Operating System - HP-UX

Re: ssh, how to work around "X11Forwarding no" if don't have root?

 
abc_18
Regular Advisor

ssh, how to work around "X11Forwarding no" if don't have root?

Let's say machine "fubar.acme.com"
has sshd configured, but they have
"X11Forwarding no" set in
their /opt/ssh/etc/sshd_config.
And let's say they refuse to change
it to "yes".

Well.

According to the ssh docs, there's a
way to get this to work, w/o using root access. But they don't say exactly how.

Any idea?

In other words, what I want to do is:

$ telnet mybox.happy.com
$ ssh -X fubar.acme.com
$ xclock

and have xclock from fubar show up
on mybox.happy.com

Any suggestions?
Thanks in advance.
8 REPLIES
harry d brown jr
Honored Contributor

Re: ssh, how to work around "X11Forwarding no" if don't have root?

abc_18
Regular Advisor

Re: ssh, how to work around "X11Forwarding no" if don't have root?

Those URLs just document the same
method I already specified in my
original post, i.e., "-X".

HOWEVER that technique doesn't work if the server has "X11Forwarding no".

The QUESTION is... how can I work
around this?

Ermin Borovac
Honored Contributor

Re: ssh, how to work around "X11Forwarding no" if don't have root?

You can try using the ssh port forwarding feature.

This assumes that you have an X server running on mybox.happy.com on port 6000 (display 0).

fubar.acme.com$ ssh -L fubar.acme.com:6010:mybox.happy.com:6000 mybox.happy.com
fubar.acme.com$ export DISPLAY=fubar.acme.com:10.0
fubar.acme.com$ xclock

xclock connects to fubar.acme.com port 6010 (display 10). The first ssh process forwards this connection to mybox.happy.com port 6000, to the X server.
abc_18
Regular Advisor

Re: ssh, how to work around "X11Forwarding no" if don't have root?

Ahh - now we're making progress :-)
Unfortunately it doesn't quite work (yet).

I do have an X server running on mybox.happy.com on port 6000 (display 0).

Unfortunately ssh balked (syntax error):

fubar.acme.com$ ssh -L fubar.acme.com:6010:mybox.happy.com:6000 mybox.happy.com

but I think what you really meant was this
(notice - one less hostname in the cmd line):

fubar.acme.com$ ssh -L 6010:mybox.happy.com:6000 mybox.happy.com

So far, so good.
However running the xclock failed:

fubar.acme.com$ export DISPLAY=fubar.acme.com:10.0
fubar.acme.com$ xclock
Error: Can't open display: fubar.acme.com:10.0

So I tried a "netstat" to see if the *.6010 was set up. It was, but... using "localhost":

fubar.acme.com$ netstat -an|grep 6010
tcp 0 0 127.0.0.1.6010 *.* LISTEN


Okay - no problem. Just switch $DISPLAY to
use "localhost" instead of "fubar.acme.com", right?

Close. Now we have a slightly different
error:

fubar.acme.com$ export DISPLAY=127.0.0.1:10.0

$xclock
Xlib: connection to "localhost:10.0" refused by server
Xlib: Client is not authorized to connect to Server
Error: Can't open display: localhost:10.0

Okay - no problem. Just do a "xhost +"
first, right?

fubar.acme.com$ xhost +
Xlib: connection to "localhost:10.0" refused by server
Xlib: Client is not authorized to connect to Server
xhost: unable to open display "localhost:10.0"


Okay, NOW I'm stuck - I've never seen
"xhost +" fail before.

Any suggestions?
Thanks in advance!
Ermin Borovac
Honored Contributor
Solution

Re: ssh, how to work around "X11Forwarding no" if don't have root?

It wasn't a syntax error, at least on ssh 4.0p1. The local bind address must have been introduced in recent versions of ssh.

Try running ssh with the -g option.

$ ssh -g -L 6010::6000
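
Added example, not part of the original posts: with -g the forwarded display port listens on all interfaces instead of loopback only, so any host that can reach that port reaches the tunnel to the X server. The script below classifies listeners in the X11 display port range from `netstat -an` output; the function names are hypothetical and the sample lines are constructed, except the 127.0.0.1.6010 line, which is the one shown in the thread.

```shell
#!/bin/sh
# Flag listeners in the X11 display port range (6000-6063, displays :0 to :63).
# A loopback listener is what a plain `ssh -L` creates; a wildcard listener is
# what `ssh -g -L` creates and is reachable from other hosts.

classify_x11_listeners() {
    # Reads `netstat -an` lines on stdin.
    # Prints one line per listener: "<display> <scope> <local-address>".
    awk '
    $NF == "LISTEN" || $NF == "LISTENING" {
        laddr = $4
        # The port follows the last "." (HP-UX/BSD style) or ":" (Linux style).
        pos = match(laddr, /[.:][0-9]+$/)
        if (pos == 0) next
        addr = substr(laddr, 1, pos - 1)
        port = substr(laddr, pos + 1) + 0
        if (port < 6000 || port > 6063) next
        scope = "exposed"
        if (addr == "127.0.0.1" || addr == "::1" || addr == "localhost")
            scope = "loopback"
        printf ":%d %s %s\n", port - 6000, scope, laddr
    }'
}

sample_netstat() {
    # Constructed sample input in the netstat format quoted in the thread.
    cat <<'EOF'
tcp        0      0  127.0.0.1.6010         *.*                     LISTEN
tcp        0      0  *.6011                 *.*                     LISTEN
tcp        0      0  *.22                   *.*                     LISTEN
tcp        0      0  10.0.0.5.6000          10.0.0.9.51514          ESTABLISHED
EOF
}

# On a real host: netstat -an | classify_x11_listeners
sample_netstat | classify_x11_listeners
```

Lines reported as "exposed" are display ports that other hosts can connect to; "loopback" lines are only usable by processes on the same machine.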
abc_18
Regular Advisor

Re: ssh, how to work around "X11Forwarding no" if don't have root?

Thanks - you get 10 points, because that
solves my original problem.

Unfortunately... I now see that I have
another problem - the two machines are
also separated by a firewall, which is
preventing the tcp/6000 connection from
being sent back.

mybox.happy.com ---- inside the firewall
fubar.acme.com ----- outside the firewall

mybox$ ssh fubar.acme.com
fubar$ ssh -g -L 6010:mybox.happy.com:6000 mybox.happy.com
ssh: connect to host mybox.happy.com port 22: Connection timed out

The error is because ssh can't get back across the firewall to tcp/22 on my internal machine.

But that part is easily fixed, by just
changing the last arg so the ssh ends up
launching a shell back on the external box.
(Weird, but required by ssh syntax apparently).


fubar$ ssh -g -L 6010:mybox.happy.com:6000 fubar.acme.com

a new fubar prompt...>

So far so good.

Unfortunately, when I fire up an xclock,
I now get a new sort of error because
my company's firewall is blocking incoming connections to tcp/6000:

fubar$ export DISPLAY=fubar:10.0
fubar$ xclock
channel 2: open failed: connect failed: Connection timed out
X connection to fubar:10.0 broken (explicit kill or server shutdown).


It seems to me that there should be a way to
get ssh to forward the X11 traffic back
down the ssh I used to connect to fubar
in the first place.

Any ideas?
Thanks in advance.
Ermin Borovac
Honored Contributor

Re: ssh, how to work around "X11Forwarding no" if don't have root?

Sorry, that's why you need to ssh to mybox.happy.com (not to fubar.acme.com). ssh creates a tunnel and redirects your X connection back to mybox.happy.com.

Maybe you should try the -R option, as in

mybox.happy.com$ ssh -fN -R 6000:fubar.acme.com:6010 fubar.acme.com

and then on the remote system

fubar.acme.com$ export DISPLAY=fubar.acme.com:10.0
fubar.acme.com$ xclock

Hope it works for you :-)
abc_18
Regular Advisor

Re: ssh, how to work around "X11Forwarding no" if don't have root?

.