
Re: X forwarding problem with SSH.



* Adam McDaniel (adamm@psynch.com) [010905 13:38]:
> This may seem like an obvious question, but have you had a look in the messages/syslog file on the xserver itself? Perhaps it's coming across permissional errors.
> 
> With the xserver running, run the command in a shell prompt:
> $ xhost +
> 
> That'll disable X security while you debug the issue.
> 
> One last thing to check, in the file /etc/X11/xinit/xserverrc make sure
> there is no reference to the switch -nolisten tcp ... if so, delete it
> 
> That might work :)

... but it might also defeat the whole purpose.

I emphatically urge you to follow none of the above advice, with the
exception, of course, of examining the logs.

When ssh tunnels X, it takes care of X permissions with xauth, which is
far superior to xhost. 'xhost +' is a bad idea. Of course, issuing that
command will only render your X server open to every user on your box,
until you also remove X's -nolisten tcp startup flag. Then it will
render your X server entirely open to every user on every machine that
has a route to your machine. If you're on the Internet, this means
everybody in the world. (I admit I'm exaggerating a bit, but the point
remains the same: don't do this).

Also, when X is tunneled through ssh, it does not need an X server
listening for tcp connections; it makes the connection through the
existing ssh connection (hence the term tunnel). Debian's X setup is by
default "pretty secure", but does allow ssh forwarding with no such
security compromises necessary.

-- 
Vineet                                   http://www.anti-dmca.org
Unauthorized use of this .sig may constitute violation of US law.
echo Qba\'g gernq ba zr\!             |tr 'a-zA-Z' 'n-za-mN-ZA-M'
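
The two exposure levels described in the reply above (`xhost +` alone, and `xhost +` with `-nolisten tcp` removed), as an added shell example that is not part of the original message. The function names and the sample inputs are constructed for illustration.

```shell
#!/bin/sh
# Added example: classify X server exposure from captured command output.
# All sample inputs below are constructed for illustration.

# Read `xhost` output on stdin: "open" if access control is disabled
# (the state `xhost +` leaves behind), otherwise "restricted".
xhost_state() {
    if grep -qi '^access control disabled'; then echo open; else echo restricted; fi
}

# $1 = X server command line. Prints "no" for -nolisten tcp, "yes" for
# -listen tcp, "default" when neither is given (the built-in default
# differs between X server releases, so check the server's man page).
x_tcp_listen() {
    case " $1 " in
        *" -nolisten tcp "*) echo no ;;
        *" -listen tcp "*)   echo yes ;;
        *)                   echo default ;;
    esac
}

# $1 = xhost_state result, $2 = x_tcp_listen result.
exposure() {
    case "$1/$2" in
        restricted/*) echo "access-control-enforced" ;;
        open/no)      echo "open-to-local-users" ;;
        open/yes)     echo "open-to-network" ;;
        *)            echo "open-check-tcp-default" ;;
    esac
}

# Combine both checks. $1 = xhost output, $2 = X server command line.
audit() {
    state=$(printf '%s\n' "$1" | xhost_state)
    exposure "$state" "$(x_tcp_listen "$2")"
}

# Demo on constructed input: a locked-down server, then the two states
# the reply warns about.
audit 'access control enabled, only authorized clients can connect' \
      '/usr/bin/X11/X :0 -nolisten tcp -auth /tmp/.Xauth-sample'
audit 'access control disabled, clients can connect from any host' \
      '/usr/bin/X11/X :0 -nolisten tcp'
audit 'access control disabled, clients can connect from any host' \
      '/usr/bin/X11/X :0 -listen tcp'
```

On a live system, pass `audit` the output of `xhost` and the X server's command line as reported by `ps`.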
