No subject
Thu Apr 19 13:57:37 EDT 2007
forwarding/receiving packets on SSH (port 22). But you can forward all
kinds of stuff over SSH's tunneling (even NFS) since it can encapsulate
most UDP/IP or TCP/IP connections. You can think of SSH as a "poor
man's VPN (virtual private network)" which is actually very secure,
because it uses a multi-key authentication system, and only port
forwards _select_ ports (VPNs usually are "wide open" and forward all
ports).
Here's an example session (NOTE: -v on SSH turns debugging on so you
can see the messages listed as "debug1" below):
mysys% xhost +
mysys% ssh -v bjsmith@server.oninternet.com
...
debug1: Requesting X11 forwarding with authentication spoofing.
debug1: channel request 0: x11-req
debug1: channel request 0: shell
...
Those are the lines showing that X11 forwarding is being requested from
the SSH server. Again, SSH can port forward all kinds of things
normally with the "-L" option, but X is one of the things it will do
_inherently_ without _any_ extra work.
server% setenv |grep DISPLAY
DISPLAY=server.oninternet.com:10.0
Again, it does X _inherently_, right down to _automatically_ setting up
your DISPLAY variable. Note the system where :10.0 is located is
localhost (server.oninternet.com) so it is sending X display back to
itself on port 6010 (X:10). But that's where SSH comes in -- anything
going to that port is caught, encapsulated in a SSH packet, sent back
over port 22 to the client, then unencapsulated and displayed on the
client's :0 X-Server.
server% xterm &
debug1: client_input_channel_open: ctype x11 rchan 2 win 4096 max 2048
debug1: client_request_x11: request from xxx.xxx.xxx.xxx 2598
debug1: fd 7 setting O_NONBLOCK
debug1: channel 1: new [x11]
debug1: confirm x11
And my xterm I launched on remote system "server.oninternet.com" shows
up on my local X-Server display. Nothing else needed.
You need to make sure that the SSH server is set up to do X11
forwarding. E.g., if you run the OpenSSH version (I think this is now
included with Solaris 8+?), typically the SSH daemon (sshd)
configuration file is "/etc/ssh/sshd_config". These are the two lines
you need:
X11Forwarding yes
X11DisplayOffset 10
If you don't like :10 to be the default, change it to whatever you
like.
If you need to get OpenSSH for any system, go to their site:
http://www.openssh.org/
They usually have binaries for most platforms if your version of
Solaris doesn't include SSH. Compiling from source is easy assuming
you have GNU GCC installed and it should only require the OpenSSL
encryption library.
BTW, it's a good idea to keep OpenSSH _up-to-date_. Exploits for
OpenSSH usually can't do much, but since SSH is a popular, encrypted
method of access, it's targeted heavily (whereas telnet is easy to
exploit on its own -- because you just capture and read the clear text
password sent over the Internet ;-).
-- Bryan
Bryan J. Smith, E.I. SmithConcepts, Inc.
mailto:b.j.smith at ieee.org http://SmithConcepts.com
(407)489-7013 (Mobile) Engineers and IT Professionals
-----------------------------------------------------------------
BS Computer Engineering, NSPE Certified Engineering Intern (E.I.)
Sun Certified System Admin (SCSA) Solaris 8
CompTIA A+ (2001), Linux+, Network+ (2002) Certified
-----------------------------------------------------------------
_______________________________________________
sunmanagers mailing list
sunmanagers at sunmanagers.org
http://www.sunmanagers.org/mailman/listinfo/sunmanagers
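An added example, not part of the original post: a POSIX shell check that reads sshd_config text and reports the effective global X11 forwarding settings, including the TCP port of the first forwarded display (6000 + X11DisplayOffset, the 6010 discussed above). X11UseLocalhost is a real sshd option the post does not mention; the function names and the sample config are constructed for illustration.

```shell
#!/bin/sh
# Added example: effective global X11 settings from sshd_config text on stdin.

# Constructed sample config (not from the post).
sample_config() {
cat <<'EOF'
# constructed sample sshd_config
Port 22
x11forwarding yes
X11Forwarding no
X11DisplayOffset 10
Match User guest
    X11Forwarding no
EOF
}

# sshd_global_value KEYWORD DEFAULT
# sshd keeps the FIRST value seen for a keyword, matches keywords
# case-insensitively, and applies lines after "Match" only conditionally,
# so the scan stops at the first Match line.
sshd_global_value() {
    awk -v want="$(printf '%s' "$1" | tr 'A-Z' 'a-z')" -v def="$2" '
        /^[ \t]*#/ || /^[ \t]*$/ { next }        # comments and blank lines
        tolower($1) == "match" { exit }
        tolower($1) == want { print tolower($2); found = 1; exit }
        END { if (!found) print def }
    '
}

# x11_audit: print one summary line for the config text on stdin.
# Defaults used when a keyword is absent are the OpenSSH defaults.
x11_audit() {
    cfg=$(cat)
    fwd=$(printf '%s\n' "$cfg" | sshd_global_value X11Forwarding no)
    off=$(printf '%s\n' "$cfg" | sshd_global_value X11DisplayOffset 10)
    loc=$(printf '%s\n' "$cfg" | sshd_global_value X11UseLocalhost yes)
    case "$off" in
        ''|*[!0-9]*) echo "bad X11DisplayOffset: $off" >&2; return 1 ;;
    esac
    echo "forwarding=$fwd first_display=:$off tcp_port=$((6000 + off)) loopback_only=$loc"
}

sample_config | x11_audit
```

To audit a live server, feed it the real file: `x11_audit < /etc/ssh/sshd_config`.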