Date: Wed, 9 Jun 1999 09:21:58 -0600 (MDT)
From: Paul Hart
To: John-Mark Gurney
Cc: hqy2446, freebsd-security@FreeBSD.ORG
Subject: Re: newbie question: ssh
In-Reply-To: <19990609004437.15372@hydrogen.nike.efn.org>

On Wed, 9 Jun 1999, John-Mark Gurney wrote:

> > What I did is
> >
> > $ xhost +[remote host]
>
> NEVER EVER do this!!! this is BAD, anyone on [remote host] can now
> connect to your server and intercept ANY keystrokes that you may type,
> this includes any passwords you may type...

Oooh, yeah, this is very very bad.

> as for why ssh isn't doing all the forwarding work for you, that's
> another puzzle, you need to make sure you build ssh when the X libs
> are installed on the machine, I built ssh once, then installed the X
> libs, of course X forwarding didn't work till we rebuilt ssh...

Did you make sure that the remote sshd has X11 forwarding turned on? You need to have X11 forwarding turned on in your local SSH client configuration and the remote sshd has to have it turned on as well.

If the remote machine does not have X installed, it may be difficult to get sshd to do X11 forwarding because SSH likes to do things like create .Xauthority files for you on the remote machine using xauth and stock them with cookies. X11 forwarding will also be missing from sshd if the build process was unable to locate xauth at the SSH compilation configuration stage on the remote machine, as I recall.

If you use the defaults everywhere that come with SSH, your client installation will have X11 forwarding turned on and the remote sshd should also have it enabled. Then just log in to the remote server with SSH and immediately check your DISPLAY environment variable (don't you set it!). You should see DISPLAY set to a high numbered display (like >10) on the remote machine. This will be your sign that SSH X11 forwarding is in effect. Try running some X clients on the remote machine, verify that they do appear on your local X server, and check the list of open sockets on the local machine with netstat to verify that the X clients in fact did not come over a socket directly to your local X server (i.e. you don't see any active connections from the remote machine to port 6000 or so on the local machine).

Paul Hart

--
Paul Robert Hart        ><8>  ><8>  ><8>        Verio Web Hosting, Inc.
hart@iserver.com        ><8>  ><8>  ><8>        http://www.iserver.com/
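The two checks described in the message above (the DISPLAY value on the remote side, and the absence of direct connections to the local X server in netstat), as an added shell example that is not part of the original post. The function names, the sample netstat output and the default display threshold of 10 are assumptions made for illustration.

```shell
#!/bin/sh
# display_number VALUE: print the display number from a DISPLAY value such
# as "anchovy:10.0" or "localhost:11"; fail if VALUE has no numeric display.
display_number() {
    case "$1" in
        *:*) ;;
        *) return 1 ;;
    esac
    n=${1##*:}    # drop the host part
    n=${n%%.*}    # drop the screen part
    case "$n" in
        ''|*[!0-9]*) return 1 ;;
    esac
    printf '%s\n' "$n"
}

# display_is_forwarded VALUE [MIN]: run on the REMOTE host after login.
# True when the display number is at least MIN (assumed default: 10).
display_is_forwarded() {
    n=$(display_number "$1") || return 1
    [ "$n" -ge "${2:-10}" ]
}

# direct_x11_peers: run on the LOCAL host as `netstat -an | direct_x11_peers`.
# Prints every non-loopback peer with an established TCP connection to a
# local X server port (6000-6063). No output means nothing bypassed SSH.
direct_x11_peers() {
    awk '
    function port(a) { sub(/^.*[.:]/, "", a); return a }  # text after last . or :
    $1 ~ /^tcp/ && $NF == "ESTABLISHED" {
        s = port($4)
        if (s !~ /^[0-9]+$/) next
        p = s + 0                                         # force numeric compare
        if (p >= 6000 && p <= 6063 && $5 !~ /^(127\.|::1|localhost)/) print $5
    }'
}

# Constructed sample of BSD-style `netstat -an` output (documentation addresses).
sample_netstat() {
cat <<'EOF'
Proto Recv-Q Send-Q  Local Address      Foreign Address    (state)
tcp        0      0  192.0.2.10.1022    192.0.2.20.22      ESTABLISHED
tcp        0      0  192.0.2.10.6000    192.0.2.20.1034    ESTABLISHED
tcp        0      0  127.0.0.1.6000     127.0.0.1.1501     ESTABLISHED
tcp        0      0  *.6000             *.*                LISTEN
EOF
}
```

In the constructed sample, the second connection is the kind the message says you should not see: an X client on the remote machine talking straight to local port 6000 instead of going through the SSH channel.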