From owner-freebsd-security Thu Jun 24 8:38:21 1999
Date: Thu, 24 Jun 1999 09:37:27 -0600 (MDT)
From: Paul Hart
To: "Jung, Michael"
Cc: security@FreeBSD.ORG
Subject: Re: X and SSH

On Thu, 24 Jun 1999, Jung, Michael wrote:

> I have been reading these threads and unless I missed something
> I have not seen this addressed.

This came up earlier this month, but maybe you missed it. Search the freebsd-security mailing list archives for "ssh" and "newbie" for a full discussion.

> Suppose you use ssh, tterm, etc. to securely connect to a host. Once on
> the host you want to export your display back to a client so you can
> bring up an X application. How does one have the X session encrypted?

If your SSH client and the SSH server have X11 forwarding turned on, then the DISPLAY environment variable should already be set automatically when you log into the remote machine. Don't try to set this manually! SSH will create a high-numbered display on the remote machine which it actually uses to intercept your X traffic to send it back down the SSH tunnel to your local machine. This is for the UNIX client and server.

I believe that in the Windows world, SecureCRT can do X11 forwarding to a Windows X server, but I might be mistaken.

> Can someone supply an example _OR_ provide a better way of getting
> encrypted X sessions.

SSH is probably the best way to get encrypted X sessions. If you use the defaults everywhere that come with SSH, your client installation will have X11 forwarding turned on and the remote sshd should also have it enabled. Then just log in to the remote server with SSH and immediately check your DISPLAY environment variable (don't you set it!). You should see DISPLAY set to a high-numbered display (like >10) on the remote machine. This will be your sign that SSH X11 forwarding is in effect.

Try running some X clients on the remote machine, verify that they do appear on your local X server, and check the list of open sockets on the local machine with netstat to verify that the X clients in fact did not come over a socket directly to your local X server (i.e. you don't see any active connections from the remote machine to port 6000 or so on the local machine).

If the remote machine does not have X installed, it may be difficult to get sshd to do X11 forwarding because SSH likes to do things like create .Xauthority files for you on the remote machine using xauth and stock them with cookies. X11 forwarding will also be missing from sshd if the build process was unable to locate xauth at the SSH compilation configuration stage on the remote machine, as I recall.

Paul Hart

--
Paul Robert Hart        ><8> ><8> ><8>        Verio Web Hosting, Inc.
hart@iserver.com        ><8> ><8> ><8>        http://www.iserver.com/
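The two checks Paul describes (a high-numbered DISPLAY on the remote host, and no direct connections to the local X server in netstat), as an added shell example that is not part of the original mail. It assumes sshd's first forwarded display is number 10, that X servers listen on TCP 6000 plus the display number, and that netstat prints the port after the last '.' or ':' of an address; the netstat listing below is constructed.

```shell
#!/bin/sh
# Added example (not from the original mail): the two checks Paul Hart
# describes, as shell functions. Assumptions: sshd numbers its first
# forwarded display 10 (the OpenSSH default X11DisplayOffset), X servers
# listen on TCP 6000 + display number (so 6000-6063 is "port 6000 or so"),
# and netstat prints the port after the last '.' or ':' of an address.

# Return 0 if DISPLAY names display number 10 or higher, the sign that
# sshd (not a hand-set DISPLAY) is intercepting the X traffic.
is_forwarded_display() {
    num="${1#*:}"        # drop "host:"
    num="${num%%.*}"     # drop ".screen"
    case "$num" in ''|*[!0-9]*) return 1 ;; esac
    [ "$num" -ge 10 ]
}

# Read a `netstat -an` listing on stdin and print how many ESTABLISHED
# connections reach a local X-server port (6000-6063) from a non-loopback
# peer. A correctly forwarded session yields 0: the X clients come down
# the SSH channel, never straight from the remote host to port 6000.
count_direct_x_connections() {
    awk '$NF == "ESTABLISHED" {
            n = split($4, lp, /[.:]/); port = lp[n] + 0
            if (port >= 6000 && port <= 6063 &&
                $5 !~ /^(127\.|localhost|::1)/) hits++
         }
         END { print hits + 0 }'
}

# Constructed sample listing (addresses are not real hosts): one direct
# connection from 192.0.2.44 to the local X server on 6000, plus noise.
SAMPLE_NETSTAT='Proto Recv-Q Send-Q  Local Address    Foreign Address   (state)
tcp4       0      0  10.0.0.5.6000    192.0.2.44.40122  ESTABLISHED
tcp4       0      0  127.0.0.1.6010   127.0.0.1.51234   ESTABLISHED
tcp4       0      0  10.0.0.5.22      192.0.2.44.40100  ESTABLISHED
tcp4       0      0  *.6000           *.*               LISTEN'

printf '%s\n' "$SAMPLE_NETSTAT" | count_direct_x_connections   # prints 1
is_forwarded_display "remotehost:10.0" && echo "display 10: forwarded"
```

Run `is_forwarded_display "$DISPLAY"` on the remote host right after logging in, and pipe the local machine's `netstat -an` into `count_direct_x_connections`; anything other than 0 means some X client reached the local server outside the SSH tunnel.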