X/OpenGL forwarding

From: Noel (ncookson@networkusa.net)
Date: 01/11/03

From: ncookson@networkusa.net (Noel)
Date: 11 Jan 2003 14:18:58 -0800


I have set up a local network that looks like the model
below. The firewall is OpenBSD 3.1 -stable. The workstations
on both the private and DMZ are Suns running Solaris 8.

I have been asked to allow individuals to start X and OpenGL
sessions from their home PCs to Host B on the DMZ.

I have ssh up and running on both the firewall and Host B.

I understand that ssh can forward X sessions to the PCs across
the internet to the home PCs. I have a copy of the snail book covering
ssh and X forwarding. However, the X forwarding section is brief
and has left me with a few questions I hope someone can
help me with.

1) Will I be able to forward OpenGL through ssh?

2) When forwarding X, is it the ssh server on Host B that does the
forwarding or the ssh server on the firewall? Maybe I can
do it either way? If so, then wouldn't it be better to have Host B
do the forwarding?

3) Is X forwarding really secure? The man pages reference potential
security problems if people have the ability to change file


                     | |
                     | Firewall |
                     | & SSH |
                     | |
                       | |
                       | |
               private | | DMZ Net
               net ---- ----
                    | |
                    | |
                    | |
                    |Host A,C -F ---------- Host B
                ------------ |
                | | ------------
                | Workstations | WWW, SMTP |
                | | | |
                | | | SSH, X, |
                ------------ | OpenGL |
