Question: [SOLVED] X11+ssh+jail



I need clarification on the "X11UseLocalhost no" part of his solution. I can "ssh -YC development" using his solution and run stuff like xclock, etc.

If I can ssh from the jail into the jail itself using "ssh localhost", it appears localhost is being resolved correctly. So it's not clear to me why "X11UseLocalhost" can't be left as the default "yes".

OTOH, after reading "man sshd_config", it mentions that the default is to use the loopback address - "localhost:10:0" in the jail's case. In my host lo0 is 127.0.0.1, in the jail lo0 isn't bound to anything. So in the jail, if ssh X11 forwarding is trying to get lo0, I guess I can understand that it can't because no address is bound. Now my question would be, why can I "ssh localhost" from the jail to the jail when localhost isn't bound to lo0?

If anybody can clear my confusion, greatly appreciated.

Regards,

Monty

==============================================
[SOLVED] X11+ssh+jail
Micah micahjon at ywave.com
Thu Aug 3 23:29:44 UTC 2006


Micah wrote:
>
> I'm having problems trying to get X11 to forward from an ezjail created
> jail environment. Here's what happens:
>
> trisha% ssh -X 10.0.0.1
> ...
> test% xclock
> X11 connection rejected because of wrong authentication.
> X connection to test:10.0 broken (explicit kill or server shutdown).
>
> I added "X11UseLocalhost no" to sshd_config as suggested on the lists a
> while back, but it didn't change anything.
>
> Host is:
> trisha# uname -a
> FreeBSD trisha.eidolonworld 6.1-RELEASE-p3 FreeBSD 6.1-RELEASE-p3 #1:
> Sat Jul 15 15:48:17 PDT 2006
> root at trisha.eidolonworld:/usr/obj/usr/src/sys/TRISHA i386
>
> Thanks,
> Micah

Okay, it took me half a day to trip over the solution. The other half a
day was spent trying to figure out what that solution actually was. It
was a combination of two things (out of the dozen that I tried) that
weren't set up correctly.

The jailed system must be able to resolve its own name to an IP
address. Since my home network does not have DNS, that meant adding
"10.0.0.1 test" to /etc/hosts on the jailed environment. Also,
"X11UseLocalhost no" must be set in the jailed sshd_config. Unless
*both* of those are set properly, I get the error as mentioned above.

HTH,
Micah
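
Added example, not part of Micah's post: a shell check that a jail's sshd_config and hosts file satisfy both conditions named above. It assumes names resolve only through the hosts file (no DNS, as in the post); the function names are hypothetical.

```shell
#!/bin/sh
# Added example. File paths and the jail hostname are passed as arguments,
# so the check can be run against copies of the jail's files.

# Print the effective global X11UseLocalhost value from an sshd_config file.
# sshd uses the first value it reads for a keyword, and keywords are
# case-insensitive. Lines after the first "Match" are conditional and are
# not considered here.
x11_use_localhost() {
    awk '
        { sub(/#.*/, "") }                       # strip comments
        tolower($1) == "match" { exit }
        tolower($1) == "x11uselocalhost" { print tolower($2); found = 1; exit }
        END { if (!found) print "yes" }          # documented default
    ' "$1"
}

# Print the first address a hosts(5)-format file maps NAME to (name or alias).
hosts_lookup() {   # usage: hosts_lookup HOSTS_FILE NAME
    awk -v name="$2" '
        { sub(/#.*/, "") }
        { for (i = 2; i <= NF; i++)
              if (tolower($i) == tolower(name)) { print $1; exit } }
    ' "$1"
}

# Return 0 only if both conditions hold; report each one that is missing.
check_jail_x11() {   # usage: check_jail_x11 SSHD_CONFIG HOSTS_FILE JAIL_HOSTNAME
    rc=0
    if [ "$(x11_use_localhost "$1")" != "no" ]; then
        echo "sshd_config: X11UseLocalhost is not 'no'"
        rc=1
    fi
    addr=$(hosts_lookup "$2" "$3")
    if [ -z "$addr" ]; then
        echo "hosts: no entry for $3"
        rc=1
    fi
    return $rc
}

# Run the check when called with three arguments, for example:
#   sh check.sh /etc/ssh/sshd_config /etc/hosts test
if [ $# -eq 3 ]; then
    check_jail_x11 "$@"
fi
```

With "X11UseLocalhost no", sshd binds the X11 forwarding listener to the wildcard address rather than loopback, so the forwarded display port is reachable from other hosts that can reach the jail's address.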
