More (more) SSH Fun (X11 forwarding)
Tom Hoover
2002-07-13 19:56:15 UTC
I have a related question. I have no trouble using X11 forwarding from
within my LAN, but how do I punch thru my firewall using ssh? Here's my
setup:

a = firewall/router running potato
b = desktop running woody
c = laptop running woody

If the laptop (c) is connected directly to my LAN (either wired or
wireless), I can "ssh -X b" and connect to the desktop (b) computer and
run programs under X. If I'm at work (therefore outside the firewall),
and want to connect to the desktop computer, I can "ssh a", and after
logging in to the firewall I can "ssh b" and read my mail using mutt,
but I cannot run programs under X (adding the -X switch doesn't work).

How do I connect to the desktop computer _thru_ the firewall and use X11
forwarding? Do I have to set up ssh port forwarding on the firewall? Do
I have to set up some other VPN software? Is there a howto anywhere that
will guide me?

Thanks!
--
To UNSUBSCRIBE, email to debian-security-***@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact ***@lists.debian.org
James Nord
2002-07-13 21:18:31 UTC
Post by Tom Hoover
I have a related question. I have no trouble using X11 forwarding from
within my LAN, but how do I punch thru my firewall using ssh? Here's my
a = firewall/router running potato
b = desktop running woody
c = laptop running woody
If the laptop (c) is connected directly to my LAN (either wired or
wireless), I can "ssh -X b" and connect to the desktop (b) computer and
run programs under X. If I'm at work (therefore outside the firewall),
and want to connect to the desktop computer, I can "ssh a", and after
logging in to the firewall I can "ssh b" and read my mail using mutt,
but I cannot run programs under X (adding the -X switch doesn't work).
How do I connect to the desktop computer _thru_ the firewall and use X11
forwarding? Do I have to set up ssh port forwarding on the firewall? Do
I have to set up some other VPN software? Is there a howto anywhere that
will guide me?
You should be able to cascade the X forwarding.

Did you try,

***@work> ssh -X ***@firewall
***@firewall> ssh -X ***@desktop

?

/James
Tom Hoover
2002-07-14 00:03:50 UTC
Post by James Nord
Post by Tom Hoover
How do I connect to the desktop computer _thru_ the firewall and use X11
forwarding? Do I have to set up ssh port forwarding on the firewall? Do
I have to set up some other VPN software? Is there a howto anywhere that
will guide me?
You should be able to cascade the X forwarding.
Did you try,
I had tried that before, and it didn't work (my problem was that since
it hadn't worked, I didn't know if it was _supposed_ to work). To test,
I then tried:

***@laptop> ssh -X ***@desktop
***@desktop> ssh -X ***@laptop

which worked (this proved that cascading _should_ work). Once I knew
that it was supposed to work, I found that I needed xauth installed on
the firewall machine, even though X is not installed on the firewall.
Once I did an "apt-get install xbase-clients" on the firewall,
everything started working. Thanks for confirming that cascading is
possible, and pointing me to the solution!
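Added example, not part of the original posts: a POSIX shell check for the server-side prerequisites of X11 forwarding on one hop, covering the missing-xauth case described in the post above. It assumes OpenSSH's `X11Forwarding` and `XAuthLocation` keywords in a whitespace-separated `sshd_config` and ignores `Match` blocks; the function names and the default xauth path are illustrative.

```shell
#!/bin/sh
# Added example (not from the thread): check one SSH hop for X11 forwarding prerequisites.

# Print the effective global value of an sshd_config keyword. The first
# occurrence wins and keywords are case-insensitive; stops at the first Match.
sshd_option() {  # usage: sshd_option FILE KEYWORD DEFAULT
    awk -v key="$2" -v def="$3" '
        BEGIN { key = tolower(key) }
        /^[ \t]*#/ { next }
        tolower($1) == "match" { exit }
        tolower($1) == key && val == "" { val = $2 }
        END { print (val == "" ? def : val) }
    ' "$1"
}

# Return 0 if this hop can forward X11, 1 otherwise; print the reason.
check_x11_hop() {  # usage: check_x11_hop SSHD_CONFIG [ASSUMED_DEFAULT_XAUTH_PATH]
    fwd=$(sshd_option "$1" X11Forwarding no)
    xauth_bin=$(sshd_option "$1" XAuthLocation "${2:-/usr/bin/xauth}")
    case $(printf %s "$fwd" | tr 'A-Z' 'a-z') in
        yes) ;;
        *) echo "X11Forwarding is '$fwd' in $1"; return 1 ;;
    esac
    if [ ! -x "$xauth_bin" ]; then
        echo "xauth not executable at $xauth_bin; sshd cannot store the X cookie"
        return 1
    fi
    echo "ok: X11Forwarding yes, xauth at $xauth_bin"
}

# Constructed demo: a hop with forwarding enabled but no xauth binary,
# then the same hop after a stand-in xauth appears.
demo() {
    d=$(mktemp -d) || return 1
    printf 'Port 22\nX11Forwarding yes\nXAuthLocation %s/xauth\n' "$d" > "$d/sshd_config"
    before=0; check_x11_hop "$d/sshd_config" || before=$?
    printf '#!/bin/sh\n' > "$d/xauth"; chmod +x "$d/xauth"  # stand-in for installing xauth
    after=0; check_x11_hop "$d/sshd_config" || after=$?
    rm -rf "$d"
    [ "$before" -eq 1 ] && [ "$after" -eq 0 ]
}
demo
```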
Jan Niehusmann
2002-07-16 07:52:19 UTC
Post by Tom Hoover
that it was supposed to work, I found that I needed xauth installed on
the firewall machine, even though X is not installed on the firewall.
Once I did an "apt-get install xbase-clients" on the firewall,
everything started working. Thanks for confirming that cascading is
possible, and pointing me to the solution!
Another possible solution would be:

ssh -L 2000:remotehost:22 firewall

and then, again on the local machine:

ssh -X -p 2000 localhost
(here you may get a warning about unknown/wrong host keys, because the
daemon you are connecting to is, of course, not presenting the host key
of localhost)

This way, you have a direct ssh connection between both computers
involved in X forwarding, and the firewall doesn't need (parts of)
an X installation.

Jan
Tom Hoover
2002-07-17 02:50:16 UTC
Post by Jan Niehusmann
ssh -L 2000:remotehost:22 firewall
ssh -X -p 2000 localhost
This way, you have a direct ssh connection between both computers
involved in X forwarding, and the firewall doesn't need (parts of)
an X installation.
Thanks! I'll have to try out that method also. I did, however, get
everything set up to do what I wanted it to...

At work, we're behind a firewall, and can only access the internet thru
a proxy server. I cannot therefore connect normally to my home network
using ssh. I found a perl script on the web (ssh-tunnel.pl) that allows
one to tunnel ssh thru ssl, which _will_ pass thru the proxy server. I
only had to set up another instance of sshd at home to listen on port
443, and I was then able to connect. I can now "ssh" thru the proxy
server to my home firewall/router, and then "ssh" from there into my
desktop machine which resides behind the firewall. I was able to
forward X over the ssh connection...it was pretty cool to run X
applications on my home machine from the work machine (I know that this
is probably "old hat" to many of you, but I felt a sense of accomplishment
managing to do it thru two firewalls and a proxy server). :-)
Timo Lilja
2002-07-17 11:02:37 UTC
Post by Jan Niehusmann
ssh -L 2000:remotehost:22 firewall
ssh -X -p 2000 localhost
(here you may get a warning about unknown/wrong host keys, because the
daemon you are connecting to is, of course, not presenting the host key
of localhost)
Yet another solution is to use ssh config option ProxyCommand. E.g.,

local$ ssh remotehost -o 'ProxyCommand ssh firewall nc %h %p'

ProxyCommand runs ssh to connect to machine firewall and starts netcat
there to connect to the actual remotehost sshd. (%h expands to
remotehost and %p to ssh port.)

See ssh(1) or ssh_config(5) manual pages for more info on
ProxyCommand.

ProxyCommand is especially handy if you set it up in ~/.ssh/config
file, e.g.,

Host remote-direct
    HostName remote.somewhere
    # nc on the firewall relays the connection to %h:%p
    ProxyCommand ssh firewall nc %h %p

After this you can use scp/cvs/rsync or whatever with remote-direct as your
hostname.
--
Timo Lilja

"Objects are a poor man's closures." -- Norman Adams