Re: ssh and X11Forwarding

From: Jason Stone (freebsd-security_at_dfmm.org)
Date: 07/28/03

    Date: Mon, 28 Jul 2003 00:47:28 -0700 (PDT)
    To: Paul Chvostek <paul+fbsd@it.ca>
    
    


    > What has to be installed on a host for it to do X11Forwarding in SSH?

    > Does X have to be installed *on the firewall* for me to forward X11
    > connections from the X clients back to my workstation at home?

    Depends on how you're ssh'ing. If you're ssh'ing from your box to the
    firewall, and from the firewall to the target, then you'll need X support
    on all the boxes, yes.

    However, if you're doing the right thing and ssh'ing _through_ the
    firewall to the target host (e.g., with OpenSSH's ProxyCommand option, or
    with multiple ssh's and port forwards), then you only need X support on
    your machine and the target machine.

    I think that "X support" consists of xauth and whatever libraries are
    needed by the binary you want to run.

    The topically interesting part of this question is the issue of how you
    handle multiple ssh hops - I think that most people don't know about
    ProxyCommand, and when they have to ssh through multiple machines, they
    just go from one to the next to the next, which is bad, security-wise, not
    to mention less powerful. Is this worth a FAQ entry?

     -Jason

     --------------------------------------------------------------------------
     Freud himself was a bit of a cold fish, and one cannot avoid the suspicion
     that he was insufficiently fondled when he was an infant.
            -- Ashley Montagu
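
The ProxyCommand setup described in the message above, as an added example that is not part of the original post: a client-side `~/.ssh/config` in which the firewall only relays TCP and X11 forwarding is enabled for the target alone. The host aliases and host names are placeholders, and the `-W` option is assumed to be available in the client (it comes from OpenSSH releases later than this 2003 message; the commented `nc` line is the older equivalent).

```sshconfig
# Constructed example; all host names below are placeholders.

# The firewall is used purely as a TCP relay. No X11 or agent forwarding
# is enabled for it, so it needs no xauth and never receives access to
# the workstation's X display.
Host firewall
    HostName fw.example.org
    ForwardX11 no
    ForwardAgent no

# The target is reached *through* the firewall. The SSH session (host key
# check, authentication, X11 channel) runs end to end between workstation
# and target; the firewall only carries the encrypted stream.
Host target
    HostName target.internal.example.org
    ProxyCommand ssh -W %h:%p firewall
    # Older form for clients without -W (requires nc on the firewall):
    # ProxyCommand ssh firewall nc %h %p
    ForwardX11 yes
    ForwardAgent no
```

With this in place, `ssh target` opens one session to the target and X clients started there display on the workstation; `ssh -v target` shows the proxy command being executed and the X11 forwarding request going to the target only.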

