[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: Do I *have* to have xauth (and all that it brings in?)

Bill Moseley <moseley@hank.org> writes:
> But, I have a case where I need to first ssh to a machine on a public
> IP and then from there ssh into the machine on the local LAN where I
> want to run the application.

If you don't mind the overhead of double-encrypting, you can tunnel
SSH over SSH.  If the public machine is "pubhost" and it knows the
machine on which you want to run the application as "apphost", then
start with the following on your machine:

        yourhost% ssh -f pubhost -L 8022:apphost:22 sleep 60

and, within 60 seconds, run:

        yourhost% ssh -o UserKnownHostsFile=/dev/null -X localhost -p 8022

This will establish an X11-tunnelling SSH connection to "apphost" over
the previous SSH tunnel, so any password or passphrase you're prompted
for will be whatever you'd use on "apphost".  

The "-o UserKnownHostsFile=/dev/null" option is to avoid checking (or
adding) a bogus entry for "localhost" (with the public key of
"apphost") to your "~/.ssh/known_hosts" file.

Note that packets sent across this connection are encrypted on
"yourhost" by the second SSH command, then reencrypted on "yourhost"
by the first SSH command for transmission across the tunnel.  On the
other side, "pubhost" decrypts the latter layer of encryption and
passes the packets on to "apphost" which decrypts the former layer.
"yourhost" has to do double duty, but no packets are passed in the

Kevin <buhr@telus.net>

Reply to: