Re: SSH tunnel and X forwarding


just one preliminary question:
You have verified that every sshd on the way has X Forwarding enabled? And restarted it afterwards, eventually?

Ah, well, and another question:
Have you started sshd and ssh in very verbose mode (-vvv) and looked into the logs? Many things in verbose mode are completely alien wording, but sometimes one can get a hint.

I have not tried using X forwarding on such a double ssh route myself, but I have configured something similar some months ago for someone else to use.
What I did, was:
On the first part of the way (that is freya to hal, isn't it?) I used public key authentication, and in authorized_keys I added "command=/path/to/ssh -X -l USER ririu" before the key. That makes the shell on hal open up the second part of the way on its own - you hop right through hal from freya to ririu. And you are restricted to exactly that command in the shell on hal, you can do nothing else.

My first server was HPUX, the second some Linux (don't know the distro, presumably RedHat), and I remember I had to fiddle around with the syntax, but it worked in the end including X forwarding (according to the guy who had to use it).

By the way, the above syntax is right away off my head - don't trust it down to the single sign.



--On 30. September 2008 13:21:14 +0200 Malte Horst Arthur Skoruppa <malte@xxxxxxxxxxxxxx> wrote:

Hi all,

I'm having a problem setting up an SSH connection with X Forwarding in a
very special setup, and hope you will be able to help me.

The setup is as follows: I live in a student residence and have a
computer there named ririu. This computer isn't reachable from the
outside, as the university's computer center blocks all ingoing
connections to the residence from the outside. The only reachable
computer from the outside is our server in the residence, hal, for which
the computer center makes an exception.

I'm now at my parent's place and want to build up an SSH connection with
X Forwarding from my computer here, freya, to ririu, my computer in the
residence. As hal is in the same LAN as ririu, obviously I can connect
from freya to hal, and then from hal to ririu.

So I can also log in to hal and do a

malte@hal $ ssh -g -L 2508:ririu:22 malte@ririu

to build up an SSH tunnel. Then I can connect from freya to ririu using

malte@freya $ ssh -p 2508 malte@hal

This works like a charm. However, now I also want to have X Forwarding ;)

So I tried to specify -X as an additional parameter.

malte@freya $ ssh -p 2508 -X malte@hal

I do succeed in connecting to ririu. Except that the X forwarding doesn't

malte@ririu $ firefox
Error: no display specified
malte@ririu $ echo $DISPLAY

malte@ririu $

An X Forwarding to hal works flawlessly:

malte@freya:~$ ssh -X malte@hal
malte@hal $ echo $DISPLAY

...I can start X applications on hal and they are displayed on freya. But
as you see, when I try to this from freya through an SSH tunnel from hal
to ririu, the DISPLAY variable somehow gets lost. It doesn't help to
randomly set the DISPLAY variable on ririu to localhost:11.0 or
localhost:10.0 either, which I tried in desperation.

I hope I made it clear what the problem is, otherwise just ask :)
Do you have any idea why this isn't working? I would have assumed that
ssh doesn't even notice it's running through an SSH tunnel and that this
should hence work without problems. But it doesn't... so, is there any
way for me to build up an ssh connection with X forwarding from freya to
ririu at all?

Thanks for your help :)

Dirk H. Schulz
IT Systems Service
Wiesenweg 12, 85567 Grafing
Tel. 0 80 92/86 25 68
Fax. 0 80 92/86 25 72
Technik vom Feinsten - und das nötige Tuning

Relevant Pages

  • Re: SSH tunnel and X forwarding
    ... I learned a lot about ssh and how X forwarding works thanks to your posts, ... "Nesting tunnels is safer ... in the end the problem was just that ririu was not configured to allow X11Forwarding. ...
  • Re: Partial SNAFUs - X11Forwarding etc.
    ... to the base server machine via SSH, or it it also supposed to protect ... back "up the line" to the client machine? ... the ssh server host is compromised or otherwise untrustworthy, ... refrain from running the program via ssh X11 forwarding - there's no ...
  • Re: Whats the deal on the -X vs -Y thing?
    ... As a quick fix you could use something like this as your remote ssh ... chain is compromised (eg at either the tty layer, X11 forwarding port ... forwarding would not be needed on the intermediate hosts. ...
  • Re: Openssh Port Forwarding Confusion
    ... >Now for my Port forwarding question. ... So far what I have extracted about ssh port ... You connect to a port on the SSH client. ...
  • Re: ssh -X shop problem...
    ... somethings gone fubar in the X11 forwarding. ... When you "su" to gene on the X terminal, ... neither can he forward X over ssh. ... classic conditions, you'd use xhost to allow access from a remote host, ...