Date:      Mon, 28 Jul 2003 00:47:28 -0700 (PDT)
From:      Jason Stone <freebsd-security@dfmm.org>
To:        Paul Chvostek <paul+fbsd@it.ca>
Cc:        freebsd-security@freebsd.org
Subject:   Re: ssh and X11Forwarding
Message-ID:  <20030728003941.C77638@walter>
In-Reply-To: <20030728064729.GA30191@mail.it.ca>
References:  <20030728064729.GA30191@mail.it.ca>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1


> What has to be installed on a host for it to do X11Forwarding in SSH?

> Does X have to be installed *on the firewall* for me to forward X11
> connections from the X clients back to my workstation at home?

Depends on how you're ssh'ing.  If you're ssh'ing from your box to the
firewall, and from the firewall to the target, then you'll need x support
on all the boxes, yes.

However, if you're doing the right thing and ssh'ing _through_ the
firewall to the target host (eg, with openssh's ProxyCommand option, or
with multiple ssh's and port forwards), then you only need x support on
your machine and the target machine.

I think that "x support" consists of xauth and whatever libraries are
needed by the binary you want to run.


The topically interesting part of this question is the issue of how you
handle multiple ssh hops - I think that most people don't know about
ProxyCommand, and when they have to ssh through multiple machines, they
just go from one to the next to the next, which is bad, security-wise, not
to mention less powerful.  Is this worth a faq entry?


 -Jason

 --------------------------------------------------------------------------
 Freud himself was a bit of a cold fish, and one cannot avoid the suspicion
 that he was insufficiently fondled when he was an infant.
	-- Ashley Montagu
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.1 (FreeBSD)
Comment: See https://private.idealab.com/public/jason/jason.gpg

iD8DBQE/JNUQswXMWWtptckRAqyaAKCNIxxhNOn0FFqNHV1x/VfXZQlu2wCfXmwm
R0dDztX2i0wokIAB4VyYDvI=
=R0GQ
-----END PGP SIGNATURE-----
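
The ssh-through-the-firewall setup described in the message above, sketched as a client-side ~/.ssh/config. This is an added example, not part of the original e-mail; the host names are placeholders, and it assumes the target's sshd permits X11 forwarding and has xauth installed.

```sshconfig
# ~/.ssh/config on the workstation (added example; host names are placeholders)

# The firewall is only a transport hop. Nothing is forwarded to it, so it
# needs no X libraries and no xauth.
Host firewall
    HostName firewall.example.org
    ForwardX11 no
    ForwardAgent no

# The target is reached *through* the firewall. The outer connection to the
# firewall just relays bytes to target:22; the inner SSH session, including
# the X11 channel, is encrypted end to end between workstation and target.
Host target
    HostName target.internal.example.org
    # -W needs OpenSSH 5.4 or later. Older clients ran a relay program such
    # as nc on the firewall instead:  ProxyCommand ssh firewall nc %h %p
    ProxyCommand ssh -W %h:%p firewall
    # OpenSSH 7.3 or later can replace the line above with:  ProxyJump firewall
    ForwardX11 yes
    # Untrusted forwarding: remote X clients are subject to the X SECURITY
    # extension restrictions on the local display.
    ForwardX11Trusted no

# For contrast, the hop-by-hop habit (ssh -X firewall, then ssh -X target
# typed on the firewall) terminates the first session on the firewall, so
# the firewall needs xauth, sees the session in cleartext, and holds a
# proxy display that leads back to the workstation's X server.
```

With this in place, `ssh target` opens the session in one step, and `ssh -G target` (OpenSSH 6.8 or later) prints the effective options for checking.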


