[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: x-forwarding with ssh

Tom Cook wrote:
Vineet Kumar wrote:

Also, please, please, PLEASE! DON'T do this:

local$ ssh remote
remote$ export DISPLAY=local:0 # DON'T EVER DO THIS!!!
remote$ xterm

As others have already explained. You might as well be using telnet.
This defeats the entire purpose of tunneling. What you'd be doing in
this case is telling the remote x client to connect directly to the
local x server using the unencrypted X protocol. If the local X server
even accepts it (woody and sid have been told not to, by default) all
the traffic sent over that connection is in the clear -- might as well
just be telnet.

My apologies for suggesting this earlier - if I had thought about it I
would have realised it is bad, but obviously I didn't think.

Makes me wondering what is all about with this ssh thing.
I believe that once you have to set up the DISPLAY, there's something wrong with the installation. If I remember correctly, what was needed was to make sure that the server and the client run the same version; SSH 1 and 2 are not compatible.

BTW, my /etc/ssh2/ssh2_config, just in case you want to compare things:

# ssh2_config
# SSH 2.0 Client Configuration File

        Port                            22
        Ciphers                         AnyStdCipher
        IdentityFile                    identification
        AuthorizationFile               authorization
        RandomSeedFile                  random_seed
        VerboseMode                     no
        #PasswordPrompt                 "%U@%H's password: "
        PasswordPrompt                  "%U's password: "
        #LocalForward                   "110:pop3.ssh.fi:110"
        #RemoteForward                  "3000:foobar:22"
        Ssh1AgentCompatibility          none
        #Ssh1AgentCompatibility         traditional
        #Ssh1AgentCompatibility         ssh2
        #SshSignerPath                  ssh-signer2
        NoDelay                         no
        KeepAlive                       yes

The following is the server part (/etc/ssh2/sshd2_config):
# sshd2_config
# SSH 2.0 Server Configuration File

        Port                            22
        Ciphers                         AnyStd
#       Ciphers                         AnyCipher
#       Ciphers                         AnyStdCipher
#       Ciphers                         3des
        IdentityFile                    identification
        AuthorizationFile               authorization
        HostKeyFile                     hostkey
        PublicHostKeyFile               hostkey.pub
        RandomSeedFile                  random_seed
        ForwardAgent                    yes
        ForwardX11                      yes
# DEPRECATED    PasswordAuthentication          yes
        PasswordGuesses                 3
#       MaxConnections                  50
# 0 == number of connections not limited
        MaxConnections                  0
#       PermitRootLogin                 nopwd
        PermitRootLogin                 yes
# DEPRECATED    PubkeyAuthentication            yes
#       AllowedAuthentications          publickey,password,hostbased
        AllowedAuthentications          publickey,password
#       RequiredAuthentications         publickey,password
        ForcePTTYAllocation             no
        VerboseMode                     no
        PrintMotd                       yes
        CheckMail                       yes
        UserConfigDirectory             "%D/.ssh2"
#       UserConfigDirectory             "/etc/ssh2/auth/%U"
        SyslogFacility                  AUTH
#       SyslogFacility                  LOCAL7
        Ssh1Compatibility               yes
#       Sshd1Path                       <set by configure>
#       AllowHosts                      localhost, foobar.com, friendly.org
#       DenyHosts                       evil.org, aol.com
#       AllowSHosts                     trusted.host.org
#       DenySHosts                      not.quite.trusted.org
#       NoDelay                         yes

#       KeepAlive                       yes
        RequireReverseMapping           yes
        UserKnownHosts                  yes

# subsystem definitions

        subsystem-sftp                  sftp-server


Reply to: