Re: ssh X tunnelling question
pa_at_invalid.invalid
Date: 05/07/03
Date: Tue, 6 May 2003 22:42:09 -0400
Brendan E. Conboy <conboy@raytheon.com> wrote:
> Pierre,
> After some further research I did find something that may make the
> answer to this question easier (I hope). I ran ssh in verbose mode and got
> this error:
> debug1: channel 1: new [x11]
> debug1: confirm x11
> debug1: X11 connection uses different authentication protocol.
> X11 connection rejected because of wrong authentication.
> debug1: X11 rejected 1 i0/o0
> Does this help?
Uh, it doesn't help me one bit, but it might help you :-)

Let's see. You did say that this is a legacy application and that
normal X clients like xclock have no trouble with the tunnel? It
seems that the legacy app doesn't speak MIT-MAGIC-COOKIE-1, so
the sshd at the far end refuses to forward X connections from it.

I just did some experimentation on my laptop. This might work:

    local> xhost +localhost
    local> ssh -R6020:localhost:6000 remotehost
    remote> export DISPLAY=localhost:20
    remote> the_legacy_app

You may need to tweak the numbers. Ports 6000 and 6020 are the X server,
displays 0 and 20. I assume you have a display 0 on your computer and
that you *don't* have a display 20 on the remote. You can check with
"netstat -tan" on both sides. The above ssh command forwards X at the
TCP level instead of through the usual ssh mechanism.

The legacy app tries to connect to display 20 on the machine where it
is running, so it opens TCP port 6020. The ssh tunnel sends that to
your port 6000 without manipulating X cookies because it treats it as a
structureless TCP connection rather than an X forwarding. Your X server
sees the connection and thinks the legacy app is running locally and
trying to connect to display 0. It would normally reject the connection
because of the missing cookie, but you've told it to accept anything
running locally with the "xhost +localhost" that you ran before the
ssh command, so the connection should go through.

Your application should now work. Your co-workers can also run xroach on
you if they have a shell account on your machine. I don't see a way out
of that, you have to lower your guard a bit because you want to run an
application that doesn't understand the default authentication mechanism.
You'll have to figure out the tradeoffs...

Good luck.
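
Added example, not part of the original post: a shell sketch of the "netstat -tan" check described above (is the port for a given display already listening?) plus a check of what xhost currently allows, so the host-based exception is visible while the tunnel is in use. The function names and the sample netstat/xhost text are constructed for illustration; in real use pass "$(netstat -tan)" and "$(xhost)" instead.

```shell
#!/bin/sh
# Added example, not from the original post. Sample data is constructed.

# Constructed "netstat -tan" output: X server on display 0 (port 6000),
# an sshd X11 forward on display 10 (port 6010), nothing on 6020.
NETSTAT_SAMPLE='Proto Recv-Q Send-Q Local Address    Foreign Address   State
tcp        0      0 0.0.0.0:6000     0.0.0.0:*         LISTEN
tcp        0      0 127.0.0.1:6010   0.0.0.0:*         LISTEN
tcp        0      0 192.0.2.10:22    192.0.2.77:51514  ESTABLISHED'

# Constructed xhost output after "xhost +localhost".
XHOST_SAMPLE='access control enabled, only authorized clients can connect
INET:localhost
SI:localuser:alice'

# display_port_in_use NETSTAT_TEXT DISPLAY -> exit 0 if TCP 6000+DISPLAY listens
display_port_in_use() {
    port=$((6000 + $2))
    printf '%s\n' "$1" | awk -v p="$port" '
        $NF == "LISTEN" { n = split($4, a, /[:.]/); if (a[n] == p) hit = 1 }
        END { exit (hit ? 0 : 1) }'
}

# first_free_display NETSTAT_TEXT START -> prints first display >= START that is free
first_free_display() {
    d=$2
    while [ "$d" -le 99 ]; do
        if ! display_port_in_use "$1" "$d"; then echo "$d"; return 0; fi
        d=$((d + 1))
    done
    return 1
}

# xhost_exposure XHOST_TEXT -> prints "disabled", "host-entries" or "no-host-entries"
# Host entries (INET:, INET6:, LOCAL:) admit every user on that host without a cookie.
xhost_exposure() {
    printf '%s\n' "$1" | awk '
        /^access control disabled/ { print "disabled"; off = 1; exit }
        /^(INET6?|LOCAL):/ { host = 1 }
        END { if (!off) print (host ? "host-entries" : "no-host-entries") }'
}

echo "remote display to use: $(first_free_display "$NETSTAT_SAMPLE" 20)"
echo "local xhost state: $(xhost_exposure "$XHOST_SAMPLE")"
```

Once the legacy application has exited, "xhost -localhost" removes the host entry again, and xhost_exposure should then report "no-host-entries".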