so maybe there is a reason for the -R here.
The point is the -X option on ssh no longer works after installation of
patch 118305-04, which I installed by downloading the recommended
patch list.
I think the patch is a security patch, as the README on the patch says
"5089150 Binding to a port which has already been bound may incorrectly
succeed"
But unfortunately, the patch breaks ssh -X.
>> Last login: Sat Aug 27 23:31:07 2005 from sparrow
>> Sun Microsystems Inc. SunOS 5.9 Generic May 2002
>> pigeon /export/home/drkirkby % setenv DISPLAY sparrow:10.0
>
>
> After you've logged into pigeon, you want to set DISPLAY to a value
> that points it at pigeon, because you are trying to get X11 clients
> to talk to an sshd on the same machine as them, not to talk to some
> remote host. The sshd will take care of the remote part.
>
> Actually, if you are using -X, you shouldn't set DISPLAY at all
> (not on the command line manually, and also NOT in your .cshrc
> or .profile or whatever). The reason is that the sshd process
> should set it for you before it starts your shell.
Normally I would not set DISPLAY, but
>> Am I doing it wrong, or is the suggestion just not valid?
>
>
>> I *think* port 6010 should be opened now on the firewall. Telnet
>> sessions to port 6010 just get refused, but hang on other ports: i.e.
>
>
> If you're forwarding the connection over ssh, there should be no
> need for the firewall to know about it, unless the firewall is
> filtering IP traffic that never goes to a remote host. (I think
> this is possible, but it'd be unusual.)
The firewall on sparrow (the machine I'm hoping to view X on) was
showing signs of port 6010 being blocked, until I opened the port. But
almost certainly this was because I was redirecting the display to the
wrong place.
> The question you should be asking yourself about sparrow is whether
> you can run X11 clients on it successfully. If you can, then you
> are good, because to the X11 server on sparrow, the ssh process
> is going to look like just another X11 client when the X11 server
> gets a connection from it. The X11 server can't tell that ssh's
> requests are secretly coming from a remote source. All it knows
> is that some local process wants it to do stuff.
Yes, sparrow runs X clients OK. I'm typing this on sparrow using Mozilla.
> I should say one more thing about -R vs. -X: if you are using
> -R because for some reason -X is broken or something, then that
> can still be made to work. But as long as you are tunneling the
> X11 connection through an ssh connection (which you are with
> either -R or -X), you still need the X11 client on pigeon connecting
> to a port on pigeon so that it can be forwarded, and you still need
> the X11 server on sparrow accepting a connection from a local port,
> because that's where it will come from after it's forwarded.
Cheers, I obviously had this bit about where the display needed to
be open all wrong.
> Hope that helps and makes sense...
Thanks. I seem to have got -X to work now, by forcing sshd to start in
IPv4, and making some changes to the sshd_config file. So now -X works
again, but the patch does stop it.
Support for IPv6 was not enabled during the installation of Solaris -
that is the default, as I am sure you know.
I don't know how common the use of -X is on ssh, or how many people
download the latest patch cluster, but those that do both will probably
find -X stops working.
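
Added example, not part of the original post: a small Python check of the DISPLAY point discussed in this message, showing which TCP endpoint an X client dials for a given DISPLAY and whether that is the listener created by `ssh -R`. The function names are hypothetical, and it assumes sshd binds the `-R` listener to loopback only (the OpenSSH default).

```python
# Added illustration; names and defaults below are assumptions, not from the thread.
X11_BASE_PORT = 6000  # X display N is reached over TCP on port 6000 + N
LOOPBACK = {"localhost", "127.0.0.1"}


def parse_display(display):
    """Split 'host:N.S' into (host, tcp_port); host '' means a local socket."""
    host, sep, rest = display.rpartition(":")
    if not sep or not rest.split(".")[0].isdigit():
        raise ValueError(f"not a DISPLAY value: {display!r}")
    return host, X11_BASE_PORT + int(rest.split(".")[0])


def parse_remote_forward(spec):
    """Split an ssh -R 'port:host:hostport' argument into typed parts."""
    listen_port, target_host, target_port = spec.split(":")
    return int(listen_port), target_host, int(target_port)


def check_display(display, forward_spec):
    """Return (ok, reason) for a DISPLAY set in the login shell on the sshd side.

    Assumes sshd binds the -R listener to loopback only (the OpenSSH default).
    """
    host, port = parse_display(display)
    listen_port, target_host, target_port = parse_remote_forward(forward_spec)
    if host == "":
        return False, "DISPLAY names a local socket, so no TCP port is used"
    if host not in LOOPBACK:
        return False, f"clients connect straight to {host}:{port}, not to the tunnel"
    if port != listen_port:
        return False, f"clients connect to port {port}, tunnel listens on {listen_port}"
    return True, f"clients reach the tunnel, which exits at {target_host}:{target_port}"


if __name__ == "__main__":
    # The -R argument and first DISPLAY are from the thread; the other two are constructed.
    spec = "6010:sparrow:6000"
    for display in ("sparrow:10.0", "localhost:10.0", "localhost:11.0"):
        print(display, "->", check_display(display, spec))
```
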